(Headline from Compliance Week)

Robert Conway Professional Practice Director CNM LLP Rconway@cnmllp.com (714) 392-2499

“Regulators Suggest it’s Time to

Double Down on Internal Controls”

2

Discussion Overview

Overview of 2015 PCAOB Inspection Results

Focus on Management Review Control Findings

What Does the PCAOB Expect?

Examples of Typical Findings

System Tension – US Watch Dog Barks!

PCAOB / SEC

Response – Double Down!

Implications to Public Companies

SEC Enforcement Actions on ICFR

3

Big Four PCAOB Inspection Findings

Summary for 2015

All Big 4

Issuer Inspections 219

FSA Restatements 2

ICFR Restatements 7

Total # Deficient Audits* 76

Individual Deficiencies 370

* An audit is “deficient” if it has one or more Part 1 findings (Part 1 =

insufficiently supported opinion).

4

Big Four PCAOB Inspection Findings Summary for 2015 All

Big 4

Issuer Inspections 219

Number of Deficient Audits:

ICFR and FSA 47

ICFR only 17

FSA only 12

Total Deficient Audits 76

5

Big Four Deficiencies by Auditing Standard

All Big 4

AS 5 – ICFR 184

AS 13 – Response to Risks* 41

AU 342 – Auditing Estimates 30

AU 328 – Auditing FV Meas. 34

All Others 81

Total Individual Deficiencies 370

* See PCAOB Release No. 2015-007 (Inspection Observations re Risk Assessment Stds.)

ICFR accounts for 50% of all deficiencies!!!

6

PCAOB Summary of Most Frequent Deficiencies

(Frequency of Top 5 Deficiencies for All Big Four)

All

Failed to Test: Big 4

Control Design/Op Effect. 51

Control Addressing Risks 27

Evaluation of Control Def. 8

Report Controls/Accuracy 29

In Response to Risks 23

Assumptions in Estimates 32

All Others (combined) 200

Total 370

7

Digging Deeper into the Nature of ICFR Findings

All

Big 4

Issuer Inspections 219

Number of Deficient Audits 76

Audits w/ ICFR Deficiencies 64

Audits w/ Management 45

Review Control Deficiencies

Mngmn’t Review Controls Are the Biggest Problem!

Failure to Test Reports is Still a Problem, Too!

8

The Use of Management Review Controls

Crosses a Broad Spectrum

Review of a reconciliation

Review of journal entries

Review for triggering events or GW Step Zero

Review of the work supporting an estimate

Review of budget-to-actual variances (aka “the

All Pro Free Safety”)

9

Examples of Common Findings

“The Firm identified a fraud risk related to the timing of revenue

recognition. To address the fraud risk, the Firm selected for testing a

control that consisted of the review of adjustments to revenue for

shipments that were in transit at the end of each period; however, the

Firm’s procedures were limited to determining that the analysis used in

the control had been prepared, inquiring of certain individuals involved in

the process, inspecting documents with comments that indicated reviews

that were part of the control had occurred, and comparing certain

amounts to the general ledger. The Firm, however, failed to sufficiently

test an important aspect of the control related to the specific review

procedures performed by the control owner, as its procedures to test this

aspect were limited to inquiry.”

Possible Fix: More thorough documentation by the control owner of the

procedures to be performed and actually performed.

10

Example # 2 of a Common Finding

“The Firm selected two controls for [testing POC revenue] that consisted of

monthly meetings in which issuer personnel reviewed (1) the estimated cost

to complete each project and (2) the status of each POC contract; however,

the Firm’s procedures to test these controls were insufficient [as] …these

procedures were limited to gathering reports used in the operation of the

controls, comparing information between these reports, and attending one

meeting for each control. The Firm failed to test whether the controls

operated at a level of precision that would prevent or detect material

misstatements, as it failed to ascertain, and evaluate, the criteria used to

identify items for follow-up and how those items were resolved. In

addition, the Firm failed to … test controls over the completeness and

accuracy of the report that the issuer used [to perform these] controls, as

its procedures were limited to the comparisons described above.”

Possible Fix: Define criteria/precision for follow-up, define the follow-up

process, and test reports used for completeness & accuracy.

11

Example # 3 of a Common Finding

“The Firm failed to sufficiently test a control that consisted of the

calculation and review of the reserve for excess inventory. Specifically,

the Firm’s procedures were limited to inspecting documents for

signatures that indicated the review performed as part of the control had

occurred, comparing certain amounts to supporting documents or the

general ledger, and inquiring of management. The Firm failed to test

whether the control operated at a level of precision that would prevent or

detect material misstatements, as it failed to ascertain and evaluate (1)

the scope of the review activities performed, (2) the criteria used to

identify items for follow up, and (3) how those items were resolved.

Possible Fixes:

Define the precision / criteria for investigation in a manner that

assures material misstatements in the aggregate would be detected.

Identify action and resolution steps as part of control design.

More documentation of the review activity and thinking during review.

12

Noise in the System from Auditors and Preparers (from Compliance Week, Dec. 22, 2015)

“The push by the PCAOB is prompting auditors to demand more audit

evidence and more documentation, especially around management

review controls, in ways that has left preparers scratching their heads.”

An Internal Audit Director say she’s seen a drift away from the top-down,

risk-based approach to the audit of internal controls that is mandated

under AS 5. “Were moving away from reliance on management review

controls and wanting an inclusion of a broader set of control activities

rather than relying on the management review controls that are really

important to the running of the business.”

Some are asserting that we have silently reverted to AS 2.

13

What Did the Watch Dogs Say on May 29, 2015?

The US Chamber of Commerce Wrote to the SEC and PCAOB to Say:

Auditors are telling clients they need to expand documentation of

management review controls to satisfy the PCAOB expectations.

No new rules; but assertion is that rules are being expanded by

PCAOB inspections.

Increases in audit and compliance costs are driven by the PCAOB.

PCAOB accused of losing sight of the cost-benefit relationship.

Public companies get no credit for their management review controls.

14

What Did the SEC and PCAOB Do in Response?

The SEC, PCAOB, US Chamber, Auditors, and selected Preparers

met in the Fall of 2015.

Anecdotal concerns rejected.

Only specific facts patterns evidencing concerns were considered.

Nothing revealed until the AICPA Conference on SEC/PCAOB

Matters in December 2015.

SEC says that discussions are ongoing.

15

SEC / PCAOB Position – “Regulators Suggest It’s

Time to Double Down on Internal Controls”

There may be deficiencies in the design of management review

controls. Key issues are:

o Is precision of the review defined and appropriate?

o Is documentation sufficient (consider AS 3)?

o Some high risk areas may be ill-suited for MRCs.

Re-emphasized risk-based approach when auditing ICFR.

The level of documentation needs to be commensurate with the risk.

Re-affirmed that SEC guidance to preparers is aligned with PCAOB

guidance to auditors.

Auditors should discuss documentation expectations with

management and the Audit Committee in advance.

Management should push back when appropriate.

Permissible for management and auditor to take different approaches

to testing controls; but reasons should be understood.

16

Other SEC Observations

On-going concern that Material Weakness are a lagging indicator

o Only reported when there is a restatement (but some

improvement observed)

o Are preparers and auditors properly evaluating deficiencies for

significance? Are Material Weaknesses being under-reported?

o Very important to consider the “could factor.”

o Could a control deficiency enable a material misstatement to

occur without prevention or detection?

ICFR is also important to areas such as:

o Segment reporting determination

o Reporting unit determination

o Application of new accounting pronouncements (i.e., Rev Rec)

17

PCAOB Communications Have Been Limited

No interpretive guidance from the PCAOB since the Staff Audit Practice

Alert # 11 in October 2013, “Consideration for Audits of Internal Controls

Over Financial Reporting.”

The PCAOB has conducted so-called “outreach” programs that have

been useful to those who have participated; however, the PCAOB has

avoided publishing much needed interpretive guidance for the benefit of

auditors, preparers, internal auditors, and 404 outsourcing providers.

Despite the lack of interpretive guidance, ICFR continues to be a high

priority at both the PCAOB and SEC.

18

2016 SEC Enforcements Action re ICFR

Magnum Hunter Resources (“MHR”), an oil and gas producer (1 example)

Growth through acquisitions strained accounting resources; however,

there were no material errors identified.

SOX 404 provider reported to management, “The potential for error in

such a compressed work environment represents a substantial risk.”

The 404 outsource provider, management, and the audit partner all

agreed at the time this was a significant deficiency. The year in

question were later restated.

The SEC concluded that the deficiency should have been reported as

a material weakness based solely on the “could” factor.

In settling this case, the company was fined $250,000; the CFO was

fined $25,000; and the CAO was fined $15,000.

The 404 outsource provider and the audit partner were both subject

to a “Cease and Desist Order” that banished them from public

company practice for one-year.

19

Understanding the “Could Factor”

A “material weakness” is a “deficiency, or a combination of deficiencies, in [ICFR] such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.” A misstatement is reasonably possible if the chance of a misstatement is more than remote but less than likely. The “severity of a deficiency in ICFR does not depend on whether a misstatement actually has occurred but rather on whether there is a reasonable possibility that the company’s ICFR will fail to prevent or detect a misstatement on a timely basis.

SEC Comment Letters are increasingly incorporating ICFR into their

questions about accounting and disclosures.

20

What are the Audit Firms Doing?

More Training / Refinements to Methodology

Expanded Templates

Adjusting Workloads to Give Managers and

Partners more Review Time

We Anticipate Auditors Will be More Inclined to

Conclude that Certain Management Review

Control Deficiencies are Material Weaknesses

21

What Does CNM Recommend?

Be mindful of needs to specify precision in high

risk areas and how “outliers” are identified.

Document the resolution of “outliers.”

Be mindful that greater control reliance will

generally require better documentation

(especially in high risk areas).

Be vigilant for reports used in controls or

substantive procedures that need to be tested for

completeness and accuracy.

Continue your dialog with your auditors and 404

team re auditor expectations.

22

Management Review Control Suggestions

It may be more productive and efficient to build the required elements into

the original process rather than bolting them on to the reviewer control.

The added effort is pushed down to a lower level.

The supporting documentation will be of higher quality and will facilitate

the reviewer’s review:

o Precision/action items and conclusions will be already identified,

o Contradictory evidence will already be considered,

o Differences in assumptions between the future and past will already

be already vetted.

o Sensitivity analysis, if warranted, will already be completed.

o Credentials and prior knowledge of the preparer will already be

documented.

Reviewer time can be focused on the critical issues and less on

creating a paper trail.

A well prepared analysis will stand more on its own and be less

dependent on extensive documentation of the reviewer’s review.

23

Discussion and Questions

More About Bob Conway and CNM

On the Next Page

24

Robert A. Conway Professional Practice Director at CNM LLP

6 Venture, Suite 365 Irvine, CA 92618 (714) 392-2499

rconway@cnmllp.com www.cnmllp.com

Mr. Conway is an expert in technical accounting matters, SEC reporting, and Sarbanes-Oxley compliance. Mr. Conway’s full-time involvement in CNM’s service delivery process assures a high level of quality and technical accuracy in CNM’s services and deliverables. Mr. Conway regularly shares his subject matter expertise with CNM’s partners, teams, and clients in complex areas of accounting and Sarbanes-Oxley compliance.

Mr. Conway brings over 35 years of professional service in the public accounting field to his leadership role at CNM. Mr. Conway most recently completed nine years at the Public Company Accounting Oversight Board, including six years as a Regional Associate Director with leadership responsibility for the organization’s Orange County and Los Angeles offices. Prior to the PCAOB, Mr. Conway enjoyed a 26-year career with KPMG, including 17 years as audit partner. At KPMG, Mr. Conway specialized in audits of companies in the technology, automotive, manufacturing, and retailing industries.

About CNM LLP

CNM LLP is a 60-person professional services firm with offices in Los Angeles and Orange County. Substantially all of our professionals are very experienced hires directly from the Big Four audit firms.

Our Accounting Technical Services group is devoted to assisting public companies and pre-IPO public companies with technical accounting matters where the company can't simply ask the auditor, "How do we account for this?" Oftentimes, this may be in conjunction with an acquisition, a refinancing, a restructuring, a new share based compensation arrangement, the formation of joint venture with VIE implications, implementation of new accounting standards, and the like. We also assist rapid growth start-up companies with getting their records to a “GAAP compliant and ready-for-audit stage.”

Our Compliance Risk Services group is focused on compliance with the Sarbanes-Oxley requirements applicable to Internal Controls over Financial Reporting (ICFR). Our services range from assisting pre-IPO companies with the creation of their internal control framework to full-scale outsourcing of the ICFR compliance function. We also provide traditional internal audit services tailored to the individual company’s needs.