Academic journal article Journal of Accountancy

Opportunity Detected: New SEC Interpretive Guidance and AS5 Give Companies and Auditors a Chance to Make Internal Controls More Efficient

Academic journal article Journal of Accountancy

Opportunity Detected: New SEC Interpretive Guidance and AS5 Give Companies and Auditors a Chance to Make Internal Controls More Efficient

Article excerpt

EXECUTIVE SUMMARY

* The crux of the SEC's interpretive guidance for management is a top-down, risk-based approach that puts risk first and foremost. Four key areas of opportunity can be used to reduce an organization's overall SOX 404 compliance effort-risk assessment, entity-level controls, control selection and testing approach.

* AS5 complements the SEC interpretive guidance to management and includes the following key points:

** Risk assessment underlies the entire audit process,

** Evaluation of entity-level controls can result in increasing or decreasing the testing that otherwise would be performed on controls at the process, transaction or application levels.

** Auditors are specifically permitted to consider the nature, timing and extent of procedures performed in the prior year and the results of those procedures in determining the risk associated with a particular control.

** The standard makes it easier to use the work of others and allows auditors to use direct assistance from other parties in performing walk-throughs.

** The external auditor will no longer be required to opine on management's assessment.

** The definition of a material weakness was changed to conform to FASB Statement no. 5 and the definition of a significant deficiency was changed to focus the auditor on the communication requirements rather than scoping issues.

** The authors recommend a "stop-rethink-reuse" strategy for implementing the new guidance: Stop. To avoid changing simply for the sake of change, risk should be at the center of any adjustments that are made to existing compliance frameworks. Rethink. With risk at the forefront, management should consider increasing the rigor of its existing risk assessment to focus on financial reporting elements that represent a higher risk of material misstatement to the financial statements. Reuse. Once a thorough risk assessment has been performed, management should consider revisiting the existing controls portfolio, starting with the entity-level controls. Carefully designed entity-level controls can reduce the number of supporting process-level controls that need testing.

**********

[ILLUSTRATION OMITTED]

Tired of the high cost of compliance with SOX 404? Here is some good news. The SECs new interpretive guidance and the PCAOB's new Auditing Standard no. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements, are intended to reduce the time commitment and cost of compliance with section 404 of the Sarbanes-Oxley Act of 2002.

Controversy over the implementation of SOX 404 has led the SEC and the PCAOB to two basic, but important, conclusions:

* SOX 404 has produced significant benefits, including a stronger focus on corporate governance and higher quality financial reporting.

* These benefits, however, have come at a significant cost.

Based upon requested feedback, in May the SEC finalized guidance specifically for management, and the PCAOB released a new standard for auditors--ASS. The standard, which the SEC approved on July 25, replaces the existing Auditing Standard no. 2 (AS2) for auditing the effectiveness of management's internal control over financial reporting (ICFR) beginning with fiscal years ending on or after Nov. 15, 2007.

The new guidance from the SEC and the PCAOB provides an opportunity for management and auditors to re-evaluate and refine their approach to SOX 404 compliance. This article provides tips for managers to streamline compliance processes. It also provides advice to auditors who want to help their clients understand how the SEC's guidance interacts with ASS.

For those companies that have already achieved compliance in prior years, there is no requirement to align their compliance process with the new SEC guidance. Many companies may also find their initial SOX 404 risk assessments will only need updating rather than overhauling. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed

Oops!

An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.