
PCAOB Inspections Themes

Jul 06, 2018


AneuxAgam
  • 8/17/2019 PCAOB Inspections Themes


    Introductions

    Matt Mabel – Senior Manager, Advisory Services – Risk Assurance. Eleventh year in public accounting. Serves several Fortune 1000 public companies based out of Arizona. Participated in PCAOB and internal quality inspections and led several internal quality initiatives.

    Diana Gomes – Manager, Assurance Services. Seventh year in public accounting. Serves multiple public companies based out of Arizona. Participated in PCAOB and internal quality inspections.

    Shirley Karnos – Manager, Advisory Services – Risk Assurance. Second year in public accounting and ninth year in professional services. Serves multiple public companies based out of Arizona. Participated in internal quality inspections.

    PCAOB Inspection Themes


    Agenda

    ► Overview of PCAOB, inspection process, and recent results
    ► Recent IT-related PCAOB inspect
    ► Better understanding flows of transactions, IT interfaces, and considering all IT risks
    ► Testing management’s controls over electronic audit evidence
    ► Testing precision of review controls
    ► Evaluating controls over service providers (SOC reports)
    ► Transition to COSO 2013

    Overview of PCAOB, inspection process, and recent results

    ► The Public Company Accounting Oversight Board (PCAOB) is a private-sector, nonprofit corporation created by the Sarbanes–Oxley Act of 2002 to oversee the audits of public companies and other issuers in order to protect the interests of investors and further the public interest in the preparation of informative, accurate and independent audit reports.
    ► The PCAOB audits “Big 4” accounting firms in calendar Q2 and Q3 each year, and other public accounting firms in Q4. The inspection typically consists of review of audit documentation over internal controls and substantive audit testing over selected high risk/focus areas. The inspections typically require 1-2 weeks of on-site fieldwork. Comments can be verbal, written (does not appear in report) or audit deficiencies (appears in public report).
    ► EY’s last publicly available inspection report (which covered the results of reviews of 2012 audits) was released on 8/14/14
    ► The PCAOB inspected 56 audits of public companies during 2013
    ► 28 issuers had audit deficiencies that appeared in the report, 27 of which (48% of inspections) had comments related to ICFR

    IT-related PCAOB inspection themes


    Flows of transactions, IT interfaces, and considering all IT risks

    PCAOB inspection theme

    ► There have been instances in inspections in which teams have identified ineffective ITGCs over in-scope IT systems or have not scoped in key IT systems that process transactions within significant accounts.
    ► In these instances, some teams attempted to identify and test business process controls that address the risk of an ineffective IT system, but were unable to identify and test enough controls, specifically front-end prevent controls around initiation, to sufficiently address the risks.
    ► Inspectors have challenged our conclusions that ineffective ITGCs did not result in a significant deficiency or material weakness, particularly when ineffective ITGCs have existed for more than one year.

    Common IT risks that need to be considered within significant financial processes

    ► Unauthorized initiation/authorization of transactions
    ► Lack of segregation of incompatible duties
    ► Reliance on IT applications or programs that are inaccurately processing data
    ► Potential for errors and fraud within IT applications
    ► Inappropriate dependence on the results of computer processing
    ► Lack of transaction trails or loss of data

    System interface diagrams

    A system interface flow chart gives a pictorial representation of the systems that support significant business processes, including how data flows from system to system.

    System interface flow charts provide the reader with a quick understanding that can help us to:
    ► assess the complexity of the IT environment
    ► identify where application interface controls should exist (or where control gaps do exist)
    ► understand the inputs/outputs from systems
    ► understand the types of electronic audit evidence generated
    ► understand applications and tools supporting significant processes

    Example system interface diagram

    [Figure: system interface diagram. Labels include E2, Hyperion HFM, FRP, EMP, Accurate NXG, Caesar, CASH, CDS, CIMS, GEAC, Pep+, TMS, CDE, OCRA, Policy Administrative Systems, Treasury, Customer Online, Check Requests, Cost allocation files, Payroll Files and Financial Statements; interfaces are labeled A through N.]

    A systems interface diagram is a key source of information used to understand a complex and highly automated IT environment

    Testing management’s controls over electronic audit evidence


    PCAOB inspection theme

    ► Not identifying and testing Issuer controls (either ITGC or business process controls) to assess the completeness and accuracy of system-generated data and reports (electronic audit evidence, or “EAE”) used in the performance of a control
    ► Not testing completeness and accuracy of system-generated data used to select control testing samples or to support our reliance for substantive tests
    ► Not testing IT general controls over all applications that produce system-generated data or reports used in the performance of a control or in our substantive tests
    ► Not testing appropriate controls over end-user computing solutions used in performance of controls

    Increased focus on issuer controls over EAE used in performance of controls

    ► Auditor needs to better consider that the specific system-generated data or report is considered and tested within IT general control testing
        ► Report changes need to be considered within change management testing
        ► Controls over access and changes to reporting tools (e.g., Hyperion HFM, Cognos, data warehouses) need to be considered
    ► Auditor needs to better consider controls that issuer has in place over completeness and accuracy of underlying data
    ► Auditor needs to better consider if system-generated data or reports used in performance of controls are subject to manual change, and if so, whether the proper controls are in place

    An example of audit documentation of EAE

    Better documentation

    Management has designed and implemented the following controls to support the completeness and accuracy of the PPV report:

    • Business process controls - Ctrl # INV # 3.1, 3.4, 3.7; P&P # 4.1, 4.2, 4.7. We walked through and evaluated the design of the controls at B01, B03 and B04, respectively. [Callout: Controls over the completeness and accuracy of the underlying data]
    • Changes to the PPV report are subject to the entity’s ITGCs and the completeness and accuracy of the report is programmed within the Inventory application. We evaluated these controls by inspecting the underlying query used to generate the report and by clerically testing the accuracy of the PPV report, w/o/e (refer to B03). [Callout: Controls over the completeness and accuracy of the report]
    • Effective ITGCs over the Inventory application that maintains the PPV report and processes the underlying data. We evaluated the ITGCs over the Inventory application at IT01 – IT03 w/ps. [Callout: Controls that support the continued integrity of the data and system processing]

    Data and reports supporting the performance of internal controls

    Control: The allowance for doubtful accounts reserve calculation is reviewed by the accounts receivable manager on a monthly basis.

    [Figure: diagram with boxes for cash receipts, sales and trade receivables, the A/R subledger, the application A/R aging report, and the analysis prepared by the credit manager]

    Step #2: Is the data or report generated by an in-scope application?

    [Figure: the same diagram, with the application A/R aging report labeled Great Plains and the analysis prepared by the credit manager labeled Excel]

    Step #3: Are ITGCs over the application or end user computing solution that generated the data or report effective?

    Annotations on the diagram:
    ► Application A/R aging report (Great Plains): YES
    ► Analysis prepared by the credit manager (Excel): NO

    Step #4: Have we tested specific controls over the completeness and accuracy of the underlying data? Are the controls effective?

    Annotations on the diagram:
    ► Cash receipts: YES
    ► Sales and trade receivables: YES

    Step #5: Is data or report subject to manual change?

    Annotations on the diagram:
    ► Application A/R aging report (Great Plains): NO
    ► Analysis prepared by the credit manager (Excel): YES

    Data and reports supporting the performance of internal controls

    ► Extent of identification and testing of controls over key data and reports depends on:
        ► Importance of the data or report to the functioning of the control
        ► Complexity of the calculations in a spreadsheet or manipulation of the data in the preparation of the report
    ► Generally, the “further away” from the application with effective ITGCs, the greater the importance of controls over the data and reports used by management
    ► Focus on the data and reports with greater importance to the functioning of the controls, particularly review controls, and higher complexity of calculations not performed by the application with effective ITGCs

    Example of controls over review of A/R aging report and preparation of bad debt allowance

    EAE = A/R Aging Report

    ► Quantities shipped are reconciled to quantities billed (Initiation)
    ► The invoice amount is posted automatically into the customer’s account upon generation of the invoice (Recording)
    ► The system ages invoices based on the invoice data (Processing)
    ► On a monthly basis, the sub-ledger is posted automatically to the GL (Processing)
    ► An AR reconciliation is performed by the senior accountant and reviewed for completeness and accuracy by the accounting manager (Processing)
    ► The controller reviews the bad debt allowance calculation and approves the adjusting journal entry on a quarterly basis (Processing)

    End-user computing solutions

    ► End-user computing solutions likely are not subject to IT general controls
        ► Excel files
        ► Access databases
        ► Dynamic data warehouse reporting tools
        ► System-generated data in slide decks
    ► Need to better consider issuer controls over end-user computing solutions
        ► Input control – the company reconciles data back to source documents
        ► Access control – access is restricted to authorized personnel and is password protected
        ► Version control – standard naming conventions are in place so only current and approved versions are used

    Testing precision of management review controls

    Example – periodic access review

    ► Test of control – bad example:
        ► Obtained evidence of review, saw review was signed off and some updates were noted in the review listing
    ► Test of control – good example:
        ► Inquired with individual(s) performing review to understand how they review and identify errors/exceptions
        ► Obtained understanding of how access reports were generated and how reviewer knows listings are complete
        ► Observed the performance of the review
        ► For each review tested, confirmed the review was signed off
        ► For each review tested, traced a sample of updates requested through to updated system access
        ► For each review tested, considered significant instances of inappropriate access identified and their impact on the overall control environment

    Evaluation of controls at service providers (SOC reports)

    PCAOB inspection theme

    ► Reliance on service organizations was either not identified or not appropriately documented to determine whether the service auditor’s report provided sufficient audit evidence about the effectiveness of relevant controls
    ► Sub-service organizations that were scoped out of the report were not addressed (i.e., SOC 1 report was not obtained and there was no documentation of considerations and conclusion if such sub-servicers were deemed insignificant or not relevant)
    ► Complementary entity user controls were either not sufficiently tested, or were not properly linked to engagement team testing of user controls that would address the relevant considerations
    ► Update procedures were not properly performed or documented when the service auditor’s report did not sufficiently cover the entire audit period
    ► Control exceptions identified by the service auditor were not evaluated to determine whether sufficient audit procedures to support our combined risk assessments were still appropriate to prevent or detect potential misstatements

    Why do we review SOC reports?

    ► Many entities outsource aspects of their business to service organizations that provide services ranging from performing a specific task under the direction of the entity to replacing an entity’s entire business unit or function. These services are relevant to the audit when these services, and the controls over them, are part of the entity’s information system relevant to financial reporting (e.g., if the client uses electronic audit evidence from a third-party provider as part of a control activity).
    ► If we plan to place reliance on controls at the service organization, we ordinarily obtain and review a service auditor’s report (SOC 1) covering a sufficient portion of the audit year (this includes sub-service providers of those organizations).
    ► We review the SOC 1 report and document our evaluation of the service provider and their impact on the audit.

    Complementary User Entity Controls (CEUCs)

    ► Controls at the service provider alone do not ensure the accuracy of our client’s financial statements, and the SOC 1 report will outline control considerations for the user (our client) of the service
    ► For each CEUC, we should evaluate if the CEUC is relevant (e.g., does the CEUC directly impact financial reporting risk(s) that we have identified that the service providers’ controls help mitigate?)
    ► For IT-related CEUCs, IT specialists should be used and consider the client’s responsibilities in things like user access administration (e.g., who has access to transmit data to the service provider for processing) and testing/approving program changes from the provider
    ► For each CEUC deemed relevant to the financial reporting risk(s) that were identified, we must demonstrate that the client has the appropriate controls in place and we have tested the operating effectiveness of those controls (e.g., these controls should be defined as key SOX controls)

    Evaluating time period of the report and gap between year-end

    ► Generally, to rely on a SOC 1 report, the report must cover at least six months of our audit period. If the report covers less than six months and a second report is not available, we must consider/document how we are comfortable relying on the report with a smaller coverage period (and expect to be challenged on this).
        ► At minimum, consider what controls are in place at the user entity that give us comfort that the client’s internal controls would detect a material misstatement made by the service provider if there is a large gap between the report end date and our client’s year-end date. The client’s controls must be sufficiently precise.
    ► If there is a gap larger than three months between the report end date and our client’s year-end date, we again must document our considerations of how we are comfortable relying on the report with a large time period gap (and expect to be challenged on this).
        ► At minimum, bridge letters should be obtained; but we should challenge if a bridge letter alone is sufficient and how else the client gets comfortable over the service providers’ control environment (e.g., client controls over the reports/data).

    Evaluating control exceptions

    ► The service auditor’s section of the report will summarize the test of controls performed and results of controls testing. Exceptions (often called deviations) will be noted in this section.
    ► Auditor should evaluate all relevant exceptions noted in review documentation
        ► All exceptions relevant to control objectives that mitigate identified financial reporting risks should be evaluated
        ► Exceptions related to ITGCs supporting relevant applications that mitigate identified financial reporting risks should be evaluated
    ► The exceptions should show an appropriate amount of evaluation of the risk of the exception. A blanket “This exception has no impact on our audit approach” is generally not sufficient and could lead to increased scrutiny during a quality inspection.

    Evaluating SOC reports – other considerations

    ► Management should review/evaluate SOC reports as part of their testing of controls for management’s opinion on their internal controls over financial reporting
    ► PCAOB appears to have a list of “problem reports”, and will challenge how teams addressed these “problem reports” when used in the audit of an issuer
    ► Some chatter on PCAOB auditing service auditors who issue SOC reports in the near future

     Application controls


    PCAOB inspection theme

    ► Application controls - Testing without understanding the design
        ► We did not demonstrate our knowledge of whether the application control was configured by the entity or embedded into the system
        ► If the control is configured, we did not gain/demonstrate our knowledge of how the entity configured the control (e.g., is the three way match control configured with a tolerance of 10% receiving variance)
        ► Some teams did not document their considerations around which application controls need to be re-tested in the roll forward period
    ► Lack of evidence regarding the identification and understanding/walkthrough of application controls, as well as insufficient testing of application controls, including inappropriate benchmarking procedures, inappropriate reliance on test of one transaction, lack of consideration of management’s ability to override the automated control or insufficient evaluation of the effect of ineffective ITGCs on the audit of application controls

    Other IT-related inspection themes


    PCAOB inspection theme

    ► Multi-location scoping
        ► Consideration should include commonality of IT systems at the locations subject to multi-location scoping
        ► Should ensure alignment with Assurance on scope of testing of decentralized applications (e.g., Point of Sale, Revenue applications) subject to multi-location scoping
    ► Controls over pricing in revenue
        ► In certain instances, specifically when significant revenue systems are not subject to testing or are deemed ineffective, engagement teams have not identified sufficient controls that address pricing, quantities sold and the related extension (P x Q).
    ► Inventory cycle counting
        ► Failure to test cycle count configuration (logic for A/B/C completeness, cycle count reports)

    Transition to COSO 2013


    Original framework (1992)

    ► Designed to
        ► Establish a common definition serving the needs of different parties
        ► Provide a standard against which business and other entities could assess their control systems

    Internal control is defined as a process, effected by an entity's people, designed to accomplish specified objectives.

    [Figure: cube diagram labeled Monitoring, Information & communication, Control activities, Risk assessment and Control environment, with side labels Unit A, Unit B, Activity 1 and Activity 2]

    COSO 2013

    Why the update?

    COSO’s Internal Control – Integrated Framework (1992 edition) to COSO’s Internal Control – Integrated Framework (2013 edition)

    ► Refresh objective: Address significant changes to the business environment and associated risks. Enhancement: Updated, enhanced and clarified framework
    ► Refresh objective: Increase focus on operations, compliance and nonfinancial reporting objectives. Enhancement: Expanded internal and nonfinancial reporting guidance
    ► Refresh objective: Codify criteria to use in the development and assessment of systems of internal control. Enhancement: Principles; Point of Focus

    In the 2013 update, much remained the same

    ► The cube!
    ► Five components of internal control
    ► The core definition of internal control
    ► Requirement to consider the five components to assess the effectiveness of a system of internal control
    ► Emphasis on the importance of management judgment in designing, implementing, and conducting internal control, and in assessing the effectiveness of a system of internal control

    One of the big changes in the 2013 Framework

    • Principles-based approach
    • While the 1992 version implicitly reflected the core principles of internal controls, the 2013 version explicitly states 17 principles that represent the concepts associated with each of the five components
    • The new framework presumes that all 17 principles must be present and functioning in an effective system of internal control

    17 principles defined

    1. Demonstrates commitment to integrity and ethical values
    2. Board of Directors demonstrates independence from management and exercises oversight responsibility
    3. Management, with Board oversight, establishes structure, authority and responsibility
    4. The organization demonstrates commitment to competence
    5. The organization establishes and enforces accountability
    6. Specifies relevant objectives with sufficient clarity to enable identification of risks
    7. Identifies and assesses risk
    8. Considers the potential for fraud in assessing risk
    9. Identifies and assesses significant change that could impact system of internal control
    10. Selects and develops control activities
    11. Selects and develops general controls over technology
    12. Deploys through policies and procedures
    13. Obtains or generates relevant, quality information
    14. Communicates internally
    15. Communicates externally
    16. Selects, develops and performs ongoing and separate evaluations
    17. Evaluates and communicates deficiencies

    Principles in the framework

    Components:
    1. Control environment
    2. Risk assessment
    3. Control activities
    4. Information & communication
    5. Monitoring

    Points of focus also provided

    ► Points of focus are important characteristics of principles
    ► Some points of focus may not be suitable or relevant, and others may be identified that may be relevant
    ► Points of focus may facilitate designing, implementing and conducting internal control, and assessing whether the principles are present and functioning
    ► While there is no requirement to separately assess whether points of focus are in place, we think that is the best (and potentially only) way to determine whether the objectives of the principles are achieved

    Control Environment component

    Principle 1: The organization demonstrates a commitment to integrity and ethical values

    Points of focus:
    ► Sets the tone at the top
    ► Establishes standards of conduct
    ► Evaluates adherence to standards of conduct
    ► Addresses deviations in a timely manner

    Other key changes

    ► Specific risk assessment principle related to fraud
        ► Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives
    ► Specific information and communication principle related to information quality
        ► Principle 13: The organization obtains or generates and uses relevant, quality information to support the functioning of internal control
    ► Increased discussion of the effect of other organizations (e.g., other business models, joint ventures, service organizations)
        ► Management retains responsibility for controls

    Deficiency evaluation

    ► An effective system of internal control requires that:
        ► Each of the five components of internal control and all relevant principles are present and functioning
        ► The five components are operating together in an integrated manner
    ► Principles are fundamental concepts associated with components
        ► If a relevant principle is not present and functioning, the associated component cannot be present and functioning

    Controls will need to be mapped to the 17 principles and deficiencies will need to be evaluated in the context of the 17 principles

    Transition

    ► How long do issuers have to adopt the new framework?
        ► Updated framework will supersede original framework at the end of the transition period (i.e., 15 December 2014)
        ► The SEC staff has indicated that the longer an issuer uses the 1992 framework after the transition period, the more likely it will be that the SEC staff will have questions regarding the entity’s internal control assessment
    ► Are there any additional disclosure requirements?
        ► During the transition period, entities reporting externally (and their auditors) should disclose whether the original or updated version of the framework was used

    Key points

    ► 2013 COSO framework requires that the company align its internal control with the newly defined 17 principles
    ► Although much of what we do today will not change significantly, the 2013 COSO framework has additional considerations we need to evaluate and document when understanding the design of and testing internal controls (transaction level and entity-level)

    Available resources

    ► COSO
        ► Internal Control – Integrated Framework Executive Summary
        ► Internal Control – Integrated Framework and Appendices
        ► Internal Control – Integrated Framework Internal Control over External Financial Reporting: A Compendium of Approaches and Examples
        ► Internal Control – Integrated Framework Illustrative Tools for Assessing Effectiveness of a System of Internal Control
    ► EY
        ► Publication: Transitioning to the 2013 COSO Framework for External Financial Reporting Purposes (March 2014)
            ► Highlights key changes to the 2013 framework, a suggested project plan, questions to consider when evaluating whether the 17 principles are addressed and an example generic documentation template