An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements
1666 K Street, NW
Washington, D.C. 20006
Telephone: (202) 207-9100
Facsimile: (202) 862-8430
www.pcaobus.org

STAFF VIEWS

AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING THAT IS INTEGRATED WITH AN AUDIT OF FINANCIAL STATEMENTS: GUIDANCE FOR AUDITORS OF SMALLER PUBLIC COMPANIES

JANUARY 23, 2009

This publication presents the views of the staff of the Public Company Accounting Oversight Board on how auditors can apply certain provisions of Auditing Standard No. 5 to audits of internal control over financial reporting of smaller, less complex public companies. The statements contained in this publication are not rules of the Board, nor have they been approved by the Board.

Staff Views January 23, 2009 Page 2 of 62

TABLE OF CONTENTS

Introduction

Chapter  Topic
1  Scaling the Audit for Smaller, Less Complex Companies
2  Evaluating Entity-Level Controls
3  Assessing the Risk of Management Override and Evaluating Mitigating Actions
4  Evaluating Segregation of Duties and Alternative Controls
5  Auditing Information Technology Controls in a Less Complex Information Technology Environment
6  Considering Financial Reporting Competencies and Their Effects on Internal Control
7  Obtaining Sufficient Competent Evidence When the Company Has Less Formal Documentation
8  Auditing Smaller, Less Complex Companies with Pervasive Control Deficiencies

Appendices
A  The Integrated Audit Process
B  Discussion of Comments Received on the Preliminary Staff Views

Introduction

The information in this publication is intended to help auditors apply the provisions of the Public Company Accounting Oversight Board's ("PCAOB" or "Board") Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements ("Auditing Standard No. 5"),1/ to audits of smaller, less complex public companies ("smaller, less complex companies"). If used appropriately, it can help auditors design and execute audit strategies that will achieve the objectives of Auditing Standard No. 5.

This publication is not, however, a rule of the Board and does not establish new requirements. All audits of internal control over financial reporting – regardless of the size of the company – must comply with the requirements of Auditing Standard No. 5. Also, this publication does not address all of the requirements and direction in Auditing Standard No. 5 or all issues that may be encountered in audits of smaller, less complex companies.

In adopting Auditing Standard No. 5, one of the Board's objectives was to make the audit of management's assessment of the effectiveness of internal control over financial reporting ("audit of internal control") more clearly scalable for smaller, less complex companies. Thus, the standard contains direction to auditors on scaling the audit based on a company's size and complexity. This publication discusses how that direction may be applied to audits of smaller, less complex companies, including smaller companies that are not complex, and how auditors may address some of the challenges that might arise in audits of those companies.

Development of This Publication

This publication was developed by the staff of the Board's Office of the Chief Auditor ("OCA").
To develop the information in this publication, OCA organized a working group composed of auditors who have experience with audits of internal control over financial reporting in smaller, less complex companies. These auditors identified issues that pose particular challenges in auditing internal control in smaller, less complex companies. The auditors provided insights and examples based on their experiences in addressing these issues, and they assisted in drafting a preliminary version of the guidance. In developing that preliminary guidance, OCA also consulted with financial executives from smaller public companies, who helped the staff evaluate whether it appropriately reflected the smaller, less complex company environment.

The staff issued the preliminary guidance for public comment on October 17, 2007, and received 23 comments. After considering those comments, the staff made certain changes in this final version that clarify or enhance the guidance. Appendix B to this publication discusses comments received and related changes.

1/ PCAOB Release 2007-005A, "Auditing Standard No. 5 – An Audit Of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements and Related Independence Rule and Conforming Amendments" (June 12, 2007)

References

This publication assumes that the user is familiar with the provisions of Auditing Standard No. 5 and the following publications:

• Committee of Sponsoring Organizations of the Treadway Commission ("COSO"), Internal Control – Integrated Framework 2/
• COSO, Internal Control over Financial Reporting – Guidance for Smaller Public Companies (June 2006) ("COSO Small Companies Guidance")
• SEC Release No. 33-8810, Commission Guidance Regarding Management's Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934 (June 20, 2007) ("SEC Management Guidance")

The following publications also provide information that might be relevant to the audit of internal control over financial reporting:

• SEC Release No. 33-8809, Amendments to Rules Regarding Management's Report on Internal Control Over Financial Reporting (June 20, 2007)
• SEC Release No. 33-8829, Definition of the Term Significant Deficiency (August 3, 2007)
• SEC Release No. 33-8238, Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports (June 5, 2003)
• SEC Office of the Chief Accountant, Division of Corporation Finance, Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports: Frequently Asked Questions (September 24, 2007)

2/ Auditing Standard No. 5 states that the auditor should use the same internal control framework that management uses in its assessment of internal control. Although this publication uses certain terms and concepts from COSO's Internal Control – Integrated Framework, the principles in this publication could be applied to other internal control frameworks.

Internal Control Examples in This Publication

This publication discusses certain types of controls and provides examples of those controls to help auditors understand the types of controls that might be encountered in the audit of a smaller, less complex company and to provide a context for the discussion of audit strategies for evaluating the effectiveness of those controls. The discussions and examples of controls do not establish internal control requirements and are not intended as guidance to management regarding establishing or evaluating internal control over financial reporting.
Chapter 1

Scaling the Audit for Smaller, Less Complex Companies

Auditing Standard No. 5 establishes requirements and provides direction that applies when an auditor is engaged to perform an audit of internal control over financial reporting that is integrated with an audit of the financial statements. The complexity of a company is an important factor in the auditor's risk assessment and determination of the necessary audit procedures. Auditing Standard No. 5 provides direction on scaling the audit of internal control based on the size and complexity of a company. Scaling is important for audits of internal control of all companies, especially smaller, less complex companies.

This chapter highlights principles for scaling the audit of internal control over financial reporting set forth in Auditing Standard No. 5 and discusses considerations for applying the principles in audits of smaller, less complex companies.

The audit of internal control should be integrated with the audit of the financial statements, so the auditor must plan and perform the work to achieve the objectives of both audits.1/ This direction applies to all aspects of the audit, and it is particularly relevant to tests of controls. This chapter discusses testing of controls in an integrated audit of a smaller, less complex company. Appendix A illustrates an audit approach for the integrated audit.

Scaling the Audit of Internal Control

Scaling the audit of internal control involves tailoring the audit approach to fit the individual facts and circumstances of the company. Many smaller companies have less complex operations, and they typically share many of the following attributes:

• Fewer business lines
• Less complex business processes and financial reporting systems
• More centralized accounting functions
• Extensive involvement by