How the New SEC Guidance Impacts Eight Key Decisions Driving a Cost-Effective Section 404 Assessment Process
By James W. DeLoach, Managing Director
In May, the U.S. Securities and Exchange Commission (SEC) approved its interpretive guidance to management on implementing Section 404 of the Sarbanes-Oxley Act of 2002. Immediately thereafter, the
Public Company Accounting Oversight Board (PCAOB) issued a companion standard directed to external
auditors that revised the controversial Auditing Standard No. 2. This white paper explores eight key decisions along the Section 404 compliance process that management needs to consider with the objective of
aligning the company’s and auditor’s application of a top-down, risk-based approach and maximizing the
cost-effectiveness of the process.
What’s New?
When the SEC approved in May its interpretive guidance to management on implementing Section 404, the
SEC adopted substantially what it proposed back in December 2006. As the SEC staff indicated during the
Commission’s open meeting, there were no “wholesale changes” to the proposed guidance. The Commission
also adopted amendments to make it clear that an evaluation complying with the guidance would satisfy the
requirements of Section 404, as well as eliminate the audit opinion on management’s assessment process.
In addition, the SEC modified the definition of the term “material weakness,” and raised the “line of sight”
on the part of management and auditors to focus the compliance process on identifying only those control
issues involving a reasonable possibility of a material misstatement. Finally, the SEC finalized an amendment
to define the term “significant deficiency.” The SEC interpretive guidance has been published in the Federal
Register, so it is now effective.
The PCAOB also has been busy. It issued Auditing Standard No. 5 (AS5), staying true to the Board’s four
objectives of focusing the audit of internal control over financial reporting (ICFR) on the most important
matters, eliminating unnecessary audit procedures, providing guidance on scalability to smaller, less complex
companies and simplifying the standard. The effective date is fiscal years ended on or after November 15, 2007.
Now that the SEC has approved AS5, early adoption is possible for fiscal years ended before November 15, 2007.
If the auditor does not early adopt, the auditor must use the AS5 definition of a material weakness, which is
the same as the SEC’s definition. Therefore, the new definition is now effective.
Protiviti’s SEC Flash Report dated May 23, 2007, SEC Finalizes Guidance on Management’s Assessment of
Internal Control Over Financial Reporting, summarizes the key differences in the final standard as compared
to the December proposal. The changes to the proposal were not significant. Protiviti’s PCAOB Flash Report
dated May 24, 2007, PCAOB Finalizes the Revised Auditing Standard, summarizes the primary differences
in the final AS5 compared to the December proposal. These changes were more significant because they
aligned AS5 with the SEC guidance. Both flash reports are available at www.protiviti.com.
What Hasn’t Changed?
There are still concerns regarding Section 404 compliance costs. A recent survey published by Financial
Executives International indicated that four out of five CFOs remain dissatisfied with the costs and benefits
of Section 404 compliance. While down slightly from the prior year, that finding indicates that the cost-effectiveness of the compliance process is still on the radar screen of top financial executives.
[Schematic: the compliance process moves from controls that are manual, detective and ad hoc toward controls that are systems-based, preventive and managed (“Optimize Controls”). The layers of evidence are self-assessment, entity-level monitoring, process-level monitoring, automated controls testing and testing of manual controls, with testing of automated controls displacing testing of manual controls as the process becomes more transparent. The axes are sustainability and cost.]
The ultimate goal also is unchanged. As depicted in the above schematic, the objective is a sustainable
and cost-effective compliance process that is top-down, not bottom-up, and risk-based, not inhibited by
arbitrary rules leading to unnecessary work and non-value-added activity.
The opportunity also remains for improving the quality of upstream business processes and the sustainability of the internal control structure. The value proposition around improving the quality, time and cost
performance of processes affecting financial reporting, including the financial close process, and how
those improvements will make the Section 404 compliance process even more cost-effective, is still largely
unexplored for many companies.
The Opportunity for Management
The new SEC interpretive guidance provides management with an opportunity to take a fresh look at the
company’s compliance process, and specifically at eight key decisions along the Section 404 compliance
process. The new guidance gives companies an opportunity to do no more than what they have to do to
comply with Section 404 by focusing on risk as they execute the compliance process. The guidance also
gives management a chance to examine how it manages and monitors the business and gives itself credit
for effective monitoring controls and entity-level controls that operate at a sufficient level of precision
with respect to significant financial reporting accounts and disclosures. It also provides management an
opportunity to channel some of the cost savings from streamlining the compliance process into process
and control improvements. Those improvements can further reduce compliance costs.
Time is of the essence if companies seek an impact on the 2007 audit cycle. Companies should be
prepared to challenge the status quo, answer questions audit committees are asking about the new guidance, and proactively engage in a dialogue with the external auditor. The eight decisions we are about to
introduce provide a context for this preparation.
Eight Key Decisions
There are eight key decision points along the Section 404 compliance process that warrant a fresh look
by every SEC registrant subject to Sarbanes-Oxley. These decision points represent areas for aligning
management’s assessment approach and the auditor’s attestation process in the early stages:
THE SECTION 404 COMPLIANCE PROCESS (schematic)
Start
1. Select significant financial reporting elements
2. Identify relevant assertions for each significant financial reporting element
3. Select key controls addressing each relevant assertion
4. Decide on the documentation standards
5. Consider relative ICFR risk to determine extent of testing evidence
6. Determine multilocation scopes
7. Determine auditor’s use of work of others
8. Establish methodology to assess the severity of deficiencies
File Internal Control Report
Why are these decision points so important? While the decisions themselves are not new, they are now
approached differently under the new SEC guidance than in the past under AS2. It is critical that companies understand the differences in approaching these decisions. There is no upside to significant
disconnects between the company’s risk assessment and the auditor’s risk assessment. Although, in
theory, the SEC guidance allows management much more flexibility in exercising judgment during the
risk assessment and scoping process, any significant disconnects between management and the auditor on the eight decisions will usually drive up costs, present unwanted problems if issues should arise
and potentially spawn increased litigation risk. Therefore, management should take the necessary steps
to ensure that the auditor fully understands the company’s rationale driving the approach and scopes
applied during the compliance process.
The eight decisions we cite above provide a context for management’s dialogue with the external auditor.
The risk of disconnects between management and the auditor increases if any of the following occur:
• The auditor does not obtain an understanding of management’s assessment process.
• Management does not involve the auditor at specific checkpoints, as management applies the top-down, risk-based approach.
• Management does not document the rationale for company decisions when applying the top-down,
risk-based approach.
We believe that it is best practice for management to engage the auditor in dialogue as the company
works through the compliance process, particularly during the early stages. The new SEC interpretive
guidance does not change this important dynamic. In fact, the application of the top-down, risk-based
approach makes this communication even more critical. The external auditor’s application of a top-down,
risk-based approach is greatly augmented by and reaches the highest level of efficiency when the auditor
understands a well-documented management application of that approach.
While obviously important, the determination of materiality is not included in the list of decisions. The
SEC guidance and AS5 did not change how financial reporting materiality is measured. They did, however,
modify the definition of a material weakness and significant deficiency, as noted in the chart below. The
assessed level of materiality is implicit in all of the eight decisions and is explicitly considered in some of them.
Classification of control deficiencies by severity and likelihood:

Classification             Severity                              Likelihood
Material Weakness          Material                              Reasonably Possible (2)(3)
Significant Deficiency     Important Enough to Elevate (1)(4)    N/A (5)
Insignificant Deficiency   Not Important Enough to Elevate       Not Relevant

(1) Less severe than a material weakness, but important enough to merit the attention of those responsible for financial reporting oversight.
(2) The likelihood is either “reasonably possible” or “probable.”
(3) Replaces “more than a remote likelihood.”
(4) Replaces “more than inconsequential.”
(5) Because a probability threshold is not explicit in the definition of a significant deficiency, control deficiencies might warrant elevation if they could result in (a) a material error that is not “reasonably possible” to occur at the present time, (b) an error that is not expected to be material at the present time but is at least “reasonably possible” to occur, or (c) a matter that is sensitive (such as fraud, influence payments, etc.).
There is another vitally important reason why the eight decision points we introduce here are so critical:
If management and the external auditor can agree on these eight decisions, it leaves open the one remaining critical decision – the testing of operating effectiveness. This particular decision is the most natural point
of divergence between management and the auditor in their respective evaluations of ICFR. Since management is an insider and the auditor is not, the two parties do not begin at the same point of knowledge when
designing the necessary tests of operating effectiveness.
The key point is this: The difference between management and the auditor in their respective approaches
to testing operating effectiveness will be much smaller if there is convergence on the eight decision points.
A well-documented management assessment maximizes audit cost-effectiveness. The documentation must
include supporting rationale for management’s decisions about the critical risks and key controls. The good
news is that much of this “rationale documentation” is a one-time investment.
We will now discuss each of the eight key decisions.
Decision 1: Select significant financial reporting elements
Under the old approach, management was required to select significant financial reporting elements based
on whether they exceeded a predefined materiality threshold, irrespective of the relative risk. Qualitative
factors were then applied to the financial reporting elements falling below the materiality threshold to
determine whether they also should be included in scope. Therefore, the approach was “quantitative first,
qualitative additive.”
Under a risk-based approach, management should consider, at the same time, both the materiality of the
particular account or disclosure, as well as the susceptibility of the underlying account balances, transactions or other supporting information to a material misstatement. This means that it is no longer appropriate
to consider an account as “high risk” solely on the basis of quantitative factors. The goal is to evaluate
the inherent risk of material misstatement, without considering the effective operation of controls. Risk
factors relevant to the identification of significant accounts and disclosures include, among others:
• Size and composition of the account
• Susceptibility to misstatement due to error or fraud
• Volume of activity, complexity and homogeneity of the transactions processed
• Nature of the account or disclosure
• Complexities in accounting and reporting associated with the account or disclosure
• Exposure to losses in the account, as well as to significant contingent liabilities
• Existence of related-party transactions affecting the account
As we have noted, management needs to document the rationale for the company’s choices when selecting significant financial reporting elements. Accelerated filers have been evaluating this decision for several
years. Now, the key is to adjust their approach so that it considers quantitative and qualitative risk factors
together.
Decision 2: Identify relevant assertions for each significant financial reporting element
Following the selection of priority financial reporting elements, the evaluation team must next identify the
assertions applicable to each element based on the nature of that element. Under AS2, all financial reporting elements were considered to be risk equivalent. However, the application of a truly risk-based approach
opens the door to take an additional step. Going forward, management assesses the risk in not achieving the
assertions by rating the applicable assertions according to the same risk factors applied when selecting the
priority financial reporting elements. In other words, management assesses the same quantitative considerations and qualitative risk factors.
We recommend that management use the same risk factors provided by the SEC to “perfect” the “safe harbor”
for applying the Commission’s interpretive guidance.
Decision 3: Select effectively designed key controls addressing each relevant assertion
The old approach was bottom-up, starting with process-level controls. The new approach is top-down, starting with entity-level controls. This decision is about selecting those controls – and only those controls – that
address the most critical financial reporting assertions, and evaluating the effectiveness of their design. This
is an important decision because it addresses what accelerated filer experience has shown to be the most
significant cost driver of the process – the number of key controls to evaluate and test. If management’s
understanding of the control environment is sufficient and that understanding is documented in reasonable
detail, as required by the SEC, then it is more likely that the application of the top-down approach will result
in selecting the control set that is the most effective in mitigating financial reporting assertion risks.
A deficient understanding of the control environment will lead to a lack of transparency that will likely result
in failure to select a reduced number of controls. With respect to the evaluation of design effectiveness, it is
the reduced number of controls that will reduce cost – not the documentation itself.
There are two key areas of focus for this decision point. First, entity-level controls are the starting point for
selecting key controls. Second, if additional evidence is necessary to provide reasonable assurance that a
financial reporting assertion is met, other necessary controls must be identified and evaluated.
What is particularly new is that there are now three categories of entity-level controls:
1. Controls with an important, but indirect, effect on the likelihood a misstatement will be detected or
prevented – many controls in the control environment fall into this category
2. Controls that monitor the effectiveness of other controls, allowing reduction in controls testing
3. Controls designed to operate at a sufficient level of precision to prevent or detect misstatements
The absence of the first category of entity-level controls – the controls having an indirect effect on significant
financial reporting elements – increases the risk of control failure. The existence of the second and third categories of entity-level controls reduces the scope of testing process-level controls.
With respect to identifying other key controls after entity-level controls are considered, management should
identify the process-level monitoring controls used to manage the important processes affecting financial
reporting and select only those controls that reduce to an acceptable level the risk of a material misstatement to the financial statements.
Decision 4: Decide documentation standards at different levels of risk
Under the old approach, the evaluator started at the process level and worked up. Documentation was tiered,
based on the assessed risk of misstatement. Under the new approach, as defined by the SEC, the evaluator
starts at the entity level and works down. From a practical standpoint, the top-down approach is easier to
apply when there is a fact base that facilitates an understanding of the flow of critical processes affecting
significant financial reporting elements and the interface of such processes with key systems. Large accelerated filers and accelerated filers already have created most of this documentation through past compliance
efforts, giving them the transparency they need to apply the top-down approach. For newly public companies
and nonaccelerated filers, however, this transparency may not exist.
Documentation is driven by the assessed level of ICFR risk, which includes the risk of control failure. The
nature and extent of the documentation providing a sufficient fact base should be a function of the risk and
complexity of the accounts. For some accounts, walkthroughs and discussions with knowledgeable process
owners may be all that is required to understand the likely sources of misstatements and identify the key
controls. The company’s existing process documentation may be adequate to support this exercise. For
example, centralized processes and shared services environments may have more extensive documentation
than decentralized processes. That said, based on our experience, it is not unusual to work with process
owners who need to map their process to position themselves to confidently advise management during the
risk sourcing and controls identification exercises required by a top-down approach.
For newly public companies and nonaccelerated filers to effectively apply the top-down approach, an overall
understanding is needed of the control environment and the flow of major transactions. It is impractical for
scoping decisions to be determined in a vacuum at the entity level for high-to-moderate risk areas at the level of precision envisioned by the SEC’s interpretive guidance. An adequate understanding of the flow of major
transactions and of the control environment at the process level enables management to properly source
the risk of material error or fraud and determine whether the selected key controls are properly designed to
mitigate that risk. To achieve that understanding, management of newly public companies and other first-time adopters can use walkthroughs and discussions with, and involvement of, process owners who are
sufficiently knowledgeable about the processes and systems underlying the critical financial reporting elements. However, if company personnel are not sufficiently knowledgeable of the control environment or lack
a sufficient fact base supporting their input to the top-down approach, then the company must document the
control environment sufficiently to obtain the requisite understanding.
In summary, the top-down approach is easier to apply when there is a fact base that facilitates an understanding of the flow of critical processes affecting the significant financial reporting elements and the
interface of such processes with key systems.
Decision 5: Consider ICFR risk to determine extent of evidence required to evaluate operating
effectiveness of key controls
Under the old approach, all controls were tested, emphasizing coverage and ignoring control failure risk.
Under the new approach, ICFR risk is considered when determining the nature, extent and timing of tests of
controls. ICFR risk includes control failure risk. When making this decision, it is important to do two things:
• Focus on determining whether there is a reasonable possibility of a material weakness.
• Consider the risk of control failure.
These are the two components of ICFR risk. As in the past, management must determine WHAT to test, WHO
does the testing, WHEN to perform testing and HOW testing should be done. What’s new is that these decisions are driven by the assessed level of ICFR risk. The higher the risk, the more persuasive the evidence
needs to be. The lower the risk, the less persuasive the evidence needs to be.
If more persuasive evidence is required, there is a greater need to identify and document robust entity-level
controls, as well as controls at the transaction level, to evaluate with inspection and reperformance tests
by competent and objective parties. If less persuasive evidence is required, management can rely on self-assessment and process owner supervision. Under a top-down approach, the extent of robust entity-level
controls and monitoring plays a strong role in this important assessment.
We recommend that the evaluation of control failure risk be explicit for each key control. For example, factors
that affect the risk of control failure include the following:
• The nature and materiality of misstatements that the control is intended to prevent or detect
• Whether the account has a history of errors
• The effectiveness of entity-level controls, especially controls that monitor other controls
• The complexity of the control, the frequency with which it operates and the degree to which it is
dependent on other controls
• Whether the control is people-based or systems-based
• The competence of the personnel performing the control
• Whether there have been significant changes in personnel, processes or systems, or in the volume or
nature of transactions processed
Based on this assessment, management might differentiate higher risk, normal risk and lower risk of control
failure. The key is to understand the impact of these assessments on testing scope decisions.
With respect to tests of operating effectiveness, management has multiple ways to evaluate controls operating effectiveness, not all of which demand the same level of written evidence as the evaluation of design
effectiveness. Both the reduced number of controls and the nature of evidence gathering to support a conclusion on operational effectiveness have the potential to reduce the cost of testing.
Decision 6: Determine locations and units to include into scope
Simply stated, the old approach was to achieve minimum coverage requirements, irrespective of the relative
risk. The new approach is to consider ICFR risk when evaluating multilocation scoping decisions. This is an
important change. The multilocation decision tree included in AS2 was not retained in AS5. That tree was
focused on coverage. The new focus on the degree of ICFR risk suggests the following:
• Business units or locations that contribute significantly to financial results and company operations are
typically selected in scope if they include critical processes that impact the higher risk financial reporting elements.
• A location or unit that is not individually important from a financial reporting standpoint may present
specific risks that create a reasonable possibility of a material misstatement.
• If management determines that the ICFR risk of the controls at individual locations or business units is
low, management may gather evidence through self-assessment routines or other ongoing monitoring
activities, combined with the evidence derived from a centralized control that monitors the results of
operations at individual locations.
• Entity-level controls also may provide sufficient evidence in certain circumstances. For example, the
SEC states: “Management may determine that financial reporting risks are adequately addressed by
controls which operate centrally.”
While the focus of multilocation scoping is now directed to risk, the question arises as to how much of an
impact this change will have in practice. The audit firms may take a position that the application of an integrated audit may require some level of symmetry between the audit of the financial statements and the audit
of ICFR. The real impact is likely to vary from company to company.
Decision 7: Understand and apply the standards driving auditor’s use of work of others
Under AS2, the auditor used the work of others within the “principal evidence” cap and under certain restrictions. There was confusion over whether rules written for using the work of internal auditors could be applied
to others. Under AS5, the cap and some of the restrictions were removed (e.g., tests of the control environment). The confusion over using the work of others is largely eliminated, as AS5 makes it clear that auditors
may rely on company personnel other than internal auditors, as well as third parties functioning under the
direction of management.
Although this is obviously a determination the auditor will make, management needs to understand the principles and decision rules the auditor intends to apply when making this decision so that management can
appropriately plan the company’s evaluation approach. Therefore, this is an area that warrants dialogue with
the auditor. AS5 requires auditors to consider whether and how to use the work of others. That said, we can
expect auditors to continue to perform work in higher risk areas.
The primary criteria for using the work of others continue to be around competence and objectivity. According
to the PCAOB:
• “Competence” means the attainment and maintenance of a level of understanding and knowledge that
enables personnel to perform ably the assigned tasks.
• “Objectivity” means the ability to perform assigned tasks impartially and with intellectual honesty.
Decision 8: Establish methodology to assess severity of control deficiencies at the conclusion of the
evaluation process
Under the old approach, the so-called Nine Firm Framework was applied with much attention directed to
significant deficiencies. Now, the focus is primarily on identifying material weaknesses. The SEC has changed
the definition of a material weakness and a significant deficiency. The PCAOB agrees with these definitions.
Given these changes, an agreement on how the identified deficiencies will be evaluated is important. It isn’t
enough to say the Nine Firm Framework will be used. Many have raised concerns regarding the excruciating detail
driving the evaluation of deficiencies. Part of the reason was the extensive effort to differentiate between
significant and insignificant deficiencies. That analysis is no longer the focus of the Section 404 compliance
process. Note that the definition of a significant deficiency has been revised to focus only on severity.
Summary of the eight decisions
This concludes our discussion of the eight decision points. How big is the impact likely to be? The answer is,
“It depends.” There is no one-size-fits-all approach. Companies vary in complexity and the extent to which
they have applied a top-down, risk-based approach.
Following is a brief summary:
Key S-O Act Section 404 Decision Points: OLD (Bottom-Up, Focused on Coverage) versus NEW (Top-Down, Risk-Based)

(1) Select significant financial reporting elements
    OLD: Start with quantitative first, then consider qualitative factors as additive
    NEW: Quantitative and qualitative factors are considered together

(2) Identify relevant assertions for each significant financial reporting element
    OLD: Consider all assertions as risk-equivalent
    NEW: Differentiate assertions based on relative risk

(3) Select effectively designed key controls addressing each relevant assertion
    OLD: Begin bottom-up, starting with process-level controls
    NEW: Begin top-down, starting with entity-level controls

(4) Decide documentation standards at different levels of risk
    OLD: Start at process level and work up; documentation is tiered based on the assessed risk of misstatement
    NEW: Start at entity level and work down; documentation is driven by ICFR risk, including the risk of control failure

(5) Consider ICFR risk to determine extent of evidence required to evaluate operating effectiveness
    OLD: Test all controls, emphasizing coverage and ignoring control failure risk
    NEW: When determining tests of controls, consider ICFR risk (which includes control failure risk)

(6) Determine locations and units to include into scope
    OLD: Achieve minimum coverage
    NEW: Base scoping on assessed ICFR risk

(7) Understand and apply the standards driving auditor’s use of work of others
    OLD: Use work of others within cap and restrictions; confusion over rules written for internal auditors
    NEW: Use work of others with cap and some restrictions removed; confusion over using work of others eliminated

(8) Establish methodology to assess severity of control deficiencies
    OLD: Apply Nine Firm Framework with much attention directed to significant deficiencies
    NEW: Focus solely on material weaknesses
To reiterate the premise of this paper, if management and the external auditor can agree on these eight
decisions, life will be easier. We believe that the difference between management and the auditor in their
respective approaches to testing operating effectiveness will be much smaller, if there is convergence on
the eight decisions.
Concluding Comments
There certainly isn’t a cookie-cutter approach to implementing the new rules. Each company situation is
unique. For example, some companies are waiting for advice from the external auditor. While that is certainly
important, these companies need to realize that it is their responsibility, not the auditor’s, to read, understand and apply the new SEC guidance. We suggest that they become educated about the eight decisions we
have outlined herein. Nonaccelerated filers also should focus on the eight decisions, and use them as a basis
for ensuring alignment when the auditor performs an audit of ICFR the following year. Accelerated filers with
just a few locations and many centralized processes, and who believe that they already have implemented
much of the SEC guidance, should focus their efforts on improving the quality of their upstream business
processes. These are just a few examples.
What it all boils down to is that the Section 404 compliance process is a whole new ball game requiring
some reeducation and application of new knowledge and principles. The changes are not difficult to implement and are a good thing because they lead registrants and auditors to a more cost-effective approach to
achieving the objectives of Section 404. Those companies most knowledgeable about their opportunities,
and which have the capabilities to capitalize on them, are best positioned to increase the cost-effectiveness
of their compliance process. A focus on the eight decisions will help them jump-start the process.
About Protiviti
Protiviti (www.protiviti.com) is a leading provider of independent risk consulting and internal audit services.
We provide consulting and advisory services to help clients identify, assess, measure and manage financial,
operational and technology-related risks encountered in their industries, and assist in the implementation
of the processes and controls to enable their continued monitoring. We also offer a full spectrum of internal
audit services to assist management and directors with their internal audit functions, including full outsourcing,
co-sourcing, technology and tool implementation, and quality assessment and readiness reviews.
Protiviti, which has 60 locations in the Americas, Asia-Pacific and Europe, is a wholly owned subsidiary of
Robert Half International Inc. (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member
of the S&P 500 index.
For questions about the topics in this white paper, or to find out more about our services, please contact
your local Protiviti office at 1.888.556.7420.
Protiviti is not licensed or registered as a public accounting firm
and does not issue opinions on financial statements or offer
attestation services.
© 2007 Protiviti Inc. An Equal Opportunity Employer. PRO0807-103014