
Coordinate with Independent Auditors

In the document OMB Circular A-123 - MEC (Pages 147-159)

Identifying Significant Control Objectives

3. Coordinate with Independent Auditors

Reach a consensus with the independent auditors regarding key decisions about significant control objectives. For example:

Communicate and reach agreement with the auditors on matters such as:

The process used to identify significant control objectives

The list of control objectives determined to be significant

Appendix 4B

Example Significant Control Objectives

Corporate Culture

Establish a culture and a “tone at the top” that fosters integrity, shared values, and teamwork in pursuit of the entity’s objectives.

Articulate and communicate codes of conduct and other policies regarding acceptable business practice, conflicts of interest, or expected standards of ethical and moral behavior.

Reduce incentives and temptations that can motivate employees to act in a manner that is unethical, opposed to the entity’s objectives, or both.

Reinforce written policies about ethical behavior through action and leadership by example.

Personnel Policies

The entity’s personnel have been provided with the information, resources, and support necessary to carry out their responsibilities effectively.

Identify, articulate, and communicate to entity personnel the information and skills needed to perform their jobs effectively.

Provide entity personnel with the resources needed to perform their jobs effectively.

Supervise and monitor individuals with internal control responsibilities.

Delegate authority and responsibility to appropriate individuals within the organization.

General Computer Controls

The entity’s IT governance structure and policies create an environment in which computer application programs and controls can operate effectively.

Develop, communicate, and plan an overall IT strategy that allows the achievement of entity-wide controls.

Provide the resources and organizational infrastructure necessary to implement the IT strategy.

Identify, acquire, and integrate IT applications and solutions that are necessary for implementing the IT strategy.

Monitor IT processes to ensure their continued effectiveness.

Alignment between Objectives and Organizational and Control Structures

The entity’s business objectives, organizational structure, and internal control structures are linked to and consistent with each other.

Articulate and communicate entity-wide objectives and related business strategies.

Design and periodically review activity-level objectives and resources to ensure they are linked to and consistent with each other and the entity-wide objectives.

Risk Identification

Implement a process that effectively identifies and responds to conditions that can significantly affect the entity’s ability to achieve its objectives.

Develop mechanisms to anticipate, identify, and react to:

Routine events or activities that affect the entity or activity-level objectives.

Unusual, significant events that can have a more dramatic and pervasive effect on the entity.

Antifraud Programs and Controls

Reduce the incidence of fraud.

Create a culture of honesty and high ethics.

Evaluate antifraud processes and controls.

Develop an effective antifraud oversight process.

Top-Level Financial Reporting Processes

Nonroutine, nonsystematic financial reporting adjustments are appropriately identified and approved.

Management is aware of and understands the need for certain financial reporting adjustments.

Information required for decision-making purposes is

Identified, gathered, and communicated.

Relevant and reliable.

Management analyzes the information and responds appropriately.

Management’s response is reviewed and approved.

Selection and application of accounting principles result in financial statements that are “fairly presented.”

Management identifies events and transactions for which accounting policy choices should be made or existing policies reconsidered.

The accounting policies chosen by management have general acceptance and result in a fair presentation of financial statement information.

Information processing and internal control policies and procedures are designed to apply the accounting principles selected appropriately.

System-wide Monitoring

Identify material weaknesses and changes in internal control that require disclosure.

Reach a common understanding of internal control deficiencies and changes that are considered “material” and require disclosure.

Identify material weaknesses in internal control on a timely basis.

Identify material changes in internal control on a timely basis.

Activity-Level Control Objectives

Adequately control the initiation, processing, and disclosure of transactions.

Identify, analyze, and manage risks that may cause material misstatement of the financial statements.

Design and implement an information system to record, process, summarize, and report transactions accurately.

Design and implement control activities, including policies and procedures applied in the processing of transactions that flow through the accounting system in order to prevent or detect material misstatements promptly.

Monitor the design and operating effectiveness of activity-level internal controls to determine whether they are operating as intended and, if not, to take corrective action.

Appendix 4C

Map to the COSO Framework

Chapter 2 described the COSO Internal Control—Integrated Framework as consisting of five separate components. This chapter describes a process for identifying significant control objectives within the overall COSO Framework. The information presented in this chapter does not follow the exact organization of the COSO report but rather has been interpreted and organized in a way that will facilitate the identification of significant controls and their documentation and testing. Exhibit 4.8 links the five components of internal control described in the COSO Framework to the main topics presented in this chapter.

Exhibit 4.8 Internal Control in the COSO Framework

Chapter 4 Reference (columns): Culture; People; Computer Controls; Alignment; Risk Identification; Antifraud; Top-Level Processes; System-wide Monitoring; Activity-Level Controls

COSO Control Components (rows):

Control Environment
Integrity and ethical values: X
Commitment to competence: X
Senior management: X
Management philosophy: X
Organizational structure: X
Assign authority and responsibility: X
Human resources policies and practices: X

Risk Assessment
Objectives and linkage: X
Entity-level risk assessment: X
Activity-level risk assessment
Managing change: X

Control Activities
Computer general controls: X
Computer application controls

Information and Communications
Information
Communication

Monitoring
Ongoing monitoring activities: X X X

Appendix 4D

Map to the Auditing Literature

PCAOB Auditing Standard No. 2 for the independent auditor’s audit of internal control requires the auditor to evaluate management’s process for assessing internal control. The proposed standard also provides management with guidance on the execution and documentation of its evaluation of internal control. Exhibit 4.9 links controls that the independent auditors will probably expect management to test to the main topics presented in this chapter.

Appendix 4E

Working with the Independent Auditors:

Lessons Learned from the Initial Implementation of Sarbanes-Oxley

During the first-year implementation of Sarbanes-Oxley, several firms (or rather, individual Partners at firms) generally refused to look at anything the auditee did until the auditee completed its Sarbanes-Oxley compliance activities and issued an assertion. These auditors took the position that if the client did something (for example, showed the auditors an example of some documentation or a testing plan), and sought the auditors’ advice, then the auditors would be effectively “functioning in the capacity of management”; thus their independence would be impaired.

Even though there was early guidance from PCAOB regarding coordination between the auditee and the independent auditors, it has taken time for auditors and management to reach a common sense approach to collaboration on areas such as permissible sharing of audit documentation and proffering of audit advice. Federal agencies should be able to profit from these early lessons learned by industry, as discussed further in this appendix.

Working with the Independent Auditors

To render an opinion on either the financial statements or the effectiveness of internal control, an entity’s independent auditors are required to maintain their independence, in accordance with applicable SEC rules. These rules are guided by certain underlying principles, which include:

The audit firm must not be in a position where it audits its own work.

The auditor must not act as management or as an employee of the client.

Exhibit 4.9 Auditing Standard Requirements

Columns: Culture; People; Computer Controls; Alignment; Risk Identification; Antifraud; Top-Level Processes; System-wide Monitoring; Activity-Level Controls

Initiation, recording, processing, and reporting of significant accounts and disclosures
Selection of accounting principles: X
Antifraud programs
Controls on which other controls depend: X X X X X X X
Nonroutine and nonsystematic transactions: X
Period-end financial reporting process: X

PCAOB Auditing Standard No. 2 incorporates SEC’s principles and then expands on these principles in important ways. Although maintaining independence is primarily the responsibility of the auditors, several of the independence requirements of the auditing standard impose certain responsibilities on management and the audit committee. These requirements (taken from Auditing Standard No. 2, paragraphs 32 through 35) include:

Preapproval by the audit committee. Each internal control-related service to be provided by the auditor must be preapproved by the audit committee. In its introduction to the standard, PCAOB clarifies that “the audit committee cannot preapprove internal control-related services as a category, but must approve each service.”

For proxy or other disclosure purposes, the entity may designate some auditor services as “audit” or “nonaudit” services. The requirement to preapprove internal control services applies to any internal control-related service, regardless of how it may be designated.

Active involvement of management. Management must be “actively involved” in a “substantive and extensive” way in all internal control services that the auditor provides. Management cannot delegate these responsibilities, nor can it satisfy the requirement to be actively involved by merely accepting responsibility for documentation and testing performed by the auditors.

Independence in fact and appearance. The entity’s audit committee and external auditors must be diligent to ensure that independence, both in fact and appearance, is maintained. As articulated in paragraph 35 of Auditing Standard No. 2:

The test for independence in fact is whether the activities would impede the ability of anyone on the engagement team or in a position to influence the engagement team from exercising objective judgment in the audits of the financial statements or internal control over financial reporting. The test for independence in appearance is whether a reasonable investor, knowing all relevant facts and circumstances, would perceive an auditor as having interests which could jeopardize the exercise of objective and impartial judgments on all issues encompassed within the auditor’s engagement.

Determining How the Auditors May Assist Management

No matter how detailed the independence rules may become, they cannot possibly address every possible interaction between the entity and its auditors. During the initial implementation of Sarbanes-Oxley, many situations arose that called into question whether the auditor could interact with the entity in a particular way and still maintain its independence.

For example, if the entity was unsure of whether its documentation of internal control would be acceptable, could it approach its auditors for advice? If the auditors made recommendations on how to improve the documentation and the entity then incorporated those recommendations, wouldn’t that put the audit firm in the position of auditing its own work when it reviewed that documentation? The form and content of an entity’s documentation of its internal control is the responsibility of management. If the auditor becomes significantly involved in that decision, doesn’t that imply that they are acting in the capacity of management?

In the initial implementation of Sarbanes-Oxley, it became common for auditors to provide as little advice as possible to their clients on internal control matters. Due to concerns over possible violations of the independence rules, auditors chose to largely remove themselves from their clients’ efforts.

As a practical matter, both the SEC and the PCAOB understood that public interest is not well-served if the independent auditors are completely detached from the entity’s efforts to understand and assess its internal control. There must be some sharing of information between the entity and its auditors, and the auditors must be able to provide assistance and advice on some matters.

In June of 2004, the SEC and PCAOB issued guidance in this area. That guidance essentially allows the auditor to provide “limited assistance to management in documenting internal controls and making recommendations for changes to internal controls. However, management has the ultimate responsibility for the assessment, documentation and testing of the entity’s internal control.”

PCAOB provided more extensive guidance on how entity management may solicit advice from and share advice with their auditors on internal control matters.

The guidance was in response to a question directed specifically to an auditor’s review of the entity’s draft financial statements or their providing advice on the adoption of a new accounting principle or emerging issue—services that historically have been considered a routine part of a high quality audit. The PCAOB staff had the following observation, which is taken from “PCAOB’s Staff Questions and Answers Auditing Internal Control Over Financial Reporting June 23, 2004 (Revised July 27, 2004) Answer No. 7.”

The inclusion of this circumstance in Auditing Standard No. 2 as a significant deficiency and a strong indicator of a material weakness emphasizes that a company must have effective internal control over financial reporting on its own. More specifically, the results of auditing procedures cannot be considered when evaluating whether the company’s internal control provides reasonable assurance that the company’s financial statements will be presented fairly in accordance with generally accepted accounting principles. There are a variety of ways that a company can emphasize that it, rather than the auditor, is responsible for the financial statements and that the company has effective controls surrounding the preparation of financial statements.

Modifying the traditional audit process such that the company provides the auditor with only a single draft of the financial statements to audit when the company believes that all its controls over the preparation of the financial statements have fully operated is one way to demonstrate management’s responsibility and to be clear that all the company’s controls have operated. However, this process is not necessarily what was expected to result from the implementation of Auditing Standard No. 2. Such a process might make it difficult for some companies to meet the accelerated filing deadlines for their annual reports. More importantly, such a process, combined with the accelerated filing deadlines, might put the auditor under significant pressure to complete the audit of the financial statements in too short a time period thereby impairing, rather than improving, audit quality. Therefore, some type of information-sharing on a timely basis between management and the auditor is necessary.

A company may share interim drafts of the financial statements with the auditor. The company can minimize the risk that the auditor would determine that his or her involvement in this process might represent a significant deficiency or material weakness through clear communications (either written or oral) with the auditor about the following:

State of completion of the financial statements;

Extent of controls that had operated or not operated at the time; and

Purpose for which the company was giving the draft financial statements to the auditor.

For example, a company might give the auditor draft financial statements to audit that lack two notes required by generally accepted accounting principles. Absent any communication from the company to clearly indicate that the company recognizes that two specific required notes are lacking, the auditor might determine that the lack of those notes constitutes a material misstatement of the financial statements that represents a significant deficiency and is a strong indicator of a material weakness.

On the other hand, if the company makes it clear when it provides the draft financial statements to the auditor that two specific required notes are lacking and that those completed notes will be provided at a later time, the auditor would not consider their omission at that time a material misstatement of the financial statements.

As another example, a company might release a partially completed note to the auditor and make clear that the company’s process for preparing the numerical information included in a related table is complete and, therefore, that the company considers the numerical information to be fairly stated even though the company has not yet completed the text of the note. At the same time, the company might indicate that the auditor should not yet subject the entire note to audit, but only the table. In this case, the auditor would evaluate only the numerical information in the table and the company’s process to complete the table. However, if the auditor identifies a misstatement of the information in the table, he or she should consider that circumstance a misstatement of the financial statements. If the auditor determines that the misstatement is material, a significant deficiency as well as a strong indicator of a material weakness would exist.

This type of analysis, focusing on the company’s responsibility for internal control, may be extended to other types of auditor involvement. For example, many audit firms prepare accounting disclosure checklists to assist both companies and auditors in evaluating whether financial statements include all the required disclosures under GAAP.

Obtaining a blank accounting disclosure checklist from the company’s auditor and independently completing the checklist as part of the procedures to prepare the financial statements is not, by itself, an indication of a weakness in the company’s controls over the period-end financial reporting process. As another example, if the company obtains the blank accounting disclosure checklist from its auditor, requests the auditor to complete the checklist, and the auditor determines that a material required disclosure is missing, that situation would represent a significant deficiency and a strong indicator of a material weakness.

These evaluations, focusing on the company’s responsibility for internal control over financial reporting, will necessarily involve judgment on the part of the auditor. A discussion with management about an emerging accounting issue that the auditor has recently become aware of, or the application of a complex and highly technical accounting pronouncement in the company’s particular circumstances, are all types of timely auditor involvement that should not necessarily be indications of weaknesses in a company’s internal control over financial reporting. However, as described above, clear communication between management and the auditor about the purpose for which the auditor is being involved is important. Although the auditor should not determine that the implications of Auditing Standard No. 2 force the auditor to become so far removed from the financial reporting process on a timely basis that audit quality is impaired, some aspects of the traditional audit process may need to be carefully structured as a result of this increased focus on the effectiveness of the company’s internal control over financial reporting.

Thus, “some type of information-sharing on a timely basis between management and the auditor is necessary.” However, when management seeks the assistance of the entity’s auditors to help with its internal control assessment, it should make it clear that management retains the ultimate responsibility for internal control.

The PCAOB places the burden on management to clearly communicate with the auditors the nature of the advice they are seeking and the purpose for which the auditor is being involved.
