A Practical Guide to Internal Control Testing

Upload: trannhu

Post on 21-May-2018


Page 1: A Practical Guide to Internal Control Testing - cbinet.com · A Practical Guide to Internal Control Testing. 1. ... • Provide written assessment of effectiveness of its internal


Learning Objectives

1. Applicable Laws and Relevant Guidance

2. Management’s Responsibilities

3. Creating a Control Testing Plan

A. Assessing Materiality & FS Risks

B. Testing Design Effectiveness

C. Testing Operating Effectiveness

D. Control Testing Techniques / Control Test Design

E. Sampling

4. Performing Control Testing & Documenting Test Results

5. Assessing Control Exceptions / Deficiencies

6. Wrap Up & Questions

3/22/2017 SOX: Internal Control Testing 2


Applicable Laws & Relevant Guidance

SOX 404: Management’s Assessment of Internal Controls

• For public companies, all annual financial reports must include an Internal Control Report stating:

• Management’s responsibility for maintaining an "adequate" internal control structure.

• Management’s assessment of the effectiveness of the control structure.

• Depending on a company’s filer status/market cap, a registered external auditor must attest to the accuracy of management’s assertion that internal controls are in place, operational and effective:

Filer Status | Market Cap | EGC or Non-EGC | External Auditor Attestation on internal control required?

Non-accelerated filer | Less than $75 million | EGC or non-EGC | No

Accelerated filer | $75 million | Non-EGC | Yes

Accelerated filer | $75 million | EGC | No

Large accelerated filer | $700 million | N/A | Yes

Applicable Laws & Relevant Guidance (cont.)

The JOBS Act

• Created an “IPO on-ramp” providing Emerging Growth Companies (EGC) with a phase-in period to comply with Sarbanes-Oxley.

• Prior to the JOBS Act, any company that went public had up to two years after its IPO to comply with certain Sarbanes-Oxley auditing requirements (upon filing the second 10-K after becoming a public company).

• Extends that period to a maximum of five years, or less if during the on-ramp period a company achieves $1 billion in gross revenue, $700 million in public float, or issues more than $1 billion in non-convertible debt in the previous three years.

• Companies that meet the exemption criteria will not be required to have an audit opinion on their internal controls for up to a five year period from the date of their IPO.

• The JOBS Act does not limit management’s requirement to maintain and attest to the company’s internal control environment.

• A registrant that loses EGC status would be required to file its annual report for that year as a non-EGC.

Applicable Laws & Relevant Guidance (cont.)

International Standards for the Professional Practice of Internal Auditing

• Companies that trade on the NYSE must have an Internal Audit function.

• An Internal Audit Charter should be in place to govern Internal Audit activities.

• Generally, IIA’s Standards are used to guide the Internal Audit function.

• Includes “Attribute Standards” and “Performance Standards”.

• Attribute Standards include topics such as: Responsibilities, Ethics, Proficiency, Due Professional Care, Quality Assurance & Improvement.

• Performance Standards include topics such as Managing Internal Audit Activities, Engagement Planning, Performing the Engagement and Communicating Results.

Applicable Laws & Relevant Guidance (cont.)

• PCAOB Guidance including:

• AS-5: An Audit of Internal Control Over Financial Reporting that is Integrated with an Audit of Financial Statements

• Staff Audit Practice Alert No. 11 – Considerations for Audits of Internal Control Over Financial Reporting

• PCAOB news releases/publications (pcaobus.org)

• Firm Inspection Reports

• Audit Firm Publications

• Each firm has its own guidance with regards to Management’s Assessment of Internal Controls.

Management’s Responsibilities


• Accept responsibility for the effectiveness of internal control.

• Evaluate the design and operating effectiveness of its internal control using a suitable, recognized control framework (covered in this training).

• Support its evaluation with sufficient evidence, including documentation and testing of controls (covered in this training).

• Provide written assessment of effectiveness of its internal control over financial reporting as of fiscal year-end.


Creating a Control Testing Plan

Overview

• Assessing materiality and financial statement risks of material misstatement

• Testing design effectiveness

• Testing operating effectiveness

• Identifying controls to test

• Selecting a testing strategy

• Designing testing procedures

Creating a Control Testing Plan (cont.)

Assessing Financial Risks of Material Misstatement

• To perform this assessment, management considers the vulnerability of one or more financial statement assertions to the risks of material misstatement, whether due to error or fraud.

• Typically, it is an exercise that assigns risk levels (high, medium, low) to a number of risks (financial statement assertions, fraud, other) at the account level.

• Risk assignment will help determine the type and extent of control testing warranted.


Creating a Control Testing Plan (cont.)

Testing Design Effectiveness

• Testing design effectiveness requires obtaining an understanding of the company’s material and significant business processes and internal control environment.

• Questions to answer when testing design effectiveness:

• Do the Company’s controls satisfy their control objectives?

• Can the Company’s controls effectively prevent or detect errors or fraud that could result in a material misstatement in the financial statements?

• This information can best be obtained through discussions with the process owners, the review of business process narratives, control matrices, flow charts, prior year control testing documentation and the performance of process walkthroughs.


Creating a Control Testing Plan (cont.)

Testing Design Effectiveness (cont.)

• The PCAOB has described the following key factors in understanding the processes and controls that are relevant to financial reporting:

• The classes of transactions in the company's operations that are significant to the financial statements;

• The procedures, within both automated and manual systems, by which those transactions are initiated, authorized, processed, recorded and reported;

• The related accounting records, supporting information, and specific accounts in the financial statements that are used to initiate, authorize, process and record transactions;

• How the information system captures events and conditions, other than transactions, that are significant to the financial statements;

• The period-end financial reporting process.


Creating a Control Testing Plan (cont.)

Testing Operating Effectiveness

• PCAOB AS-5: “The auditor should test the operating effectiveness of a control by determining whether the control is operating as designed and whether the person performing the control possesses the necessary authority and competence to perform the control effectively.”

• Testing operating effectiveness involves:

1. Identifying controls to test.

2. Selecting a testing strategy.

3. Designing testing procedures, determining the number of items to test and the period that testing should cover.

4. Performing control tests and evaluating the impact of any deviations found.


Creating a Control Testing Plan (cont.)

Testing Operating Effectiveness (cont.)

1. Identifying controls to test.

• All significant (normally identified as “key”) controls over financial reporting need to be tested.

• Control testing should be performed throughout the year so that management can:

1. Identify and address control deficiencies in real-time.

2. Have sufficient evidence to evaluate the operating effectiveness of those controls as of year-end.


Creating a Control Testing Plan (cont.)

Testing Operating Effectiveness (cont.)

2. Understanding different testing techniques

[Figure: testing techniques ranked by the evidence they provide, from most to least]

Inquiry alone does not provide sufficient evidence to support a conclusion about the effectiveness of a control.

Creating a Control Testing Plan (cont.)


Testing Operating Effectiveness (cont.)

Inquiry consists of:

• Seeking information of knowledgeable people.

• Discussions with control operators to develop an understanding of the procedures performed as part of the control.

Inquiry must be combined with another testing technique.


Creating a Control Testing Plan (cont.)

Testing Operating Effectiveness (cont.)

Observation:

• Consists of viewing or experiencing a process being performed by others

• Less common during testing, however, may occur with certain system reports to verify Information Produced by Entity (IPE), or other automated IT controls


Creating a Control Testing Plan (cont.)

Testing Operating Effectiveness (cont.)

Inspection:

• Examination of information, data or documentation provided by the process owner.

• Includes control walkthroughs.

• Generally appropriate for approval controls such as:

• Granting access

• Approving payments

• Review of checklists (disclosure, non-routine JEs, related parties)

• Review of reconciliations

Creating a Control Testing Plan (cont.)

Testing Operating Effectiveness (cont.)

Inspection:

• Only effective if the control support contains the proper documentation including evidence of review.

• Example: Internal Audit obtained system evidence (screenshots) for each of the sampled new hires and inspected the system documentation to ensure that each new hire’s employee profile was reviewed and approved by a member of HR and Finance.


Creating a Control Testing Plan (cont.)

Testing Operating Effectiveness (cont.)

Reperformance:

• Independent execution of procedures that were originally performed as part of management’s internal controls.

• Important to remember: the mere absence of errors does not provide evidence that the control activity has historically been performed effectively.


Creating a Control Testing Plan (cont.)

Designing Testing Procedures

• Determining which testing technique to use; considerations include:

a) Susceptibility of the control to change

b) Frequency and extent of the control

c) Initial view of the likelihood of control weakness

d) Significance of the control to the control environment and how much reliance is being placed on it


Creating a Control Testing Plan (cont.)

Designing Testing Procedures

• Testing procedures should be designed at the individual control level to address the control objective. The result should be a set of procedures that are tailored to the specific control that they are designed to assess.

• Each procedure performed by the control owner should be addressed.

• The extent of control testing documentation should be considered.

*Technical accounting knowledge should be applied.


Creating a Control Testing Plan (cont.)

Designing Testing Procedures – Sampling

• Sampling is the application of auditing procedures to a representative group of less than 100% of the items within a population.

• There are three steps to follow:

1. Determine the control test objective, population, sampling unit and sample size.

2. Establish the accuracy, completeness and validity of the population.

3. Select the sample for testing.


Creating a Control Testing Plan (cont.)

Designing Testing Procedures – Sampling

Step 1: Determine the control test objective, population, sampling unit and sample size.

There are different sample size considerations for manual controls vs. automated controls.

• Automated Controls:

• If IT General Controls have been tested and found to be effective, it may be sufficient to only test one operation of the Automated Control.

• Examples include:

• System error messages

• Automated workflow controls

• System preventative controls


Creating a Control Testing Plan (cont.)

Designing Testing Procedures – Sampling

Step 1 (cont.):

• Manual Controls:

• When selecting a sample size, it is important to consider:

a. The frequency of the control and population size.

b. Level of evidence that is judged to be necessary.

c. Requirements for auditor reliance.


Creating a Control Testing Plan (cont.)

Designing Testing Procedures – Sampling

Step 2: Establish the accuracy, completeness and validity of the population.

• Common mistake - lack of verification over sampling population, including insufficient documentation of that verification.

• Internal control auditors should:

a) Consider the source of the data.

b) Document completeness and accuracy.


Creating a Control Testing Plan (cont.)

Designing Testing Procedures – Sampling

Step 2 (cont.):

For the most part, population listings come from the following sources:

• IPE (Information Produced by Entity): reports and data from internal systems or manually prepared listings.

• These listings will need to be evaluated separately by the internal audit team.

• Third Party Source Documents: reports and data from third party systems (ADP, Fidelity, etc.).

• First, the internal auditor will need to establish that the related SOC report has been appropriately assessed by the company, including the user considerations.

• Once management’s assessment of the SOC report has been addressed, these populations can be established through a combination of observing the report running and other completeness/accuracy checks (such as tie-outs to the general ledger, full/false testing, spot checking individual line items, etc.).


Creating a Control Testing Plan (cont.)

Designing Testing Procedures – Sampling

Step 3: Select the sample for testing.

• According to SAS 112 from the AICPA: “The auditor should select items for the sample in such a way that the auditor can reasonably expect the sample to be representative of the relevant population and likely to provide the auditor with a reasonable basis for conclusions about the population.”

• Two ways to perform population sampling: Statistical and Non-Statistical.

• Statistical sampling is an approach to sampling that has the following characteristics:

• Random selection of the sample items.

• An appropriate statistical technique to evaluate sample results, including measurement of sampling risk.

• It is commonly used when assessing homogenous populations that do not include specific instances with higher risk than others.

• Example: A population of system access approvals for new hires.


Creating a Control Testing Plan (cont.)

Designing Testing Procedures – Sampling

Step 3 (cont.):

• Non-statistical sampling methods are those that do not have the characteristics of statistical sampling.

• Non-statistical sampling is commonly used when assessing heterogeneous populations that include specific high-value or high-risk instances.

• Example: A population of customer refunds to be tested for appropriate approval where a few large refunds make up the majority of the population.

• Example: A population of twelve monthly fixed asset reconciliations where significant write-off activity occurred in two of the twelve months.

• A mix of statistical / non-statistical sampling methods can also be used at the judgment of the sampler.

• Example: A selection including: one monthly investment impairment review in a month where an impairment was booked and three haphazardly selected investment impairment reviews.


Performing Control Testing & Documenting Test Results


Performing Control Testing & Documenting Results

Documenting Testing Results

• Testing documentation must contain sufficient information to enable an experienced auditor, having no previous connection with the engagement, to:

1. Understand the nature, timing, extent and results of the procedures performed, evidence obtained, and conclusions reached.

2. Determine who performed the work and the date such work was completed, as well as the person who reviewed the work and the date of such review.

• Ex. What specifically did the reviewer do to review the control?

• Was the review done timely?

3. Understand the linkage between conclusions and facts.


Performing Control Testing & Documenting Results (cont.)

Specific Considerations for Information Produced by Entity (IPE)

As discussed throughout this training, there are two different situations where IPEs need to be considered when performing tests of controls.

1. When the control owner uses an IPE or multiple IPEs as part of completing their control procedures.

• Example: As part of an allowance for bad debt assessment, the control owner utilizes an A/R aging schedule exported from the ERP system.

2. When the control auditor needs to use IPE to represent a population of control instances for sampling/testing.

• Example: To make a selection of new hires, Internal Audit acquired the New Hire Listing from the HR Department.

When IPEs are identified as part of control testing in these two situations, auditors and management must take the appropriate steps to validate the data before reviewing the control, or making selections from the report.


Performing Control Testing & Documenting Results (cont.)

Specific Considerations for Information Produced by Entity (IPE) (cont.)

• To properly validate any IPEs perform the following:

1. Identify what system the report is generated from

2. Assess whether the company tests ITGC’s over the system

3. Validate parameters (Ex., dates) that are entered to run the report

4. Assess whether the report can be edited after download (if so, refer to Step #5 for incremental procedures to be performed)

5. If the report is not generated from a system with ITGC coverage, is manually created, or can be edited after download, then consider performing the following:

a) Verify that totals agree to the general ledger or other validated reports/sources

b) Perform checks on certain attributes including mathematical accuracy

c) Review formulas and look for hidden tabs and columns

d) Retain screenshots from the system showing that totals tie to the report

• Documentation of all validation procedures performed should be retained with the control testing documentation.
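The validation steps above, as an added example that is not part of the training deck: a Python check that applies steps 3 to 5 to a constructed A/R aging export (the CSV columns, the run parameters, the ITGC status and the GL control total are all assumed for the example) and records the procedures performed so the record can be retained with the testing documentation.

```python
import csv
import io
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed sample export (not real data): A/R aging by customer.
SAMPLE_AGING_CSV = """\
customer,current,1_30,31_60,61_90,over_90,balance
ACME Corp,1200.00,300.00,0.00,0.00,0.00,1500.00
Beta LLC,0.00,0.00,450.50,0.00,0.00,450.50
Gamma Inc,2500.00,0.00,0.00,0.00,100.00,2600.00
Delta Co,10.00,10.00,10.00,10.00,10.00,60.00
"""
# Constructed run parameters captured from the report header / screenshot.
SAMPLE_PARAMS = {"system": "ERP", "as_of": "2017-12-31", "editable_export": True}
# Constructed general ledger A/R control total for the same as-of date.
SAMPLE_GL_AR_TOTAL = Decimal("4610.50")

BUCKETS = ("current", "1_30", "31_60", "61_90", "over_90")


@dataclass
class IpeValidation:
    """Record retained with the control testing documentation."""
    system: str
    incremental_required: bool
    gl_total: Decimal
    report_total: Decimal = Decimal("0")
    row_math_exceptions: list = field(default_factory=list)
    procedures: list = field(default_factory=list)

    @property
    def ties_to_gl(self) -> bool:
        return self.report_total == self.gl_total

    @property
    def passed(self) -> bool:
        return self.ties_to_gl and not self.row_math_exceptions


def validate_aging_ipe(csv_text, params, expected_as_of, itgc_tested, gl_total):
    """Apply the deck's IPE steps to one A/R aging export.

    Steps 1-2: the source system and whether ITGCs over it are tested (inputs).
    Step 3:    the as-of parameter must match the period under test.
    Step 4:    an editable export triggers the step 5 incremental procedures.
    Step 5a/b: tie the report total to the GL and check each row's arithmetic.
    """
    # Step 3: refuse to test against a report run for the wrong period.
    if params["as_of"] != expected_as_of:
        raise ValueError(f"report run as of {params['as_of']}, expected {expected_as_of}")

    # Steps 2 and 4: reliance on ITGCs alone is acceptable only when ITGCs are
    # tested and the export cannot be edited; otherwise step 5 work is required.
    incremental = (not itgc_tested) or params["editable_export"]
    result = IpeValidation(system=params["system"], incremental_required=incremental,
                           gl_total=gl_total)
    result.procedures.append(f"validated as-of parameter = {expected_as_of}")
    result.procedures.append(
        "ITGCs tested over %s: %s; editable export: %s; incremental procedures %s"
        % (params["system"], itgc_tested, params["editable_export"],
           "required" if incremental else "not required (performed anyway)"))

    # Step 5b: mathematical accuracy of every row (buckets must sum to balance).
    for row in csv.DictReader(io.StringIO(csv_text)):
        bucket_sum = sum(Decimal(row[b]) for b in BUCKETS)
        balance = Decimal(row["balance"])
        if bucket_sum != balance:
            result.row_math_exceptions.append(
                (row["customer"], str(bucket_sum), str(balance)))
        result.report_total += balance

    # Step 5a: tie the report total to the general ledger control total.
    result.procedures.append(
        f"report total {result.report_total} vs GL {gl_total}: "
        + ("ties" if result.ties_to_gl else "DOES NOT TIE"))
    if result.row_math_exceptions:
        result.procedures.append(
            f"{len(result.row_math_exceptions)} row(s) with arithmetic exceptions")
    return result


if __name__ == "__main__":
    v = validate_aging_ipe(SAMPLE_AGING_CSV, SAMPLE_PARAMS, "2017-12-31",
                           True, SAMPLE_GL_AR_TOTAL)
    for line in v.procedures:
        print(line)
    print("IPE validated:", v.passed)
```

With the constructed data the total ties to the GL but one row's buckets do not sum to its balance, so the IPE is not accepted until that row is explained.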


Performing Control Testing & Documenting Results (cont.)

Specific Considerations for Management Review Controls

• PCAOB has issued a number of reports and findings to Big 4 audit firms for inadequate documentation of management review controls.

• Management review controls require judgment which is generally based on a person’s experience, history and knowledge of the company. Testing procedures around these controls also require judgment and knowledge of the company.

• When testing these controls, we need to have a complete understanding of the following:

I. Level of precision and thresholds: What steps were performed to identify and investigate significant differences? A review process that is not formally defined or documented is most likely not being executed accurately or consistently.

II. What conclusions were reached in the reviewer's investigation, including whether potential misstatements were appropriately investigated and whether corrective actions were taken as needed.


Performing Control Testing & Documenting Results (cont.)

Specific Considerations for Management Review Controls (cont.)

Typical Description:

The CFO reviews the impairment analysis for appropriateness. Monthly, the Controller prepares an undiscounted cash flow analysis, which is then reviewed and approved by the CFO. The CFO reviews the various schedules and signs off on the control package.

• What are the problems with this control description?

• Insufficient control description (does not describe what the CFO does to review), unnecessary process description.

• Inconsistent references to the inputs (impairment analysis, discounted cash flow analysis, schedules, control package).

• Lack of cross-references to where the information used in the control has been appropriately addressed.


Performing Control Testing & Documenting Results (cont.)

Specific Considerations for Management Review Controls (cont.)

Improved description:

Control Inputs: Undiscounted Cash Flow Analysis (UCFA), including supporting schedules; specific monthly review activities of the CFO:

(1) Discusses the current and forecasted business environment with the CEO, the COO, and the Vice President of Operations;

(2) Reviews each of the assumptions and support within the UCFA with a particular focus on the weighting assigned to each outcome;

(3) Challenges any assumptions or weights that may have a significant impact on the conclusion. Any questions are sent to the Controller to be addressed and resolved to the satisfaction of the CFO, at which point the CFO signs off on the UCFA.

• Example of how to complete a test script matrix.


Performing Control Testing & Documenting Results (cont.)

Specific Considerations for SOC Report Review (Service Organization Controls)

• Definition: a SOC 1 Report is a report on controls at a service organization relevant to a company’s internal control over financial reporting. There are two types of SOC 1 reports:

• Type 1: Report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives.

• Type 2: Report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives.


Performing Control Testing & Documenting Results (cont.)

Specific Considerations for SOC Report Review (Service Organization Controls) (cont.)

Determining in-scope service organizations

• On a periodic basis, review all service organizations and the in-scope service organizations for which the company obtains a SOC 1 report. Use input from management and knowledge of the Company to ensure that all significant service relationships are identified.

• If there will be changes in service organizations during the year, consider timing of change in conjunction with the year-end audit.

• Are there new processes or outsourcing which will cause the company to use a new service organization? Address user controls upon implementation rather than waiting until year end.


Performing Control Testing & Documenting Results (cont.)

Specific Considerations for SOC Report Review (Service Organization Controls) (cont.)

Timing of SOC 1 Reports

• Important to consider the need for bridge letters in advance to avoid a scramble at year-end.

• Period of coverage of SOC 1 reports is not standard and generally varies by organization.

• Example: A company has a March 31st year-end, but the issued SOC 1 report covers the period through September 30th, leaving a 6 month gap period. Management should request a bridge letter for this period.

• Alternative procedures need to be performed if the gap period > 9 months.

Performing Control Testing & Documenting Results (cont.)

Specific Considerations for SOC Report Review (Service Organization Controls) (cont.)

Reviewing and Documenting a SOC Report Review

• Consideration of SSAE No. 18, Attestation Standards: Clarification and Recodification, effective for reports dated on or after May 1, 2017.

• SOC Report Auditor Opinion

• Determine whether the opinion is unqualified (clean) or qualified. If a qualified opinion exists, you will need to understand the cause and its impact on the company.

• Review the sub-service organizations utilized by the service organization and whether they have been carved out of the scope of the report.

• Obtain and review SOC reports for sub-service organizations that play a critical part in supporting a service organization’s control objectives.

Performing Control Testing & Documenting Results (cont.)

Specific Considerations for SOC Report Review (Service Organization Controls) (cont.)

Reviewing and Documenting a SOC Report Review

• User Control Considerations

• Controls the Service Organization has carved out of its report and has identified as being the responsibility of the company.

• A matrix that clearly shows each user consideration matched with the company’s procedures and controls should be documented as part of the SOC Report Review.

• Control Exceptions Identified

• Documentation should include a response and a conclusion as to the impact of the control exception, as well as any mitigating controls in place at the company.


Assessing Control Exceptions / Deficiencies

Auditing Standard 5 provides the following deficiency definitions:

A deficiency in internal control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

a. A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met.

b. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.


Assessing Control Exceptions / Deficiencies (cont.)

Auditing Standard 5 definitions continued:

A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.

Indicators of a material weakness include all of the following:

• Identification of fraud, whether or not material, on the part of senior management

• Restatement of previously issued financial statements to reflect the correction of a material misstatement

• Identification by the auditor of a material misstatement of financial statements in the current period in circumstances that indicate that the misstatement would not have been detected by the company's internal control over financial reporting; and

• Ineffective oversight of the company's external financial reporting and internal control over financial reporting by the company's Audit Committee.


Assessing Control Exceptions / Deficiencies (cont.)

Deficiencies may be uncovered within the design of the control or the operation of the control.

• Design deficiencies are generally identified in the walkthrough phase of testing. Examples include: missing controls, lack of identification of key controls, an inappropriate control reviewer, a control test that does not fully mitigate the intended control risk, or a control that is not designed at a high level of precision.

• Control operating deficiencies are identified during testing of the operating effectiveness. Examples include: control activity not performed timely, failure to perform a control, or lack of sufficient review.


Assessing Control Exceptions / Deficiencies (cont.)

• All deficiencies require a response and assessment from Management

• We should determine the root cause and significance of each internal control deficiency identified. Start by analyzing the particular circumstances and reasons for the deficiency. Document the details of the individual control deficiencies within our testing work papers.

• Significant judgment, review and consideration needs to be applied to determine whether a significant deficiency or material weakness has been identified.

• Significant deficiencies are identified, reviewed and reported to the audit committee while material weaknesses are required to be disclosed in the company’s annual financial statements.


Assessing Control Exceptions / Deficiencies (cont.)

• When evaluating the severity of a control deficiency management should consider the following for inclusion in the company’s documentation:

Control deficiency template (one column per exception, e.g., Exception 1, Exception 2):

• Business Unit / Location

• Control Type (IT or FC)

• Deficiency Type (Design or Operating)

• Control Description

• Description of deficiency: describe the identified deficiency (if an operating deficiency, also describe the nature and frequency of control deviations)

• Indicate who identified the deficiency and how it was identified (e.g., management through its assessment process, internal auditors through the monitoring process, the external auditor)

• Exists at period-end

• Compensating Controls: indicate the effectiveness of compensating controls. Consider whether the compensating controls operate at a level of precision that would prevent or detect a misstatement that could be material.

• Qualitative Factors: indicate whether there is a reasonable possibility that the company's controls will fail to prevent or detect a misstatement of the account balance or disclosure


Assessing Control Exceptions / Deficiencies (cont.)

• Control deficiency template (cont.)

Control deficiency template (one column per exception, e.g., Exception 1, Exception 2):

• Indicate the magnitude of the misstatement that might result from the deficiency. Include the following: 1) the financial statement amounts or total of transactions exposed to the deficiency, and 2) the volume of activity in the account balance or class of transactions exposed to the deficiency that has occurred in the current period or that is expected in future periods (indicate both $ amount and volume of activity)

• Indicate whether the significant account/disclosure and relevant assertion are susceptible to loss or fraud, or involve a significant amount of subjectivity, complexity, or judgment in determining the amounts

• Important enough to merit the attention of those responsible for oversight of the Company's financial reporting?

• Would this deficiency prevent a prudent official from concluding that transactions are processed as necessary to ensure financial statements are prepared in conformity with GAAP (per AS-5 Par. 70)?

• Conclusion on individual deficiency: (D, SD, MW)

• Are there other deficiencies affecting the same accounts or disclosures and relevant assertions?

• Aggregated Result


Assessing Control Exceptions / Deficiencies (cont.)

Remediation plans:

• A remediation plan does not impact the assessment of a significant deficiency or a material weakness.

• It may be manual in nature (such as implementing a policy, review control etc.) or system related (such as system modification, reporting, etc.).

• Companies may need help with developing and implementing an appropriate remediation plan, as well as performing the necessary remediation testing once the plan has been executed.


Questions? Comments?
