Congress enacted the Sarbanes-Oxley Act of 2002 in response to a spate of highly publicized business failures, allegations of corporate improprieties and financial statement restatements. Section 404 of the act requires management to acknowledge its responsibility for establishing and maintaining adequate internal controls, including asserting their effectiveness in writing. The financial statement auditor, in turn, must report on management’s assertion about the effectiveness of its internal controls as of the company’s yearend. These provisions apply to entities with market capitalization of more than $75 million for fiscal years ending on or after June 15, 2004. (Smaller companies must comply as of the first fiscal year ending on or after June 15, 2005.) For businesses, following these seemingly innocuous provisions will be costly and time-consuming. For CPAs who audit public companies, the new rules will have a significant impact on how they do their job in the future. To provide guidance the AICPA Auditing Standards Board issued two exposure drafts: Auditing an Entity’s Internal Control Over Financial Reporting in Conjunction with the Financial Statement Audit (the SAS ED) and Reporting on an Entity’s Internal Control Over Financial Reporting (the SSAE ED). This article explains the impact these internal control certification requirements will have on the audit process, as well as the responsibilities management and external auditors have in meeting the act’s requirements.
HOW AUDITS WILL CHANGE

Control criteria. The generally accepted definition of this term, as outlined in Internal Control-Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), consists of five related components that must be present for an entity to achieve effective internal controls:

- The control environment.
- Risk assessment.
- Control activities.
- Information and communication.
- Monitoring.

The framework also includes three categories of controls—effectiveness and efficiency of operations, compliance with laws and regulations and reliability of financial reporting. Under section 404, the auditor’s primary focus is on reliability.

In auditing public companies, CPAs have characteristically performed a mix of tests of controls and substantive procedures to reduce the risk of material misstatement of financial statements to an appropriately low level. However the SAS ED says the level of understanding of internal controls CPAs must have to express an opinion on financial statements is not adequate to offer an opinion on the controls themselves. The nature, timing and extent of the tests of controls the CPA performs would ordinarily not be enough to express an opinion on internal controls because

- The range of tested controls is not sufficiently broad.
- Tests of controls may not provide appropriate levels of assurance about operating effectiveness.

CPAs will find these points have a significant impact on the integrated audit process.

New audit approach. To enhance audit efficiency and effectiveness, auditors have in the past used a variety of methods that will no longer be acceptable for integrated audits of public companies. In some financial statement audits, auditors chose to perform only substantive procedures rather than testing controls, or a mixture of the two. In nonauthoritative guidance the AICPA specifically sanctioned cycle rotation as a way to test controls.
This involved testing controls in several of an entity’s transaction cycles while doing a transaction “walk-through” to confirm the absence of control changes in the remaining cycles. Since auditors now must report comprehensively on the effectiveness of management’s internal control over financial reporting on an annual basis, cycle rotation is no longer acceptable in public company audits. Another popular approach, minimizing testing of preventative controls, also generally will not be advisable in these audits. Preventative controls are transaction-level controls, frequently automated and principally focused on ensuring transactions are properly authorized and recorded (such as check disbursement controls). “Detective” controls, on the other hand, reveal problems after the fact. They usually focus on populations of transactions (such as bank reconciliations) and are characteristically more cost-effective to test. Primarily testing detective controls is acceptable in financial statement audits only where low or moderate assurance about the effectiveness of internal controls is adequate. However, when expressing an opinion on internal controls, the auditor must do sufficient tests of controls to obtain high levels of assurance about their effectiveness. The EDs suggest this ordinarily will require the CPA to adequately test preventative as well as detective controls. In performing integrated audits, auditors will need to obtain significantly greater evidence about the operating effectiveness of controls for the reasons described earlier. CPAs can use this evidence to reduce the nature, timing and extent of substantive procedures they perform in reporting on audited financial statements. 
However, due to the inherent limitations of internal controls and the ever-present risk of management override, auditors will still have to perform substantive procedures, including tests of details and analytical procedures for each material account balance or class of transactions. This is true even though the auditor may not have identified any significant deficiencies or material weaknesses in internal controls.

THE AUDITOR AND MANAGEMENT

- Accept responsibility for the effectiveness of its internal controls.
- Evaluate their effectiveness using suitable control criteria.
- Support this evaluation with sufficient evidence.
- Present a written assertion about their effectiveness in either a separate report accompanying the auditor’s report or a representation letter to the auditor.

The auditor will require management to identify, document and evaluate significant internal controls. Management cannot delegate these functions to the auditors, nor can it rely on the auditor’s testing to support its assertion. The SSAE ED says such controls include

- Controls over initiating, recording, processing and reporting significant account balances, classes of transactions and disclosures and related assertions embodied in financial statements.
- Antifraud programs and controls.
- Controls, including general ones, on which other significant controls depend.
- Each control in a group that functions with another one to achieve a control objective.
- Controls over significant nonroutine and nonsystematic transactions.
- Controls over the period-end financial reporting process.

Auditors are urging their clients to begin the controls-effectiveness assessment as early as possible. The task will be arduous and time-consuming, requiring management to determine which locations or business units it should include in its evaluation. (The SSAE ED has a chart to help make this decision.)
Management also will have to evaluate the design and operating effectiveness of controls, determine whether identified deficiencies are significant (previously called reportable conditions) or are material weaknesses and document the results, including the procedures it performed. Management cannot use inquiry alone to adequately evaluate the operating effectiveness of controls. It also must correct any identified deficiencies early enough to allow sufficient time before yearend for the auditor to adequately assess design and operating effectiveness. How much time depends on the nature of the control and the frequency of operation. Management’s failure to allow sufficient lead time could result in a qualified opinion.

The Foreign Corrupt Practices Act of 1977 requires all public companies to devise and maintain a system of internal controls to provide reasonable assurance assets are safeguarded and transactions properly authorized and recorded. Consequently, many public companies already have various forms of controls documentation such as policy manuals, accounting manuals, memorandums, flowcharts, decision tables and questionnaires. However, few have comprehensively and consistently documented and evaluated controls to the extent necessary to provide an assertion about their effectiveness. Also, entities often put more emphasis on preventative than detective controls, as it is usually more efficient to prevent misstatements than to detect and correct them. However, the EDs admonish CPAs that a well-run system should have an appropriate mix of both preventative and detective controls.

To ensure a comprehensive and consistent entitywide process, many auditors are recommending clients establish project teams reporting directly to the CEO or CFO in light of the task’s importance. Team leaders should be respected employees and have experience dealing with large-scale projects.
Consequently, the CFO, controller or internal audit director should head the team, which should consist minimally of adequately trained personnel from accounting, internal audit, information systems, finance, operations, legal and human resources. If asked to be involved in a client’s project, an auditor must be careful not to impair his or her independence and objectivity. The SSAE ED says auditors may help prepare or gather information as long as management directs and takes responsibility for documenting controls in the process, including determining which controls to document. Auditors can help clients understand the process and advise them on how to identify significant accounts, processes and reporting units, as well as how to evaluate controls’ effectiveness. Indeed some auditors give clients electronic templates to ensure entitywide consistency in assessing controls. However, the auditor cannot be the person to determine which accounts or processes are significant, nor accept management’s responsibility to reach conclusions on the effectiveness of the entity’s internal controls; the auditor’s role is to report on management’s conclusions. Similarly, management cannot base its assertion about design and operating effectiveness on the results of the auditor’s tests.
Form an opinion on the effectiveness of entity internal controls, based on the control criteria.

The auditor may consider the results of management’s tests of the operating effectiveness of controls, but never should rely on them as principal evidence. The same is true for testing by third parties or internal auditors. Contrary to guidance in SAS no. 65, The Auditor’s Consideration of the Internal Audit Function in an Audit of Financial Statements, the SSAE ED proposes that when using internal auditor test results the external auditor must both reperform tests of controls and do independent tests for each significant account, class of transactions and disclosure. When using internal auditors for direct assistance, the external auditor should recognize that the former’s objectivity might be impaired where they routinely perform monitoring functions for management. The exhibit shows other key ED proposals on auditor tests of controls.

When giving an opinion on the effectiveness of the design and operation of an entity’s internal controls, the auditor should consider all evidence, including test results and any identified deficiencies. A material weakness precludes an unqualified opinion that controls are effective. Inadequate client documentation of controls design may result in a significant deficiency or material weakness and may be a scope limitation. A material weakness may exist when management has not obtained sufficient evidence to support its evaluation of operating effectiveness. Ironically, it’s possible for an auditor to issue an unqualified opinion on a public company’s financial statements, while qualifying its opinion of the effectiveness of internal controls. This can happen when a CPA identifies a material weakness that did not cause a material misstatement of the financial statements. However, significant deficiencies in controls might be deemed material weaknesses, even though the auditor found no related misstatements.
NEW RESPONSIBILITIES

Management and auditors should recognize the process will be valuable for several reasons. Management’s assessment of internal controls should enhance the entity’s risk identification processes by lending entitywide consistency. The assessment also should enhance controls consciousness throughout the company and may reveal unnecessary or duplicate controls, as well as areas for improvement. Better control processes could result in operating efficiencies and reduced litigation and fraud.
How frequently must an auditor test operating effectiveness of controls?
The auditor should test the operating effectiveness of such controls at least once every third audit, but avoid testing all controls in one audit period with no testing in the others.

Is the auditor required to test the operating effectiveness of controls on every audit engagement?
The auditor should test the operating effectiveness of a control selected for testing by determining whether the control is operating as designed and whether the person performing the control possesses the necessary authority and competence to perform the control effectively.

When should audit controls be tested?
Tests of control are only performed when the auditor believes that the control risk is low, enabling them to verify this assessment. However, a test of details is almost always required to obtain sufficient audit evidence.

Do auditors verify the effectiveness of internal controls?
The auditor should form an opinion on the effectiveness of internal control over financial reporting by evaluating evidence obtained from all sources, including the auditor's testing of controls, misstatements detected during the financial statement audit, and any identified control deficiencies.