On this page the requirements of the PCAOB AS 5 standard to satisfy sections 302 and 404 of the Sarbanes-Oxley Act (2002). The focus of the chapter is on the information technology (IT) implications of the audit of SOx compliance. It is important to understand these requirements and their relevance to designing and implementing internal controls.
Sarbanes-Oxley Sections 302 and 40412 Explained
The Sarbanes-Oxley Act was signed into law on 30 July 2002. Among other provisions, section 302 requires “disclosure of internal controls.” Section 404 provides for “the assessment of internal controls.”
Who An enterprises management, with the participation of the principal executive and financial officers (the certifying officers) Corporate management, executives and financial officers (“management” has not been defined by the PCAOB)
What Certifying officers are responsible for establishing and maintaining internal control over financial reporting.
2. Certifying officers have designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under their supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.
3. Any changes in the enterprise’s internal control over financial reporting that have occurred during the most recent fiscal quarter and have materially affected, or are reasonably likely to materially affect, the company’s internal control over financial reporting are disclosed. 1 A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the enterprise
2. A statement identifying the framework used by management to conduct the required assessment of the effective- ness of the enterprise’s internal control over financial reporting
3. An assessment of the effectiveness of the enterprise’s internal control over financial reporting as of the end of the enterprise’s most recent fiscal year, including an explicit statement whether internal control over financial reporting is effective
4. A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an
attestation report on management’s assessment of the enterprise’s internal control over financial reporting
4. When the reason for a change in internal control over financial reporting is the correction of a material weakness, management has a responsibility to determine whether the reason for the change and the circumstances surrounding that change are material information necessary to make the disclosure aboutthe change not misleading.
5.; A written conclusion by management about the effectiveness of the enterprise’s internal control over financial reporting included both in its report on internal control over financial reporting and in its representation letter to the auditor. The conclusion about the effectiveness of an enterprise’s internal control over financial reporting can take many forms.
However, management is required to state a direct conclusion about whether the enterprise’s internal control over financial reporting is effective.
6. Management is precluded from concluding that the enterprise’s internal control over financial reporting is effective if there are one or more material weaknesses. In addition, management is required to disclose all material weaknesses that exist as of the end of the most recent fiscal year.
How Often Quarterly and annual assessment. Annual assessment by management and independent auditors
The Sarbanes-Oxley Act has fundamentally changed the business and regulatory environment. The Act aims to enhance corporate governance through measures that will strengthen internal controls and corporate accountability. Section 404 of the Act requires senior management and business process owners to establish and maintain an adequate internal control structure, and, importantly, to assess the effectiveness of those internal controls on an annual basis.
The mandate of the PCAOB, established under the Act, is to set auditing standards for the audit of SEC registrants and to license and regulate the auditors of those registrants.
In 2003, the PCAOB published the key standard AS 2 that was the main driving force for SOX audits of the effectiveness of ICFR. In 2007, AS 5 superseded AS 2. The revised standard simplified the audit requirements and instructed to use a top-down risk-based approach to the design and execution of the audits of internal controls.
Key Requirements of Auditing Standard No. 514
The PCAOB Auditing Standard No. 5, “An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements,” introduces risk-based concepts in the design of the audit of ICFR. The emphasis of the standard is on the testing of effectiveness of enterprise-level controls that are oriented to the inherent risk of the enterprise, as reflected in the financial statements. Further, AS 5 calls on external auditors to consider relying on the work of internal auditors and other sources of audit evidence. The standard requires that the auditor consider the competence and objectivity of these sources.
Defining Significant Deficiencies and Material Weaknesses
Weaknesses in internal controls have differing levels of impact on the quality of financial reporting. The SOX Act differentiates between significant deficiencies and material weaknesses in ICFR. AS 5 significant deficiency in ICFR as:
A deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the enterprise’s financial reporting.”
AS 5 defines a material weakness as:
“A deficiency, or combination of deficiencies, in internal control over financial reporting such that there is a reasonable possibility that a material misstatement of the enterprise’s annual or interim financial statements will not be prevented or detected on a timely basis.”
The following is an overview of the audit steps in completing the audit of the effectiveness of ICFR:
• Planning the Audit
A. Obtain knowledge of internal controls and other matters.
B. Assess the role of risk assessment. Include a “what could go wrong” scenario.
C. Scale the audit to the size and complexity of the enterprise.
D. Address the risk of fraud.
E Consider using work of others, such as internal audit and other client personnel.
F. Use the same materiality considerations as when planning a financial statement audit.
• Developing a Top-Down Audit Approach
A. Identify entity-level controls.
B. Identify application controls.
C.; Identify IT general controls.
D. Identify significant accounts and disclosures and their relevant assertions.
E. Understand likely sources of misstatement.
F.Select controls to test.
A. Consider the prior year’s audit reports.
B Test design effectiveness.
C.Test operating effectiveness.
D. Relate risk to the obtained testing evidence.
• Evaluating Identified Deficiencies
A. Evaluate the severity of control deficiencies.
B. Evaluate whether control deficiencies, individually or collectively, rise to the level of significant deficiencies or material weaknesses.
Wrapping Up the Audit
A.; Write the audit opinion.
B. Obtain written management representations.
C Communicate matters to management and the audit committee.
• Reporting on Internal Control
A Issue a report with the auditors opinion.
B. Report any material weaknesses.
C. Review for subsequent events.
Role of Risk Assessments
Risk assessment underlies the entire audit process set out in AS 5. This includes the:
• Determination of significant accounts and disclosures and relevant assertions
•; Selection of controls to test
• Determination of the evidence necessary for a given control
Risk assessments are a fundamental and underlying process when performing
SOX-related audits. There is a direct relationship among the significance of the financial disclosure to which a particular control relates, the degree of risk that a material weakness could exist in a particular aspect of internal controls and the level of audit attention that should be devoted to those controls. Only those entity-level controls and application and general IT controls that have the biggest impact on the financial statements should be the priority focus of a SOX audit. At the same time, AS 5 provides guidance on how lower risk controls should be addressed. In addition, the risk that an enterprise’s ICFR will fail to prevent or detect misstatement caused by fraud usually is higher than the risk of failure to prevent or detect errors.
Identifying Entity-level Controls
AS 5 places considerable emphasis on entity-level controls. The standard notes the following:
“The auditor must test those entity-level controls that are important to the auditor’s conclusion about whether the company has effective internal control over financial reporting. The auditor’s evaluation of entity-level controls can result in increasing or decreasing the testing that the auditor otherwise would have performed on other controls.
Some entity-level controls, such as certain control environment controls, have an important, but indirect, effect on the likelihood that a misstatement will be detected or prevented on a timely basis. These controls might affect the other controls the auditor selects for testing and the nature, timing, and extent of procedures the auditor performs on other controls. Some entity-level controls monitor the effectiveness of other controls. Such controls might be designed to identify possible breakdowns in lower-level controls, but not at a level of precision that would, by themselves, sufficiently address the assessed risk that misstatements to a relevant assertion will be prevented or detected on a timely basis. These controls, when operating effectively, might allow the auditor to reduce the testing of other controls.”15
Entity-level controls include, but are not limited to, the following:
• Controls related to the overall control environment
• Controls over management override
•The enterprise’s risk assessment process
• Centralized processing and controls, including shared service environments
• Controls to monitor results of operations
• Controls to monitor other controls, including activities of the internal audit function, the audit committee and self-assessment programs
• Controls over the period-end financial reporting process
• Policies that address significant business control and risk management practices
Controls over management override are important for all enterprises. However, they may be particularly important at smaller enterprises because of the increased direct involvement of senior management in performing controls and in the period-end financial reporting process. For smaller enterprises, the controls that address the risk of management override might be different from those at larger enterprises. For example, a smaller enterprise might rely on more detailed oversight by the audit committee that focuses on the risk of management override.
Many of the entity-level controls have IT implications. For example, COBIT 5 process APO02 Managing IT strategy can be an entity-level control and requires that IT provides a holistic view of the business and IT environment, the future direction and the initiatives that are required to migrate to the future environment, which leverages the enterprise’s architecture (including externally provided services and related capabilities) to enable nimble, reliable and efficient responses to strategic objectives.
Identifying Application Controls
Application controls are discussed fully in chapter 4 of this guide. Application controls refer to the transactions and data relating to each computer-based application system and are, therefore, specific to each such application. The PCAOB AS 5 states that entirely automated application controls are generally not subject to breakdowns due to human failure.16 This feature allows the auditor to use a “benchmarking” strategy.
AS 5 goes on to state the following:
“If general controls over program changes, access to programs, and computer operations are effective and continue to be tested, and if the auditor verifies that the automated application control has not changed since the auditor established a baseline (i.e., last tested the application control), the auditor may conclude that the automated application control continues to be effective without repeating the prior year’s specific tests of the operation of the automated application control. The nature and extent of the evidence that the auditor should obtain to verify that the control has not changed may vary depending on the circumstances, including depending on the strength of the company’s program change controls.”17
According to AS 5, to determine when to re-establish a baseline, the auditor should evaluate the following factors18:
•The effectiveness of the IT control environment, including controls over application and system software acquisition and maintenance, access controls and computer operations
• The auditor’s understanding of the nature of changes, if any, on the specific programs that contain the controls
• The nature and timing of other related tests
• The consequences of errors associated with the application control that was benchmarked
• Whether the control is sensitive to other business factors that may have changed. For example, an automated control may have been designed with the assumption that only positive amounts will exist in a file. Such a control would no longer be effective if negative amounts (credits) begin to be posted to the account.
• Whether the control relies on performance by an individual or is automated
(i.e., an automated control would generally be expected to be lower risk if relevant information technology general controls are effective).
Identifying IT General Controls
IT general controls are described by the PCAOB as controls that are embedded within IT processes, provide a reliable operating environment and support the effective operation of application controls. These controls are discussed further in this guide in chapter 2 in the section on Information Systems and Technology Controls and are the key direct controls used to audit the effectiveness of internal controls over financial reporting. They include the following:
• Program development
• Program changes
• Access to programs and data
• Computer operations
Addressing the Risk of Fraud
AS 5 also gives considerable emphasis to fraud and fraud-prevention controls. Some of these controls have IT implications. For example, AS 5 pays particular attention to journal entries and adjustments. Lack of good application controls in accounting
systems and general IT controls, such as access controls, can make fraud that employs journal entries and adjusting entries more difficult to prevent and/or detect.
Where to Find IT Controls
In understanding where IT controls exist within the typical enterprise, consideration of at least three elements is necessary. Figure 3 illustrates the common elements of enterprises.
Increasingly, IT systems help automate business processes. In doing so, these systems often replace manual control activities with automated or IT-dependent control activities. As a result, compliance programs need to consider system-based controls to keep pace with changes in business processes and new system functionality.
Information Systems and Technology Controls
The SOX Act makes corporate executives explicitly responsible for establishing, evaluating and monitoring the effectiveness of ICFR. For most enterprises, the
role of IT is crucial to achieving this objective. Whether through a unified enterprise resource planning (ERP) system or a disparate collection of operational and financial management software applications, IT is the foundation of an effective system of ICFR.
Enterprises need representation from IT on their SOX teams to determine whether IT monitoring controls, general controls and application controls exist and support the objectives of the compliance program. Some of the important areas of responsibility for IT include:
• Understanding the enterprise’s internal control program and financial reporting process
• Mapping the IT environment (IT services and processes) that supports internal control and the financial reporting process that results in a set of financial statements
• Identifying risk that is related to these IT services and processes
• Designing and implementing controls to mitigate identified risk factors, monitoring and maintaining them for continued effectiveness
• Documenting and testing IT and systems-based controls
• Ensuring that IT controls are updated and changed, when necessary, to correspond with changes in internal control or financial reporting processes
• Monitoring IT controls for effective operation over time
• Participating in the SOX project management office
IT Control Environment
The IT control environment relates to the entity-level controls defined by the PCAOB AS 5, which were outlined previously. This environment includes the IT governance process, monitoring and reporting. The IT governance process includes information systems strategic planning; the IT risk management process; compliance and regulatory management; and IT policies, procedures and standards. Monitoring and reporting are required to align IT with business requirements.
The IT governance structure should be designed so that IT adds value to the business and IT risk factors are addressed. This governance structure also includes an IT organization structure that supports and promotes the achievement of the enterprise’s objectives.
These include controls over the definition, acquisition, installation, configuration, integration and maintenance of the IT infrastructure. Ongoing controls over operations address the day-to-day delivery of information services, including service-level management, management of third-party services, system availability, customer relationship management, configuration and systems management, problem and incident management, operations management scheduling and facilities management.
The system software component of operations includes controls over the effective acquisition, implementation, configuration and maintenance of operating system software, database management systems, middleware software, communications software, security software, and utilities that run the system and allow applications to function. System software also provides the incident tracking, system logging and monitoring functions. System software can report on users of utilities, so if someone accesses these powerful data-altering functions, that individual’s use is recorded and reported for review.
Access to Programs and Data
Access controls over programs and data assume greater importance as internal and external connectivity to entity networks grows. Internal users may be halfway around the world or down the hall, and there may be thousands of external users accessing, or trying to access, entity systems. Effective access security controls can provide a reasonable level of assurance against inappropriate access and unauthorized use of
systems. If designed well, they can intercept unethical hackers, malicious software and other intrusion attempts.
Adequate access control activities, such as secure passwords, Internet firewalls, data encryption and cryptographic keys, can be effective methods of preventing unauthorized access. User accounts and related access privilege controls restrict the applications or application functions only to authorized users that need them to do
their jobs, supporting an appropriate segregation of duties. Review of the user profiles that permit or restrict access should be frequent and timely. Former or disgruntled employees can be a threat to a system; therefore, terminated employee passwords
and user IDs should be revoked immediately. By preventing unauthorized use of, and changes to, the system, an entity protects its data and program integrity.
Program Development and Change Management
Application software development and maintenance have two principal components: the acquisition and implementation of new applications and the maintenance of existing applications. The acquisition and implementation process for new applications tends to result in a high degree of failure.
To reduce acquisition and implementation risk, entities often employ an appropriate system development and quality assurance (QA) methodology. Standard software tools and IT architecture components often support this methodology. The methodology provides structure for the identification of automated solutions, system design and implementation, documentation requirements, testing, approvals, project management and oversight requirements, and project risk assessments.
Application maintenance addresses ongoing change management and the implementation of new releases of software. Appropriate controls over changes to the system should exist so that all changes are made properly. The extent of testing that is required for the new release of a system should also be determined. For example, the implementation of a major new software release may require the evaluation of enhancements to the system, extensive testing, user retraining and the rewriting of procedures. Controls may involve required authorization of change requests; review of the changes, approvals, documentation, testing and assessment of changes on other IT components; and implementation protocols. The change management process
also needs to be integrated with other IT processes, including incident management, problem management, availability management and infrastructure change control.