
2014 Internal Auditing Update

2014 Internal Auditing Update. Richard Turpen, Auburn University Montgomery. Contact Information: Richard A. Turpen, Department of Accounting, College of Business, Auburn University Montgomery, P.O. Box 244023, Montgomery, AL 36124, rturpen@aum.edu, 334-244-3496 (Phone)





Presentation Transcript


  1. 2014 Internal Auditing Update Richard Turpen Auburn University Montgomery

  2. Contact Information Richard A. Turpen Department of Accounting College of Business Auburn University Montgomery P.O. Box 244023 Montgomery, AL 36124 rturpen@aum.edu 334-244-3496 Phone 334-244-3792 FAX

  3. Today’s Topics • New frameworks • COSO’s Internal Control • GAO’s “Green Book” • New guidance • IAASB’s ISA 610 • AICPA’s SAS 128

  4. The New COSO Framework

  5. Who? • The Committee of Sponsoring Organizations of the Treadway Commission (COSO): • Organized in 1985 to sponsor the National Commission on Fraudulent Financial Reporting. • Supported jointly by five organizations: • American Accounting Association (AAA) • American Institute of Certified Public Accountants (AICPA) • Financial Executives International (FEI) • The Institute of Internal Auditors (IIA) • Institute of Management Accounting (IMA)

  6. What? • Internal Control—Integrated Framework • Developed in response to corporate frauds and financial scandals of the 1970s. • Issued in 1992, becoming the predominant model for internal control over financial reporting (ICFR) and remaining so for 20 years.

  7. Why? • Internal Control—Integrated Framework (the “New Framework” or the “Framework”) • Accelerated pace of changes in technology • Globalization of markets and operations • Increased complexity of business structures • More dramatic frauds and financial crises • Proliferation of regulations and standards • Greater demands for improved governance • Widespread use of risk-based oversight

  8. Timeframe • Released in spring of 2013 after two and a half years in development. • Issued with an “effective date” of December 15, 2014.

  9. Transition • After this date, an issuer will not be able to take the position that the 1992 framework qualifies under SEC criteria as a “suitable framework” for purposes of complying with Section 404 of Sarbanes-Oxley (SOX). • Companies that continue using the old framework after the transition deadline likely will receive negative comments from the SEC and from their external auditors.

  10. Structure • Executive Summary • Framework • Appendices • Applications guide with illustrative tools • Compendium of approaches and examples applicable to internal control over financial reporting (ICFR)

  11. Overview

  12. What’s still the same? • The core definition of internal control is largely unchanged, and its five components remain. • Organizations will continue to establish relevant objectives relating to operations, reporting, and compliance. • As before, these can be set for the entity as a whole or targeted to specific divisions, functions, or operating units.

  13. What’s new? • The new framework broadens the reporting objective to include all types: • Both financial and non-financial. • Both external and internal. • It also incorporates an enhanced discussion of governance, particularly as it relates to compliance, and considers the increased relevance of technology and anti-fraud measures.

  14. What else is new? • But the most significant change is the explicit articulation of 17 principles that provide the foundation for the five components. • Every principle applies to all three of the objectives. • Supporting each principle are 77 points of focus intended to provide management with design and implementation guidance.

  15. The “big picture” • The goal is to apply a top-down, risk-based approach to determine whether an effective system of internal control exists: • One that provides reasonable assurance that an organization’s objectives are met. • One that reduces to an acceptable level the risk that an organization will not achieve its objectives.

  16. The “big picture,” cont’d. • To do so requires determining that: • Each of the 5 components and 17 principles is “present and functioning.” • All of the 5 components and 17 principles are “operating together” in an integrated manner.

  17. The “big picture,” cont’d. • Thus, there are two determinations: • That each component and principle exhibits: • Effective design and implementation (i.e., is “present”). • Effective operation (i.e., is “functioning”). • That all components and principles collectively reduce the risk of not achieving an objective to an acceptable level (i.e., are “operating together”).

  18. About “operating together” . . . • Evaluating a component (and its principles) requires determining how it is being applied within the overall system of internal control—not whether it is “present and functioning” on its own. • Management can conclude that components are “operating together” when internal control deficiencies aggregated across components do not result in a “major deficiency.”

  19. Major deficiencies • An organization cannot conclude that it has met the requirements for an effective system of internal control if a “major deficiency” exists. • Major deficiencies are internal control deficiencies or combinations of deficiencies that severely reduce the likelihood that the organization can achieve its objectives.

  20. Major deficiencies, cont’d. • Because the framework is intended to be universal across borders and regulations, the “major deficiency” concept should not complicate SOX 404 compliance evaluations—a major deficiency under the new COSO framework will most likely be regarded as a “material weakness” under SOX.

  21. A closer look • As before, the new framework’s first component is the control environment, “the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.” • It then establishes five principles applicable to this component and a total of twenty points of focus.

  22. A closer look, cont’d. • The first principle speaks to an organization’s ethics: “The organization demonstrates a commitment to integrity and ethical values.” • Four points of focus support this principle: • “Sets the ‘Tone at the Top.’” • “Establishes Standards of Conduct.” • “Evaluates Adherence to Standards of Conduct.” • “Addresses Deviations in a Timely Manner.”

  23. A closer look, cont’d. • It is important to emphasize that the components and principles are key. • They are the criteria that management must use to assess internal control. • The points of focus may be helpful in that effort, but they are not evaluated separately and they need not all exist for a related principle to be present and functioning.

  24. A closer look, cont’d. • In addition to determining how to use the points of focus, organizations will probably want to give certain of the new principles greater consideration. • Although the concepts they embody are not new, by establishing them as principles, COSO has raised the bar for determining their functionality.

  25. A closer look, cont’d. • Key “new” internal control principles state that the organization: • Considers the potential for fraud in assessing risks to the achievement of objectives (Risk Assessment, #8). • Selects and develops general control activities over technology to support the achievement of objectives (Control Activities, #11). • Obtains or generates and uses relevant, quality information to support the functioning of internal control (Information and Communication, #13).

  26. A closer look, cont’d. • A primary issue to address early in the transition period is the extent to which controls relevant to these principles are: • Embedded within business processes. • Supported by existing documentation. • Included in the scope of assessment.

  27. Getting going • Though there is no one-size-fits-all approach, most transition plans should include: • Establishing buy-in. • Performing gap analysis. • Implementing a response.

  28. Establishing buy-in • Education and training are key. • Initial discussions should include, minimally, the CAE, CFO, and CAO. • Communication with governance members is vital—it will be important to anticipate the questions and concerns of the audit committee and governing board. • Equally important is to meet with the external auditors early in the process.

  29. Performing gap analysis • The core step in the transition process is mapping either controls to principles or principles to controls to identify gaps. • The direction chosen may depend upon the extent of existing documentation: • Where ample, mapping to the framework may be easier and more efficient. • In addition, mapping controls to principles may help avoid rationalization bias.

  30. Performing gap analysis, cont’d. • Mapping outcomes will vary: • “Worst” case: • Any gaps identified will likely require remediation. • Material weaknesses under new COSO probably represent the same under the former framework. • “Best” case: • Mapping may reveal: • Redundant controls (mapped from same principle). • Unneeded controls (mapped from no principle). • Some controls not previously assessed can now be scoped in.

  31. Performing gap analysis, cont’d. • Certain cautions should be kept in mind during the mapping process: • It must stay focused on the risks that the organization has identified. • It ought to be viewed as an opportunity to take a fresh look at controls. • It should not become just another checklist exercise.

  32. Performing gap analysis, cont’d. • As a further caution, early communication with the external auditors is essential. • Firms registered with the Public Company Accounting Oversight Board (PCAOB) are likely to be more rigorous in their ICFR audits this year as the result of a highly critical report the PCAOB issued last fall.

  33. Performing gap analysis, cont’d. • The report faults auditors for failing to test certain controls sufficiently. • As a result firms are under pressure to go beyond what’s been acceptable in the past. • Key areas of focus will include: • More scrutiny of management review. • More validation of IT-generated data and reports. • More testing of the work performed by internal auditors.

  34. Performing gap analysis, cont’d. • Given the more intensive approach that the auditing firms will bring to bear on this year’s ICFR audits, organizations should make sure to give their external auditors opportunity to comment on the planned gap analysis. • Entities not subject to SOX still should discuss transition to the new framework with their external auditors to understand the firms’ expectations.

  35. Implementing a response • Responses to the gap analysis will require establishing priorities and will be driven in part by regulatory requirements (e.g., SOX). • Most organizations will probably find that they need to shore up documentation. • Many will need to develop and implement new assessment strategies. • Still others may discover that they must plan for remediation.

  36. Final observations • Ideally, publicly held entities have already completed or soon will complete transition. • Other organizations, including those with non-calendar fiscal years, should have their processes well underway.

  37. The Forthcoming “Green Book”

  38. Background • Standards for Internal Control in the Federal Government is the federal government’s equivalent of COSO. • First issued in 1983 and last updated in 1999, these standards are required of federal agencies under the Federal Managers’ Financial Integrity Act (FMFIA).

  39. Background, cont’d. • Known as the “Green Book,” these standards serve as the basis for assessing and reporting on controls in the federal government under Office of Management and Budget (OMB) Circular No. A-123, Management’s Responsibility for Internal Control. • They may also be applied by state, local, and quasi-governmental entities, as well as not-for-profit organizations.

  40. Background, cont’d. • Moreover, under the OMB’s final guidance for federal awards published last December and effective this year, non-federal entities (NFEs) receiving such awards must establish and maintain effective internal control over such awards, in compliance with the Green Book.

  41. Background, cont’d. • The Green Book provides: • A framework for management to follow. • Criteria for auditors to apply. • Thus, it can be used in conjunction with the Yellow Book, Government Auditing Standards (GAGAS) of the Government Accountability Office (GAO); e.g., the cause of an audit “finding” is often an internal control deficiency.

  42. Overview • This past fall the GAO released an Exposure Draft of an updated Green Book; the final version is expected to be released on September 30, 2014. • It will closely mirror the new COSO framework as adapted to governmental entities.

  43. Overview, cont’d. • But given its purpose, the Green Book’s language is less “commercial” than COSO’s. • For example, while COSO makes reference to “board of directors” and “investors,” the Green Book uses “oversight body” and “stakeholders.”

  44. Overview, cont’d. • Nevertheless, the Green Book’s definitions and concepts are substantially the same as those of the new COSO framework. • In addition, at the highest levels, the new Green Book uses the same terminology: • Objectives • Components • Principles

  45. Overview, cont’d. • However, it uses the term “attributes” instead of COSO’s “points of focus” and combines many of the latter.

  46. Requirements • Like COSO, the Green Book defines an effective internal control system as one providing reasonable assurance that the organization will achieve its objectives. • Therefore, to be effective: • Each of the components, principles, and relevant attributes must be effectively designed, implemented, and operating. • The components must operate together in an integrated manner.

  47. Requirements, cont’d. • However, the Green Book notes that there may be situations in which management has determined that a principle or attribute is not relevant in order for the entity to achieve its objectives and address related risks.

  48. Requirements, cont’d. • In such cases, management must document the rationale of how, in the absence of that principle or attribute, the associated component could be designed, implemented, and operated effectively.

  49. Requirements, cont’d. • In addition, the Green Book contains further specific documentation requirements, described in certain of the attributes. • These include, for example, the results of: • Monitoring activities conducted on an ongoing basis. • Separate evaluations performed to identify internal control issues. • Corrective actions taken to remediate internal control deficiencies.

  50. Requirements, cont’d. • These documentation requirements apply to any entity that elects to use the Green Book. • More broadly, management of NFEs that choose to use the Green Book must follow all of its applicable requirements.
