SARBANES-OXLEY COMPLIANCE MANAGING CHANGING EXPECTATIONS January 20, 2017

Similar documents
Navigating the PCAOB s and SEC s internal control expectations A discussion. June 2015

How to Maximize Your Internal Controls Program. June 15, 2017 Atlanta, GA

IPO Readiness. Sarbanes-Oxley Compliance & Other Considerations. Presented by:

Chapter 18. Integrated Audits of Public Companies. McGraw-Hill/Irwin. Copyright 2012 by The McGraw-Hill Companies, Inc. All rights reserved.

CLIENT ALERT: INTERNAL CONTROL OVER FINANCIAL REPORTING

Auditing and Attestation (AUD) - Content Outline Effective January 2014

Speech by SEC Staff: Remarks before the 2007 AICPA National Conference on Current SEC and PCAOB Developments

SOX and PCAOB. Introduction. SOX Act. In what year did the Sarbanes Oxley Act pass into law?

Business development companies

February 23, Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, N.W. Washington, D.C.

US U.S. AAM vs. DTTL AAM A Refresher Deloitte Touche Tohmatsu

Managing the Risk of Fraud in the Conversion to IFRS

G13 - ITGCs Role in Internal Control over Financial Reporting William J. Powers

Checkpoint Contents Accounting, Audit & Corporate Finance Library Editorial Materials Audit and Attest PCAOB Audits Chapter 1 Overview 100 Background

Report on Inspection of KPMG AG Wirtschaftspruefungsgesellschaft (Headquartered in Berlin, Federal Republic of Germany)

Public Company Accounting Oversight Board

Community Bankers Conference

B S R & Co. LLP. Reporting on Internal. Reporting An Overview. Sarbanes Oxley Act (SOX) 28 December 2013

FDICIA Reporting for Financial Institutions. Reporting Changes Under Part 363 and SAS 130

By CPA Alfred Lagat Tullon Audit Consulting Ltd 11 th August 2015

Audrey A. Gramling Kennesaw State University. Larry E. Rittenberg. University of Wisconsin Madison. Karla M. Johnstone

The views expressed in these slides are solely the views of the Investor Advisory Group members who prepared them and do not necessarily reflect the

Engagement Performance 49% Independence and Ethical Requirements 40% Human Resources 31% Monitoring 28%

A Guideline for US Non-accelerate Filers to Comply with Sarbanes Oxley Act

29 th Regional Conference of WIRC

PUBLIC COMPANY ACCOUNTING OVERSIGHT BOARD

Negotiating in a Sarbanes-Oxley World

Report on Inspection of Deloitte LLP (Headquartered in Toronto, Canada) Public Company Accounting Oversight Board

STARWOOD HOTELS & RESORTS WORLDWIDE, INC. CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS

Financial Statements Framework

covered member immediate family impaired not a covered member close relative not impaired

Chapter 3: Overview of Accounting Analysis

COSO Updates and Expectations. IIA San Diego Chapter January 8, 2014

Does Your Report Pass Muster in a BV Audit?

McGraw-Hill/Irwin. Copyright 2013 by The McGraw-Hill Companies, Inc. All rights reserved.

AUDIT COMMITTEE CHARTER

Audit & Assurance Update January 16, In This Issue. Background. Background. Key Provisions of the Estimates Standard

LIST OF SUBSTANTIVE CHANGES AND ADDITIONS. PPC's Guide to Audits of Nonprofit Organizations

2017 Internal Controls Survey

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

Report on Inspection of KPMG Auditores Consultores Ltda. (Headquartered in Santiago, Republic of Chile)

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

Report on Inspection of PricewaterhouseCoopers Audit (Headquartered in Neuilly-Sur-Seine, French Republic)

PPC Library Template Report

Increasing External Auditor Reliance

Internal Financial Control (IFC)& Internal Financial Controls over Financial Reporting (IFCoFR)

Airports Council International-North America 2006 Economic Specialty Conference June 5, 2006

STANDING ADVISORY GROUP MEETING

Audit Oversight Board

US Inspection Findings and Internal Control Methodology Changes

Reliable Financial Reporting. Evaluating Deficiencies in Internal Control Over Financial Reporting

Report on Inspection of Ernst & Young Accountants LLP (Headquartered in Rotterdam, Kingdom of The Netherlands)

Report on Inspection of Crowe Horwath LLP (Headquartered in Chicago, Illinois) Public Company Accounting Oversight Board

Auditing Standard 16

Financial Reporting Council BDO LLP AUDIT QUALITY INSPECTION

Chapter 2. The CPA Profession

Benchmarking SOX Costs, Hours and Controls

Case Report:Deficiencies in Audit Quality Control (English version)

September 9, 2016 kpmg.ca

What Companies Need to Do

2012 HUD MULTIFAMILY HOUSING OVERVIEW FOR KNOWLEDGE COACH USERS

IFRS and Information Technology. Chris Anderson, Grant Thornton Jim Menzies, Grant Thornton

31 May Dear Ms. Brown:

Internal financial controls

Financial Accounting Resource Center

SEC hot topics: Year-end update The Dbriefs Financial Reporting series

STANDARD-SETTING UPDATE OFFICE OF THE CHIEF AUDITOR SEPTEMBER 30, 2017

See your auditor clearly. Transparency report: How we perform quality audit engagements

AUDIT QUALITY THEMATIC REVIEW

Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC

An Overview of the 2013 COSO Framework. August 2013

After completing this Session, you should be able to answer the following questions:

ASC 606 Revenue Recognition Implementation Services

Auditing Standard No. 18, Related Parties. 2. PCAOB AU Section 334, Related Parties. 4

STANDING ADVISORY GROUP MEETING AUDITOR'S REPORTING MODEL MAY 18 19, 2016

ASC 606 Transition: The role of ICFR and Auditor Expectations. Presented by Dave Christensen, Managing Consultant, Finance & Accounting February 2017

SECTION A CASE QUESTIONS (Total: 50 marks)

Report on Inspection of Deloitte & Associes (Headquartered in Neuilly-sur-Seine, French Republic) Public Company Accounting Oversight Board

PCAOB PROPOSED INTERNAL CONTROL AUDIT STANDARD

Present and functioning: Fine-tuning your ICFR using the COSO update

Checklist for Higher Education

Audit Committee Annual Evaluation of the External Auditor

2016 INSPECTION OF BHARAT PARIKH & ASSOCIATES CHARTERED ACCOUNTANTS. Preface

1. Corporate management (including the CEO) must certify monthly and annually their organization s internal controls over financial reporting.

Beyond Compliance. Leveraging Internal Control to Build a Better Business: A Response to Sarbanes-Oxley Sections 302 and 404

Memo. Date: October 2018 INTRODUCTION

Texas Municipal Retirement System Audit plan for the year ended December 31, 2016 March 30-31, 2017

Report on Inspection of K. R. Margetson Ltd. (Headquartered in Vancouver, Canada) Public Company Accounting Oversight Board

AUDIT RESPONSIBILITIES AND OBJECTIVES

2016 DEALERSHIPS OVERVIEW FOR KNOWLEDGE COACH USERS

WORLD-CLASS AUDIT REGULATION March 2016 ANNUAL INSPECTIONS REPORT.

COSO 2013: Updated internal control framework

May 29, F Street, N.E. Washington, DC Washington, DC 20549

Evaluenz Special Edition on Internal Controls Over Financial Reporting (ICFR) 2016

IIROC 2015 Financial Administrators Section Conference

Chapter 7. Auditing Internal Control over Financial Reporting. Copyright 2012 by The McGraw-Hill Companies, Inc. All rights reserved.

AEGON N.V. AUDIT COMMITTEE CHARTER

IOSCO Report on Good Practices for Audit Committees in Supporting Audit Quality

Auditing & Assurance Services, 7e (Louwers) Chapter 2 Professional Standards

VERSION #1 PLEASE WRITE ON YOUR SCANTRON

Transcription:

SARBANES-OXLEY COMPLIANCE MANAGING CHANGING EXPECTATIONS January 20, 2017 Pat Mitchell Managing Director Internal Audit, Risk, Business & Technology Consulting

CHANGES IN THE COST AND SCOPE OF SOX COMPLIANCE EFFORTS

BROAD RANGES FOR DIFFERENT TYPES OF ORGANIZATIONS Estimated internal costs for the organization s most recent year of Sarbanes-Oxley compliance (excluding external audit-related fees): 3

CHANGE IN HOURS How did the total amount of hours your organization devoted to Sarbanes-Oxley compliance change in fiscal year 2015? 4

CHANGE IN EXTERNAL AUDIT FEES If you reported an increase in your external audit fees, please indicate the percentage increase. 5

EFFECTS OF THE PCAOB INSPECTION REPORTS OF EXTERNAL AUDITORS If your external audit firm required significant changes to Sarbanes-Oxley compliance activities in 2015, to what extent do you believe those changes are the result of the inspections of the registered accounting firms by the PCAOB? 44% 27% 13% Very much so 4% Probably 12% Not very much Not at all Don t Know Note: The results in this section reflect responses from public company respondents but exclude those from pre-ipo organizations and emerging growth companies, which are not required to meet the auditor attestation requirement under Sarbanes-Oxley Section 404(b). 6

KEY CONTROLS AND ESTIMATED HOURS During fiscal year 2015, how many hours, on average, would you estimate your organization spent on each key control as it relates to the following activities? Testing management review controls Creating or updating control documentation Evaluating or reevaluating control design Testing for control operating effectiveness 7.3 6.4 6.2 Testing other information produced by entity (IPE) for data used to execute key controls 5.9 5.4 5.8 5.2 Retesting if control operating effectiveness is not initially achieved Remediating control design 7

INTERNAL CONTROL OVER FINANCIAL REPORTING How has the internal control over financial reporting changed since Sarbanes-Oxley Section 404(b) was required for your organization? 8

PCAOB INSPECTIONS PROCESS

2016 PCAOB STAFF INSPECTIONS BRIEF PCAOB inspects registered public accounting firms to assess compliance with the Sarbanes-Oxley Act, the rules of the Board, the rules of the Securities and Exchange Commission, and professional standards, in connection with the firm's performance of audits, issuance of audit reports, and related matters involving U.S. companies, other issuers, brokers, and dealers. This in-depth inspection covers: Certain aspects of a limited number of audits performed by the audit firm Certain elements of the firm s system of quality control over its audit processes PCAOB issued 219 in 2015 and in 2016 issued 148 through 11/9/16 Nine domestic firms are inspected every year Six global network firms which audited 99% of total market capitalization of issuers from 2011-2014: BDO, Deloitte, E&Y, Grant Thornton, KPMG, PwC Three non-affiliate firms: Crowe Horwath, MaloneBailey, McGladrey The Board makes portions of the reports available to the public; however, certain information is restricted from public disclosure, or its disclosure is delayed. 10

2016 PCAOB STAFF INSPECTIONS BRIEF In April 2016, the PCAOB issued a Staff Inspections Brief with a Preview of Observations from 2015 Inspections of Audits of Issuers. The overall number of audit deficiencies has decreased in 2015 compared to the 2014 audit cycle. Contributing factors include new practice aids and checklists, coaching and support to teams, and monitoring the quality of audit work performed. The most frequent audit deficiencies continue to be in the key areas of internal controls over financial reporting, assessing and responding to risks of material misstatement, and auditing accounting estimates, including fair value measurements. The 2015 inspections found an increase in the number of deficiencies around: Business combinations and the accounting estimates related to them Investments and pricing hard to value investment securities Asset impairment due to fluctuating oil prices The most frequently observed audit deficiencies related to revenue and receivables, nonfinancial assets (including goodwill and intangibles), inventory, financial instruments, and allowance for loan losses. Additional focus areas with issues include the statement of cash flows and income taxes. Audit Committee communications, auditor independence and engagement quality control remain ongoing areas of focus with deficiencies found primarily in the non-global network firms. ICFR remains a prominent deficiency area in the PCAOB inspection reports. ICFR deficiency rates range from 18% on the low end to 65% on the high end with the annually inspected firms in their most recent inspection report. 11

DEFICIENCY AREAS HIGHLIGHTED IN THE REPORTS Gaps in evaluating the control procedures performed for appropriateness against the control objectives, including whether they addressed GAAP requirements. Controls not identified or tested, including ITGC and application controls. Management Review Controls: gaps in evaluating design and testing management review controls precision including understanding the nature of review procedures, and criteria for follow-up investigation. Testing issues: Didn t test Information Produced by Entity (IPE). Coverage missed some transaction streams. Centralized control coverage not sufficient and presumption of homogeneous controls across locations. Failed to update testing for year-end and Q4 coverage. Failed to evaluate SOC gap period between the SOC report date and company yearend. Failed to sufficiently test compensating ITGC controls where primary controls failed. Inappropriate reliance on others. Deficiency analysis: Failed to evaluate the effect of errors identified in substantive testing on control operating effectiveness. Failed to evaluate effects of exceptions on its conclusion. 12

CYBERSECURITY

CYBERSECURITY Types of controls for timely recording and disclosure: Management issuing a memo to the Auditor o General description of the relevant risks; o People, processes and technology in place to address these risks; o List of recent internal audit projects (non-sox) performed; and o Statement that management is or is not aware of any relevant breaches this year that would warrant disclosure to investors. Includes known liabilities and contingent liabilities/claims. Cybersecurity Systems and Risks Reporting Act under consideration by congress. Would require Audit Committee cybersecurity expert. Amends Sarbanes-Oxley Act of 2002 to apply to cybersecurity systems and cybersecurity systems officers regarding corporate responsibility for reporting and managements assessments of internal control structures and procedures. AICPA Cybersecurity Attestation Initiative 14

IT SOX TRENDS

IT SOX TRENDS Material weaknesses around ITGC Canned report baselining initial and ongoing schedule Common controls for multiple applications when one application has ITGC issues, you may need to split out controls Scope of ITGC for SOX when new external auditors onboard SDLC for ERP implementations 16

404(A) TO 404(B) TRANSITION IMPLICATIONS

404(A) TO 404(B) TRANSITION IMPLICATIONS It s a big leap to get to the rigor of the PCAOB standards for ICFR Some of the common challenge areas: Management review control precision Depth of walkthroughs Spreadsheet and EUC controls Coordination with external auditors SOC report analysis COSO present and functioning and operating together analysis Fraud risk assessment Using external auditor s templates IPE testing Testing approach Deficiency evaluation 18

OUTSOURCED PROCESSES AND SSAE 16 SOC 1 REPORTS

WHAT TO DO WHEN YOU DON T HAVE A SOC 1 REPORT Management is responsible for gaining an understanding of the controls around its processes. Determine the risk-based scoping priority of the process. Document the process and key controls performed at the service provider. Perform on-site testing. Recommend enhancements for control gaps. 20

EVALUATING THE SOC 1 REPORT Assess the Scope of the Report Outline all of the significant operations that the Service Provider performs for the company. Determine whether the services that the Service Provider performs for the company are included in the report. If significant operations performed by the Service Provider are not included in the scope of the report, determine whether additional procedures may need to be performed. Evaluate the Opinion and Exceptions An opinion can be qualified on or unqualified. Review the depth of testing for sufficiency as the quality of these reports varies amongst auditors. Evaluate the impact a qualified report on the control environment and assess whether mitigating controls exist to reduce the likelihood that a material error at the Service Provider would not be detected. Exceptions in testing may still exist in a clean report and have an impact on the company. Assess the nature, extent and overall significance of the control and the effect of the exception. Evaluate the implications of the exceptions and determine whether the exceptions relate to a key control. Consider the effect of any complementary controls that might mitigate the effect of the exception. Include the exception in the control deficiency list if the exception impacts a key control. 21

EVALUATING THE SOC 1 REPORT (CONT.) Map User Control Considerations Controls relating to services provided by a Service Provider are referred to as "User Controls." User Control Considerations (UCC) are typically documented in the report. Assess the actual controls against the UCCs identified by the Service Provider and identify any gaps. Mapping the UCCs to controls in place helps to provide assurance that your controls would detect or prevent a misstatement in a timely manner, if a breakdown of controls occurred at the Service Provider. Review the control descriptions for robustness around management review controls. Evaluate whether internal controls are in place to monitor the activities performed by the Service Provider. Evaluate sub-service provider implications, if necessary. Cover the Gap Period The subsequent period of time between the "as of" date for a Type I, or the "period end" date for a Type II, and the company s fiscal year-end date is called the Gap Period. Depending on the length of time between the "as of" or "period end" date and the company s year-end date, additional procedures may be necessary to gain comfort over controls at the Service Provider. 22

CONTROLS AROUND DISCLOSURES

CONTROLS AROUND DISCLOSURES Each footnote disclosure needs its own control Areas receiving focus: Segment reporting Going concern assessment Earnings release process Non-GAAP measures and 302 process 24

ON THE HORIZON

RECENT AND UPCOMING CHANGES SSAE 18 is effective for SOC report opinions dated on or after May 1, 2017. Greater focus on subservice providers as well as more clarity around coverage. Registered audit firms are required to submit Form AP, Auditor Reporting of Certain Audit Participants, to disclose the names of engagement partners and other accounting firms that participated in audits of public companies. The work of third party valuation experts is getting a lot more scrutiny. Analysis of the impact and the disclosure of adopting new accounting standards is receiving more focus from the SEC and the external auditors. Enhanced focus on the reliance of work performed by others, including member firms. Some audit firms requiring IA to use random number generators to make their sample selections if they are relying on IA s work. 26

IMPACT ON YOUR PROCESS/METHODOLOGY Plan Scope Document Design Effectiveness Operating Effectiveness Evaluate Results Plan effectively. More frequent touch-points with external auditors to confirm: Scope Approach Reliance on IA Use of auditor templates Timing of joint walkthroughs Sample selection approach Read PCAOB inspection reports and discuss / challenge the impact on your company. Explain rationale for rankings on low risk/ immaterial areas. External auditors improving how they apply the top-down, riskbased approach. Consider any changes to controls due to implementing revenue recognition and other accounting standards. Define control precision in documentation. Identify critical data used as part of key controls (IPE/EAE). Document approach to implementing new accounting standards and disclosure requirements around revenue, cash flow, going concern, leases, non-gaap accounting, etc. Ensure documentation addresses all relevant transaction streams. Increase focus on assessing the key elements of control design. More documentation around conclusion of design effectiveness. Explain why exceptions from the auditor's statutory audit are not material weaknesses. Emphasis on reviewing SOC reports for sufficiency. Continued focus on testing the completeness and accuracy of reports and data in primary controls (IPE/EAE). Continued focus on testing precision of management review controls (BTR). Expanded level of depth of documentation in test results. Emphasis on roll forward testing with more requests to sample Q4. Emphasis on user access with expansion of applications in scope. Unique deficiency analysis templates used by audit firms. Connecting similar deficiencies in different areas and/or locations to assess impact. Increased focus on evaluating compensating controls. Ongoing Communication with External Auditors, Audit Committee, Management & Process Owners 27

2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback