Contents:
Introduction .......... 1
Management’s Report .......... 2
Management’s Project to Comply with Section 404 Requirements .......... 3
Required Management Representations to the Independent Auditor .......... 4
The Scope of the Company’s “Controls Over Financial Reporting” .......... 6
Documenting Controls Over Financial Reporting .......... 8
Management’s Required Assessment of Controls .......... 10
Documenting the Control Environment .......... 11
Information Technology General Controls .......... 11
Extent and Timing of Management Testing .......... 12
Managing the Compliance Costs .......... 17
Concluding Remarks .......... 17
Important References and Company Resources .......... 17
Glossary - The Definition of Key Terms .......... 18
Appendix .......... 19
Financial Reporting
April 2004
Compliance with Section 404 of the Sarbanes-Oxley Act: A Company Perspective
Introduction
The upcoming requirement for public companies, going forward, to report on the effectiveness of their internal control over financial reporting (terms in bold are defined in the Glossary accompanying this communication), and for auditors to report on that assertion and on the effectiveness of internal controls, has raised a lot of questions, such as:
• How do I assess my controls?
• Do I need assistance, or can I do this project internally?
• What can my independent auditor do to help me in this process?
• How much should I document and test?
• How do I make the critical distinctions between control deficiencies, significant deficiencies, and material weaknesses?
• What are my reporting requirements?
The list of questions continues to grow as companies document, assess, and test their controls. As this is the first year of implementing this new requirement, there are both “knowns” and “unknowns,” but the implementation date is approaching, and companies and auditors will need to move forward on a best efforts basis, even in the absence of specific answers to all the questions.
This communication focuses on Section 404 of the Sarbanes-Oxley Act of 2002 (“the Act”) from management’s perspective. It summarizes our current understanding of what the SEC and auditors are likely to expect of companies.
This communication should not be used in lieu of reading Section 404 of the Act, the related SEC rules, and the PCAOB Auditing Standard. Future clarifications or modifications and changes to the SEC rules and PCAOB Auditing Standard may supersede guidance or requirements provided here.
BDO Seidman, LLP noted in our comments on the PCAOB Exposure Draft on auditing internal controls that more guidance is needed to assist companies in defining their responsibilities under the Act. To date, such additional guidance has not been forthcoming. Neither the independent auditor nor the PCAOB can interpret management’s responsibilities under the Act. This needs to come from the SEC.
Issuance of PCAOB Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements, on March 9, 2004, which is subject to SEC approval before it becomes effective, provides some insight into what auditors are likely to “expect” regarding management’s documentation and testing of controls, and thus indirectly creates guidance for management.
This Financial Reporting Letter is based on highlights of existing requirements noted in the Act, SEC rulemaking to date and Auditing Standard No. 2. The PCAOB has formed a Working Party to help identify the myriad of company and auditor issues that arise in the implementation process. Once the Standard becomes effective, the PCAOB may disseminate interpretive guidance on those issues that have been identified. At this time we are not aware of any project of the SEC underway to develop specific implementation guidance for companies. Careful attention to subsequent guidance on company and auditor requirements will be necessary as this new requirement for management and the auditor is implemented.
The process that will take place over the next several months regarding Auditing Standard No. 2 includes the posting of the Standard by the SEC for an exposure period (occurred on April 12). At the conclusion of the exposure period, the Standard, if approved, will be published in the Federal Register. Once published, the Standard will be effective. Implementation guidance should follow the approval by the SEC of the final Standard, and thus may not be available until this summer. We believe there will be a need for clarifying and implementation guidance throughout 2004 and 2005, as more practical issues are identified.
Management’s Report
Top management of public companies (issuers) subject to the Section 404 requirements will be required to include in their annual reports an assessment of the effectiveness of the company’s internal control over financial reporting. This assessment is made “as of” the balance sheet date. If a material weakness is identified as existing at the balance sheet date, it must be disclosed in management’s report.
Management cannot conclude that the company’s internal controls over financial reporting are effective in the presence of one or more material weaknesses.
The format of the report is flexible, in order to permit the most meaningful and relevant reporting for each company, but the following elements are required (see Item 308(a) of Regulation S-B and S-K):
• A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting;
• A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the company’s internal control over financial reporting;
• An assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year, including an explicit statement as to whether that internal control over financial reporting is effective; and
• A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of the company’s internal control over financial reporting.
If material weaknesses are discovered prior to the “as of” reporting date, and there is sufficient time for the company to remediate them, they need not be reported as of year-end. However, the company has quarterly certifications it must make to the SEC under Section 302 of the Act, and such identified material weaknesses, even if corrected, need to be reported as a change in controls during the quarter.
If a subsidiary’s financial statements cover a different fiscal period than the consolidated entity, required subsequent events procedures relating to that subsidiary might reveal a material weakness existing at the “as of” reporting date. In such cases, we believe the weakness should be included in the consolidated management assessment for that year.
Significant deficiencies do not need to be publicly reported, but should be evaluated to assess whether, in the aggregate, the identified significant deficiencies constitute a material weakness. The definition of significant deficiency in PCAOB Standard No. 2 sets a threshold that is very low, so many of the deficiencies identified during the testing of controls, absent effective compensating controls to achieve that control objective and related assertion, may rise to the level of a significant deficiency. Note that normal management oversight, and the application of broad analytical procedures such as comparisons to budgeted amounts, are not generally considered adequate compensating controls. If a large number of significant deficiencies are identified, management may conclude that, in the aggregate, they constitute a material weakness.
COPYRIGHT 2004, BDO SEIDMAN, LLP
The identification of a material adjustment to the financial statements of any sort by the auditor as a result of performing the audit of the financial statements is a strong indicator of the existence of a material weakness in company internal controls.
In addition to the required elements of communication, management may wish to communicate additional information in its report. Such information might include disclosures concerning remediated deficiencies, plans regarding new controls, and cost-benefit statements regarding controls (e.g., statements that remediation costs would exceed the benefits of an effective control in a particular circumstance). If management chooses to make such disclosures, the auditor is required to disclaim an opinion on this additional information.
What are the Implications of Reporting that a Material Weakness Exists?
It is only conjecture how many companies will ultimately issue reports indicating one or more material weaknesses. Even after remediation of currently known deficiencies and weaknesses, some estimate that between 10 and 20 percent of large established entities will still report the existence of material weaknesses. Some estimates are much higher for the first-time reporting of internal control effectiveness by smaller companies. In small start-up businesses, the rate may be much higher, as effective segregation of duties and the implementation of a formal controls system may be impractical to achieve.
It is not clear how the financial markets will react to reports of ineffective controls. The market generally dislikes “surprises,” like earnings surprises. Conjecture is that larger, more established companies are expected to have more effective controls. If so, reported weaknesses by larger companies may be perceived more severely than those of smaller ones. Only time will tell. This issue will likely be the focus of academic research as companies report under the requirements of the Act.
Even if a company reports a material weakness, if it takes prompt action to correct it, there need be no long-range effect on the perceptions of the company, as remediation will indicate a stronger control environment. Over time, it is likely that fewer companies will be reporting weaknesses and thus those that do report them will stand out.
Management’s Project to Comply with Section 404 Requirements
Management may choose to self-manage its required documentation and testing or hire advisors or consultants to assist it in that process. However, the company’s independent auditors or members of their firm are precluded from serving in any role that could compromise the audit firm’s independence in performing their required assessments and procedures. Any permitted internal control related service the independent auditor is engaged to perform must be specifically pre-approved by the audit committee.
It is currently believed that employees of the independent audit firm may be engaged to function as a “scribe” in the documentation of management controls, clearly working under the direct supervision of management. However, such employees should not be involved in any way in directing the documentation efforts or directing which controls are documented or be involved in management’s testing of the controls. To date, many boards of directors and audit committees have hired third party consultants so that independence questions will not arise.
Overview of a Typical Project Plan
A typical company project plan comprises various phases. A commonly encountered series of phases includes:
• Identifying the company individual with overall responsibility for the project (e.g., CFO)
• Identifying the designated project manager and related team members
• Identifying the framework that will underlie the analysis (e.g., COSO)
• Scoping (identifying the accounts, locations and processes) of the engagement for documentation and testing purposes
• Selecting an approach and tools that will facilitate documentation and testing
Required Management Representations to the Independent Auditor
In addition to the representations made by management to independent auditors regarding the audit of the financial statements, additional representations regarding the audit of internal controls will be required. Before the independent auditor can issue the two control-related opinions on management’s assessment of the effectiveness of its controls and on the effectiveness of the company’s internal control, the auditor will require certain written representations from management, including the following:
• Acknowledging management’s responsibility for establishing and maintaining effective internal control over financial reporting
• Stating that management has disclosed to the auditor all deficiencies in the design or operation of internal control over financial reporting identified as part of management’s assessment, including separately disclosing to the auditor all such deficiencies that it believes to be significant deficiencies or material weaknesses in internal control over financial reporting
• Stating that management has performed an assessment of the effectiveness of the company’s internal control over financial reporting and specifying the control criteria
• Describing any material fraud and any other fraud that, although not material, involves senior management or management or other employees who have a significant role in the company’s internal control over financial reporting
• Stating that management did not use the auditor’s procedures performed during the audits of internal control over financial reporting or the financial statements as part of the basis for management’s assessment of the effectiveness of internal control over financial reporting
• Stating whether control deficiencies identified and communicated to the audit committee during previous engagements have been resolved, and specifically identifying any that have not
• Stating management’s conclusion about the effectiveness of the company’s internal control over financial reporting based on the control criteria as of a specified date
• Stating whether there were, subsequent to the date being reported on, any changes in internal control over financial reporting or other factors that might significantly affect internal control over financial reporting, including any corrective actions taken by management with regard to significant deficiencies and material weaknesses
• Documenting a project plan
• Documenting the relevant con-
nally and to the independent auditors as they arise
• Concluding on controls effectiveness
Good Practice. Many companies have benefited from completing an initial “pilot” project focused on selected accounts at one or two selected locations in order to ensure the company’s envisioned process is workable and can be communicated to others, and to ensure that the selected tools are effective for their purpose. This “shake down” phase is where corrections can be made most efficiently before committing to a plan.
In practice, these phases may be blurred, or may be taking place in different locations at different times. Effective scheduling of scarce resources is an important element of project management. As the project proceeds, if deficiencies are identified, a process of remediation and retesting of the effectiveness of the controls takes place.
Throughout the various project stages, the observations of the independent auditor can be helpful, but project management responsibility and project decisions clearly belong to management.
Choosing a Project Manager and Project Team
Whether an internal or external resource, a project manager will need to possess or acquire a strong understanding of:
• The requirements of the Act and the related SEC rules
• Any future interpretations of management requirements under Section 404 by the SEC or PCAOB
• Internal controls as they relate to the financial reporting requirements and processes, and in that regard, an internal controls framework (such as COSO), including the role of control objectives, and the relation of controls to those objectives and relevant assertions such as completeness, existence, etc.
• Information technology
• Complex project management skills
Most projects will require a team of employees to ensure the project has access to the requisite manpower and skills. Organizationally, the project should report to an appropriate level of management such as the CFO. Members of the core team will need to have the ability to obtain access to the information and individuals necessary to complete management’s requirements to assess, document, and test internal controls over financial reporting.
If management believes that the project management and performance cannot be effectively staffed from internal resources, a qualified consultant will need to be engaged, and, if so, the quicker the better. Already, a significant number of companies have engaged consultants and are in the process of documenting their controls. As fewer qualified resources are available to manage and staff such engagements through 2004 and into 2005, the engagement of timely, qualified assistance will become more difficult.
While it is generally not appropriate for the independent auditor to recommend just one specific company advisor, we believe the independent auditor can be helpful in suggesting a number of possible alternatives and in helping management assess the qualifications and technical understanding of a prospective manager. However, management clearly must make the selection.
Hiring a third party consultant does not in itself ensure that the project will be efficient and meet the requirements of the SEC rules. Insightful assessment of the project manager’s qualifications and careful monitoring of the project by management is essential.
Management’s assessment of the project management team’s performance should include continued monitoring of the project progress and meeting of important milestones, and consider feedback from the internal auditor, the independent auditor, as well as other company personnel.
Benefits of Using Internal Auditors or Independent Consultants
In considering the use of a third party consultant to advise, manage, and/or perform procedures, management needs to consider that there may be benefits of engaging internal auditors or a third party consulting resource beyond the obvious desire to leverage their experience and expertise. Since the independent auditor may consider the work of objective and competent “others” (including internal auditors) when determining their required procedures, the use of such resources in the documentation and testing process may result in lower independent auditor costs.
Management’s attitude towards the new requirements may also influence the likely success and ultimate cost of the project. Approaching the Section 404 requirements using marginally qualified resources, and testing to the minimum levels believed possible, is a strategy that has hidden costs and pitfalls that can derail the process at a late stage, when remediation of weaknesses may be impossible. Therefore, management should approach the project with a positive attitude regarding its possible benefits and should be prepared to devote enough resources to ensure robust coverage. Further discussion of this issue is presented in the section entitled Extent and Timing of Management Testing.
The Scope of the Company’s “Controls Over Financial Reporting”
Companies will need to define the scope of what accounts and processes are being included in their assessment, documentation, and testing of internal controls. Auditing Standard No. 2 suggests that there are a number of criteria that could cause a financial statement element, process, or location to be included in the analysis.
• Starting at the consolidated financial statement level, all significant accounts (regardless of whether they are assessed as being high risk). For example, fixed assets are included if they are significant.
• All significant processes. The financial statement closing process (annual and quarterly) is always a significant process. Periodic depreciation and amortization, accruals, and the estimation of allowances such as bad debts will often be significant processes.
• Disclosure controls and procedures. Disclosure controls ensure that the accounting disclosures in the footnotes are complete and accurate.
• All financial statement elements or processes or functions that, due to a risk of misstatement or fraud, could give rise to an exposure or a material misstatement. For example, the trading of currencies or existence of derivative financial instruments could give rise to significant business and disclosure risks that might not always be apparent.
Clearly, most accounts at the consolidated financial statement level and a significant number of processes are expected to be included in the project plan. In some cases, it is easier to think of what may be “scoped-out” of the analysis.
In a multi-location entity, clearly inconsequential locations that are immaterial to, say, income or significant account balances, both individually and in the aggregate, need not be included in management’s analysis unless a specific risk is identified that relates to one or more of these entities.
Equity method investments, variable interest entities (VIEs), and any proportionately consolidated entities (e.g., this accounting method may be used in the oil and gas industry) where management does not have sufficient access to the entity to extend the controls project to those entities are also “scoped-out.” Management will include in its analysis, however, the company’s controls over information gathering and any controls over significant payments or receipts that involve the scoped-out entity, unless the amounts are clearly immaterial. Management should document the reason for scoping these entities out of its analysis, as auditors will be required to review and concur with this analysis.
We believe that if a company, as a result of its agreement with the VIE, joint venture, or other investment vehicle, performs the bookkeeping functions for the investment, it may need to include those functions in its internal control assessments, documentation, and testing.
Companies acquired at or near the year-end are currently required to be included in management’s assessment of controls. This often will create a practical problem when these entities are significant, as there may be insufficient time for management to adequately document and test their controls, and for the auditor to perform the required procedures. Auditing Standard No. 2 indicates that the SEC may be considering a provision that would allow companies to exclude certain year-end acquisitions from compliance with the Section 404 requirements (with some required disclosures). Companies should consider discussing this issue in advance with their independent auditors when year-end acquisitions are foreseeable. Be alert for future SEC rulemaking on this specific issue.
While controls that impact only operations and not the financial reporting process are not generally relevant for inclusion in management’s internal control assessment plan, special consideration may need to be given to issues that may arise in heavily regulated industries. Evidence of failures to meet regulatory and compliance requirements may indicate the need for additional disclosures or could have an impact on the determination of accrual or reserve amounts. Auditors will be reviewing any identified regulatory compliance issues to determine whether there is an impact on the financial statements or disclosures or the effectiveness of internal controls, such as the “tone at the top” within the company.
Common processes, common control environments, and company-wide controls may sometimes provide an appropriate basis for documenting and assessing controls at locations that may aggregate to a material amount, but are not individually material. For example, in many multi-location entities, common control processes have been implemented over significant processes such as sales and accounts such as cash. Various locations may also share common accounting systems.
For some highly decentralized, multi-location companies that do not have common processes and controls, covering all but an immaterial portion of significant accounts and processes of the entity will be difficult to achieve, as the corporate structure may involve the inclusion of hundreds of independent entities. Nevertheless, such companies must develop a basis for their assertion about the effectiveness of internal controls. These situations will need special consideration by management and the independent auditor, and may be an area of future interpretive guidance by the PCAOB.
Good Practice. Companies have found it helpful to prepare a matrix of all accounts at the consolidated level. This matrix helps management identify the significant accounts. The matrix is often expanded to show the breakdown of the accounts by significant location, line of business, or some other division of the entity. This matrix helps management to document its scope and analyze the coverage attained by management’s plan.
A well-designed project plan and a well-documented system of internal controls has value to the entity and the auditor. While the burden that this expected scope of company coverage imparts on management seems significant, the first-time documentation and assessment is the most challenging, and even as systems evolve over time, the experience and insight gained in this initial year of implementation will have future benefits.
Use of Service Organizations
The phenomenon of outsourcing has expanded considerably in the last decade. Many companies are surprised when they examine the extent and variety of the outsourcing that has become an integral part of their internal accounting and processing systems. Functions that may commonly be outsourced include payroll processing, network administration and information technology management, human resources, and even the accounting and transaction recording process in its entirety.
When a service organization is used in lieu of an internal process, management’s responsibility regarding internal control is unchanged, including the responsibility to assess, test, and monitor the controls. However, those controls may be resident in the service organization, and management may have limited access to that entity’s processing environment. Nevertheless, management must satisfy itself that effective controls are in place over the transactions processed by the service organization. This can be accomplished in different ways.
The auditing profession’s mechanism for dealing with this situation to date has been to have the service organization engage an auditor to perform procedures and issue a report on the controls over processing by the entity. This report is discussed in Statement on Auditing Standards No. 70, Service Organizations. Commonly referred to as a “SAS 70” report, this document was designed as an auditor-to-auditor communication regarding the internal controls over the processing or other functions performed by the service organization. One type of report only assesses the design of internal controls over the function being performed. However, this type of report will not be useful to meet the requirements of Section 404. The reports must address both design and operating effectiveness of controls.
Additionally, the SAS 70 reports must be timely to be able to provide assurance to the company’s independent auditor. A report dated more than a year before the “as of” date of the company’s required report on internal controls provides little evidence of current controls effectiveness. Reports issued nearer the “as of” date of the company’s report on internal control effectiveness are stronger evidence of controls effectiveness. Obviously, management must also be assured the controls and functions reported on by the service organization’s auditor are the ones of interest and focus to the company.
When a service organization’s auditor report is not available, is not relevant or timely, or does not extend to the operating effectiveness of the controls, management needs to obtain information from the service organization to support their assertion over the effectiveness of company controls. Obtaining access to this information about the provider’s processing environment can be difficult, so the issue should be covered in the contractual arrangement between the service organization and the company. It can also be awkward for the service organization with numerous public clients (and auditors), all of whom have need for this information.
It has been observed that the market for service organization auditor reports has changed in recent months. More service organizations are requiring them, and many more are being scheduled for update every 6 months or so to accommodate different client fiscal years. The procedures and related testing being performed are also being aligned with the Section 404 requirements.
Even so, there are complex issues that can arise in the current environment that will need to be addressed in future guidance. Current standards regarding service organization reports were developed prior to the Act, and may not fit well in a variety of areas with the current Section 404 environment. For example:
• Can management rely on a service organization auditor’s report issued by the company’s independent audit firm, since management cannot rely on procedures of the auditor for its assurance? Is the answer different when the service organization has one or a few customers versus thousands of customers?
• Is a service organization’s auditor report sufficient when the function outsourced is an important part of the business (e.g., outsourcing the entire IT function or entire transaction processing function)?
• If a company obtains a service organization’s auditor report that covers an important process or function when viewed from the company’s perspective, even if not significant to the service organization, must the auditor issuing the service organization report be registered with the PCAOB?
• How will companies obtain a service organization report on processes outsourced to other countries? The concept of such reports is not generally well established outside of the U.S., and the work may need to be performed by an auditor registered with the PCAOB to be acceptable.
These and other issues are likely
to be addressed by future guidance.
We suggest companies identify
these situations early and alert their
independent auditors to the issues.
Be alert for further guidance or
modifications of the professional
auditing standards addressing serv-
ice organizations later this year.
There is one more issue that
companies need to consider. Some
larger organizations, to meet spe-
cific contractual arrangements with
other companies, may perform cer-
tain record-keeping functions that
pertain to another business. For
example, some companies may
only provide summary reports of
the transactions they process and
the commissions that are due on
those transactions. Such compa-
nies may never have considered
themselves “service organizations,”
but the current environment puts
them into this role as it relates to
other businesses. In such circum-
stances, the company needs to
consider whether it should engage
an auditor to issue a SAS 70 report
in lieu of receiving substantive
inquiries by the company being serviced and their auditors on the relevant underlying controls and their operating effectiveness. Because such arrangements are more likely to involve a single company and may also cover a significant process from the perspective of the company receiving the service, the auditor selected to prepare the report may need to be different from the one used by the company for which the service is performed, and the "service auditor" may need to be registered with the PCAOB.
Documenting Controls Over Financial Reporting
There is no specific format specified for management's documentation. Flowcharts, narratives, and other means may be used to supplement the documentation of controls. Excel, Word, and manual documentation certainly can be used, but special purpose software may help companies consistently document their controls and processes and facilitate updating and version control.
Software
Software packages are in use now and new ones are continually coming to market to help companies document their controls. The selection of a tool or software program that is appropriate to the entity and its special characteristics, or is tailored to its industry, is itself an important responsibility of project management.
When considering a software package, in addition to price, management should consider the vendor's experience and reputation, recommendations from other users, the ease of learning the software by a possibly wide number of users, and the degree of flexibility and technical guidance inherent in the software's functionality. The ease of updating the data over time, and a means of archiving each year's documentation and testing results as support for management's assertion in the financial statements, are also considerations when reviewing a package. Management should also consider whether the archiving process results in a record that can be reviewed in the future (giving consideration to likely future advances in technology and how the vendor will ensure the readability of the documentation), as may be required for regulatory or legal purposes.
Methodology
Whether software or another method is used, the documentation methodology will generally start with a control objective. The framework used (e.g., COSO) will provide a starting point for some generic control objectives. These may need to be tailored for certain specific industries such as banking and insurance, and an element of project management will be to obtain information about tailored control objectives that are being used in the industry. The controls that support each objective, whether preventive or detective in nature, are then articulated.
Documentation should be in sufficient detail to communicate:
• The design of controls over all relevant assertions related to all significant accounts and disclosures
• How transactions or processes are initiated, authorized, recorded, processed, and reported (in sufficient detail to assist auditors in their required "walkthroughs")
• Points in the process where fraud or error could occur.
The following example illustrates the relationship between control objectives, risks, controls, and related assertions for one risk relating to a control objective.
Retaining Management's Basis for Their Assertion
The management assessments,
documentation of the controls, and
the results of management’s tests
that form the basis of manage-
ment’s assertion regarding controls
should be archived annually, and
retained in a retrievable form for a
period of time to meet regulatory
and legal requirements. We believe
this is consistent with the existing
general requirement that compa-
nies retain documents supporting
information in SEC filings and the
SEC requirement that companies
maintain adequate books and
records.
Management's Required Assessment of Controls
Auditors will be anticipating that
management’s process for assess-
ing the effectiveness of the com-
pany’s internal control over finan-
cial reporting will address the fol-
lowing elements:
• Determining which controls
should be documented and
tested, including controls over
all relevant assertions related to
all significant accounts and dis-
closures in the financial state-
ments. Such controls would
include:
1. Controls over initiating, auth-
orizing, recording, processing,
and reporting significant
accounts and disclosures and
related assertions embodied
in the financial statements.
2. Controls over procedures used
to enter transaction totals into
the ledgers and the general
ledger.
3. Controls over the selection
and application of accounting
policies.
4. The design and implementa-
tion of antifraud programs and
controls.
5. Controls over the quarterly
and year-end closing process
(for example, consolidation
adjustments and eliminations
and reclassifications).
6. Controls, including informa-
tion technology general con-
trols, on which other controls
are dependent. For example,
the integrity of financial sys-
tems is potentially impaired
when systems security is
inadequate.
7. Controls over significant non-
routine and non-systematic
transactions, such as accounts
involving judgments and esti-
mates and recording of such
adjustments.
8. Controls over the safeguard-
ing of assets, either preventive
or detective controls that pro-
tect against financial state-
ment misstatement due to
loss or theft.
9. Company level controls, in-
cluding the control environ-
ment, risk assessment pro-
cess, centralized processing
and controls, and controls
over the period-end (quarterly
and annual) financial report-
ing process.
• Assessing the risk that a control’s
failure could lead to a material
misstatement.
• Evaluating the design and oper-
ating effectiveness of the con-
trols.
• Determining whether any identi-
fied deficiencies in internal con-
trol constitute significant defi-
ciencies or material weaknesses.
• Communicating any findings to
the auditor and others.
Documenting the Control Environment
An important element of the COSO
framework is the control environ-
ment. It comprises a number of
overarching components, including:
• Integrity and Ethical Values
• Management Philosophy and
Operating Style
• Assignment of Authority and
Responsibility
• Governance – Board of Directors
and the Audit Committee
• Commitment to Competence
• Organizational Structure
• Human Resource Policies and
Practices
While these are subjective ele-
ments, management must assess
them and document how the com-
pany has addressed each one. Since
the auditor must also assess these
factors, good documentation will
facilitate the auditor’s review.
Auditing Standard No. 2 clarified
the importance of the effectiveness
of the audit committee within the
context of overall corporate gover-
nance. Specifically, it is expected
that management will make and
document an assessment of the
effectiveness of the audit commit-
tee. In making this assessment,
companies will generally review the
committee’s charter; and examine
the members’ independence from
management, and interactions and
relations with the internal auditors,
the CFO, CEO, and the independent
auditors.
Management probably already
has many of the components to
begin the documentation of the
control environment. Charters of
the board and audit committee, a
corporate ethics or code of conduct
policy, and the human resources
policy and procedures manual are
often essential elements of the doc-
umentation process.
Anti-fraud programs and proce-
dures are also an element of the
control environment. An exhibit
published with the recent auditing
standard on fraud (SAS 99,
Consideration of Fraud in a Financial
Statement Audit) entitled Guidance to
Help Prevent, Deter, and Detect Fraud
included recommendations to help
companies develop and implement
anti-fraud programs and proce-
dures. For some companies, those
programs may already be well doc-
umented due to their recent imple-
mentation.
Contributing to the current
focus on fraud in financial reporting
are the instances of management’s
override of existing controls that
have come to light in recent years.
In assessing the control environ-
ment, fraud prevention programs,
and the operating effectiveness of
controls, management should be
particularly sensitive to any
instances where an override of con-
trols is indicated. Auditors will be
alert to any instances identified and
the corrections taken by manage-
ment to address the issue.
Good Practice. The testing and
monitoring of these programs to
provide the support for manage-
ment’s assertion that these controls
are operating effectively will be
challenging, as the assessment of
their effectiveness is largely subjective. However, some best practices evolving to date regarding testing and monitoring the effectiveness of corporate policies involve interviews or questionnaires with a sample of management and non-management employees that focus on their awareness of the policies, their perceptions of compliance with them, and management's attitude towards corporate policies and procedures.
Information Technology General Controls
IT general controls are intended to
establish a framework of control
over all aspects of computerized
processing, and therefore will affect
many applications. General controls
also provide assurance about the
effective operation of the controls
throughout the period. For reliance
on the automated operation of con-
trols over routine transaction pro-
cessing, these controls need to be
in place and effective.
While defined differently in vari-
ous resource materials, general
controls cover the following areas:
• IT control environment
• Systems development and imple-
mentation
• Program changes
• Access and security
• Computer operations (schedul-
ing, daily backup, day-to-day
issue management, etc).
General controls over the infor-
mation systems (IS) organization
and division of duties are designed
to ensure that the IS organization
meets the needs of the company, is
responsible to management, and
that adequate segregation of duties
is maintained within the IS organi-
zation.
Not all of the elements of general
controls will be relevant to every
company. For example, if no new
systems are being implemented, or
if the software offers no customiz-
able options, controls over systems
implementation and program
changes may not be relevant in a
reporting period. Before reaching
that conclusion, management should
confirm that no vendor patches, con-
figuration changes, or modifications
to reports and interfaces were actu-
ally applied during the period, since
these are program changes whether
or not they were planned.
IT professionals and organiza-
tions have developed detailed
frameworks of the controls environ-
ment, which may help management
define appropriate control objec-
tives for controls, including general
controls. For example, the Infor-
mation Systems Audit and Control
Association (ISACA) has developed
an IT controls framework, COBIT.
Also see IT Control Objectives for
Sarbanes-Oxley – A Discussion Docu-
ment, www.itgi.org and www.isaca.org.
However, these frameworks may be
more complex and detailed than
currently envisioned as necessary to
meet the requirements of Section
404, and may be primarily useful as
company background resource
material.
Some IT professionals note that
weaknesses in access and security
controls are a widespread problem
for many companies. Careful reme-
diation of weaknesses should per-
mit reliance on the general controls
and reduce the level of testing
required on the controls that rely on
general controls to operate effec-
tively.
In established companies,
“legacy” systems, implemented long-
ago, may still perform critical pro-
cessing procedures and implement
significant controls. These systems
may have a long history of perceived
effective operation, but may lack
robust documentation. Manage-
ment should nevertheless docu-
ment the system and test the
embedded controls as a basis for
their assertion on the effectiveness of internal controls. It may be impossible in some instances to go back in time to assess the initial implementation process over such systems, but the related application controls over the processing of significant transactions should be tested on an annual basis.
Information technology professionals are key in today's environment in ensuring the effective operation of general controls. Management must assess its general controls. Unfortunately, in many companies the individuals with the extensive information technology skill sets required to understand and test these controls may be limited to the individuals already performing the controls. Thus, many companies may be forced into a "self assessment" process when assessing, documenting, and testing these important controls, and little or no independent auditor reliance will be able to be placed on management's tests.
Multiple significant deficiencies identified in company general controls will often lead to a conclusion that a material weakness exists in internal control, due to the pervasive role of general controls.
Extent and Timing of Management Testing
Management and the auditors are required annually to monitor and test the controls over significant accounts and processes as well as general controls. BDO Seidman's comment letter to the PCAOB outlined our recommendation that companies be given guidance by the SEC on the nature and extent of required documentation and testing. Neither the PCAOB nor the individual auditing firms can specify the company's responsibility to meet the requirements under Section 404 of the Sarbanes-Oxley Act.
In the absence of further com-
pany guidance from the SEC, the
determination of the sufficiency of
testing rests initially with manage-
ment. However, the judgments of
independent auditors regarding the
adequacy of management’s assess-
ment will be guided by Standard
No. 2, so management needs to
consider the guidance in Standard
No. 2 when developing their plans.
The following guidance is directed
at helping companies understand
the judgments required, and the
implications of those judgments
when determining sample sizes. It is
focused on company considerations
when determining sample sizes for
testing manual controls that oper-
ate frequently. Many companies are
surprised at the number of controls
that rely on human (manual) opera-
tion, despite the extensive comput-
erization of certain transaction pro-
cessing operations.
How Much Should Management Test?
In response to issues raised in
questions and in speeches, repre-
sentatives of the SEC and PCAOB
have publicly stated that they
expect that the company’s testing
generally will be greater than that
performed by the auditor. Auditing
Standard No. 2 indicates that man-
agement should not consider the
required auditor testing as evidence
when determining the extent of its
own required testing in support of
its assertion that its controls are
operating effectively. Thus, manage-
ment’s testing should stand alone
in providing management with a
high level of assurance that its con-
trols are operating effectively.
Companies should plan to test
robustly to confirm the effective
operation of the controls. Auditors
are required by Standard No. 2 to
test “a large portion” of the com-
pany’s operations or financial posi-
tion to meet their professional
responsibility. Our view is that
between 60% and 75% of the entity
would constitute a “large portion” in
this context. This guidance was
developed for auditors, not compa-
nies. Considering the expectation
that management should not test
less than the auditor, the targeted
testing scope for companies should
exceed this range. Management
should consider that portions of
significant accounts and processes
that remain untested, even though
they are documented and assessed
regarding design, constitute a risk
to the company.
Substantially all of the com-
pany’s relevant controls should be
documented as a result of the
analysis of significant accounts,
processes, and locations. Even
though management may have
tested a sufficient portion of their
controls to constitute a basis for
their assertion about controls effec-
tiveness, they may not have tested
all controls at all locations. Thus, we
recommend that when manage-
ment does not test all controls and
locations, they should develop a
testing strategy based on rotation
or sampling theory that causes
them to visit and test controls at
locations that are individually
immaterial, but may be part of a
material aggregate.
Good Practice. To support the
auditor’s opinion on internal con-
trols, auditors may test any account,
process, or location to ensure con-
trols are operating effectively.
Management is required to assess,
document, and test controls, and assert their effectiveness throughout the company, except for an immaterial portion. Auditors are not precluded from testing locations or accounts not tested by management. A lack of operating effectiveness identified by tests of significant local controls and asserted "company-wide controls" at one location may call into question the assertion regarding the effective operation of controls at other locations that were not tested by the auditor.
Parameters For Determining Sample Sizes
The following two sections discuss important parameters for determining appropriate sample sizes.
How Effective Do Controls Need to Be?
To be considered effective, a control should operate at a high degree of effectiveness. When a control is first designed, a very high level of "expected" performance is often targeted. In operation, though, controls, particularly manual controls, may not always achieve the targeted performance level. While perfection is a goal, it is not a realistic expectation for the operation of a manual control. Automated (programmed) controls, as a type of control, are the most likely to consistently operate as designed. In many cases, a control that operates correctly 95% of the time would be considered by many to be "highly effective."
How Much Assurance is Needed that the Controls Operated Effectively?
To be certain that the controls operated at the desired effectiveness level, you would need to test most, and maybe nearly all, of the instances of the control's operation. This is not practical, so there is a risk, when sampling is performed, that the testing will not reveal the true condition of the population. This risk is controlled, when determining a statistically supported sample size, by setting a level of required "confidence" for the test. Confidence levels of 90% to 95% are consistent with the high level of assurance that is sought regarding the test's conclusions.
Determining a Sample Size
Sample sizes can be computed by reference to statistical tables or programs that provide the desired confidence level that the actual rate of deviation in the population does not exceed the tolerable rate (i.e., the greatest deviation rate that management will tolerate before concluding that the control is not operating effectively). There is no requirement to use statistical sampling, but its principles can be helpful when setting sample sizes and in articulating the assurance and accuracy of the sample.
For example: a sample designed to achieve a 90% assurance (confidence) level with a high effectiveness (a true deviation rate of no more than 5%) leads to a sample size of 45 items. To achieve a 95% confidence level, the sample would need to be around 60 items (59 by the exact binomial calculation). These scenarios assume zero deviations will be identified from testing a large population.
With such a sample, the decision rule is simple: if no deviations are found in the sample, the control passes the test. If one or more deviations are found, then the control "fails."
Deviations should always be evaluated for their cause. The identified deficiency must also be evaluated for its significance: as a deficiency, significant deficiency, or material weakness.
In general, the required sample
size increases when more devia-
tions are expected and also when
the tolerable deviation rate is low-
ered.
Where companies wish to allow
for a deviation to occur without
“failing” the test, a sampling plan
can be developed so the sample
size initially allows for one deviation
without “failing” the test, or a two-
stage plan can be developed such
that if a deviation is found in the
first sample, an additional sample
can be validly added to the first.
Since some types of sampling plans
allow for an occasional deviation, a
deviation may not as quickly be cat-
egorized as a significant deficiency
based on incidence alone. After a
deviation is identified it is often
appropriate for the company to con-
sider whether it needs to strengthen
the control before proceeding with
any further testing. Of course, if the
deviation identified at the first stage
indicates a material weakness exists
(e.g., management override of con-
trols), then a second stage sample
would not be performed.
These plans that allow for the
occurrence of one deviation as part
of the sampling plan are more effi-
cient than the alternative of taking
two full independent samples when
unexpected deviations are found.
You may wish to consult with your
BDO Seidman engagement team to
provide you with more detailed,
specialized guidance for developing
a sampling plan consistent with
management’s stated objectives.
Illustrative sample size tables
that relate confidence levels, tolera-
ble deficiency rates, and expected
deficiency rates and an illustrative
two-stage sampling plan (for large
populations) are illustrated in an
Appendix to this Financial Report-
ing Letter.
Tests of Automated Controls
When testing automated (programmed) controls, examining one or just a few instances of the operation of the control is often sufficient. This assumes that the relevant general controls, in particular program change and access controls, are assessed to be strong: a single observation only speaks for the whole period if the code and configuration behind the control could not have been altered or bypassed undetected. When general controls are less effective, sample sizes tending towards those used for manual controls should be used if the general controls weakness could impact the reliability of the control being tested. Because of their importance to the testing plans for automated controls, general controls should be documented, tested, and assessed as effective at an earlier project stage than the testing of automated controls.
The Risk of Performing Minimal Testing when Setting Company Sample Sizes
When considering the testing requirements, companies need to be cognizant of the risks they face from under-testing. Under-testing exposes the tester to the risk that internal control weaknesses will not be exposed until the auditor tests the control, or until the near or post year-end substantive testing phase or the closing phase of the audit, when such weaknesses are difficult or impossible to correct. Worse yet, such weaknesses, if they exist, could be detected in future periods, raising questions about the adequacy of the work supporting the previously made internal controls assertion. Restatements of financial statements will likely imply that certain controls were not effective in a past period.
Furthermore, since only the important controls are being tested, a deviation found in a small "minimum sample size" test may quickly rise to the level of a significant deficiency.
Good Practice. We believe that during this period of uncertainty and initial implementation, "minimum" testing could be a very costly strategy for an issuer. Some companies have indicated that they intend to test some controls initially more than 100 times, to form an effective "base line" for any required remediation and further risk assessment. When the company objectively and adequately documents and robustly tests controls, auditors can make meaningful reductions in the test levels they perform. However, companies that have designed "minimum" testing plans will probably incur additional audit costs, as independent auditor sample size reductions will not be supportable.
It is always important to remember that the cost of testing is not only associated with the number of items examined. There is a "fixed" cost of setting up the test in the first place. Additionally, there is a diminishing cost of examining additional items as the tester becomes more familiar and proficient with the procedure. Thus, doubling a sample size from 20 items to 40 will not necessarily double the cost of the test.
Early, robust testing provides an effective "base line" for understanding the state of current controls and identifying remediation opportunities before the auditor begins to evaluate and test.
A Minimum Sample Size?
There is no "bright line" minimum sample size, but companies may have to explain how they have attained a high level of assurance that controls are operating effectively if they are testing very few items (e.g., 20 items or less on an annual basis) for a frequently operating manual control.
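The following Python is an added example, not part of the original letter, that works through the attribute-sampling arithmetic behind "Determining a Sample Size", the one-deviation and two-stage plans, and the "minimum sample size" question above. It assumes a large population (so the binomial model applies without a finite-population correction) and treats each sampled instance of the control as a simple pass/fail; the function names, the 50-item first stage used in the two-stage illustration, and the decision-rule wording are mine.

```python
"""Attribute-sampling arithmetic for tests of controls (added example).

Assumptions (not from the letter): large population, binomial model, each
sampled instance is pass/fail, and "risk" is 1 - confidence, i.e. the chance
of passing a control whose true deviation rate equals the tolerable rate.
"""
from math import comb


def prob_at_most(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p): the chance that a sample of n drawn
    from a population with true deviation rate p shows k or fewer deviations."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def sample_size(confidence: float, tolerable_rate: float,
                allowed_deviations: int = 0) -> int:
    """Smallest n such that a population deviating at exactly the tolerable
    rate would pass (show <= allowed_deviations) with probability at most
    1 - confidence. 90%/5%/0 -> 45, 95%/5%/0 -> 59, 90%/5%/1 -> 77."""
    risk = 1.0 - confidence
    n = allowed_deviations + 1
    while prob_at_most(allowed_deviations, n, tolerable_rate) > risk:
        n += 1
    return n


def achieved_confidence(n: int, tolerable_rate: float,
                        deviations_found: int = 0) -> float:
    """Confidence actually obtained from a sample of n with the given number
    of deviations, against the stated tolerable rate."""
    return 1.0 - prob_at_most(deviations_found, n, tolerable_rate)


def evaluate(deviations_found: int, allowed_deviations: int = 0) -> str:
    """Decision rule from the letter: a zero-deviation plan fails on any
    deviation; a plan sized for one deviation tolerates exactly one."""
    return "pass" if deviations_found <= allowed_deviations else "fail"


def two_stage_plan(confidence: float, tolerable_rate: float, stage1: int) -> dict:
    """Two-stage plan: stage one accepts on zero deviations; on exactly one
    deviation an extension of m items is drawn and the control passes only if
    the extension is clean. m is the smallest value keeping the total chance
    of passing a borderline population within 1 - confidence. The first stage
    must itself leave some risk unspent, or no finite extension works."""
    risk = 1.0 - confidence
    p = tolerable_rate
    p_zero = (1 - p) ** stage1                       # pass at stage one
    if p_zero >= risk:
        raise ValueError("stage-one sample leaves no risk for a second stage")
    p_one = stage1 * p * (1 - p) ** (stage1 - 1)     # exactly one deviation
    m = 0
    while p_zero + p_one * (1 - p) ** m > risk:
        m += 1
    return {"stage1": stage1, "extension": m, "total": stage1 + m}


if __name__ == "__main__":
    for conf in (0.90, 0.95):
        print(f"{conf:.0%} confidence, 5% tolerable: zero-deviation n = "
              f"{sample_size(conf, 0.05)}, one-deviation n = "
              f"{sample_size(conf, 0.05, 1)}")
    print(f"20 clean items at 5% tolerable give only "
          f"{achieved_confidence(20, 0.05):.0%} confidence")
    print("two-stage plan, 90%/5%, 50-item first stage:",
          two_stage_plan(0.90, 0.05, 50))
```

Two points the numbers make that the prose alone does not: a 20-item clean sample against a 5% tolerable rate buys roughly 64% confidence, well short of the 90% to 95% the letter calls for; and a two-stage plan must start with a first stage larger than the bare zero-deviation minimum, because a 45-item first stage at 90% has already spent almost all of the 10% risk and the extension balloons to well over 100 items, whereas a 50-item first stage needs an extension of 43.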
If the auditor concludes that the level of testing by the company is insufficient to enable the company to conclude with a high level of assurance that the controls are operating effectively, the auditor will consider this a deficiency. If deemed serious enough, the issue could be elevated to the level of a material weakness, which would preclude the auditor from concluding that management had an adequate basis for its assertion. The auditor would have to state this in the auditor's report on management's process. Obviously, the auditor in this situation would be able to place little reliance on the procedures that the company performed when determining the required scope of the auditor's procedures.
Independent Auditor Reliance on Testing Performed by Others
It is an auditor judgment as to the extent of reliance that can be placed on company procedures. Unless the auditor is required to rely solely on its own tests in a particular area, such as the control environment, the auditor may place significant, little, or no reliance on company tests, depending on the extent of management's testing and the objectivity and competence of management's work.
Therefore, the independent auditor can, subject to some limitations, rely on the company's testing to reduce the testing of its own that is necessary to issue an opinion on internal controls. However, there are several caveats that are explicit in Auditing Standard No. 2. The auditor must perform sufficient procedures over the control environment to reach conclusions on its effectiveness without reliance on the company's tests, and the auditor must also perform sufficient procedures so that most of the
evidence obtained on which the
auditor’s opinion is based is from
procedures the auditor performed.
Additionally, the auditor must per-
form tests of controls over highly
judgmental areas such as certain
allowance and reserve calculations,
and can place limited reliance on
the tests of others. In other cases,
the extent of testing by manage-
ment and others may be a greater
factor to be considered in reducing
the extent of auditor procedures.
There are obvious cost savings
when the independent auditor can
rely on company tests to the great-
est extent allowed.
In order to consider the testing
the company performs, the auditor
will need to assess the objectivity
and competence of the work per-
formed that supports the company’s
assertion of controls effectiveness.
The greatest objectivity of com-
pany testing may be present when
an objective third party or internal
auditor performs the tests. When
testing using company employees,
objectivity can also be improved by
testing controls using employees
from unrelated functions or differ-
ent departments. Competence is
often assessed by examining the
procedures employed, and reper-
forming some of the procedures. It
is further corroborated when the
independent auditor tests the con-
trol and observes similar results.
However, the auditing standard
requires that company procedures
that result from a “self assessment”
cannot be relied on by the inde-
pendent auditor. A self assessment
is where the employee performing
the test of the control is also the
employee responsible for the oper-
ation of the control. The obvious
problem is that in such a case, the
objectivity of the employee in
selecting the test items or performing the test is questionable. Nevertheless, such tests are acceptable for the company to perform to support its own assertion.
The Timing of Company Tests
The "as of" date of the company's assertion regarding internal controls is the year-end balance sheet date. Performing significant testing early in the year places great reliance on the continuity of the controls throughout the year. Also, management will need to consider how it will extend the conclusions of tests performed earlier through year-end by some means (e.g., further testing, observations of control operations, walk-throughs).
Planning to perform tests in each quarter throughout the year is a strategy that some companies are considering for controlling the level of effort expended during the year. However, recall that the cost of performing a test also includes the cost of test set-up, sample selection, and evaluation. Thus, designing numerous small samples is likely to be less efficient than designing fewer, larger samples. Other companies are considering testing strategies that concentrate the annual testing in fewer periods, with some testing being performed in the last quarter to extend the earlier conclusions. For example, on a continuing basis the company may plan to test most of its controls during the third quarter, followed by some testing in the fourth quarter.
Another complexity introduced by early period testing is that deviations identified in early testing will still require follow-up to assess their nature and possible extent, and may have implications for quarterly SEC certifications and financial reporting. For example, if an annual sample size of 60 items is split into
4 equal samples per quarter, a devi-
ation found in a sample of 15 items
during a quarter may loom larger
than if it was the only deviation
found in the context of the larger
sample.
Good Practice. In this first year of implementation, companies are urged to test controls robustly as soon as possible after the documentation of the controls and assessment of the effectiveness of the design of the controls is made for each significant location, process, etc. This provides the best possibility of identifying documentation and operating problems and remediating them in a timely manner in advance of auditor testing.
Certain controls can only be tested in the timeframe in which they are operating. Quarterly closing controls can only be examined at the interim quarters. Controls over the accrual process, valuation allowance accounts, the year-end closing process, etc. can only be observed and tested during specific periods, which may actually be at or after the “as of” year-end date. In such cases, remediation of deviations is often not possible, so significant attention must be devoted to “getting it right” the first time.
The shortening of the filing deadlines for accelerated filers will exacerbate the problem of focusing attention on the control reporting requirement this year. Any issues arising in this process will likely be identified as significant deficiencies and, more likely, as material weaknesses.
Good Practice. In this first year of implementation, companies may wish to simulate the year-end closing process using their most recent closing process as a reference in order to assist them in the assessment of the design, documentation, and testing that will be required at the next closing date.
Testing Considerations in Other Situations
Modified guidance is needed when testing infrequently operating controls (e.g., daily, weekly, monthly, quarterly). A table of small population sampling guidance is provided in an Appendix to this Financial Reporting Letter.
Judgment needs to be exercised and documented about the extent of reliance being placed on any general controls that are determined to contain significant deficiencies or weaknesses. For example, a weakness in data backup procedures might have no impact on the reliance on certain general controls when testing transaction level application controls. However, weaknesses in program change controls or weaknesses in user access controls might often have a significant impact on automated application control sample sizes.
When examining information technology general controls, the sampling framework is sometimes applicable. For example, one could select a sample of program change authorizations to examine the manual aspects of the process and proper granting of approvals for the change made. On the other hand, the performance of certain regular backup procedures may only need to be corroborated with persons performing the procedures and observed on a surprise basis a few times to confirm their effective operation. In cases where documentary evidence of the operation of the control is not generated, such as the physical locking of a room containing sensitive equipment or program information, observation of the operation of the control a few times during the year is a logical procedure.
Final Testing Comments
As the implementation date for expressing management’s assertion regarding internal controls approaches, we hope that further guidance will be forthcoming from the SEC. This interim guidance has been developed to assist companies struggling to document and test internal controls in this period of uncertainty. There are many more subjects relating to the extent of testing (e.g., testing controls over corporate governance) that are not included herein.
Provided that the company determines the approach and criteria it wishes to use for its testing of controls, both initially and continuing, we believe the independent auditor can assist the company, internal auditors, or independent consultants in designing a sampling plan that will meet those criteria. Independent auditors are sometimes more familiar with tables and computer software that can compute a sample size from specific criteria, or develop two-stage sampling plans to meet management’s stated needs.
Good Practice. When the company robustly tests its controls and when the tests are objectively and competently performed, it obtains significant evidence that the control operates as designed and can permit the maximum reductions in procedures by the external auditor. Companies may wish to discuss some of the sample size trade-offs with their independent auditors to better understand how the extent of company testing can result in reduced levels of auditor testing.
Managing the Compliance Costs
Total project costs have two key components – company costs and auditor costs.
Preparing the initial detailed documentation and company testing as a basis for its assertion on the effectiveness of internal controls is a significant effort, particularly in the first year. The extent of effort will depend on the prior extent of controls, their documentation, and effectiveness, and will vary greatly among companies. Early project effort estimates of time and cost to complete the first year of company compliance continue to rise.
Good Practice. Company costs can be best controlled by:
• Assembling the right management team
• Making timely, objective, and critical assessments of potential weaknesses
• Testing robustly, particularly in the first year, to identify potential weaknesses for remediation
• Remediating control weaknesses early in the process
• Preparing documentation that is complete, accurate, and clear
All these elements will facilitate the review by the independent auditor of management’s process and permit the auditor to rely, to the extent possible, on the underlying work supporting management’s assertion regarding controls. They also provide management with the strong foundation to “roll-forward” the documentation into future periods, as well as provide a basis for reducing the extent of future testing and monitoring costs in low risk areas.
Communication between company project management and the independent auditor will facilitate early identification and resolution of issues. Such conversations should include the intended scope of the company’s assessment, documentation, and testing procedures.
When the auditor can rely to the maximum extent permitted by Auditing Standard No. 2 on the work of others underlying management’s assertion, audit costs are reduced. This should be considered when setting out the initial overall project plan.
Companies should be confident that they have adequately fulfilled their responsibilities under the existing rules before indicating to the independent auditors that they are ready to have them perform their required detailed reviews and testing. Once the independent auditor begins work towards issuing an opinion on management’s assertion and internal controls, they will be responsible for evaluating the documentation and testing of management’s data, and are required to assess observed deficiencies in management’s process or execution and communicate significant deficiencies in documentation and testing to the audit committee.
Concluding Remarks
Companies should understand that neither their own project team, their advisors, nor their independent auditor possess all the answers to all the possible issues that will arise in the process of implementing the Section 404 requirements. It is important to make the best efforts possible to comply with the requirements and identify issues where clarification is necessary.
Implementation working groups have been established by the PCAOB to assist in identifying issues arising from the company and auditor perspectives. Current practice has been evolving since the enactment of the Sarbanes-Oxley Act in 2002 and through various exposure drafts of auditor guidance.
Additional guidance is anticipated in 2004 and 2005 that may clarify or modify our understanding of the intent and requirements of the Act and SEC rules as they relate to company responsibilities. We will keep you apprised through various BDO Seidman publications and through communications from your BDO Seidman engagement team as issues are clarified.
Please contact your BDO Seidman engagement team representative for questions that are specific to your company circumstances.
Important References and Company Resources
The COSO Internal Control Integrated Framework. AICPA product order number 990012kk at www.cpa2biz.com
SEC Rules on Section 404 www.sec.gov/rules/final/33-8238.htm
PCAOB Standard No. 2 www.pcaobus.org/rules/Release-20040308-1.pdf
Sarbanes-Oxley Act of 2002 The United States Congress (2002), The Sarbanes-Oxley Act
AICPA Antifraud & Corporate Responsibility Center www.aicpa.org/antifraud/
AICPA Audit Committee Effectiveness Center http://www.aicpa.org/audcommctr/homepage.htm
Glossary - The Definition of Key Terms
“Internal control over financial reporting” is defined by PCAOB Standard No. 2, paragraph 7 and Securities Exchange Act Rules 13a-15(f) and 15d-15(f). The SEC rules use the word “registrant” rather than company.
“A process designed by, or under the supervision of, the company’s principal executive and principal financial officers, or persons performing similar functions, and effected by the company’s board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
• Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
• Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
• Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets that could have a material effect on the financial statements.”
“A control deficiency” (PCAOB Standard No. 2, paragraph 8) “exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
• A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective is not always met.
• A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.”
“A significant deficiency” (PCAOB Standard No. 2, paragraph 9) “is a control deficiency, or combination of control deficiencies, that adversely affects the company’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the company’s annual or interim financial statements that is more than inconsequential will not be prevented or detected.”
The term “remote” as used here has the same meaning as in Financial Accounting Standards Board Statement No. 5, Accounting for Contingencies, “the chance of the future event or events occurring is slight.”
Guidance in PCAOB Standard No. 2 notes that the “inconsequential” threshold references the expectations of a “reasonable person” that any misstatement as a result of a noted deficiency, either alone or in combination with other misstatements, would not be material to the financial statements. Note that in our view this indicates a low threshold for classifying a deficiency as a significant deficiency.
Note: The threshold for a significant deficiency is very low and will likely result in a large number of significant deficiencies being identified by management and the auditor. For example, while specific examples have not been cited, a projected impact of no less than say 5% of financial statement materiality would be a practical rule of thumb for identifying a deficiency as significant, since allowance should be made for the accumulation of such deficiencies before reaching the materiality threshold (e.g., a material weakness). Accumulation of all deficiencies projected to be 1% or more of materiality for consideration as to their nature may be a conservative first year practice.
A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.
APPENDIX – Sample Size Plans

Assurance (Confidence, Reliability) Level – 95%, Large Population
Rows: Expected Deviation Rate (%). Columns: Tolerable Deviation Rate (%). A dash marks a cell for which the table gives no sample size.

Expected \ Tolerable     .5      1      2      3      5      8     10
0                       598    299    149     99     59     36     29
.5                        –   1181    313    157     93     58     46
1.0                       –      –    590    257     93     58     46
1.5                       –      –   2257    392    124     58     46
2.0                       –      –      –    846    181     77     46
3.0                       –      –      –      –    361     95     61
4.0                       –      –      –      –   1348    146     89

Small Population Sample Size Guidance – High Assurance
For Manual Controls Operating Quarterly, Monthly, Weekly, and Daily

Frequency     Sample Sizes
Daily         16 – 25
Weekly        7 – 10
Monthly       3 – 5
Quarterly     2

Companies may wish to initially test controls at the higher end of the range, and reduce testing to the lower end of the range when the effectiveness of the operation of the controls is clear.

Assurance (Confidence, Reliability) Level – 90%, Large Population
Rows: Expected Deviation Rate (%). Columns: Tolerable Deviation Rate (%). A dash marks a cell for which the table gives no sample size.

Expected \ Tolerable     .5      1      2      3      5      8     10
0                       460    230    114     76     45     28     22
.5                        –    738    194    129     77     48     38
1.0                       –      –    398    176     77     48     38
1.5                       –      –   1463    265    105     48     38
2.0                       –      –      –    590    105     48     38
3.0                       –      –      –      –    233     65     52
4.0                       –      –      –      –    873     98     65
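As an added example that is not part of the newsletter (and not BDO Seidman's code), the following Python script works the arithmetic behind the appendix tables and behind the earlier remark about splitting a 60-item annual sample into quarterly samples of 15. It assumes the tables are binomial attribute-sampling plans in which the number of deviations allowed in the sample is the ceiling of n times the expected deviation rate; the zero-expected-deviation rows and the 0.5% rows checked in the test reproduce the table entries under that assumption, but the newsletter does not state how its tables were built.

```python
import math
from typing import Optional


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p), accumulated term by term."""
    if p <= 0.0:
        return 1.0
    if p >= 1.0:
        return 1.0 if k >= n else 0.0
    term = (1.0 - p) ** n                  # P(X = 0)
    total = term
    ratio = p / (1.0 - p)
    for i in range(min(k, n)):
        term *= (n - i) / (i + 1) * ratio  # P(X = i + 1) from P(X = i)
        total += term
    return total


def attribute_sample_size(confidence: float, tolerable_pct: float,
                          expected_pct: float, max_n: int = 5000) -> Optional[int]:
    """Smallest n such that, if the true deviation rate equalled the tolerable
    rate, seeing at most ceil(n * expected) deviations would have probability
    no more than 1 - confidence (assumed construction of the appendix tables).
    Returns None when expected >= tolerable or no n up to max_n qualifies."""
    if expected_pct >= tolerable_pct:
        return None
    risk = 1.0 - confidence                # risk of assessing control risk too low
    p_tol = tolerable_pct / 100.0
    for n in range(1, max_n + 1):
        k = math.ceil(n * expected_pct / 100.0)   # deviations allowed in the sample
        if binom_cdf(k, n, p_tol) <= risk:
            return n
    return None


def upper_deviation_limit(n: int, deviations: int, confidence: float) -> float:
    """Achieved upper deviation rate (%) for a sample of n items with the given
    number of deviations: the smallest population rate at which this result,
    or a better one, is no more likely than 1 - confidence."""
    risk = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):                    # bisection; the cdf decreases in p
        mid = (lo + hi) / 2.0
        if binom_cdf(deviations, n, mid) <= risk:
            hi = mid
        else:
            lo = mid
    return hi * 100.0


if __name__ == "__main__":
    # The 95% table's "expected deviation rate 0" row.
    print([attribute_sample_size(0.95, t, 0) for t in (0.5, 1, 2, 3, 5, 8, 10)])
    # The newsletter's 60-item annual sample split into quarterly samples of 15:
    # one deviation in 15 items versus one deviation in the full 60.
    for n in (15, 60):
        print("%d items, 1 deviation -> upper limit %.1f%%"
              % (n, upper_deviation_limit(n, 1, 0.95)))
```

Run as a script it prints the 95% zero-expected-deviation row (598, 299, 149, 99, 59, 36, 29) and shows that one deviation in a 15-item quarterly sample gives an achieved upper deviation rate near 28%, against about 7.7% for one deviation in 60, which is the sense in which the quarterly deviation “looms larger”.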
Two Stage Sampling Plan – Decision Rules and Plan
Two Stage Sampling Plan – Decision Rules (table; only its column headings survive in this text: No Deviations, One Deviation, Two or More Deviations)
The COSO Internal Control Integrated Framework
This framework was developed by the Committee of Sponsoring Organizations of the Treadway Commission and was published in 1992. It was an outgrowth of the Commission on Fraudulent Financial Reporting studying fraudulent financial reporting. The focus of the Act is internal control over financial reporting.
The basic framework consists of five integrated components, which should be considered as a whole when evaluating the effectiveness of internal control.
• Control environment. This element is the “base” of the framework and includes senior management setting an appropriate “tone at the top” regarding controls and fraud prevention.
• Risk assessment. Companies must identify risks that their control objectives might not be satisfied, and develop responses to manage these risks.
• Control activities. These constitute the “nuts and bolts” of the company’s controls including the implementation of effective general and application controls.
• Information and communication. This element is essential in providing management with the timely and relevant information needed for effective company management, risk identification and developing effective reporting, including disclosures.
• Monitoring. To ensure effective controls, they need to be monitored on a continuing basis. Monitoring may include inquiries, observations, management oversight and review and testing the effectiveness of controls.
The framework is flexible, and requires adaptation to specific industries or types of business organizations.
Material discussed in this Financial Reporting newsletter is meant to provide general information and should not be acted upon without first obtaining professional advice appropriately tailored to your