Short, engaging headline

Similar documents
IIROC 2015 Financial Administrators Section Conference

September 9, 2016 kpmg.ca

Working better by working together

Speech by SEC Staff: Remarks before the 2007 AICPA National Conference on Current SEC and PCAOB Developments

Sarbanes-Oxley Act of 2002 Can private businesses benefit from it?

B S R & Co. LLP. Reporting on Internal. Reporting An Overview. Sarbanes Oxley Act (SOX) 28 December 2013

Beyond Compliance. Leveraging Internal Control to Build a Better Business: A Response to Sarbanes-Oxley Sections 302 and 404

Public Company Accounting Oversight Board

Powered by technology, our experts are unlocking the value of your audit. Dynamic Audit

CFO Financial Forum Webcast

Insights into Mining Issue 12: Unlocking the value of D&A

Re: PCAOB Rulemaking Docket Matter No. 37

SAMPLING AND ERROR EVALUATION RSM US LLP. All Rights Reserved.

Data, Analytics and Your Audit

Internal Audit and Robotic Process Automation

Third Party Risk Management ( TPRM ) Transformation

IPO Readiness. Sarbanes-Oxley Compliance & Other Considerations. Presented by:

Auditing Standard 16

Report on Inspection of Deloitte LLP (Headquartered in Toronto, Canada) Public Company Accounting Oversight Board

Your unique family, our unique approach.

WORLD-CLASS AUDIT REGULATION November Big Four Inspections Report.

J. Gordon Seymour, Secretary Martin F. Baumann, Chief Auditor and Director of Professional Standards

Insights into Mining. Project risk and the role of the board. How can a mining company come to grips with capital cost overrun?

Report on Inspection of KPMG Auditores Consultores Ltda. (Headquartered in Santiago, Republic of Chile)

Report on Inspection of KPMG AG Wirtschaftspruefungsgesellschaft (Headquartered in Berlin, Federal Republic of Germany)

Giving you clarity on your change programmes

Automotive suppliers. IFRS 15 Revenue Are you good to go? December kpmg.com/ifrs

GRI s G4 Guidelines: the impact on reporting

CLAconnect.com/creditunions. Impact the Future of Credit Unions

February 23, Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, N.W. Washington, D.C.

Rising to the challenge Delivering Internal Audit excellence

SARBANES-OXLEY COMPLIANCE MANAGING CHANGING EXPECTATIONS January 20, 2017

The audit report journey

ERP IMPLEMENTATION RISK

Definition of a lease: Applying the new lease standards

KPMG s Dynamic Audit. Powered by Data+ Analytics. January kpmg.com

CRESCENT CAPITAL BDC, INC. AUDIT COMMITTEE CHARTER

Andrea ROSIGNOLI Partner KPMG

Collaboration between humans and technology is creating a new labor class

) ) ) ) ) ) ) ) ) ) ) )

GRI s G4 Guidelines: the impact on reporting

Digital Labor Analytics

US Inspection Findings and Internal Control Methodology Changes

Back to School for Business Services how to get it right?

Real-Life Examples: Oracle Advanced Controls (OAC) Benefits in Oracle EBS R12 Upgrades/Implementations

SOX Audit Environment

Can the public sector deliver a zero tolerance approach to corruption risk?

Sarbanes Oxley Impact on Supply Chain Management

See your auditor clearly. Transparency report: How we perform quality audit engagements

Evaluating Internal Controls

Make the complex manageable

Set Sails Conference. 3 questions you need to answer to master the digital storm. Michael Pritzer, Alexander Jonke. Munich

Increasing External Auditor Reliance

KPMG s Audit Committee Institute

Devon and Cornwall Police May 2017

The client. The challenge. CASE STUDY: From Supply Chain Insights to Value

Risk consulting. Conduct risk: Aligning product, customer and value. kpmg.ie

189,000. Operates in. countries. Europe, Middle East and Asia (EMA) is KPMG s fastestgrowing. Global Green Initiative. KPMG was founded.

Scenario planning and uncertainty

Report on Inspection of KPMG Audit Limited (Headquartered in Hamilton, Bermuda) Public Company Accounting Oversight Board

2015 SURVEY Data & Analyticsenabled. Internal Audit. kpmg.co.za

Spend visibility and shared services Strategies to address growing pains for long-term care organizations

A Strategic Approach to Bank Fraud

Financial Reporting Council BDO LLP AUDIT QUALITY INSPECTION

Strategy Group kpmg.ca

Quality Assessments what you need to know

STANDARD-SETTING UPDATE OFFICE OF THE CHIEF AUDITOR DECEMBER 31, 2017

KPMG Smart Controls. Putting you in control of your controls. kpmg.co.uk

SOUTHWEST AIRLINES CO. AUDIT COMMITTEE CHARTER

[RELEASE NOS ; ; FR-77; File No. S ]

Financial Accounting Resource Center

Intelligent Automation and Internal Audit

An Oracle White Paper December Reducing the Pain of Account Reconciliations

Using a balanced scorecard to help measure facilities management performance

Report on. Issued by the. Public Company Accounting Oversight Board. June 16, 2016 THIS IS A PUBLIC VERSION OF A PCAOB INSPECTION REPORT

AASB 15 Revenue from contracts with customers. Consumer and industrial markets 15 November 2016

Human Resources Audit. XYZ Group

Dynamic Risk Assessment

AN AUDIT OF INTERNAL CONTROL THAT IS INTEGRATED WITH AN AUDIT OF FINANCIAL STATEMENTS: GUIDANCE FOR AUDITORS OF SMALLER PUBLIC COMPANIES

Transforming Data Into Value. Rotterdam October 28, 2015

Corporate Governance Principles of Auditing: An Introduction to International Standards on Auditing - Ch 14

The New COSO Framework: Avoiding Deficiencies and Driving Change

Capital Markets: IPO Advisory

Managing Fraud Risk: New Professional Guidance

Internal Financial Controls New perspectives as per Companies Act 2013 and CARO 2016

STANDARD-SETTING UPDATE OFFICE OF THE CHIEF AUDITOR SEPTEMBER 30, 2017

SOX Optimization: Improving Compliance Efficiency and Effectiveness

Report on Inspection of KAP Purwantono, Sungkoro & Surja (Headquartered in Jakarta, Republic of Indonesia)

MARIANNE E. ROCHE ATTORNEY AT LAW

Optimizing the value of audit quality indicators Lessons we have learned

Sample Audit Committee. of Auditors and Management

LeiningerCPA, Ltd. RISK MANAGEMENT POLICY STATEMENT

Fiduciary Duty of Board of Directors to Oversee Financial Affairs

Independent Auditor s report

VIRGINIA STATE UNIVERSITY RISK ANALYSIS SURVEY OPERATIONAL. 1. Operating Concerns of the Assessable Unit and/or Business Process

STANDARD-SETTING AGENDA OFFICE OF THE CHIEF AUDITOR JUNE 30, 2016

Report on Inspection of KPMG SAS (Headquartered in Bogota, Republic of Colombia) Public Company Accounting Oversight Board

Services to Local Government

Reliable Financial Reporting. Evaluating Deficiencies in Internal Control Over Financial Reporting

Transcription:

Short, engaging headline Internal controls over financial reporting Designing a healthy program that evolves to meet changing needs kpmg.ca

In this series of white papers, KPMG s Risk Consulting practice looks at how companies can design a healthier internal controls over financial reporting (ICOFR) approach to better manage risks, reduce costs, and find opportunities to improve operational performance. Responsible individuals, even if they have not had serious health issues in recent years, still have regular medical checkups. Similarly, companies whose ICOFR programs appear to be running smoothly should still periodically evaluate the health of their ICOFR program and controls portfolio. In addition to identifying and correcting potentially unhealthy aspects of the programs or control problems before they occur, a welldesigned evaluation (health check) can provide significant insights: Assessing the total cost of controls, including an understanding of costs that are often hidden (such as the costs to perform the control activities), may identify opportunities for cost savings and better allocation of resources. These opportunities are growing as documentation requirements, particularly around completeness and accuracy, increase. An effective ICOFR program assessment may identify specific areas that are less mature than others. A common example is ICOFR program governance, where there may be disconnects between who owns the overall program, who designs the controls, who performs the controls and who tests the controls. The result is often inefficiencies and/ or omissions. Defining an ICOFR strategy may reduce financial reporting risks without increasing spend by helping identify a company s most critical areas. A strong, effective financial statement risk assessment process helps establish and support the ICOFR strategy, control selection, testing approach, and other program decisions. Companies can then focus both their control performance and testing efforts on the most critical areas. A more strategic and focused ICOFR program allows internal audit resources to focus more on the broader risk assessment, process improvement and value-creation audits, leading to better organizational performance. Future papers in this series will look at these points in detail. The rest of this paper will delve into how the evolution of Sarbanes-Oxley 404 (SOX) has impacted ICOFR programs and offer insights on how to evaluate whether your company s ICOFR program is providing value as a mature, healthy program should.

Understanding themes in material weaknesses No company expects to discover costly and damaging weaknesses in its ICOFR program, but failures happen, even in companies that devote extensive and expensive resources to performing and testing controls. Several consecutive years without material weaknesses or significant deficiencies is no guarantee that a control issue is not looming, particularly if the company does not have a healthy ICOFR program. The seven primary themes for material weaknesses are as follows. 1 Theme Lack of documentation, policies and procedures Lack of accounting resources/expertise Material and/or numerous auditor year-end adjustments IT, software, security, and access issues Issues around the segregation of duties Inadequate control design or a lack of controls Non-routine/ complex transactions Example a deficiency in the effectiveness of a control intended to properly document and review relevant facts and apply the appropriate tax accounting under accounting standards The Company did not maintain a sufficient complement of personnel with an appropriate level of knowledge of accounting, experience, and training commensurate with its financial reporting requirements we identified a material weakness in our internal control over financial reporting with respect to the application of complex technical accounting standards Insufficient information technology controls and documentation The Company has not appropriately restricted access to the accounting applications to appropriate users and does not have processes in place that ensure that appropriate segregation of duties is maintained. The internal audit department did not develop its functions to comply with the analysis of the controls during the year, consequently, this limited the functions of the Audit Committee Management has identified a material weakness in internal control over financial reporting relating to the accounting for significant and complex transactions 1 Based on a KPMG study of annual filings released by all SEC-registered public companies between November 2014 and June 2017. Understanding these themes can help companies take continuing measures to reduce the risk of future errors. As an added benefit, these measures can also reduce the total cost of ICOFR and improve efficiency throughout the company. Internal controls over financial reporting 1

The evolution of Sarbanes-Oxley Since the Sarbanes-Oxley (SOX) Act was passed in 2002, the related demands on companies and external auditors have evolved, as seen in the graphic below: SOX Effort 2 Management s Testing External Auditor Testing High number of controls, low level of testing detail Low number of controls, high level of testing detail Level of Effort Increased complexity of accounting and ICOFR 2002 2004 2005 2006 2007 2011 2012 2016 2018 2019 Sarbanes Oxley Act passed 3 AS2 4 AS 5 6 SEC issues interpretative guidance for management 5 PCAOB SAPA 11: Considerations for audits of ICOFR 7 Revenue Recognition & Leasing Standards 9 PCAOB SAPA12: Auditing Revenue 8 2 Based on trends observed by KPMG professionals 3 Source: U.S. Securities and Exchange Commission Web site; Laws SOA 2002 4 Source: Public Company Accounting Oversight Board (PCAOB) Web site; Docket 008: Auditing Standard No. 2 (March 9, 2004) 5 Source: U.S. Securities and Exchange Commission Web site; 17 CFR Part 241 (Release No. 33-8810), Commission Guidance Regarding Management s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934 6 Source: PCAOB Web site; Rulemaking Docket section; Docket 021: Auditing Standard No. 5 An Audit of Internal Control Over Financial Reporting that is Integrated with an Audit of Financial Statements (June 12, 2007) 7 Source: PCAOB Web site; PCAOB Staff Audit Practice Alert (SAPA) No. 11 Considerations for Audits of Internal Control Over Financial Reporting (October 2013) 8 Source: PCAOB Web site; Standards section; Guidance section; Matters Related to Auditing Revenue in an Audit of Financial Statements (September 9, 2014) 9 Source: Revenue Recognition & Leasing Standards Accounting Standards Codification (ASC) 606, Revenue from Contracts with Customers; ASC 842, Leases

Without entering into too much detail on each phase in the ICOFR evolution, it is still possible to identify several broad trends: SOX continues to evolve from a high number of controls with a low level of testing detail to a lower number of controls with more in-depth testing. Companies that have not recently updated their programs, especially if they also lack a focus on aligning with the PCAOB and SEC focus areas, may have SOX programs that are out of alignment with leading practices. The type of effort required from process and control owners to execute and document controls has changed. Management must now provide more detailed documentation, especially around management review controls, and appropriately consider completeness and accuracy for key reports. Creating and maintaining documentation in a timely and efficient manner is critical to an efficient program. The SEC and the PCAOB are both messaging that management and auditors have not yet finished the controls journey, and we expect a continued trend of increasing requirements for the external auditor and therefore, indirectly, for companies. In particular, companies that strive to increase external auditor reliance may see internal testing efforts increase to meet PCAOB expectations. The balance of cost and reliance should be a deliberate consideration in establishing a company s ICOFR program strategy. Currently, many ICOFR programs are focused on maximizing external auditor reliance on the company s internal testing. That could mean the company s internal testing efforts are focused on the lower-risk controls instead of on those areas that pose greater financial reporting risks. The new accounting standards around revenue recognition and leases bring new internal control challenges. Companies need to design controls around the new processes, systems, and governance required to implement these standards as well as around the calculation of the transition amounts. These standards also require new types of data and estimates, which rely on historical details and trends (e.g., average length for leases, how many extensions are usually entered into, etc.) that have not previously required controls to be in place. The increasingly complex nature of business transactions also has an impact on internal control considerations, as acquisitions, divestitures, restructurings, and refinancings are all significant unusual transactions that need extra attention from a controls perspective. These are also focus areas for the SEC and PCAOB. ICOFR can be costly, and many companies are looking for opportunities to reduce expenditures while maintaining compliance. But if companies do not continue to examine and evaluate their ICOFR programs, the natural tendency is for rising complexity and requirements to lead to rising effort and cost. Better strategy, governance, and performance can meet higher demands without a higher budget. Internal controls over financial reporting 3

Assessing the health of an ICOFR program A thorough health check can identify the potential for a more effective and efficient ICOFR program. Answering the following questions will provide perspective on where your company s ICOFR program currently stands: 1 2 3 4 5 6 Is the ICOFR program s value clear to senior management and the board of directors? If your ICOFR program is merely seen as a necessary cost, then it is not demonstrably fulfilling its role of ensuring the reliability of financial statements and avoiding costly errors. An ICOFR program should serve management and the board by providing insight beyond compliance to enable and support process improvement, thereby decreasing risk and adding value to the business. Does your organizational culture support the ICOFR program? Even the best set of controls will not function well if key personnel are not collaborating fully. This culture should start at the top. Companies with significant control issues often end up identifying the root cause as senior management s failure to place appropriate emphasis on controls and not allocating sufficient resources to fully remediate control failures with sustainable processes. Have you identified the 10 20 most critical internal controls and directed efforts toward them? Not all key controls are created equal. Some are far more likely to catch errors. The program as a whole should show a visible difference in approach for the most critical controls. ICOFR programs often allocate the same amount of time and effort to all key controls, rather than designing, operating, and testing controls with a greater focus on the most critical areas. Do those critical internal controls include a strong set of direct entity level controls (ELCs)? Well-designed direct ELCs operating at the right level of precision can function as an insurance policy to mitigate lower level control failures and keep them from becoming material to the company. These direct ELCs are often the key operational controls that management relies on to run the business. Since they are complex and time consuming to document and test, ICOFR programs often do not include them, but they are important to a well-balanced ICOFR program. Are you confident that your controls are effective, even without testing them each year? If you cannot answer yes to this question, or are concerned with testing your controls before the external auditor does, it is a sign you are worried the controls are not operating effectively. In that case, you should consider the cause of this uncertainty, which may be incorrectly designed controls, problems in the control environment, or cultural issues. Do you have KPIs to identify potential issues? Defining control-related KPIs is one of the best ways to measure and monitor ICOFR program and control performance. Monitoring controls can assess whether controls are failing elsewhere in the company. For example, how many terminated users are identified during a periodic user access review should be used to identify and address shortcomings in the regular employee termination process where access for those users should have been revoked.

I have not had an issue, why should I check the health of my ICOFR program? Need for a strong 404a process, irrespective of PCAOB or external auditor perspective The external auditor cost is high once you end up with a material weakness Focus on total cost of control In extreme circumstances, the external auditor may resign Even if you do not think you have a problem, you should have a check up It is expensive to remediate once something has gone wrong Drive continuous improvement and efficiencies Potential impact on management compensation related to material weaknesses A link between stronger controls and greater predictability of earnings/overall valuation of a company Potential loss of Audit Committee trust You have had a significant deficiency or some close calls Impact on share price/total cost of the business Internal controls over financial reporting 5

Final thoughts Like any other important program, ICOFR is vulnerable to mission creep, rising costs and inefficiencies, especially if the program has gone for years without a thorough health check of its activities. In the case of ICOFR, an unhealthy program can be expensive and increase the risk of a material weakness. But beneath these risks are opportunities, as the journey to continuously improve and mature ICOFR programs can reduce risk, cut costs, and increase efficiency. A healthy ICOFR program can drive value through a positive impact on business processes and risk management and therefore on business performance. Future papers will further explore these opportunities. Contact us Bruce Willis Partner & National Lead, Internal Audit, Risk & Compliance (IARCS) T: 306-791-1209 E: brucewillis@kpmg.ca Heather Cheeseman Partner, Internal Audit, Risk & Compliance (IARCS) T: 416-777-3314 E: hcheeseman@kpmg.ca Genevieve Leong Partner, Internal Audit, Risk & Compliance (IARCS) T: 416-777-3226 E: genevieveleong@kpmg.ca Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates. kpmg.ca/iarcs The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation. 2018 KPMG LLP, a Canadian limited liability partnership and member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback