Today’s Opportunity: Using the New SEC and PCAOB Guidance to Make Section 404 Compliance More Cost-Effective
What Companies Need to Do
June 29, 2007

Today’s Agenda
• What’s new?
• What hasn’t changed?
• Eight key decision points
• The new rules of the game

© 2007 Protiviti Inc. This document is for Protiviti’s internal use only and may not be distributed to any third party.

So What’s New?

SEC Guidance to Management – Two Key Principles
On May 23, 2007, the SEC approved Interpretive Guidance, Management’s Report on Internal Control Over Financial Reporting. The guidance directs management in the design and conduct of its assessment of internal control over financial reporting (ICFR).
The guidance is based upon two broad principles:
• Management should evaluate whether it has implemented ICFR that adequately addresses the risk that a material error or misstatement would not be prevented or detected on a timely basis
• Management’s evaluation of ICFR should be based on its assessment of risk, including the risk of control failure

SEC Guidance to Management – Other Actions
The SEC also did the following:
• Adopted amendments to the Exchange Act rules to make it clear that an evaluation complying with the guidance would satisfy Section 404
• Adopted amendments to Regulation S-X to require only a single auditor opinion directly on the effectiveness of ICFR
• Adopted amendments to the Exchange Act rules and Regulation S-X to define the term “material weakness”
• Proposed an amendment to the Exchange Act rules and Regulation S-X to define the term “significant deficiency”
Effective date is June 27, 2007.
SEC Guidance to Management – How the Proposal Changed
Key differences from the SEC’s original December 2006 proposal:
• Aligned the SEC’s guidance and the PCAOB’s AS2 revisions
• Clarified further how entity-level controls can affect management’s evaluation
• Addressed the use of self-assessment and other ongoing monitoring activities
• Increased the focus on the risk of fraudulent reporting and management override
The SEC also decided NOT to extend further the Section 404 compliance deadline for non-accelerated filers
• Therefore, smaller companies should stay on course to comply with the current filing requirement
In summary, there were no significant changes to the guidance, and the SEC achieved its goal of reconciling its guidance with the PCAOB

PCAOB Auditing Standard No. 5 (AS5) – What the Board Did
On May 24, 2007, the PCAOB approved Auditing Standard No. 5, An Audit of ICFR Integrated with an Audit of Financial Statements (AS5)
The PCAOB did the following:
• Focused the audit of ICFR on the most important matters
• Eliminated procedures that are unnecessary to achieve the intended benefits
• Provided guidance on scaling the audit to fit the size and complexity of the company
• Simplified the standard
Effective date is fiscal years ending on or after November 15, 2007
• The auditor may adopt early after the SEC approves AS5
• If the auditor does not adopt early after SEC approval, the AS5 definition of material weakness must still be used

PCAOB Auditing Standard No. 5 (AS5) – How the Proposal Changed
Key differences from the PCAOB’s original AS5 proposal from December 2006:
• Aligned AS5 with the SEC’s interpretive guidance
• Differentiated between management’s process and the auditor’s process
• Reduced the number of prescriptive requirements, thus allowing auditor judgment
• Provided additional guidance on entity-level controls
• Clarified the requirement for walkthroughs
• Integrated the discussion around scaling the audit for company size and complexity
• Broadened the use of the work of others
• Eliminated the requirement for the auditor to opine on management’s process
• Refocused the multi-location scoping process to address the quality of evidence, not quantity (eliminated the “coverage” concept, including the decision tree that was in AS2)
• Increased focus on prevention and detection of fraudulent financial reporting

The Overarching Change Is to Focus the Process on What Matters
[Figure: “Focus on what matters most” – deficiency severity plotted against likelihood]
Severity, from most to least severe:
• Material weakness – Material
• Significant deficiency – Important enough to escalate (1)(4)
• Insignificant deficiency – Not necessary to escalate
Likelihood: Reasonably possible (2)(3)
(1) Less severe than a material weakness, but important enough to merit the attention of those responsible for financial reporting oversight
(2) The likelihood is either “reasonably possible” or “probable”
(3) Replaces “more than a remote likelihood”
(4) Replaces “more than inconsequential”

Some Things Haven’t Changed
CFOs Are Still Not Satisfied with SOX Section 404
78% of CFOs surveyed by the FEI believe the costs of Section 404 compliance have outweighed the benefits, a decline from 85% last year*
* 2007 Financial Executives International Survey

The Goal Has Not Changed: Transparency, Balance and Cost-Effectiveness
The objective is a sustainable, cost-effective and value-added compliance process that is:
– Top-down, not bottom-up
– Risk-based, not inhibited by arbitrary rules leading to unnecessary work

Value Proposition Is Unchanged
Companies are reducing the cost of compliance by 30 to 60%, improving internal controls and improving the quality of key business processes

Protiviti’s SOX Rationalization Methodology Remains Intact
Methodology flow: Apply Risk-Based Scoping → Link Entity-Level Controls → Rationalize Controls to Risk → Scope General IT Controls → Implement Self-Assessment → Evaluate Effect on Test Plan → Leverage Value-Added Opportunities
• The logical flow of our methodology remains unchanged
• Some minor tweaks have been made based on the final guidance
• Executing this methodology has assisted many of our clients in achieving a cost-effective approach to SOX compliance

Eight Key Decision Points
Eight Key Section 404 Decision Points
[Figure: “The Section 404 Compliance Process” – a flow from Start through decision points 1 to 8 to File Internal Control Report; the eight decision points are the ones summarized later in this deck]

Why These Decision Points Are Important
• Agreement between management and auditor on the eight decisions leaves open the most natural point of divergence between them – the testing of operating effectiveness
– Since management is an insider and the auditor is not, the two parties do not begin at the same point of knowledge when designing tests of operating effectiveness
– The demarcation between management and auditor with respect to tests of operating effectiveness will be much less if there is convergence on the eight decision points
• A well-documented management assessment maximizes audit cost-effectiveness and includes supporting rationale for management’s decisions about risk
– Much of this “rationale documentation” is a one-time investment

1. Select Significant Accounts and Disclosures
Select significant accounts and disclosures (financial reporting elements)
• Not all accounts over a materiality threshold are included in scope and handled the same
• Consider both the materiality of the element and the susceptibility of the underlying account balances, transactions or other information to material misstatement
• The goal is the evaluation of the inherent risk of material misstatement, without considering the effective operation of controls
• Management needs a well-documented, repeatable risk assessment (i.e., “rationale documentation”)
Old Approach: Quantitative first, qualitative additive
What’s New: Quantitative and qualitative together

2. Identify Relevant Assertions for Each Element
Identify the financial reporting assertions relevant to each element
After identifying the assertions applicable to each element:
• Rate the applicable assertions according to the same risk factors applied when selecting the priority financial reporting elements
• Use the risk factors provided by the SEC to “perfect” the “safe harbor”
Old Approach: Assertions are risk-equivalent
What’s New: Assertions are differentiated based on relative risk

3. Select Key Controls Addressing Each Assertion
Select the key controls that address the critical assertions, considering the effectiveness of their design
There are two key areas of emphasis driving this decision point:
• Entity-level controls are the starting point – there are three categories:
(1) Important, but with an indirect effect
(2) Monitor the effectiveness of other controls
(3) Designed to operate at a sufficient level of precision
• Rationalization of other controls
– Identify process-level monitoring controls
– Select the other controls that have the greatest impact
Old Approach: Bottom-up, starting with process-level controls
What’s New: Top-down, starting with entity-level controls

4. Decide the Documentation Standards
Decide the documentation standards at different levels of risk
• From a practical standpoint, the top-down approach is easier to apply when there is a sufficient fact base
• Accelerated filers have already created most of the documentation they need to apply the top-down approach
• For newly public companies and non-accelerated filers, an overall understanding of the control environment and the flow of major transactions is needed so that management can properly source the risk of material error or fraud and determine whether the selected key controls are properly designed to mitigate that risk
Old Approach: Start at the process level and work up; tiered documentation requirements based on the assessed risk of misstatement
What’s New: Start at the entity level and work down; documentation driven by ICFR risk, including the risk of control failure

5. Consider Relative ICFR Risk Levels to Drive Evidence
Consider the relative ICFR risk levels when deciding the evidence needed to support operational effectiveness
• The goal is to focus management’s evaluation on those risks that could result in material misstatement
• When determining the evidence required to support a conclusion that controls are operating effectively, consider the risk of control failure
• The level of ICFR risk drives the persuasiveness of the evidence needed
Old Approach: Test all controls, emphasizing coverage and ignoring control failure risk
What’s New: When determining tests of controls, consider ICFR risk (which includes control failure risk)

6. Determine Multi-Location Scopes
Determine the multi-location scoping considerations
• The multi-location decision tree from AS2 was not retained in AS5
• Now the focus is on the degree of ICFR risk
• This decision is going to be unstructured the first year
Old Approach: Achieve minimum coverage
What’s New: Consider ICFR risk

7. Determine Auditor’s Use of the Work of Others
Understand and apply the standards driving the auditor’s use of the work of others
• Dialog with the external auditor to understand how they evaluate the use of the work of others to reduce audit testing
• AS5 requires auditors to consider whether and how to use the work of others
– However, auditors must still perform work in higher-risk areas
• The primary criteria continue to be competence and objectivity
Old Approach: Use the work of others within a cap and restrictions; confusion over rules written for internal auditors
What’s New: No cap and some restrictions removed; confusion over using the work of others eliminated

8. Establish Assessment Methodology
Establish the assessment methodology for evaluating the severity of control deficiencies
• Material weakness is defined differently
• The list of indicators of a material weakness is shortened and no longer represents de facto significant deficiencies
• The definition of significant deficiency is changing
Old Approach: Nine Firm Framework with much attention directed to significant deficiencies
What’s New: Focused primarily on material weaknesses

Summary of Eight Key Section 404 Decision Points
1. Select significant accounts and disclosures (financial reporting elements)
2. Identify the financial reporting assertions relevant to each element
3. Select the key controls that address the critical assertions, considering the effectiveness of their design
4. Decide the documentation standards at different levels of risk
5. Consider the relative ICFR risk levels when deciding the evidence needed to support operational effectiveness
6. Determine the multi-location scoping considerations
7. Understand and apply the standards driving the auditor’s use of the work of others
8. Establish the assessment methodology for evaluating the severity of control deficiencies

The New Rules of the Game

The New SOX Rules
1. Management’s approach is no longer auditor-directed
2. It only matters if it could result in a material weakness!
3. The Section 404 compliance process has been turned upside down
4. Management can achieve a “safe harbor” by following the SEC guidance
5. Think risk throughout the process
6. Entity-level controls are a critical component, not an afterthought
7. Management is an insider, and that makes a difference
8. There is more flexibility in using the work of others

In Closing, We Suggest You…
• Read and understand your guidance from the SEC
• Deploy a robust approach to be sure you’ve applied a top-down, risk-based approach
• Don’t do more than what you have to do to comply with Section 404
• Focus on risk throughout the Section 404 compliance process
• Look at how you manage and monitor your business (“How do you know?”) and give yourself credit
• Strengthen your focus on the risk of fraud
• Channel cost savings into process and control improvements
• Be prepared…
– To challenge the status quo
– To answer questions Audit Committees are asking about the new guidance
– To proactively engage in a dialog with the external auditor
Time is of the essence to impact the 2007 audit cycle

Questions?

At Protiviti, we believe the companies that most effectively understand and manage their risk are the companies that most often succeed. Or as we like to say…