Increasing External Auditor Reliance

Similar documents
THE AUDITOR S RESPONSIBILITIES AND FUNCTIONS, INTRODUCTION TO GAAS, AND THE GENERAL STANDARDS (INCLUDING THE QUALITY CONTROL STANDARDS)

Auditing & Assurance Services, 7e (Louwers) Chapter 2 Professional Standards

Chapter 2. The CPA Profession

CLIENT ALERT: INTERNAL CONTROL OVER FINANCIAL REPORTING

Statement on February 2014 Auditing Standards 128. Using the Work of Internal Auditors

Chapter 02. Professional Standards. Multiple Choice Questions. 1. Control risk is

International Standards for the Professional Practice of Internal Auditing (Standards)

SOX and PCAOB. Introduction. SOX Act. In what year did the Sarbanes Oxley Act pass into law?

International Standards for the Professional Practice of Internal Auditing (Standards)

Internal Audit Quality Analysis Evaluation against the Standards International Standards for the Professional Practice of Internal Auditing (2017)

1. A series of business and related auditing failures led to the passage of the Sarbanes-Oxley Act (2002).

Mr. Thomas Ray Deputy Chief Auditor Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, N.W. Washington, DC

STANDING ADVISORY GROUP MEETING

Via November 21, 2003

Proposed Attestation Requirements for FR Y-14A/Q/M reports. Overview and Implications for Banking Institutions

FREQUENTLY ASKED QUESTIONS ABOUT INTERNAL CONTROL OVER FINANCIAL REPORTING

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

1095 Avenue of the Americas New York, NY Peter M. Carlson Executive Vice President and Chief Accounting Officer

Business development companies

STANDING ADVISORY GROUP MEETING ENGAGEMENT QUALITY REVIEW APRIL 2, 2009

Essential IT Considerations for Sarbanes-Oxley Act

Government Auditing Standards

α β 19 November 2003 Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, N.W. Washington, D.C.

2016 INSPECTION OF BHARAT PARIKH & ASSOCIATES CHARTERED ACCOUNTANTS. Preface

Standing Advisory Group Meeting

Community Bankers Conference

1. Auditors may be independent in fact but not independent in appearance. 3. Attestation standards provide guidance for a wide variety of engagements

B S R & Co. LLP. Reporting on Internal. Reporting An Overview. Sarbanes Oxley Act (SOX) 28 December 2013

PPG INDUSTRIES, INC. AUDIT COMMITTEE CHARTER

GUIDELINES FOR THE INTERNAL CONTROL AND RISK MANAGEMENT SYSTEM OF THE TOD'S S.P.A. GROUP

Engagement Quality Review

Chapter 2. The CPA Profession

Internal controls over financial reporting

Evaluating Internal Controls

VERSION #1 PLEASE WRITE ON YOUR SCANTRON

BIOSCRIP, INC. CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS

SARBANES-OXLEY COMPLIANCE MANAGING CHANGING EXPECTATIONS January 20, 2017

PGDBFS 103 International Financial Accounting and Policy (IFAP)

Internal Financial Controls New perspectives as per Companies Act 2013 and CARO 2016

Negotiating in a Sarbanes-Oxley World

The Auditor s Consideration of the Internal Audit Function in an Audit of Financial Statements

Checkpoint Contents Accounting, Audit & Corporate Finance Library Editorial Materials Audit and Attest PCAOB Audits Chapter 1 Overview 100 Background

9. Internal control Internal control, as defined in accounting and auditing, is a process for assuring achievement of an organization's objectives in

SEC Votes to Propose Interpretive Guidance for Management to Improve Sarbanes-Oxley 404 Implementation

Beyond Compliance. Leveraging Internal Control to Build a Better Business: A Response to Sarbanes-Oxley Sections 302 and 404

SOX FOR NPO S Focus on Control. Stephen L. Kuptz, CPA

How to Pass an ALGA Yellow Book Peer Review Training by the Association of Local Government Auditors (ALGA) Tampa, Florida September 20, 2013

[RELEASE NOS ; ; FR-77; File No. S ]

2-2 The major characteristics of CPA firms that permit them to fulfill their social function competently and independently are:

Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC

2.1 Describe the various organizational structures of public accounting firms

CDK GLOBAL, INC. AUDIT COMMITTEE CHARTER Effective January 20, 2016

Guidance Note: Corporate Governance - Audit Committee. March Ce document est aussi disponible en français.

Guidance Note: Corporate Governance - Audit Committee. January Ce document est aussi disponible en français.

MINDEN BANCORP, INC. AUDIT COMMITTEE CHARTER

American Society of Corporate Secretaries. November 21, 2003

Internal controls over financial reporting

) ) ) ) ) ) ) ) ) ) ) )

REX ENERGY CORPORATION CORPORATE GOVERNANCE GUIDELINES

AUDIT COMMITTEE CHARTER DATED AS OF AUGUST 5, 2010

BancorpSouth, Inc. and. BancorpSouth Bank. Audit Committee Charter

2013 INSPECTION OF ENTERPRISE CPAS, LTD.

February 23, Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, N.W. Washington, D.C.

) ) ) ) ) ) ) ) ) ) ) ) PROPOSED AUDITING STANDARDS RELATED TO THE AUDITOR'S ASSESSMENT OF AND RESPONSE TO RISK

Corporate Governance of NTT DATA Corporation

GOODWILL INDUSTRIES OF COLORADO SPRINGS

See your auditor clearly. Transparency report: How we perform quality audit engagements

Report. Quality Assessment of Internal Audit at <Organisation> Draft Report / Final Report

Corporate Governance Principles of Auditing: An Introduction to International Standards on Auditing - Ch 14

up Texas Society of ~ Certified Public Accountants

Practical Approach to Internal Controls for Pre & Post IPOs in Hong Kong & China

FDICIA Reporting for Financial Institutions. Reporting Changes Under Part 363 and SAS 130

Report on Inspection of Ernst & Young Accountants LLP (Headquartered in Rotterdam, Kingdom of The Netherlands)

Dexia Group Audit Charter

POLARIS INDUSTRIES INC. BOARD OF DIRECTORS AUDIT COMMITTEE CHARTER Revised January 26, 2017

DAVITA INC. AUDIT COMMITTEE CHARTER

GOVERNANCE POLICY. Adopted January 4, 2018

AUDIT COMMITTEE HANDBOOK

An Overview of the 2013 COSO Framework. August 2013

BioAmber Inc. Audit Committee Charter

STANDING ADVISORY GROUP MEETING

Reference: File Number Second-year experiences with the Implementation of Internal Control Reporting and Auditing Provisions

STARWOOD HOTELS & RESORTS WORLDWIDE, INC. CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS

AEGON N.V. AUDIT COMMITTEE CHARTER

BancorpSouth Bank Audit Committee Charter

STANDING ADVISORY GROUP MEETING DESIGNING AND IMPLEMENTING A SYSTEM OF QUALITY CONTROL OCTOBER 13-14, 2010

Term Project. Sarbanes-Oxley Act (SOX) Hiroshi Tachibana (MBA 2 nd )

Audit Committee Charter

Approaches to auditing standards and their possible impact on auditor behavior

1666 K Street, NW K Street, NW Washington, D.C Telephone: (202) Facsimile: (202)

29 th Regional Conference of WIRC

2013 INSPECTION OF GEORGE STEWART, CPA

CABOT OIL & GAS CORPORATION AUDIT COMMITTEE CHARTER

STAFF QUESTIONS AND ANSWERS

2. The auditors' report on a corporation's financial statements usually is addressed to the president of the company.

CHAPTER 2 THE FINANCIAL STATEMENT AUDITING ENVIRONMENT

Airports Council International-North America 2006 Economic Specialty Conference June 5, 2006

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a

Transcription:

Increasing External Auditor Reliance Guiding Internal Auditors to realize the benefits of raising the bar on External Auditor Reliance. SOX Software Made Simple

Table of Contents 1 Introduction 3 Factors impacting external auditor reliance 3 Competence of the Internal Audit function 3 Objectivity of the Internal Audit function 4 Scope of work performed by the Internal Audit function 4 Assessed risk of material misstatement 4 Quality of the work of the Internal Audit function 6 Benefits of increasing external auditors reliance on the work of internal audit 6 Reduced external auditor fees - SOX compliance costs 6 Increases the Internal Audit function s value-add to companies 6 Supporting transparent and collaborative relationships between external auditors and Internal Audit 7 Company s action plan to increase external auditor s reliance on internal audit 7 Regularly monitor the controls environment and perform risk and controls optimization activities 7 Implement sustainable and industry-leading processes, including control automation 8 Utilize new technology to help manage SOX compliance efforts, not just business operations 9 Conclusion 1

Section I: Introduction he Public Company Accounting Oversight Board (PCAOB) allows external auditors to utilize and rely on the work of internal auditors when complying with Section 404 of the Sarbanes-Oxley Act. Although the PCAOB has provided explanations in the form of clarifications and alerts, there is still a considerable degree of ambiguity on the nature and extent of the external auditor s reliance decisions. In fact, many in the industry would consider this area to be more of an art than a science in some regards. The concept of external auditors utilizing the work of internal auditors is not new. Before formal regulatory guidance was issued in the area, the idea was being discussed among academic researchers since the mid-20th century. Since then, the Internal Audit function gained prominence as an enabler of operational efficiency and has been entrusted with significant importance as a result of factors such as new auditing and accounting guidance, the introduction of the Sarbanes Oxley Act, and revised listing rules. Guidance issued by the American Institute of Certified Public Accountants (AICPA) between the 1970s and 1990s (and later adopted by the PCAOB) set forth standards for external auditors evaluation of the Internal Audit function and their use of work performed by internal auditors. Statements on Auditing Standards (SAS) No. 9 and SAS No. 65 (superseded SAS No. 9) helped auditors plan their audits and factor in the efforts of the internal auditors, specifically: a) Using the work of the Internal Audit function in obtaining audit evidence, and b) Using internal auditors to provide direct assistance under the direction, supervision, and review of the external auditor 2

The introduction of the Sarbanes Oxley Act (SOX) set the stage for the Internal Audit function to expand its role within an organization and play a larger role in contributing to efficiencies. The Sarbanes-Oxley Act of 2002, a landmark legislation passed by Congress on July 30, 2002, was a reaction to several major corporate and accounting scandals, including Enron and Worldcom. The bill was designed primarily to safeguard investors by improving the accuracy and reliability of corporate disclosures. Section 404 of the Act moreover, imposes the biggest impact on corporations in America. Companies are now required to document, assess, test and remediate the internal controls over financial reporting (ICFR). To further strengthen SOX, the Securities and Exchange Commission (SEC) approved new rules in 2003 that required all listed companies to have an Internal Audit function. These new rules brought about a big change in the attitude of companies towards internal controls while placing new responsibilities on the external auditors, who now attest to the overall efficacy of internal controls in the organization in the annual report. 3

Excerpt from the Sarbanes-Oxley Act of 2002 report for section 404 (a) Rules Required: Each annual report to contain an internal control report, which shall-- (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. (b) Internal Control Evaluation and Reporting. With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. 4

These new requirements increased the workload of public accounting firms. Now, not only did they have to audit the financial statements, but also the internal controls of public companies. Internal auditors seemed the most logical partners in this new initiative, and were looked upon to help comply with these requirements in an efficient and cost-effective way. With the release of Accounting Standard 5 (AS 5: An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements) in 2007, the partnership between the external and internal auditor received a fresh impetus. AS 5 states: The auditor should evaluate the extent to which he or she will use the work of others to reduce the work the auditor might otherwise perform himself or herself. For purposes of the audit of internal control, however, the auditor may use the work performed by, or receive direct assistance from, internal auditors, company personnel (in addition to internal auditors), and third parties working under the direction of management or the audit committee that provides evidence about the effectiveness of internal control over financial reporting. In an integrated audit of internal control over financial reporting and the financial statements, the auditor also may use this work to obtain evidence supporting the auditor's assessment of control risk for purposes of the audit of the financial statements. With rising audit costs driven by increasing auditor workload and growing expectations on audit quality, more and more organizations are starting to realize the benefits of increasing external auditors reliance on the work of internal auditors. 5

Section II: Factors impacting external auditor reliance ertain factors impact the external auditor s reliance decisions more than others. An analysis of these factors is important in understanding how best to structure an Internal Audit function in an organization. AS 5 states that during an integrated audit of the financial statements and ICFR, the auditor should apply AU sec. 322 (SAS No. 65) when evaluating the extent to which he or she will use the work of others to reduce the work the auditor might otherwise perform himself or herself. While AU 322 (SAS 65) (and more recently AU-C 610 [SAS 128] for GAAS audits) contains brief instructions and factors to consider before relying on the internal auditor s work, there is no single ground rule illustrating all the major points. Based on existing guidance and other industry research, here is a detailed explanation of the factors impacting external auditor reliance on Internal Audit: 6

1. COMPETENCE OF THE INTERNAL AUDIT FUNCTION When external auditors are satisfied with the internal auditors competence, they place more reliance on the procedures performed by the internal auditors. Qualification, practices, and documentation are key elements in gaining the trust of the external auditor. AU 322 lists the following factors as key in determining internal auditor competence: Educational level and professional experience of internal auditors. Professional certification and continuing education. Audit policies, programs, and procedures. Practices regarding assignment of internal auditors. Supervision and review of internal auditors' activities. Quality of working-paper documentation, reports, and recommendations. Evaluation of internal auditors' performance. 2. OBJECTIVITY OF THE INTERNAL AUDIT FUNCTION Objectivity refers to the ability to perform tasks without bias, to avoid conflicts of interest and to reject the influence of others. The internal auditor s objectivity primarily depends on the prevailing reporting hierarchy and the existence of company policies that curtail his/her independence. AU 322 mentions the following factors as impacting the organizational status of the internal auditor: Whether the internal auditor reports to an officer of sufficient status to ensure broad audit coverage and adequate consideration of, and action on, the findings and recommendations of the internal auditors. Whether the internal auditor has direct access and reports regularly to the board of directors, the audit committee, or the owner-manager. Whether the board of directors, the audit committee, or the owner-manager oversees employment decisions related to the internal auditor. 7

The same section also advises of policies that will maintain the internal auditor s objectivity. Policies prohibiting internal auditors from auditing areas where relatives are employed in important or audit-sensitive positions. Policies prohibiting internal auditors from auditing areas where they were recently assigned or are scheduled to be assigned on completion of responsibilities in the Internal Audit function. 3. SCOPE OF WORK PERFORMED BY THE INTERNAL AUDIT FUNCTION External auditors must consider whether the planned nature or scope of the work performed by Internal Audit is relevant to the external auditor s overall audit strategy and plan. When evaluating the scope of work performed by the internal auditor, the external auditor will consider the following factors: Scope of work is commensurate and appropriate to meet the audit objectives Existence of any limitations on the scope of Internal Audit s activities The adequacy of audit plan and test procedures, including nature, timing, and extent The appropriateness and adequacy of period covered by audit procedures 8

4. ASSESSED RISK OF MATERIAL MISSTATEMENT Risk and reliance have an inverse relationship. If there is a high risk of material misstatement, the auditor will choose to rely less on the work of the internal auditor. AS 5 mentions this risk and reliance relationship: The extent to which the auditor may use the work of others in an audit of internal control also depends on the risk associated with the control being tested. As the risk associated with a control increases, the need for the auditor to perform his or her own work on the control increases. Other determinants impacting the assessed risk of material misstatements include prior history of qualified opinions in the audit report, complexity of audit procedures, degree of judgment related to evaluating audit evidence, and past deficiencies in the internal control framework. 5. QUALITY OF THE WORK OF THE INTERNAL AUDIT FUNCTION External audit firms maintain high quality standards and pride themselves on the accuracy, completeness and consistency of audit procedures. They expect the same quality of work from other parties on whom they rely. External auditors place more reliance on the Internal Audit function when they notice the following characteristics: Standardization, consistency, and completeness of test procedures Quality assurance procedures, including adequate review and supervision Competence of internal audit testers, reviewers and supervisors Deliverables (including work papers) are on par with external auditor s expectations 9

Section III: Benefits of increasing external auditor s reliance on the work of internal audit 1. REDUCED EXTERNAL AUDITOR FEES - SOX COMPLIANCE COSTS External auditor s fees are rising every year. A survey done by the Financial Executives Research Foundation revealed that public companies paid an average of $1.5 million in audit fees in 2014, with a median audit fee of $402,812, representing a median increase of 3.4 percent over the audit fees paid in 2013. About 63% of public companies indicated that the volume of annual audit work by external auditors in 2014 has increased compared to 2013, mainly to obtain an auditor s report on internal controls. Another interesting observation in this survey was that 20.6 percent of SEC filers reported ineffective internal controls over financial reporting. The median increase in audit fees for SEC 10

filers that reported ineffective internal controls over financial reporting was 3.0 percentage points higher than the median for all SEC filers. Through these findings we observe the direct correlation between an ineffective internal control system and higher audit fees. When external auditors are faced with ineffective internal controls in an organization, more procedures are performed, meaning more man hours for testing, reviewing, and documenting, eventually leading to higher audit fees. A robust Internal Audit function in an organization helps ensure the adequacy of internal controls and minimizes the frequency/severity of internal control issues, which in turn, results in reduced external auditor work and man hours. 2. INCREASES THE INTERNAL AUDIT FUNCTION S VALUE-ADD TO COMPANIES The role of the Internal Audit function has evolved to one that adds value to an organization by achieving operational excellence. An increase in external auditors reliance on internal auditors work will only reinforce this mission. Management will look to utilize Internal Audit in other critical business improvement programs such as operational audits, inventory verifications or due diligence exercises to name a few. 3. SUPPORTING TRANSPARENT AND COLLABORATIVE RELATIONSHIPS BETWEEN EXTERNAL AUDITORS AND INTERNAL AUDIT Organizations understand the importance of maintaining healthy relationships between the audit committee, internal auditor and external auditor. Both from a financial reporting and internal controls perspective, collaboration among these parties is critical for the organization. Increasing external auditor reliance will strengthen these relationships, as effective coordination between the external and internal auditors can contribute positively to the external audit. 11

Section IV: Company s action plan to increase external auditor s reliance on internal audit The obvious goal for the organization is to reduce the number of hours spent by the external auditor on validating internal controls. This goal, simple as it may seem, will require concerted effort on the part of management to create an internal control environment that meets or exceeds the high standards expected from the PCAOB. Some ways in which companies can increase external auditors reliance on internal audit are: 12

1. REGULARLY MONITOR THE CONTROLS ENVIRONMENT AND PERFORM RISK AND CONTROLS OPTIMIZATION ACTIVITIES In order to achieve a robust internal control environment, it is vital to have a process that assesses the system s performance over time. Regular monitoring could include management supervisory activities and separate evaluations. Internal control deficiencies have to be brought to the notice of Senior Management as soon as possible, and necessary remediation plans have to be determined. The internal control system should be interlinked with the organization s operating infrastructure and be part of the essence of the enterprise. When the controls are built into the fabric of the organization, they help avoid unnecessary costs and support quality initiatives. Risk and Controls Optimization activities should be high on the priority list of companies that are dealing with high costs of compliance and struggling to convince the business about the value propositions of controls. Optimization is a continuous process of improvement, reflecting a company s objectives and risks and management s risk appetite by establishing effective and efficient internal controls. It basically implies establishing the right controls at the right cost for the organization. Some steps that companies can take to move towards an optimized control environment are: Evaluate and assess risk that impacts operational and strategic value of the business Enable stakeholders within company to view status of compliance activities Develop metrics to illustrate quantitative and qualitative benefits of control improvements to the business Design controls that can adapt to the ever-changing business environment 13

2. IMPLEMENT SUSTAINABLE AND INDUSTRY-LEADING PROCESSES, INCLUDING CONTROL AUTOMATION Using automated controls in the process can directly impact SOX compliance costs by cutting down the number of manual touch points (thus reducing the risk of manual control errors) and labor-intensive detective controls. In certain processes such as backups of application and data files, network security (use of firewalls, intrusion detection /prevention systems, etc.) and change management, the use of automated controls is highly recommended to ensure consistency and reliability of operations. At the same time, certain controls like reconciliations and user access reviews cannot be performed without some degree of manual intervention. It is important to strike the right balance between automated and manual controls within the control environment. 3. UTILIZE NEW TECHNOLOGY TO HELP MANAGE SOX COMPLIANCE EFFORTS, NOT JUST BUSINESS OPERATIONS Achieving Sarbanes-Oxley compliance imposes a significant cost on companies. This cost is mainly incurred on external auditor fees and the cost of running the Internal Audit function. Technology can play a key part in reducing this cost. It is no more a question of if SOX compliance efforts can be aided by a compliance software, but rather a question of which software to implement in order 14

to better serve the organization. There are plenty of software solutions in the market that offer a range of solutions for enterprise GRC, internal audit, SOX, etc. It is necessary to understand the specific compliance requirement to be satisfied, the complexities in the organizational structure, and then select a software that best fits the company s needs and internal control environment. SOXHUB is one such solution that has been successfully accepted by many public companies in the U.S. for SOX compliance. Conclusion External audit and internal audit are complementary functions, and both are essential to the effective governance of an organization. It is to the benefit of the organization to ensure the activities these two functions perform are coordinated rather than duplicated. The PCAOB is constantly pressuring the audit profession to perform at a higher standard which directly impacts internal auditors and the companies being audited. The end result will be a more thorough audit requiring more time and resources to complete. Organizations should strive to develop an independent, efficient and competent Internal Audit function, armed with the necessary tools such as SOXHUB to help take on a portion of this increased audit burden. Presently, the jury is still out as to what extent Internal Audit functions can step up to this task and save SOX compliance costs for their organizations. Only time will tell! 15

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback