Issue 8 of Volume 2 of The Bulletin, Section 404 Compliance: Lessons Learned for the Next 12 Months, outlined seven lessons for improving processes and compliance approaches:
- Deploy a top-down approach to focus on what’s important
- Consider qualitative and quantitative factors to implement a truly risk-based approach
- Optimize IT controls to increase the cost-effectiveness of the controls portfolio
- Apply continuous process-level testing techniques to improve reliability of results
- Improve operational effectiveness and efficiency of upstream financial reporting processes
- Incorporate management’s knowledge of controls into the assessment process
- Don’t wait for Washington to act
This Supplement to Issue 8 of Volume 2 of The Bulletin is intended to supplement the above lessons. Therefore, the above lessons will not be duplicated herein. The Supplement provides more granular lessons by phase of work:
- Plan and organize the project
- Document and evaluate controls design effectiveness
- Validate controls operating effectiveness
- Design and implement solutions for control deficiencies
- Communicate results
- Overall project documentation
Additional lessons are provided at the conclusion of the document.
It is not appropriate to use this summary as a substitute for reviewing applicable Securities and Exchange Commission and Public Company Accounting Oversight Board (PCAOB) standards and guidance. Note that the lessons herein were articulated prior to the release by the SEC of its guidance following the May 10, 2006 roundtable and the revision of Auditing Standard No. 2 (AS2) by the PCAOB. While not intended as all-inclusive in scope and to address all possible lessons, this supplement provides observations, recommendations and suggestions for management and audit committees to consider. It may be especially useful for those companies just beginning their compliance and preparing to file their first internal control report.
Plan and organize the project
Key lessons relating to planning and organizing an assessment of internal control over financial reporting (ICFR) include the following:
- For large and complex companies, Section 404 compliance is a major effort requiring coordinated multitasking. The coordination required of multiple tasks by multiple people and teams for multiple locations and units involving multiple processes in which multiple controls are embedded and for which there are multiple action steps to identify, document, assess, test and remediate controls can become too difficult a task for even the most talented individuals. For that reason, companies should view initial Section 404 compliance as they would any major project, and dedicate sufficient resources and project management discipline to hold the appropriate personnel accountable and bring the project to successful completion. Subsequent to initial year compliance, monitoring will be required to ensure successful compliance and to keep things on track.
- Top management support is vital. It is difficult, if not impossible, to succeed without executive management setting the tone for the effort, and committing the right resources and personal involvement. Certifying officers should understand the approach, insist on status reports, ask tough questions and provide leadership, so personnel within the organization know the project is important.
- Engage unit managers and process owners (both in-house and outsourced) and hold them accountable. Involve process owners in documenting controls, evaluating design effectiveness and validating operating effectiveness. Make sure they are prepared for auditor walkthroughs. Going forward, clarify roles and responsibilities for ICFR through company policies and explicit job descriptions. Reinforce accountability by insisting on sub-certifications and self-assessments from process owners. Updated SAS 70 requirements may need to be negotiated into outsourcing agreements.
- Answer key scoping questions early. For example, address questions regarding which financial reporting elements are important; which locations and units should be covered; which processes should be documented, and which systems should be understood. Factor in quantitative and qualitative considerations into the scope determination.
- Financial reporting elements include footnote disclosures. Don’t limit the scoping process to balance sheet and income statement accounts.
- Take charge of the project. Avoid managing the project at too low a level within the organization or letting the project team get lost in details. Communicate up, down and across the organization. And don’t ignore the clock. Begin early.
- Involve the external auditor at appropriate points during the planning process. Understand the auditor’s views on materiality during the scope-setting process. This process is highly judgmental; so expect an iterative dialogue with the auditor who may not agree with certain aspects of management’s scope decisions.
- Document the results of project planning and organization. For example, include: (1) an analysis of financial reporting elements to select the priority accounts and disclosures, (2) the decomposition of the reporting entity into locations and units and business processes and (3) supporting analyses selecting for inclusion into scope the critical control locations and units and the significant processes feeding the priority financial reporting elements.
Document and evaluate controls design effectiveness
Some of the key lessons relating to documenting and evaluating controls design effectiveness are as follows:
- Inventory the company’s existing controls documentation. No one should begin with a blank sheet of paper. Every organization has some documentation somewhere. Find it and use it.
- As early as possible in the process, assess your entity-level controls, evaluate your general IT controls, document and evaluate the controls over the period-end financial reporting process, and plan on making fraud explicit in the process to assess controls designed to prevent or detect fraud (including segregation of duties). These are important areas and should be addressed early to allow time to remediate deficiencies.
- Focus controls documentation and evaluation at the process level on the priority financial reporting elements, assertions and risks. Link the priority elements, processes, key assertions, risks and controls. Integrate IT risks and controls with the Section 404 assessment at the process level.
- Pay attention to the details. Until the SEC issues more granular guidance, read and understand the PCAOB’s AS2 and document your roadmap for complying with it. Understand and apply the COSO framework (or some other suitable framework) as it is designed, which means explicitly addressing the five components and considering controls at both the entity and process levels.
- Expect the initial annual Section 404 assessment to be a learning experience. No one has all of the answers, not even the auditors. Expect to encounter “bumps” along the road. The first year experience is a challenge – for everyone.
- Involve the external auditor at appropriate points during the controls documentation and evaluation process. Understand their expectations and timing requirements, conduct periodic checkpoints and plan to give them sufficient time to perform their audit work.
- Document the results of the evaluation of controls design effectiveness. For example, project documentation completed through this stage of the assessment might include, among other things:
- Documentary support for the company-level controls, general IT controls and anti-fraud program in place, including controls in place that address the identified risk of material misstatements due to error or fraud
- Process maps or equivalent documentation evidencing (1) the period-end financial reporting process and identification of the points at which material misstatements due to error or fraud could occur, and (2) how significant transactions are initiated, authorized, recorded, processed and reported, and identification of the points at which material misstatements due to error or fraud could occur
- Evidence of design of controls addressing all relevant assertions related to all significant accounts and disclosures, including the linkage of accounts to assertions to controls
- Evidence that the five components of COSO (including the control environment and company-level controls) are addressed
- Evidence of controls in place that safeguard assets
- Documentary support for and results of management’s evaluation of controls design effectiveness, including identification of design deficiencies
Validate controls operating effectiveness
Some of the key lessons relating to validating controls operating effectiveness are as follows:
- Define the testing plan and “rules of engagement” up-front. A testing plan is management’s plan for testing internal controls. In the plan, management defines the testing approaches, scopes and sample sizes that are required to support the assertions in the internal control report. Following are some points to remember:
- Filter the controls for testing down to the ones that really matter, i.e., the so-called “key controls.”
- Define the “failure conditions” so evaluation teams will know the criteria for “passing” and “failing” controls.
- Articulate testing documentation protocols and decision rules for the steps evaluation teams must take when failure conditions are encountered (i.e., when a control fails a test).
- Vary testing scopes according to frequency of the control.
(Note: Reconcile the use of small sample sizes with your knowledge of the population you are testing. Use of small samples may require “perfect test results” (i.e., no exceptions), which may be an unrealistic expectation.)
- Apply self-assessment[1] in moderate- to low-risk areas.
(Note: See explanation of self-assessment in Issue 1, Volume 2 of The Bulletin.)
- Use appropriate sample sizes to obtain a high level of assurance.
- Use competent and objective evaluators.
- Don’t forget to perform year-end refresh testing.
- Recognize that automated controls need to be tested only once or a few times, provided management is satisfied the general IT controls are performing effectively.
- Testing coverage should address all required controls. The PCAOB requires auditors to test the following controls:
- Controls over initiating, authorizing, recording, processing and reporting significant accounts and disclosures and related assertions inherent in financial reporting
- Controls over the selection and application of accounting policies that are in conformity with generally accepted accounting principles
- Anti-fraud programs and controls
- Controls, including information technology general controls, on which other controls are dependent
- Controls over significant non-routine and non-systematic transactions (e.g., accounts involving judgments and estimates)
- Company-level controls, including the control environment and controls over the period-end financial reporting process
Build the above requirements into the testing plan, so the evaluation team’s controls testing will be sufficiently comprehensive.
- Involve the external auditor at appropriate points during the process of validating controls operating effectiveness. Offer the auditors an opportunity to review your testing plan. The more explicit the definition of scopes, failure conditions and steps to take upon encountering exceptions, as outlined in the testing plan, the more meaningful auditor interaction will be at this stage. Furthermore, it is also more likely the auditor will use the work of competent and objective evaluators. Conduct periodic checkpoints, particularly early in the testing process, to ensure agreement on the depth and breadth of testing documentation. While it is also appropriate to pay attention to the tests performed by the auditor, remember that management cannot rely on the auditor’s tests of controls. In fact, management is required to represent that it did not rely on the auditor’s procedures when evaluating the body of evidence supporting the assertions in the company’s internal control report.
- Document the results of the validation of controls operating effectiveness. For example, project documentation completed through this stage of the assessment might include, among other things, management’s testing plan and the results of (1) process owner self-assessments, (2) entity-level and process-level monitoring, and (3) independent interim tests of controls operating effectiveness, refresh tests of controls operating effectiveness and retests of remediated controls.
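The note above on small sample sizes deserves a worked illustration. The following is an added example, not material from The Bulletin: it applies standard attribute (binomial) sampling to show why a sample of, say, 25 items can only support a conclusion if it produces zero exceptions, and why scopes should follow the frequency of the control. The 95 percent confidence level and the 10 percent tolerable deviation rate used here are illustrative assumptions, not figures from the page; the function names are likewise the example's own.

```python
import math


def cumulative_binomial(n, k, p):
    """P(X <= k) for X ~ Binomial(n, p): the probability of observing at
    most k exceptions in a sample of n items when the true deviation
    rate of the population is p."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def max_deviation_rate(n, exceptions, confidence=0.95):
    """Upper confidence bound on the population deviation rate, given
    `exceptions` failures observed in a sample of size n.

    Solves P(X <= exceptions | p) = 1 - confidence for p by bisection.
    The cumulative probability falls monotonically as p rises, so the
    search is well defined."""
    if exceptions >= n:
        return 1.0
    target = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(100):
        mid = (lo + hi) / 2
        if cumulative_binomial(n, exceptions, mid) > target:
            lo = mid   # this few exceptions is still plausible at rate mid
        else:
            hi = mid   # rate mid is already implausible given the evidence
    return hi


def min_sample_size(tolerable_rate, exceptions_allowed, confidence=0.95, limit=10_000):
    """Smallest n such that, if no more than `exceptions_allowed` failures
    turn up, the upper bound on the deviation rate stays within
    `tolerable_rate`."""
    for n in range(exceptions_allowed + 1, limit):
        if max_deviation_rate(n, exceptions_allowed, confidence) <= tolerable_rate:
            return n
    raise ValueError("no sample size within limit")


def plan_for_frequency(occurrences_per_year, tolerable_rate=0.10,
                       exceptions_allowed=0, confidence=0.95):
    """Testing scope for a control that operates `occurrences_per_year`
    times (assumed to be the whole population for the year).  A quarterly
    control has only four instances, so all of them are examined and the
    statistical bound does not apply; a daily control is sampled."""
    required = min_sample_size(tolerable_rate, exceptions_allowed, confidence)
    return min(occurrences_per_year, required)


if __name__ == "__main__":
    # Constructed illustration: a 25-item sample of a daily control.
    print("25 items, 0 exceptions -> rate <=", round(max_deviation_rate(25, 0), 3))
    print("25 items, 1 exception  -> rate <=", round(max_deviation_rate(25, 1), 3))
    print("n for 10% tolerable, 0 exceptions:", min_sample_size(0.10, 0))
    print("n for 10% tolerable, 1 exception :", min_sample_size(0.10, 1))
    for freq in (4, 12, 52, 250):
        print(f"control operating {freq:>3}x/year -> examine {plan_for_frequency(freq)} items")
```

With 25 items and zero exceptions the evaluator can assert, at 95 percent confidence, that the control fails no more than about 11 percent of the time; a single exception in that same sample pushes the bound to roughly 18 percent. Supporting a 10 percent tolerable rate while allowing one exception requires 46 items rather than 29. That is the arithmetic behind the note: a small scope is only sufficient if the results are perfect, so the testing plan should say up front how many items are needed for each control frequency and what a single failure does to the conclusion.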
Design and implement solutions for control deficiencies
Some of the key lessons relating to remediating control design and operating deficiencies are as follows:
- Consider the nature and extent of remediation on a timely basis. Begin the evaluation process as soon as possible to allow for sufficient remediation time. Tackle significant design deficiencies as soon as practicable. Thoughtfully remediate operating deficiencies. Be sure to retest remediated controls, leaving sufficient time for the external auditors to perform the attest process.
- Document the results of remediating control deficiencies. Project documentation completed through this stage of the assessment might include, among other things:
- The results of management’s evaluation of control deficiencies and communications of findings to the auditor and audit committee
- The results of management’s remediation of control deficiencies
- The results of management’s retesting of remediated controls
Nine auditing firms[2] issued in 2004 a series of white papers, which outlined a framework for evaluating control exceptions and deficiencies resulting from the evaluation of a company's ICFR. With these white papers as a context, some of the key lessons relating to assessing and classifying control deficiencies are as follows:
- Keep the list short. Due to the judgmental nature of assessing and classifying control deficiencies, reasonable men and women may differ – both in terms of the extent of the analysis required and the conclusion as to the severity of a deficiency. Completing controls testing and aggressively remediating control deficiencies promptly is a preventive strategy for dealing with an environment in which the analysis can be excruciatingly detailed and highly arbitrary. The last scenario management should want to face is the evaluation of many unremediated deficiencies at year-end.
- Understand how the auditors will approach the task. Communicate with the audit firm's engagement team to determine how they will apply this white paper framework. Working with the engagement team to understand their approach to applying this guidance and developing a few examples to clear up confusion is time well spent.
- Pay attention to IT general controls. Without linkage to related application control deficiencies that constitute a material weakness, it is rare that an IT general control deficiency alone will constitute a material weakness. However, companies with poor IT general controls can expect higher compliance and audit costs. If IT general controls are evaluated separately from application controls, companies will have difficulty meeting the auditor’s deficiency analysis requirements, because the auditor must trace each general control deficiency to the application controls that depend on it.
- Consider the COSO components when aggregating deficiencies. Deficiencies are considered in the aggregate by significant account balance, disclosure and COSO component to determine whether they collectively result in significant deficiencies or material weaknesses.
- Document the results of assessing and classifying control deficiencies. For example, project documentation completed during this stage of the assessment primarily includes (a) the results of management’s determination of the status of control deficiencies, (b) evidence of timely disclosure of significant deficiencies to the audit committee and the external auditor and (c) documentation supporting public disclosures made regarding material weaknesses.
Overall project documentation
According to the PCAOB, the Section 404 compliance team must document management’s approach and the basis for management’s decisions, including the processes, procedures and due diligence management completed in executing its responsibilities and supporting its conclusions. Therefore, there must be sufficient documentation of the rationale and framework for identifying significant financial reporting elements, location coverage and testing scopes and for addressing exceptions. The compliance team’s documentation should indicate who is involved in making decisions and should maintain minutes and memoranda to record key decisions made. All of this documentation evidences management’s assessment process.
While not necessarily all-inclusive, the suggested documentation provided above illustrates documentation developed during the compliance process. In addition to this documentation, an overall high-level memorandum is recommended to evidence management’s assessment process. This memorandum should describe the steps of the process and refer to the project documents and work products. Examples of the project documents and work products may be attached to the overall memorandum as exhibits. The memorandum should describe the results of the controls design effectiveness work and the control testing work, including the identification and disposition of control deficiencies. The high-level memorandum might list by process the number of key controls, the number of key controls deemed “effective” and “ineffective” based on the initial testing, the number of “ineffective” controls remediated and retested, the disposition of unremediated control deficiencies and management’s final conclusions regarding the design and operating effectiveness of ICFR. The memorandum should accomplish four important objectives:
- Support the assertions to be included in management’s internal control report.
- Provide support that management has addressed all of the specific points provided by the PCAOB to the auditor as to what to look for with respect to evaluating management’s assessment process and the comprehensiveness of management’s controls documentation.
- Address the certifying officers’ need for overall documentation to enable them to (a) walk through the work done without having to wade through all of the details and (b) gain confidence that the work done is complete and responsive to the requirements.
- Serve as a tool for providing transparency to the external auditor and the audit committee as to management’s assessment process.
Some more lessons
Following are additional lessons to apply in years following the initial year of compliance:
- Evaluate audit committee effectiveness. Integrate the assessment of audit committee effectiveness with the board’s requirement to make that assessment.
- Look for opportunities to refine testing plans. Selection of controls to test and the determination of the nature, timing and extent of testing (including refresh testing) warrant a fresh look in view of self-assessments from process owners, entity-level monitoring and process improvements.
- Continuously improve company-level controls. These controls include the control environment, risk assessment process, entity-level monitoring, period-end financial reporting process, anti-fraud program and self-assessment process. An effective enterprise risk assessment process will infuse the disclosure process with emerging issues on a timely basis. For large and complex companies, management should evaluate the effectiveness of the risk management function and, if operating in a regulated environment, the regulatory compliance function.
- Examine the new systems conversion and upgrade cycle. Some companies are evaluating ways to coordinate the planning and execution of systems conversions and upgrades with the Section 404 assessment process. If the internal control structure is a moving target close to year-end, Section 404 compliance is more difficult. Companies have two options – ignore the issue or optimize the two activities.
- Refine the merger and acquisition process. The merger integration process must be aligned with the Section 404 compliance process to ensure that integration of an acquired entity’s processes and systems with the acquirer’s processes and systems does not “taint” any Section 404 exclusion allowed by SEC rules and desired by management.
- Get the most out of your committees. The members of both the disclosure and Section 404 steering committees should be knowledgeable of the business and its risks and have sufficient stature within the organization to initiate the appropriate action when necessary. Members of the disclosure committee should be familiar with the disclosure practices of peer companies. While not as concerned with the details underlying the Section 404 compliance process, the disclosure committee is interested in its results and the disclosure implications. Thus, both the disclosure committee and Section 404 steering committee should interact to review control deficiencies to recommend for disclosure in public reports.
While not intended to be comprehensive, the lessons learned herein represent keys to success for those companies who have yet to file an internal control report under Section 404. Accelerated filers also should take stock of lessons learned when formulating their plans for compliance subsequent to the initial year of compliance. The Third Edition of Protiviti’s Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements provides additional insights for companies to consider. It is available at www.protiviti.com.
[1] As discussed in Issue 1 of Volume 2 of The Bulletin, a self-assessment process is a predetermined approach whereby managers and process owners self-review or self-audit the key controls for which they are responsible and then communicate the results to management. Important characteristics of a self-assessment process include: predetermined questions approved by management, criteria for supporting responses, rigorous deployment throughout the organization, timely follow-up and resolution of issues, and periodic internal audit testing of results.
[2] The nine auditing firms included the Big Four firms and five middle-tier firms.
The Bulletin (Volume 2, Issue 8 Supplement)