Page 1

Internal Audit Outsourcing

The Moss Adams Approach to Internal Audit Outsourcing

Proposed SOX 404 Changes

Page 2

Agenda

• Introductions

• Brief Review of History

• Summary of Events

• Guesses of what will happen

• Questions

Page 3

The Early Environment

• Corporate Scandals

• Sarbanes-Oxley (SOX) Rules

• Shareholder Suits

• Stakeholder, Investor and/or Public Uncertainty

• Severe Impact of Non-Compliance

• Organization Exposures

Page 4

Certification Required

• Section 302

• Section 404

Page 5

Annual Review

Section 404 – Management Must Assess Internal Controls Annually

– Management’s responsibility for establishing and maintaining adequate internal control structure and procedures for financial reporting

– Management must assess effectiveness of internal control structure and procedures for financial reporting as of the end of each fiscal year

– Attestation by external auditor (Section 404 and 103)

Page 6

SOX 404 Coverage COSO Standard

Control Activities

• Policies/procedures that ensure management directives are carried out.

• Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.

Monitoring

• Assessment of a control system’s performance over time.

• Combination of ongoing and separate evaluation.

• Management and supervisory activities.

• Internal audit activities.

Control Environment

• Sets tone of organization-influencing control consciousness of its people.

• Factors include integrity, ethical values, competence, authority, responsibility.

• Foundation for all other components of control.

Information and Communication

• Pertinent information identified, captured and communicated in a timely manner.

• Access to internally and externally generated information.

• Effective information technology internal controls

• Flow of information that allows for successful control performance

Risk Assessment

• Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives-forming the basis for determining control activities.

All five components must be in place for an effective internal control structure.

Page 7

Where are we?

• Initial Adversarial Relationship with External Auditors

• Expensive processes to comply

• Duplicative efforts

• Inconsistent application of SOX

Page 8

Update

• Feb. 7, Some Groups not satisfied, file lawsuit.

• Feb. 26, Comment Period over.

• Apr. 4, SEC says change AS5.

• Apr. 18, PCAOB reports that Auditors could be more efficient.

Page 9

SEC Proposed SOX 404 Implementation Guidance

SEC Meeting Held on December 13, 2006

SEC Provided Interpretive Guidance on Management’s Assessment of Internal Control Over Financial Reporting (ICFR)

PCAOB to Revised AS2 on December 19, 2006

SEC Delayed Audit Requirement for Non-Accelerated Filers until 2008

Page 10

What will change?

Sarbanes-Oxley Act, Section 404 (SOX 404) Opinion Only one opinion on the effectiveness of internal controls Elimination of separate opinion on management’s assessment process

Implications: Management must perform an assessment Emphasis on less auditor intervention in management’s process Management has more flexibility in documentation Inquiry and minimal documentation of second year walkthrough work as needed to

validate controls existence Auditor reliance on management’s work requires adequate documentation

of the work performed

Page 11

What will change? (Cont.)

Guidance on Risk-Based Scoping Interpretive release is to include a description of a principals oriented and risk

based approach included in guidance In-scope areas are only those that are material and pose a risk to financial

misstatement The guidance does not require that every control in a process be identified, only

those that adequately address the risk of material misstatement in the financial statements

Implications: Risk assessment will still be required and more important than ever Account and location scope coverage could be reduced Only key controls will be in scope

Page 12

What will change? (Cont.)

Reporting the Overall Results of Management’s Evaluation The proposed guidance provides management with a framework, outside of the

auditing literature, for determining the effectiveness of internal control Includes examples of situations that are considered strong indicators that a

material weakness exists The guidance describes the factors that management should consider to

evaluate the severity of a deficiency

Implications: Deficiency evaluation will still be required New guidance should help with how to do this evaluation

Page 13

What is still required?

Management is still required to assess ICFR

Management must still issue an opinion on the effectiveness of ICFR

Management must still document and test internal controls, including: Overall risk assessment and scoping Mapping of key controls to accounts, disclosures and locations Entity-level controls evaluation Control matrices preparation and maintenance Risk based sampling and test procedures Gap log Fraud analysis Deficiency evaluation and aggregation process

Page 14

Where are the opportunities to better manage SOX 404 cost?

Management needs to lead the ICFR assessment process, not the external auditor

Management now has solid ground for having a separate process from the external auditor

The external auditors ability to leverage management’s assessment process will become more important to controlling overall costs

The PCAOB is expected to issue a new audit standard strongly encouraging the reliance on management’s work

Page 15

Management should pursue:

Reduced SOX 404 coverage

Reduced number of key controls identified and tested

Extent of testing based on risk

More auditor reliance on management testing

Amount of documentation (narrative and walkthrough)

Cost Saving Opportunitiesto Pursue

Page 16

Future???

• May 24 PCAOB scheduled to vote on Final AS5.

Page 17

Questions

&

Answers