Objective In light of the Sarbanes-Oxley Act, revisit the existing audit guidance on auditing of internal controls to ensure appropriate performance and reporting guidance are available to the practitioners.
Internal Control Reporting Task Force Project Timeline and Current Status February 11 - 13, 2003 –Met with Auditing Standards Board to review draft of proposed guidance. –Board approved for exposure. Early to mid-March 2003 –Release exposure draft for public comment (45-60 day exposure period).
Internal Control Reporting Task Force Project Timeline and Current Status June 3 - 4, 2003 –Meet with Auditing Standards Board to review comments received and recommended changes. July 29 - 31, 2003 –Review final draft with Auditing Standards Board and receive approval for issuance. August 2003 –Issue final guidance.
Internal Control Reporting Task Force Hurdles Public Company Accounting Oversight Board (PCAOB) –Sarbanes-Oxley Act established the PCAOB as the authoritative body to establish auditing standards. Proposed Section 404 guidance has not been issued in final form.
Internal Control Reporting Task Force Assumptions Made in Writing Standards Managements and auditors reports will include the same objectives (Sarbanes-Oxley Act 103 aa and bb). Criteria used by management and the auditor to assess the effectiveness of internal controls over financial reporting will be based on criteria established under due process (i.e., COSO report). The existence of a material weakness in internal control would preclude both management and the auditor from concluding the controls are effective. Managements report on internal controls will disclose all significant deficiencies and material weakness.
Internal Control Reporting Task Force Committee Deliverables New Statement on Auditing Standards Auditing an entitys internal control over financial reporting in conjunction with the financial statement audit Revise Standard for Attestation Engagement (AT 501) Reporting on an entitys internal control over financial reporting Revise Statement on Auditing Standards (SAS 60) Communication of Internal Controls related Matters Noted on an Audit
Internal Control Reporting Task Force Requirements of the Preparer Community Adequate documentation of the design of controls –Inadequate documentation may result in: Significant deficiency Material weakness Scope limitation Sufficient evidence to support managements assertion of effectiveness –Insufficient evidence constitutes a material weakness and results in a report qualification.
Internal Control Reporting Task Force Testing Considerations Nature of Testing Different types of testing – inquiry, observation, re- performance and a combination thereof –Inquiry alone is not adequate. Rotation of Testing All significant locations and all significant controls must be evaluated annually –Specific controls to be tested; and the nature, timing and extent may vary from year to year. –However, some testing would be performed on significant controls each year.
Internal Control Reporting Task Force Testing Considerations Multiple Locations It may not be necessary to understand and test controls at each location –As long as those that are excluded are not capable of being material in the aggregate Need to consider –Similarity of business operations and controls –Degree of centralization of records (Share Services) –Effectiveness of the control environment over the exercise of authority delegated to locations –Nature and amount of transactions and assets at the location –The degree the location could create an obligation on the part of the entity –The nature and extent of monitoring controls that management has in place over the location
Internal Control Reporting Task Force Use of Internal Audits Work by the External Auditor Where management uses internal audits work as a basis for its conclusion about effectiveness –The external auditor should not rely solely on the results of internal audit. However, the external auditor may consider such work in determining the nature, timing and extent of his or her testing –The external auditor must perform independent test of controls related to each significant account, class of transactions, and disclosure.
1:00 - 1:10 Introduction & Overview of Annual Certification of Controls - Dave Richards 1:10 - 1:17Methodology - Sheryl Hildebrand 1:17 - 1:24Testing the Controls - Gary McGuire 1:24 - 1:30FDIC Certification Experience - Brian Szabo 1:30 - 1:45External Auditor Attestation - Gary Stauffer 1:45 - 1:50Break 1:50 - 2:25Questions & Answers - Panel 2:25 - 2:30Concluding Remarks - Dave Richards Agenda