“Regulators Suggest it’s Time to Double Down on Internal … County/IIA OC... · 2016-09-21 ·...
“Regulators Suggest it’s Time to Double Down on Internal Controls”
(Headline from Compliance Week)
Robert Conway, Professional Practice Director, CNM LLP [email protected] (714) 392-2499
2
Discussion Overview
Overview of 2015 PCAOB Inspection Results
Focus on Management Review Control Findings
What Does the PCAOB Expect?
Examples of Typical Findings
System Tension – US Watch Dog Barks!
PCAOB / SEC
Response – Double Down!
Implications to Public Companies
SEC Enforcement Actions on ICFR
3
Big Four PCAOB Inspection Findings
Summary for 2015
All Big 4
Issuer Inspections 219
FSA Restatements 2
ICFR Restatements 7
Total # Deficient Audits* 76
Individual Deficiencies 370
* An audit is “deficient” if it has one or more Part 1 findings (Part 1 =
insufficiently supported opinion).
4
Big Four PCAOB Inspection Findings
Summary for 2015
All Big 4
Issuer Inspections 219
Number of Deficient Audits:
ICFR and FSA 47
ICFR only 17
FSA only 12
Total Deficient Audits 76
5
Big Four Deficiencies by Auditing Standard
All Big 4
AS 5 – ICFR 184
AS 13 – Response to Risks* 41
AU 342 – Auditing Estimates 30
AU 328 – Auditing FV Meas. 34
All Others 81
Total Individual Deficiencies 370
* See PCAOB Release No. 2015-007 (Inspection Observations re Risk Assessment Stds.)
ICFR accounts for 50% of all deficiencies!!!
6
PCAOB Summary of Most Frequent Deficiencies
(Frequency of Top 5 Deficiencies for All Big Four)
All Big 4
Failed to Test:
Control Design/Op Effect. 51
Control Addressing Risks 27
Evaluation of Control Def. 8
Report Controls/Accuracy 29
In Response to Risks 23
Assumptions in Estimates 32
All Others (combined) 200
Total 370
7
Digging Deeper into the Nature of ICFR Findings
All Big 4
Issuer Inspections 219
Number of Deficient Audits 76
Audits w/ ICFR Deficiencies 64
Audits w/ Management Review Control Deficiencies 45
Management Review Controls Are the Biggest Problem!
Failure to Test Reports is Still a Problem, Too!
8
The Use of Management Review Controls
Crosses a Broad Spectrum
Review of a reconciliation
Review of journal entries
Review for triggering events or GW Step Zero
Review of the work supporting an estimate
Review of budget-to-actual variances (aka “the
All Pro Free Safety”)
9
Examples of Common Findings
“The Firm identified a fraud risk related to the timing of revenue
recognition. To address the fraud risk, the Firm selected for testing a
control that consisted of the review of adjustments to revenue for
shipments that were in transit at the end of each period; however, the
Firm’s procedures were limited to determining that the analysis used in
the control had been prepared, inquiring of certain individuals involved in
the process, inspecting documents with comments that indicated reviews
that were part of the control had occurred, and comparing certain
amounts to the general ledger. The Firm, however, failed to sufficiently
test an important aspect of the control related to the specific review
procedures performed by the control owner, as its procedures to test this
aspect were limited to inquiry.”
Possible Fix: More thorough documentation by the control owner of the
procedures to be performed and actually performed.
10
Example # 2 of a Common Finding
“The Firm selected two controls for [testing POC revenue] that consisted of
monthly meetings in which issuer personnel reviewed (1) the estimated cost
to complete each project and (2) the status of each POC contract; however,
the Firm’s procedures to test these controls were insufficient [as] …these
procedures were limited to gathering reports used in the operation of the
controls, comparing information between these reports, and attending one
meeting for each control. The Firm failed to test whether the controls
operated at a level of precision that would prevent or detect material
misstatements, as it failed to ascertain, and evaluate, the criteria used to
identify items for follow-up and how those items were resolved. In
addition, the Firm failed to … test controls over the completeness and
accuracy of the report that the issuer used [to perform these] controls, as
its procedures were limited to the comparisons described above.”
Possible Fix: Define criteria/precision for follow-up, define the follow-up
process, and test reports used for completeness & accuracy.
11
Example # 3 of a Common Finding
“The Firm failed to sufficiently test a control that consisted of the
calculation and review of the reserve for excess inventory. Specifically,
the Firm’s procedures were limited to inspecting documents for
signatures that indicated the review performed as part of the control had
occurred, comparing certain amounts to supporting documents or the
general ledger, and inquiring of management. The Firm failed to test
whether the control operated at a level of precision that would prevent or
detect material misstatements, as it failed to ascertain and evaluate (1)
the scope of the review activities performed, (2) the criteria used to
identify items for follow up, and (3) how those items were resolved.”
Possible Fixes:
Define the precision / criteria for investigation in a manner that
assures material misstatements in the aggregate would be detected.
Identify action and resolution steps as part of control design.
More documentation of the review activity and thinking during review.
12
Noise in the System from Auditors and Preparers (from Compliance Week, Dec. 22, 2015)
“The push by the PCAOB is prompting auditors to demand more audit
evidence and more documentation, especially around management
review controls, in ways that have left preparers scratching their heads.”
An Internal Audit Director says she’s seen a drift away from the top-down,
risk-based approach to the audit of internal controls that is mandated
under AS 5. “We’re moving away from reliance on management review
controls and wanting an inclusion of a broader set of control activities
rather than relying on the management review controls that are really
important to the running of the business.”
Some are asserting that we have silently reverted to AS 2.
13
What Did the Watch Dogs Say on May 29, 2015?
The US Chamber of Commerce Wrote to the SEC and PCAOB to Say:
Auditors are telling clients they need to expand documentation of
management review controls to satisfy the PCAOB expectations.
No new rules; but assertion is that rules are being expanded by
PCAOB inspections.
Increases in audit and compliance costs are driven by the PCAOB.
PCAOB accused of losing sight of the cost-benefit relationship.
Public companies get no credit for their management review controls.
14
What Did the SEC and PCAOB Do in Response?
The SEC, PCAOB, US Chamber, Auditors, and selected Preparers
met in the Fall of 2015.
Anecdotal concerns rejected.
Only specific fact patterns evidencing concerns were considered.
Nothing revealed until the AICPA Conference on SEC/PCAOB
Matters in December 2015.
SEC says that discussions are ongoing.
15
SEC / PCAOB Position – “Regulators Suggest It’s
Time to Double Down on Internal Controls”
There may be deficiencies in the design of management review
controls. Key issues are:
o Is precision of the review defined and appropriate?
o Is documentation sufficient (consider AS 3)?
o Some high risk areas may be ill-suited for MRCs.
Re-emphasized risk-based approach when auditing ICFR.
The level of documentation needs to be commensurate with the risk.
Re-affirmed that SEC guidance to preparers is aligned with PCAOB
guidance to auditors.
Auditors should discuss documentation expectations with
management and the Audit Committee in advance.
Management should push back when appropriate.
Permissible for management and auditor to take different approaches
to testing controls; but reasons should be understood.
16
Other SEC Observations
On-going concern that Material Weaknesses are a lagging indicator
o Only reported when there is a restatement (but some
improvement observed)
o Are preparers and auditors properly evaluating deficiencies for
significance? Are Material Weaknesses being under-reported?
o Very important to consider the “could factor.”
o Could a control deficiency enable a material misstatement to
occur without prevention or detection?
ICFR is also important to areas such as:
o Segment reporting determination
o Reporting unit determination
o Application of new accounting pronouncements (i.e., Rev Rec)
17
PCAOB Communications Have Been Limited
No interpretive guidance from the PCAOB since the Staff Audit Practice
Alert # 11 in October 2013, “Consideration for Audits of Internal Controls
Over Financial Reporting.”
The PCAOB has conducted so-called “outreach” programs that have
been useful to those who have participated; however, the PCAOB has
avoided publishing much needed interpretive guidance for the benefit of
auditors, preparers, internal auditors, and 404 outsourcing providers.
Despite the lack of interpretive guidance, ICFR continues to be a high
priority at both the PCAOB and SEC.
18
2016 SEC Enforcement Action re ICFR
Magnum Hunter Resources (“MHR”), an oil and gas producer (1 example)
Growth through acquisitions strained accounting resources; however,
there were no material errors identified.
SOX 404 provider reported to management, “The potential for error in
such a compressed work environment represents a substantial risk.”
The 404 outsource provider, management, and the audit partner all
agreed at the time this was a significant deficiency. The year in
question were later restated.
The SEC concluded that the deficiency should have been reported as
a material weakness based solely on the “could” factor.
In settling this case, the company was fined $250,000; the CFO was
fined $25,000; and the CAO was fined $15,000.
The 404 outsource provider and the audit partner were both subject
to a “Cease and Desist Order” that banished them from public
company practice for one year.
19
Understanding the “Could Factor”
A “material weakness” is a “deficiency, or a combination of deficiencies, in [ICFR] such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.” A misstatement is reasonably possible if the chance of a misstatement is more than remote but less than likely. The “severity of a deficiency in ICFR does not depend on whether a misstatement actually has occurred but rather on whether there is a reasonable possibility that the company’s ICFR will fail to prevent or detect a misstatement on a timely basis.”
SEC Comment Letters are increasingly incorporating ICFR into their
questions about accounting and disclosures.
20
What are the Audit Firms Doing?
More Training / Refinements to Methodology
Expanded Templates
Adjusting Workloads to Give Managers and
Partners more Review Time
We Anticipate Auditors Will be More Inclined to
Conclude that Certain Management Review
Control Deficiencies are Material Weaknesses
21
What Does CNM Recommend?
Be mindful of the need to specify precision in high
risk areas and how “outliers” are identified.
Document the resolution of “outliers.”
Be mindful that greater control reliance will
generally require better documentation
(especially in high risk areas).
Be vigilant for reports used in controls or
substantive procedures that need to be tested for
completeness and accuracy.
Continue your dialog with your auditors and 404
team re auditor expectations.
22
Management Review Control Suggestions
It may be more productive and efficient to build the required elements into
the original process rather than bolting them on to the reviewer control.
The added effort is pushed down to a lower level.
The supporting documentation will be of higher quality and will facilitate
the reviewer’s review:
o Precision/action items and conclusions will be already identified,
o Contradictory evidence will already be considered,
o Differences in assumptions between the future and past will already
be vetted.
o Sensitivity analysis, if warranted, will already be completed.
o Credentials and prior knowledge of the preparer will already be
documented.
Reviewer time can be focused on the critical issues and less on
creating a paper trail.
A well prepared analysis will stand more on its own and be less
dependent on extensive documentation of the reviewer’s review.
23
Discussion and Questions
More About Bob Conway and CNM
On the Next Page
24
Robert A. Conway Professional Practice Director at CNM LLP
6 Venture, Suite 365 Irvine, CA 92618 (714) 392-2499
[email protected] www.cnmllp.com
Mr. Conway is an expert in technical accounting matters, SEC reporting, and Sarbanes-Oxley compliance. Mr. Conway’s full-time involvement in CNM’s service delivery process assures a high level of quality and technical accuracy in CNM’s services and deliverables. Mr. Conway regularly shares his subject matter expertise with CNM’s partners, teams, and clients in complex areas of accounting and Sarbanes-Oxley compliance.
Mr. Conway brings over 35 years of professional service in the public accounting field to his leadership role at CNM. Mr. Conway most recently completed nine years at the Public Company Accounting Oversight Board, including six years as a Regional Associate Director with leadership responsibility for the organization’s Orange County and Los Angeles offices. Prior to the PCAOB, Mr. Conway enjoyed a 26-year career with KPMG, including 17 years as audit partner. At KPMG, Mr. Conway specialized in audits of companies in the technology, automotive, manufacturing, and retailing industries.
About CNM LLP
CNM LLP is a 60-person professional services firm with offices in Los Angeles and Orange County. Substantially all of our professionals are very experienced hires directly from the Big Four audit firms.
Our Accounting Technical Services group is devoted to assisting public companies and pre-IPO public companies with technical accounting matters where the company can't simply ask the auditor, "How do we account for this?" Oftentimes, this may be in conjunction with an acquisition, a refinancing, a restructuring, a new share based compensation arrangement, the formation of joint venture with VIE implications, implementation of new accounting standards, and the like. We also assist rapid growth start-up companies with getting their records to a “GAAP compliant and ready-for-audit stage.”
Our Compliance Risk Services group is focused on compliance with the Sarbanes-Oxley requirements applicable to Internal Controls over Financial Reporting (ICFR). Our services range from assisting pre-IPO companies with the creation of their internal control framework to full-scale outsourcing of the ICFR compliance function. We also provide traditional internal audit services tailored to the individual company’s needs.