2014 Internal Auditing Update
Richard Turpen
Auburn University Montgomery

Contact Information
Richard A. Turpen
Department of Accounting
College of Business
Auburn University Montgomery
P.O. Box 244023
Montgomery, AL 36124
rturpen@aum.edu
334-244-3496 Phone
334-244-3792 FAX

Today’s Topics
- New frameworks
  - COSO’s Internal Control
  - GAO’s “Green Book”
- New guidance
  - IAASB’s ISA 610
  - AICPA’s SAS 128

The New COSO Framework

Who?
The Committee of Sponsoring Organizations of the Treadway Commission (COSO):
- Organized in 1985 to sponsor the National Commission on Fraudulent Financial Reporting.
- Supported jointly by five organizations:
  - American Accounting Association (AAA)
  - American Institute of Certified Public Accountants (AICPA)
  - Financial Executives International (FEI)
  - The Institute of Internal Auditors (IIA)
  - Institute of Management Accounting (IMA)

What?
Internal Control—Integrated Framework
- Developed in response to corporate frauds and financial scandals of the 1970s.
- Issued in 1992, becoming the predominant model for internal control over financial reporting (ICFR) and remaining so for 20 years.

Why?
Internal Control—Integrated Framework (the “New Framework” or the “Framework”)
- Accelerated pace of changes in technology
- Globalization of markets and operations
- Increased complexity of business structures
- More dramatic frauds and financial crises
- Proliferation of regulations and standards
- Greater demands for improved governance
- Widespread use of risk-based oversight

Timeframe
- Released in spring of 2013 after two and a half years in development.
- Issued with an “effective date” of December 15, 2014.

Transition
- After this date, an issuer will not be able to take the position that the 1992 framework qualifies under SEC criteria as a “suitable framework” for purposes of complying with Section 404 of Sarbanes-Oxley (SOX).
- Companies that continue using the old framework after the transition deadline likely will receive negative comments from the SEC and from their external auditors.

Structure
- Executive Summary
- Framework
- Appendices
- Applications guide with illustrative tools
- Compendium of approaches and examples applicable to internal control over financial reporting (ICFR)

Overview

What’s still the same?
- The core definition of internal control is largely unchanged, and its five components remain.
- Organizations will continue to establish relevant objectives relating to operations, reporting, and compliance.
- As before, these can be set for the entity as a whole or targeted to specific divisions, functions, or operating units.

What’s new?
- The new framework broadens the reporting objective to include all types:
  - Both financial and non-financial.
  - Both external and internal.
- It also incorporates an enhanced discussion of governance, particularly as it relates to compliance, and considers the increased relevance of technology and anti-fraud measures.

What else is new?
- The most significant change is the explicit articulation of 17 principles that provide the foundation for the five components.
- Every principle applies to all three of the objectives.
- Supporting each principle are 77 points of focus intended to provide management with design and implementation guidance.

The “big picture”
- The goal is to apply a top-down, risk-based approach to determine whether an effective system of internal control exists:
  - One that provides reasonable assurance that an organization’s objectives are met.
  - One that reduces to an acceptable level the risk that an organization will not achieve its objectives.

The “big picture,” cont’d.
- To do so requires determining that:
  - Each of the 5 components and 17 principles is “present and functioning.”
  - All of the 5 components and 17 principles are “operating together” in an integrated manner.

The “big picture,” cont’d.
- Thus, there are two determinations:
  - That each component and principle exhibits:
    - Effective design and implementation (i.e., is “present”).
    - Effective operation (i.e., is “functioning”).
  - That all components and principles collectively reduce the risk of not achieving an objective to an acceptable level (i.e., are “operating together”).

About “operating together” . . .
- Evaluating a component (and its principles) requires determining how it is being applied within the overall system of internal control—not whether it is “present and functioning” on its own.
- Management can conclude that components are “operating together” when internal control deficiencies aggregated across components do not result in a “major deficiency.”

Major deficiencies
- An organization cannot conclude that it has met the requirements for an effective system of internal control if a “major deficiency” exists.
- Major deficiencies are internal control deficiencies or combinations of deficiencies that severely reduce the likelihood that the organization can achieve its objectives.

Major deficiencies, cont’d.
- Because the framework is intended to be universal across borders and regulations, the “major deficiency” concept should not complicate SOX 404 compliance evaluations—a major deficiency under the new COSO framework will most likely be regarded as a “material weakness” under SOX.

A closer look
- As before, the new framework’s first component is the control environment, “the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.”
- It then establishes five principles applicable to this component and a total of twenty points of focus.

A closer look, cont’d.
- The first principle speaks to an organization’s ethics: “The organization demonstrates a commitment to integrity and ethical values.”
- Four points of focus support this principle:
  - “Sets the ‘Tone at the Top.’”
  - “Establishes Standards of Conduct.”
  - “Evaluates Adherence to Standards of Conduct.”
  - “Addresses Deviations in a Timely Manner.”

A closer look, cont’d.
- It is important to emphasize that the components and principles are key. They are the criteria that management must use to assess internal control.
- The points of focus may be helpful in that effort, but they are not evaluated separately, and they need not all exist for a related principle to be present and functioning.

A closer look, cont’d.
- In addition to determining how to use the points of focus, organizations will probably want to give certain of the new principles greater consideration.
- Although the concepts they embody are not new, by establishing them as principles COSO has raised the bar for determining their functionality.

A closer look, cont’d.
- Key “new” internal control principles state that the organization:
  - Considers the potential for fraud in assessing risks to the achievement of objectives (Risk Assessment, #8).
  - Selects and develops general control activities over technology to support the achievement of objectives (Control Activities, #11).
  - Obtains or generates and uses relevant, quality information to support the functioning of internal control (Information and Communication, #13).

A closer look, cont’d.
- The primary issue to address early in the transition period is the extent to which controls relevant to these principles are:
  - Embedded within business processes.
  - Supported by existing documentation.
  - Included in the scope of assessment.

Getting going
- Though there is no one-size-fits-all approach, most transition plans should include:
  - Establishing buy-in.
  - Performing gap analysis.
  - Implementing a response.

Establishing buy-in
- Education and training are key.
- Initial discussions should include, minimally, the CAE, CFO, and CAO.
- Communication with governance members is vital—it will be important to anticipate the questions and concerns of the audit committee and governing board.
- Equally important is to meet with the external auditors early in the process.

Performing gap analysis
- The core step in the transition process is mapping either controls to principles or principles to controls to identify gaps.
- The direction chosen may depend upon the extent of existing documentation:
  - Where ample, mapping to the framework may be easier and more efficient.
  - In addition, mapping controls to principles may help avoid rationalization bias.

Performing gap analysis, cont’d.
- Mapping outcomes will vary:
  - “Worst” case: Any gaps identified will likely require remediation. Material weaknesses under new COSO probably represent the same under the former framework.
  - “Best” case: Mapping may reveal:
    - Redundant controls (mapped from the same principle).
    - Unneeded controls (mapped from no principle).
    - Some controls not previously assessed that can now be scoped in.

Performing gap analysis, cont’d.
- Certain cautions should be kept in mind during the mapping process:
  - It must stay focused on the risks that the organization has identified.
  - It ought to be viewed as an opportunity to take a fresh look at controls.
  - It should not become just another checklist exercise.

Performing gap analysis, cont’d.
- As a further caution, early communication with the external auditors is essential.
- Firms registered with the Public Company Accounting Oversight Board (PCAOB) are likely to be more rigorous in their ICFR audits this year as the result of a highly critical report the PCAOB issued last fall.

Performing gap analysis, cont’d.
- The report faults auditors for failing to test certain controls sufficiently. As a result, firms are under pressure to go beyond what’s been acceptable in the past.
- Key areas of focus will include:
  - More scrutiny of management review.
  - More validation of IT-generated data and reports.
  - More testing of the work performed by internal auditors.

Performing gap analysis, cont’d.
- Given the more intensive approach that the auditing firms will bring to bear on this year’s ICFR audits, organizations should make sure to give their external auditors the opportunity to comment on the planned gap analysis.
- Entities not subject to SOX still should discuss transition to the new framework with their external auditors to understand the firms’ expectations.

Implementing a response
- Responses to the gap analysis will require establishing priorities and will be driven in part by regulatory requirements (e.g., SOX).
- Most organizations will probably find that they need to shore up documentation.
- Many will need to develop and implement new assessment strategies.
- Still others may discover that they must plan for remediation.

Final observations
- Ideally, publicly held entities have already completed or soon will complete transition.
- Other organizations, including those with non-calendar fiscal years, should have their processes well underway.

The Forthcoming “Green Book”

Background
- Standards for Internal Control in the Federal Government is the federal government’s equivalent of COSO.
- First issued in 1983 and last updated in 1999, these standards are required of federal agencies under the Federal Managers’ Financial Integrity Act (FMFIA).

Background, cont’d.
- Known as the “Green Book,” these standards serve as the basis for assessing and reporting on controls in the federal government under Office of Management and Budget (OMB) Circular No. A-123, Management’s Responsibility for Internal Control.
- They may also be applied by state, local, and quasi-governmental entities, as well as not-for-profit organizations.

Background, cont’d.
- Moreover, under the OMB’s final guidance for federal awards published last December and effective this year, non-federal entities (NFEs) receiving such awards must establish and maintain effective internal control over such awards, in compliance with the Green Book.

Background, cont’d.
- The Green Book provides:
  - A framework for management to follow.
  - Criteria for auditors to apply.
- Thus, it can be used in conjunction with the Yellow Book, Government Auditing Standards (GAGAS) of the Governmental Accountability Office (GAO); e.g., the cause of an audit “finding” is often an internal control deficiency.

Overview
- This past fall the GAO released the still outstanding Exposure Draft of an updated Green Book that is expected to be released on September 30, 2014.
- It will closely mirror the new COSO framework as adapted to governmental entities.

Overview, cont’d.
- But given its purpose, the Green Book’s language is less “commercial” than COSO’s.
- For example, while COSO makes reference to “board of directors” and “investors,” the Green Book uses “oversight body” and “stakeholders.”

Overview, cont’d.
- Nevertheless, the Green Book’s definitions and concepts are substantially the same as those of the new COSO framework.
- In addition, at the highest levels, the new Green Book uses the same terminology:
  - Objectives
  - Components
  - Principles

Overview, cont’d.
- However, it uses the term “attributes” instead of COSO’s “points of focus” and combines many of the latter:

  Component                       COSO (points of focus)   Green Book (attributes)
  Control Environment             20                       13
  Risk Assessment                 17                       10
  Control Activities              16                       11
  Information and Communication   14                        7
  Monitoring                      10                        6

Requirements
- Like COSO, the Green Book defines an effective internal control system as one providing reasonable assurance that the organization will achieve its objectives.
- Therefore, to be effective:
  - Each of the components, principles, and relevant attributes must be effectively designed, implemented, and operating.
  - The components must operate together in an integrated manner.

Requirements, cont’d.
- However, the Green Book notes that there may be situations in which management has determined that a principle or attribute is not relevant in order for the entity to achieve its objectives and address related risks.

Requirements, cont’d.
- In such cases, management must document the rationale of how, in the absence of that principle or attribute, the associated component could be designed, implemented, and operated effectively.

Requirements, cont’d.
- In addition, the Green Book contains further specific documentation requirements, described in certain of the attributes. These include, for example, the results of:
  - Monitoring activities conducted on an ongoing basis.
  - Separate evaluations performed to identify internal control issues.
  - Corrective actions taken to remediate internal control deficiencies.

Requirements, cont’d.
- These documentation requirements apply to any entity that elects to use the Green Book.
- More broadly, management of NFEs that choose to use the Green Book must follow all of its applicable requirements.

ISA 610

Background
- Globally, the International Auditing and Assurance Standards Board (IAASB) is recognized as the authoritative voice of the auditing profession.
- Last year it issued a new International Standard on Auditing—ISA 610 (Revised 2013), Using the Work of Internal Auditors.

Background, cont’d.
- The new standard “raises the bar” for external auditors when making decisions about how, if at all, to use the work of internal auditors on a financial statement audit.
- Unlike U.S. auditing standards, previous guidance was ambiguous about the use of internal auditors under the supervision of the external auditor (i.e., “direct assistance”).

Highlights
- The new standard eliminates that ambiguity by providing explicit guidance for making “direct assistance” decisions.
- It also adds a further condition that must hold in order for the external auditor to use work previously performed by internal auditors working in their (internal audit) capacity.

Highlights, cont’d.
- A subsequently issued U.S. auditing standard is, in the main, consistent with ISA 610’s requirements.
- It is, however, somewhat less restrictive with respect to the “direct assistance” decision, primarily because of cultural and regulatory differences that exist in certain jurisdictions outside the U.S.

SAS 128

Background
- In spring of this year, the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) issued its long-delayed “clarified” Statement on Auditing Standards No. 128, Using the Work of Internal Auditors (SAS 128).
- SAS 128 is largely converged with the requirements of ISA 610.

Background, cont’d.
- Its release signifies the completion of the Auditing Standards Board’s “Clarity Project,” at least as relates to its auditing standards.
- Issuance was delayed pending the IAASB’s finalization of the revised ISA 610 so that SAS 128 could, to the extent deemed appropriate, incorporate the international standard’s requirements and language.

Highlights
- Like its IAASB counterpart, SAS 128 prohibits the external auditor’s use of the internal audit function (i.e., of the work performed by the internal auditors) unless that function meets certain restrictive criteria.
- Two of the three conditions already existed prior to the release of SAS 128, specifically, a positive judgment about the internal auditors’ competence and objectivity.

Highlights, cont’d.
- The third and new requirement is that the internal audit function use a “systematic and disciplined approach, including quality control.”
- Though not specified in SAS 128, compliance with the International Standards for the Professional Practice of Internal Auditing of The Institute of Internal Auditors (The IIA) would presumably satisfy this condition.

Highlights, cont’d.
- The IIA’s Standards reflect a “systematic and disciplined approach.”
- In addition, Attribute Standard 1300, Quality Assurance and Improvement Program, explicitly addresses “quality control” within the internal audit function.

Highlights, cont’d.
- Thus, unless the external auditor can conclude that the internal audit function follows a “systematic and disciplined approach,” internal auditors’ work cannot be used as external audit evidence.
- However, the external auditor may still be able to use the internal auditors in a “direct assistance” capacity, but extensive testing of their work is required.

Highlights, cont’d.
- SAS 128 is effective for audits of financial statements for periods ending on or after December 15, 2014.

Postscript

Other Developments
- Another framework
- Another standard

NIST’s Cybersecurity
- Last year, pursuant to concern for national and economic security, President Obama issued an Executive Order directing the National Institute of Standards and Technology (NIST) to develop a voluntary framework for reducing cyber risks to critical infrastructure.
- Earlier this year, NIST issued in response Framework for Improving Critical Infrastructure Cybersecurity.

NIST’s Cybersecurity, cont’d.
- The framework was developed with broad industry input and represents, in effect, a summary of best practices.
- It is a risk-based approach to managing cybersecurity risk composed of three parts, each reinforcing the connection between business drivers and cybersecurity activities.

NIST’s Cybersecurity, cont’d.
- All organizations should recognize that, if an entity’s cybersecurity practices are ever questioned during a regulatory investigation and litigation, the baseline for what’s considered commercially reasonable is likely to become the NIST Framework.

NIST’s Cybersecurity, cont’d.
- At a minimum, critical infrastructure companies as identified by the Department of Homeland Security should be prepared to document and demonstrate that their cybersecurity practices are consistent with those promoted through the framework.

NIST’s Cybersecurity, cont’d.
- These include the following industries:
  - Banking and finance
  - Communications
  - Defense companies
  - Energy and utilities
  - Emergency services
  - Food and agriculture
  - Healthcare
  - Transportation systems

NIST’s Cybersecurity, cont’d.
- The framework is likely to become the basis for what’s regarded as commercially reasonable for securing an organization’s infrastructure.
- Even if they don’t follow it completely, organizations should at least understand where they are deficient and why.

NIST’s Cybersecurity, cont’d.
- Although the framework is voluntary, it will probably become the de facto standard of care that organizations will be judged against if a breach occurs.
- Therefore, minimally, they need to have someone in charge of security and a plan that’s current, including an incident response strategy.
- Internal auditor involvement is essential.

ASU 2014-09
- In May the Financial Accounting Standards Board (FASB) finally released its long-awaited revenue recognition standard.
- The “crown jewel” in its convergence efforts with the International Accounting Standards Board (IASB), the new standard is sweeping in its scope and likely effects.

ASU 2014-09, cont’d.
- “Revenue from Contracts with Customers” applies to all industries and transactions.
- It eliminates current GAAP’s transaction- and industry-specific revenue recognition guidance and replaces it with a principle-based approach.

ASU 2014-09, cont’d.
- All nongovernmental entities, including nonprofits (and FASB-based components), are within its scope.

ASU 2014-09, cont’d.
- The AICPA observes: “This standard has the potential to affect every entity’s day-to-day accounting and, possibly, the way business is executed through contracts with customers.”

ASU 2014-09, cont’d.
- This impact is due in large part to how the standard defines a “contract.” It is not limited to written documents—it is any “agreement between two or more parties that creates enforceable rights and obligations.”
- Thus, the standard emphasizes that contracts “can be written, oral, or implied by an entity’s customary business practices.”

ASU 2014-09, cont’d.
- Currently, GAAP’s revenue recognition principles provide two criteria—to be recognized, the revenue must be both:
  - Realized or realizable
  - Earned

ASU 2014-09, cont’d.
- In practice, SEC guidance has equated these to four conditions:
  - Persuasive evidence of an arrangement exists.
  - Delivery has occurred/services have been rendered.
  - Prices are fixed or determinable.
  - Collectibility is reasonably assured.

ASU 2014-09, cont’d.
- These criteria have been replaced with a “core principle,” i.e., that “an entity shall recognize revenue to depict the transfer of promised goods or services to customers in an amount that reflects the consideration to which the entity expects to be entitled in exchange for those goods or services.”

ASU 2014-09, cont’d.
- To achieve that principle, an entity must apply five steps:
  1. Identify the contract with a customer.
  2. Identify the separate performance obligations.
  3. Determine the transaction price.
  4. Allocate the transaction price to the separate performance obligations in the contract.
  5. Recognize revenue when (or as) the entity satisfies a performance obligation.

ASU 2014-09, cont’d.
- The standard includes some examples to assist with the transition.
- Given the challenges of implementation, the FASB has established a longer-than-usual timeframe.

ASU 2014-09, cont’d.
- For public companies, the effective date will be annual reporting periods beginning after December 15, 2016.
- For nonpublic entities, the effective date will be annual reporting periods beginning after December 15, 2017.

ASU 2014-09, cont’d.
- The new standard offers two complex methods of implementation.
- Organizations will need to modify existing systems or create new ones to meet the comparative-year reporting requirements (as well as to capture the data needed under the extensive new disclosure rules).

ASU 2014-09, cont’d.
- The potential for misstatement is enormous and will require careful transition planning and internal control modifications.
- Internal auditor involvement will be critical.

Postscript to Postscript

The bad news
- The demands that internal auditors are facing and will continue to face over the next few years are tremendous.

The good news
- The demands that internal auditors are facing and will continue to face over the next few years are tremendous: Full employment for internal auditors!

Thank You!