Systematic Approach to the Evaluation of Process-Level Control Deficiencies

Les A. Chaney, CPA, CIA, CGMA

ICFR Global Consulting, LLC

Mobile: (919) 427-2265 [email protected]

Revised May 20, 2016


Post on 12-Apr-2017


Systematic Approach for Evaluating “Process-Level” Control Deficiencies, utilizing:

– PCAOB Audit Standard # 5 (approved May 24, 2007, amended June 12, 2007)

– Superseded PCAOB Audit Standard # 2 (March 2004)

– “A Framework for Evaluating Control Exceptions and Deficiencies” (Dec 2004)


The PLC Deficiency Evaluation Process

• Local Materiality Threshold

• Local Upper Limit of Significant Deficiency

• Estimation of Gross Exposure (Potential Magnitude)

• Evaluation of Design Deficiencies

• Evaluation of Operating Effectiveness Deficiencies


Local Materiality Threshold

• To begin the PLC deficiency evaluation process, Executive Management must determine the basis of the Local Materiality Threshold.

• Materiality Threshold is defined as the amount which must be exceeded for a deficiency to be deemed to have a “material” impact on the financial statements.

• Some companies use a percentage of budgeted gross sales or a percentage of net income.

– In our example, current year annual budgeted gross sales of $1.25B and a percentage of 1/2% are used to calculate the Local Materiality Threshold of $6.25M.


Local “Significant Deficiency Threshold”

• The “local significant deficiency threshold” is defined as the amount which a deficiency must exceed to be considered a Significant Deficiency.

• In conjunction with the Materiality Threshold, Executive Management must determine the “Local Upper Limit of Significant Deficiency” by estimating a percentage to be applied to the Local Materiality Threshold.

In our example, Executive Management has determined that 20% of the rounded Local Materiality Threshold of $6.25M is deemed to be the Local Significant Deficiency Threshold, which calculates to be $1.25M.


Authoritative Guidance

• Public Company Accounting Oversight Board (PCAOB) Audit Standard (AS) # 2 (superseded by PCAOB AS # 5)

– Paragraph 9: A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the company’s ability to initiate, authorize, record, process, or report external financial data… such that there is more than remote likelihood that a misstatement of the company’s… financial statements that is more than inconsequential will not be prevented or detected.

• PCAOB AS # 5 does not use the terms “inconsequential” or “more than inconsequential” to gauge magnitude.


Estimation of Gross Exposure

• Step one in the deficiency evaluation process for each PLC Design and Operation deficiency is to estimate the Gross Exposure (Potential Magnitude).

• The Gross Exposure is the worst-case estimate of the magnitude of amounts or transactions exposed to the deficiency with regard to interim or annual financial statements.


Estimation of Gross Exposure (continued)

• Practical approach:

– Determine the general ledger (GL) accounts impacted by the deficiency

– Describe the transactions impacted by the deficiency

– Determine the GL balances, or other estimated Gross Amount that could be impacted (e.g. in some cases, the amount of the Local Materiality Threshold may be conservatively used if a particular GL account balance or transaction amount cannot be determined)

– Estimate the percent of the GL balance or transaction total impacted by the deficiency (e.g. in some cases, 100% is the most conservative, if a % cannot be readily estimated).

– Finally, the Gross Exposure is calculated as the original amount multiplied by the estimated percentage. This amount is then used to begin the evaluation of the Design or Operating Effectiveness deficiency.


Authoritative Guidance

• PCAOB AS # 2, paragraph 135, and PCAOB AS # 5, paragraph 66: Several factors affect the magnitude of the misstatement that could result from a deficiency or deficiencies in controls. The factors include, but are not limited to, the following:

o The financial statement amounts or total of transactions exposed to the deficiency.

o The volume of activity in the account balance or class of transactions exposed to the deficiency that has occurred in the current period or that is expected in future periods.


Evaluation of Design Deficiencies

• Per PCAOB AS # 2, paragraph 8: A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective is not always met.


Evaluation of Operating Effectiveness Deficiencies

• Per PCAOB AS # 2, paragraph 8: A deficiency in operation exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

• The steps to evaluate Operation deficiencies are the same as the steps to evaluate Design deficiencies, except immediately after step 2, three additional steps are performed:

1. Determine the “Upper Limit Deviation Rate”

2. If the Upper Limit Deviation Rate is < 20%, then calculate the “Adjusted Gross Exposure” = the Gross Exposure.

3. Is the “Adjusted Gross Exposure” > or = Local Upper Limit? If no, then the deficiency is evaluated as “inconsequential”.


Deficiency Evaluation “Compensating Controls”

(Automated Spreadsheet)


Deficiency Evaluation “Estimation of Gross Exposure”

(Automated Spreadsheet)


Deficiency Evaluation “Estimation of ‘Adjusted’ Gross Exposure”

(Automated Spreadsheet)


Deficiency Evaluation - “TOD & TOE” (Automated Spreadsheet)


Deficiency Evaluation – Decision Input from Corp Mgt (Automated Spreadsheet)


Authoritative Guidance

• PCAOB AS # 2, paragraph 133, and PCAOB AS # 5, paragraph 65: Several factors affect the likelihood that a deficiency…could result in a misstatement. The factors include, but are not limited to:

o The nature of the financial statement accounts, disclosures, and assertions involved

o The susceptibility of the related assets or liability to loss or fraud

o The subjectivity, complexity, or extent of judgment required to determine the amount involved

o The cause and frequency of known or detected exceptions for the operating effectiveness of a control

o The interaction or relationship of the control with other controls

o The interaction of the deficiencies

o The possible future consequences of the deficiency


Authoritative Guidance

• “A Framework for Evaluating Control Exceptions and Deficiencies” was published December 20, 2004. The framework was developed by representatives of the following nine firms: BDO Seidman LLP, Crowe Chizek and Company LLC, Deloitte & Touche LLP, Ernst & Young LLP, Grant Thornton LLP, Harbinger PLC, KPMG LLP, McGladrey & Pullen LLP, and PricewaterhouseCoopers LLP.


Authoritative Guidance

• PCAOB Audit Standard No. 2 – March 9, 2004: “An audit of internal control over financial reporting performed in conjunction with an audit of financial statements”

Paragraph 130. “Evaluating Deficiencies in Internal Control Over Financial Reporting.”

Paragraph 131. The auditor should evaluate the significance of a deficiency …by determining the following:

o The likelihood that a deficiency, or a combination…could result in a misstatement…

o The magnitude of the potential misstatement…

Paragraph 133. Several factors affect the likelihood that a deficiency or combination…could result in a misstatement…

Paragraph 135. Several factors affect the magnitude…


Authoritative Guidance

• PCAOB Audit Standard No. 5 – June 12, 2007: “An audit of internal control over financial reporting that is integrated with an audit of financial statements”

Paragraph 62. The auditor must evaluate the severity of each control deficiency...

Paragraph 63. The severity of a deficiency depends on:

o Whether there is a reasonable possibility that the company’s controls will fail to prevent or detect a misstatement…

o The magnitude of the potential misstatement resulting from the deficiency or deficiencies

Paragraph 65. Risk factors affect whether there is a reasonable possibility… [The factors are the same as AS #2, paragraph 133 factors affecting likelihood.]

Paragraph 66. Factors affect the magnitude… [Same as AS #2, paragraph 135 factors affecting magnitude]

Paragraph 68. The auditor should evaluate the effect of compensating controls when determining whether a deficiency is a material weakness.


Questions or Request for Automated Spreadsheet?

Les A. Chaney, CPA, CIA, CGMA, CRMA

ICFR Global Consulting, LLC

Cary, NC

Mobile: (919) [email protected]

www.icfr-consulting.com