SOX 302 and 404


Management's Written Representations In an audit of ICOFR, the auditor should obtain written representation from management:

- Acknowledging their responsibility for establishing and maintaining effective ICOFR.
- Stating that management has performed an evaluation and made an assessment of the effectiveness of the company's ICOFR.
- Stating that management did not use the auditor's procedures as part of the basis for their assessment.
- Stating management's conclusion about the effectiveness of the company's ICOFR.
- Stating that management has disclosed all deficiencies in the design and operation of the ICOFR.
- Describing any fraud resulting in a material misstatement to the company's financial statements and any other fraud that involves senior management or other employees who have a significant role in the company's ICOFR.
- Stating whether any control deficiencies that have been communicated to the audit committee in previous engagements have been resolved, specifically identifying those that have not.
- Stating whether there were, subsequent to the date being reported on, any changes in ICOFR or other factors that might significantly affect ICOFR, including any corrective action taken by management with regard to significant deficiencies and material weaknesses.

Section 302: Who Signs Off? Effective Date? What's it About? How Often?

- Who signs off: CEO, CFO
- Effective date: Aug. 29, 2002
- What it's about: Provide reasonable assurance of effective disclosure controls & procedures; disclose all known significant deficiencies, material weaknesses, and all acts of fraud
- How often: Quarterly, Annually

Section 404: Who signs off? Effective date? What's it about? How often?

- Who signs off: Management, independent accountant
- Effective date: Fiscal years 2004+ for accelerated filers, 2005+ for others
- What it's about: Assessment of the effectiveness of ICOFR, including material weaknesses; auditor's attestation on management's assessment; disclosure of changes in ICOFR
- How often: Annual assessment, quarterly review for changes

Section 302 Certification

(1) The certifying officer states they reviewed the report being filed.
(2) Based on the officer's knowledge, the report does not contain any untrue statement of material fact or omission which would make the statements misleading.
(3) The financial statements and other financial information fairly present, in all material respects, the financial condition, results of operations and cash flows of the entity.
(4) Officers are responsible for disclosure controls and procedures and internal control over financial reporting.
(5) Officers have to disclose, based on the most recent evaluation of the entity's internal control over financial reporting, to the entity's independent auditors and audit committee any control deficiencies or fraud.

Section 404 - What is COSO

A framework and evaluation tool for internal control that businesses and other entities can use to evaluate their systems. Originally created by the Committee of Sponsoring Organizations of the Treadway Commission in 1992. Updated in 2013.

Material Weakness

A significant deficiency that, by itself, or in combination with other significant deficiencies, results in reasonable possibility that internal control will not prevent or detect material financial statement misstatements on a timely basis. Material Weakness = Adverse Opinion

Section 404 Management Annual Reporting Requirements

- A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company.
- Management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year.
- A statement identifying the framework used by management to evaluate the effectiveness of the company's internal control over financial reporting.
- A statement that the registered public accounting firm that audited the company's financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting.
Additional requirement: Management must evaluate any change in the company's internal control over financial reporting that occurred during a fiscal quarter that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting.

What is an internal control deficiency?

An internal control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
A deficiency in DESIGN exists when:
- a control necessary to meet the control objective is missing
- an existing control is not properly designed, so that even if the control operates as designed, the control objective is not always met.
A deficiency in OPERATION exists when:
- a properly designed control does not operate as designed
- the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

What is a Significant Deficiency?

An internal control deficiency that adversely affects the company's ability to initiate, record, process or report external financial data reliably in accordance with GAAP. Could be a single deficiency or a combination of deficiencies that is less severe than a material weakness but important enough to merit attention by those responsible for oversight of the company's financial reporting.

A Top-Down Approach

Approach begins at the financial statement level and with the auditor's understanding of the overall risks to internal control over financial reporting. Focus begins at entity-level controls and works down to significant accounts and disclosures and their relevant assertions. This approach directs the auditor's attention to accounts, disclosures, and assertions that present a reasonable possibility of material misstatement to the financial statements and related disclosures. The auditor then verifies his or her understanding of the risks in the company's processes and selects for testing those controls that sufficiently address the assessed risk of misstatement to each relevant assertion. NOTE: the top down approach describes the auditor's sequential thought process in identifying risks and the controls to test, not necessarily the order in which the auditor will perform the auditing procedures

Section 302 Officer Responsibilities

CEO & CFO must be personally involved in the disclosure process: Review all reports, Review specific issues addressed in the reports, Talk with key people who prepared the report, and Review reports with appropriate third parties. NO ONE CAN SIGN ON THEIR BEHALF!!!

Use of Work of Management and Others

CHECK THE SLIDE DECK!!!

Section 302 Disclosure Controls & Procedures

Company's controls and other procedures designed to ensure that information required to be disclosed is recorded, processed, summarized, and reported within the required period of time

Examples of Entity Level Controls (per AS 2201)

Controls related to the control environment. Controls over management override. The company's risk assessment process. Centralized processing and controls, including shared service environments. Controls to monitor results of operations. Controls to monitor other controls, including the activities of the internal audit function, audit committee and self assessment programs. Controls over the period-end reporting process. Policies that address significant business control and risk management practices.

Fraud Considerations

Controls restraining the inappropriate use of company assets. Company's risk assessment processes. Code of ethics/conduct provisions, especially those related to conflicts of interest, related party transactions, illegal acts and the monitoring of the code by management and the Audit Committee or board. Adequacy of the internal audit activity and whether it reports functionally to the Audit Committee. Adequacy of the company's procedures for handling complaints and for accepting confidential submissions of concerns about questionable accounting or auditing matters.

Evaluating Effectiveness of IC DESIGN

Design Effectiveness: Will controls be effective if operated as designed? Are all necessary controls in place?
- Inquiry, observation, inspection, and walkthroughs.
- Specific evaluation of whether the controls are likely to prevent, detect or correct financial misstatements.
- Specifically evaluate the audit committee.
- Use of SOC reports for service organizations.

Entity Level Controls

Entity-level (company-level) controls are controls at the corporate-wide level, or sometimes the business-unit level, that have a pervasive effect on the organization, such as setting the tone from the top and policies and procedures.

Section 302 Designing DC & P - Parameters of Disclosure

Establish parameters of disclosure controls and procedures:
- Which reports are to be covered?
- Which internal controls are to be included?
- Which business units are to be included?
- Who is responsible to perform this process?
- What is materiality?
- How do the business units collect and communicate the information to be disclosed?
- Checklist and timeline

Understanding Management's Assessment

Evaluation should include: Whether management has properly stated its responsibility. Whether the framework used is suitable. Whether management's assessment of the effectiveness of internal control is free of material misstatement. Whether management has expressed its assessment in acceptable form. Whether material weaknesses in internal control have been properly disclosed.

Continuous Reassessment

Evidence obtained throughout the audit may cause us to continually reassess our initial conclusions about the effectiveness of entity level controls.

Section 404 - Audit Process

External auditors will: Evaluate the reliability of the process used by management to assess the entity's internal control. Review and rely on the results of some of the tests performed by management, internal auditors, and others during their assessment. Perform their own tests. SEC rules prohibit certain non-audit services to a client BUT auditors may assist management in documenting internal controls. Management has to be actively involved in the process. They cannot delegate responsibility to the auditor.

Evaluating Identified Deficiencies

If deficiencies have been found, the auditor must evaluate the severity of each control deficiency to determine whether the deficiencies, individually or in combination, are material weaknesses as of the date of management's assessment. The severity of a deficiency depends on:
- Whether there is a reasonable possibility (likelihood) that the company's controls will fail to prevent or detect a misstatement of an account balance or disclosure; and
- The magnitude of the potential misstatement resulting from the deficiency or deficiencies.
The severity of a deficiency does not depend on whether a misstatement actually has occurred but rather on whether there is a reasonable possibility that the company's controls will fail to prevent or detect a misstatement.

The Integrated Audit: Objectives & Design

In an integrated audit of internal control over financial reporting and the financial statements, the auditor should design testing of controls to accomplish the objectives of both audits simultaneously:
- To obtain sufficient evidence to support the auditor's opinion on internal control over financial reporting as of year-end, and
- To obtain sufficient evidence to support the auditor's control risk assessments for purposes of the audit of the financial statements.
AS 2201 (formerly AS 5) is the guidance for the integrated audit.

Required Communications for the Auditor

- In writing to the audit committee: all significant deficiencies and material weaknesses, differentiating between the two.
- To management: all deficiencies in internal control over financial reporting (i.e., those deficiencies in internal control over financial reporting that are of a lesser magnitude than material weaknesses) identified during the audit, and inform the audit committee when such a communication has been made.
- If the auditor concludes that the oversight of the company's external financial reporting and internal control over financial reporting by the company's audit committee is ineffective, the auditor must communicate that conclusion in writing to the board of directors.
- Fraud involving senior management must be communicated to the audit committee.
- Illegal acts, unless the matter is clearly inconsequential, must also be communicated to the audit committee.

Purpose of Internal Control over Financial Reporting

Internal Control Over Financial Reporting is meant to ensure the integrity of the financial statements and guard the assets of the company. If one or more material weaknesses exist, the company's internal control over financial reporting cannot be considered effective.

Section 404 Testing & Evaluating Controls

Internal controls over financial reporting must be evaluated at both the entity and at process levels.

Section 404 - Overview

Issuers are required to publish information in their annual report concerning the scope and adequacy of the ICOFR. This statement should also assess the effectiveness of the internal controls and procedures. The registered accounting firm shall also, in the same report, attest to and report on the assessment of the effectiveness of the internal control structure and procedures for financial reporting.

Section 404 Management Policies on Internal Control over Financial Reporting

- Maintain records, in reasonable detail, that accurately and fairly reflect the purchases and sales of the company's assets;
- Provide reasonable assurance that transactions are properly recorded to prepare financial statements according to GAAP;
- Ensure that receipts and expenditures of the company are authorized by management/directors; and
- Provide reasonable assurance that unauthorized use of company assets that could materially impact the financial statements will be detected in a timely manner.

What are Qualities of the Control Environment?

Management demonstrates character, integrity & ethical values. The company is committed to excellence in all areas. The board of directors and audit committee have a significant influence over the company. Management's philosophy and operating style are consistent with a sound control environment. The organizational structure promotes a sound control environment. Human resource policies and procedures fully support management's vision. Entity level objectives are established, documented and communicated. Management considers the entire organization as well as its extended relationships in its risk assessment process. Management has implemented mechanics to anticipate, identify, and react to change. Management evaluates and mitigates risk appropriately. Accounting principles are properly applied in the preparation of financial statements. Financial reporting and related application and information systems are reliable.

Auditor Understanding

Must understand that controls have ACTUALLY BEEN IMPLEMENTED and are OPERATING AS DESIGNED.
MUST perform walkthroughs for:
- Major classes of transactions
- Routine and unusual transactions
Identify significant accounts and processes. Identify relevant assertions.

Evaluating Effectiveness of IC OPERATION

Operating Effectiveness:
- Evaluation as of the end of the fiscal year. Can test at different times and update.
- Inquiries, inspection of documentation, observation, re-performance.
- May use tests by management, internal audit and 3rd parties.
- Read internal audit reports.

Section 404 Management's Actions

(1) Plan & Scope the Evaluation
(2) Identify Financial Risks
(3) Identify Control Objectives
(4) Document Controls
(5) Test Design & Effectiveness
(6) Identify & Correct Deficiencies
(7) Report on Internal Control
(8) Obtain an Independent Audit of ICOFR

Section 302 - Internal Controls Over Financial Reporting (ICOFR)

Process designed by, or under the supervision of, the company's board and management, to provide reasonable assurance for the reliability of financial reporting and preparation of financial statements for external purposes according to GAAP

Process Level Controls

Process level or activity level controls relate to a particular class of transactions, account balance or financial statement disclosure. Controls in each of these areas will affect a limited portion of the financial statements and will directly affect the nature, timing and extent of substantive auditing procedures for the external auditor.

Section 302 - Overview

Requires the principal executive and financial officers of each reporting company to certify each periodic (annually, quarterly) report filed / submitted to the SEC

Significant Deficiencies/Potential Material Weaknesses

Restatement of previously issued financial statements. Identification by the auditor of a material misstatement in the financial statements. Ineffective oversight by the company's Audit Committee. Ineffective internal audit or risk assessment function, for more complex entities. Ineffective regulatory compliance function for complex entities in highly regulated industries. Identification of fraud of any magnitude on the part of senior management. Significant deficiencies communicated to management and the Audit Committee which remain uncorrected after some reasonable period of time.

Section 302 Reviewing DC & P

Reviewing the disclosure controls and procedures: Are the right people involved and how carefully they review the reports? Do the procedures allow enough time to prepare full and accurate disclosure? How the procedures ensure completeness and accuracy of the reports? How key risk areas are identified and addressed? Where the system might fail and how to address those weaknesses? Has the SEC or others raised concern about the company's disclosure and how the company has addressed these issues?

Choosing Controls to test- Significant Accounts and Disclosures

Risk factors relevant to the identification of significant accounts and disclosures and their relevant assertions include:
- Size and composition of the account.
- Susceptibility to misstatement due to error or fraud.
- Volume of activity, complexity, and homogeneity of the individual transactions processed through the account or reflected in the disclosure.
- Nature of the account or disclosure.
- Accounting and reporting complexities associated with the account or disclosure.
- Exposure to losses in the account.
- Possibility of significant contingent liabilities arising from the activities reflected in the account or disclosure.
- Existence of related party transactions in the account.
- Changes from the prior year in account or disclosure characteristics.

Entity Level Controls (cont'd)

Some entity level controls have an important but indirect effect on the likelihood that a misstatement will be detected or prevented in a timely manner (such as control environment controls). Some entity level controls monitor the effectiveness of other controls. They are usually designed to identify the possible breakdown of other controls but do not have the precision that would, by themselves, sufficiently address the assessed risk of misstatement. Some entity level controls might be designed to operate at a level of precision that would adequately prevent or detect, in a timely manner, misstatements to one or more relevant assertions. In an integrated audit, we MUST test the operating effectiveness of those entity level controls that are important to our conclusion about whether the entity has effective internal control over financial reporting. Entity level controls have a pervasive impact on control activities over accounts and disclosures.

Final Report & Opinion

The auditor may choose to issue a combined report (i.e., one report containing both an opinion on the financial statements and an opinion on internal control over financial reporting) or separate reports on the company's financial statements and on internal control over financial reporting.

Management's Documentation Requirements

The design of controls over relevant assertions related to all significant accounts and disclosures in the financial statements. Enough information about the flow of transactions to identify where material misstatements due to error or fraud could occur. Controls designed to prevent or detect fraud, including who performs the controls and the related segregation of duties. Controls over the period-end financial reporting process & safeguarding of assets. The results of management's testing and evaluation.

Evaluating Management's Process for Assessing Internal Controls

The more extensive and reliable management's process is, the less extensive the auditor's work needs to be.
- Can incorporate the work of internal audit and others; must assess competence and objectivity.
- Limited reliance: can't reduce work on the control environment.
- Auditor MUST perform work related to company-wide anti-fraud programs and controls that have a PERVASIVE effect.
- Auditor must obtain "principal evidence".

Planning the (Integrated) Audit

When planning an integrated audit, the auditor should evaluate whether the following matters are important to the company's financial statements and ICOFR, and if so, how they will affect the auditor's procedures:
- Knowledge about risks related to the company evaluated as part of the auditor's client acceptance and retention evaluation;
- Knowledge of the company's operations, its size and complexity, and its structure and internal control over financial reporting;
- Knowledge of the industry, including practices and regulations;
- Awareness of legal or regulatory matters and control deficiencies previously communicated to the audit committee or management;
- Extent of changes in the company's operations or its internal control over financial reporting;
- Preliminary judgments about materiality, risk, and other factors relating to the determination of material weaknesses and the effectiveness of internal control over financial reporting;
- The type and extent of available evidence related to the effectiveness of the company's internal control over financial reporting;
- Relative complexity of the company's operations.

COSO Internal Control Definition

A process effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding achievement of the objectives in each of the following categories:
- Effectiveness & Efficiency of Operations
- Reliability of Financial Reporting
- Compliance with Applicable Laws and Regulations

Management's Responsibilities

Accept responsibility for the effectiveness of the company's internal control over financial reporting. Evaluate the effectiveness of the company's internal control over financial reporting using suitable control criteria (like COSO). Support its evaluation with sufficient evidence, including documentation. Present a written assessment about the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year. If responsibilities are not fulfilled, the auditor should communicate in writing to the Audit Committee and disclaim an opinion.
