How do we conduct an audit? Actg 493 Advanced Auditing Spring 2007

Which “audit” are we talking about? Financial statement audit Audit of internal control effectiveness (SOX Rule 404) These audits are separate, yet connected!

“Big Picture” Financial Statement Audit We must attest to whether financial statements are “right” (i.e. “fairly stated”) Specific dimensions of “right” Existence Completeness Valuation Rights and Obligations Presentation and Disclosure

“Big Picture” 404 Audit We audit management’s assertion that they maintained an effective system of internal controls See Monaco statements What do we mean by “effective system of internal controls”? COSO Controls over system of financial reporting are effective in preventing the F/S from being misstated If system is determined to have “material weaknesses”, then an adverse report is issued on I/C

What tests can we use in a financial statement audit? Tests to obtain an understanding Tests of controls Company level Transaction level Tests of transactions and balances Substantive tests of details Substantive analytics

What do we test? All aspects of financial statements that could have a material effect Revenue Cycle (Ch 14) Expenditure Cycle (Ch 15) Production & Personnel Services Cycles (Ch16) Investing & Financing Cycles (Ch 17) Investments & Cash Balances (Ch 18) Financial Reporting Cycle

How do we decide which tests to perform & to what extent? AR = IR x CR x DR AR = IR x CR x AP x TD

Basic audit approaches 1.Low Inherent Risk (IR) Focus on gaining an understanding and use analytics Limited tests of controls and details of transactions and balances 2.Low Control Risk (CR) Focus on testing controls Limited tests of details of trans and balances 3.Primarily substantive approach Focus on testing testing trans and balances Limited tests of controls and AP Q: What approach is used various companies?

“Bucket” Approach to Audit Comfort 1.Determine the level of comfort you need taking into consideration the acceptable level of Audit Risk as well as the Inherent Risk of the audit/account. The larger the risk, the larger size of “bucket” you need. 2.Determine how you will “fill your bucket” based on Controls, Substantive Tests and Analytical procedures. Public companies subject to 404 procedures will likely have more of the “bucket” filled with Tests of Controls, some Substantive Tests and some Analytical Procedures. Smaller private companies without strong controls, will have a much lower level of comfort being obtained from Controls and the Substantive Tests and Analytical Procedures will make up most of the “bucket.” Reviews…mostly Analytical Procedures with maybe a little Substantive Tests and/or Controls. Analytical Procedures Substantive Tests Tests of Controls Lines move depending on the level of comfort you need from each type of test

SOX 404 Overview

404 Background Effective dates: Accelerated filers (market cap > $75 million) Non-accelerated and foreign filers: fiscal years ending on or after July 15, 2006 Who is impacted? Appx. 13,700 filing companies Appx 1000 firms registered with PCAOB Management’s Certification Rule 302: “Told the whole truth and nothing but the truth” statements signed by management

404 Background cont’d Requirements Report to be included in each annual filing with the SEC stating that management is responsible for establishing and maintaining adequate system of internal controls for financial reporting. Must also contain an assessment of the effectiveness of the internal control structure and procedures at year end. Managements’ assessment Registered auditors attest to managements’ assessment Quarterly must disclose changes (to correct problems)

404 Background cont’d “Not effective” defined as: Control deficiency – Failure of a control, however inconsequential to financial statements – reported to management Significant deficiency - Reported to BOD unless company chooses to disclose Material weakness - Automatic adverse opinion

Material Immaterial Probable Remote Material Weakness SIGNIFICANCE LIKELIHOOD Significant Deficiency Significant Deficiency

How do we do a 404 audit? Recall types of controls Reporting controls and disclosure controls Entity wide and transaction level controls Review client documentation for adequacy of design Test controls for effectiveness Daily (many times)25 Daily (once)15 Weekly5 Monthly2 Quarter and y/e1 What happens if control fails? Is there time for company to remediate and auditors to test?

404 Reporting If significant deficiencies only, clean opinion but may disclose One firm: 67% of clients had significant deficiencies If material weakness, adverse opinion Local adverse opinions Hollywood Video 2004 (PWC): leases Mentor Graphics (KPMG): calculation of tax provision

Adverse Opinion Summary Year 2 as ofEntire Annual Filings through March Year 33/26/2006Year 2Year 1 Annual Filings with 404 Opinions2,7512,6113,7323,651 Total Annual Filings with Adverse Opinions Adverse Opinions as a % of Total Annual Filings with 404 Opinions4.1% 10.1%16.3%

How does 404 audit relate to financial statement audit? Intersection between f/s and 404 audits occurs through tests of controls. How can we have a “clean” audit opinion and an adverse opinion on controls?

Intended (and Unintended) Consequences of 404 Real question is whether we have greater integrity and reliability in financial reporting. Impact on profession Impact on audit quality Impact on financial markets See “Ripple Effects of the Sarbanes Oxley Act” published in 2004 and “Revisiting the Ripple Effects of the Sarbanes Oxley Act”

One company’s thoughts… We are in the process of our compliance efforts mandated by Section 404 of the Sarbanes-Oxley Act of As we have done our due diligence in trying to understand the requirements and corresponding work necessary to successfully document our system of internal controls to the standards and satisfaction of third parties, we have encountered egregious estimates of time, dollars, outside consultant fees, and volumes of paperwork. As our implementation has progressed, we have yet to realize any control, operations or governance improvements or benefits. Additionally, and most importantly, the estimated potential cost to our shareholders in relation to the benefits, or even potential benefits, is unconscionable. We believe that these additional costs and expenses will merely confirm the existence of an already effective and functioning control system that already conforms with a recognized system of internal controls.

Although we intend to diligently pursue implementation and compliance with the Section 404 requirements, we do not believe it is in our shareholders' best interests to incur unnecessary outsized costs in this effort. As we are a single location company with an extremely involved, hands-on senior management group in a highly regulated industry with significant insider ownership, the potential benefits to be derived from the Section 404 requirements are believed to be minimal. Consequently, we will make every effort internally to comply with the Section 404 requirements but will minimize what we believe to be the unreasonable and unnecessary expense of retaining outside third parties to assist in this effort. As a result of this cautioned approach and the complexity of compliance, there is a risk that, notwithstanding the best efforts of our management group, we may fail to adopt sufficient internal controls over financial reporting that are in compliance with the Section 404 requirements. Monarch Casino, 10K notes