Translating the PCAOB Guidance: - PowerPoint PPT Presentation

About This Presentation
Title: Translating the PCAOB Guidance

Slides: 32
Provided by: davide6

Transcript and Presenter's Notes

Title: Translating the PCAOB Guidance:


1
Translating the PCAOB Guidance
  • Plain Talk About the New Rules

2
Translating the PCAOB Guidance: Plain Talk About
the New Rules
3
Who am I?
  • David E. Smith, CISSP, David.Smith_at_BindView.com
  • 8 Years in Information Security, Global Fortune
    500 Financial Companies
  • BindView
  • Professional Services Consultant
  • RAZOR Team, Security Compliance Analyst

4
Sarbanes-Oxley Changed Everything
  • Section 101 (a)
  • There is established the Public Company
    Accounting Oversight Board, to oversee the audit
    of public companies that are subject to the
    securities laws, and related matters, in order to
    protect the interests of investors and further
    the public interest in the preparation of
    informative, accurate, and independent audit
    reports for companies the securities of which are
    sold to, and held by and for, public investors.
  • The Board shall be a body corporate, operate as a
    nonprofit corporation, and have succession until
    dissolved by an Act of Congress.

5
PCAOB's Role
  • Issue Standards
  • Solicit feedback
  • Act as a conduit between companies, auditors and
    regulators

6
PCAOB Audit Standards
  • Audit Standard 1
  • Requires reference to PCAOB standards in all
    audits and reviews of financial statements;
    eliminates AICPA references
  • Re-asserts authority of PCAOB for rulemaking
  • Audit Standard 2
  • Defines the standards auditors must follow in
    auditing internal controls over financial
    statements
  • Audit Standard 3
  • Details documentation requirements

7
Audit Standard 2 Major Components
  • Define the auditor's objective
  • Evaluate Management's assessment
  • Evaluate internal controls
  • Name COSO as the model framework
  • Clarify the concept of Reasonable Assurance
  • State the responsibility of management to present
    an adequate written assessment
  • Describe considerations for evaluating material
    assessment and fraud

8
Audit Standard 2 Major Components
  • Performing an audit of internal controls over
    financial statements
  • Relationship between the audit of controls and
    the audit of financial statements
  • Reviewing management's disclosures
  • Documentation requirements
  • Communication requirements

9
May 16, 2005
  • PCAOB and SEC issue simultaneous commentary
    related to SOX Auditing
  • Responded to questions raised during an April 13,
    2005 roundtable on SOX efforts
  • Key Concern
  • Cost Effectiveness of SOX audits

10
PCAOB Commentary Five Objectives
  • Integrate internal control audits with financial
    statements audits
  • Exercise judgment to tailor audit plans for
    individual audit clients
  • Use a top-down approach based on Risk Assessment
  • Use the work of others
  • Engage in direct and timely communication with
    audit clients

11
Integrated audits
  • Audit Standard No. 2 is an integrated audit
    standard
  • should be designed to achieve their results
    simultaneously.

12
Tailored audit plans
  • Standardized audit checklists
  • ARE BAD

13
Use a top-down approach
  • Focus on a high-risk-first approach
  • -Company Controls
  • -Significant Accounts
  • -Significant Processes
  • -Individual Controls

14
Use the work of others
  • Can External Auditors use the work of Internal
    Auditors on SOX Audits?
  • Audit Standard No. 2, Principal Evidence:
    Audit opinion must be based on the auditor's own work
  • AU Section 322: Allows the work of others to be
    incorporated into the audit
  • Final Verdict: The auditor must do enough
    independent work to validate their own opinion

15
Communication with audit clients
  • Auditors may not make accounting decisions on
    behalf of their clients
  • Auditors can and should
  • Review draft financial statements
  • Provide advice on accounting and internal
    controls
  • Discuss freely with management the significance
    of financial controls
  • Make technical suggestions on proper application
    of GAAP

16
The SEC Commentary
  • The purpose of internal control over financial
    reporting
  • Reasonable assurance, risk-based approach, and
    scope of testing and assessment
  • Evaluating internal control deficiencies
  • Disclosures about material weaknesses
  • Information technology issues
  • Communications with auditors
  • Issues related to small business and foreign
    private issuers

17
The purpose of internal controls auditing
  • Focus on items that could lead to material errors
  • Decline to prescribe amount of testing and
    documentation
  • Each company makes an informed decision in
    designing an assessment process

18
Reasonable Assurance, Risk, Testing
  • Reasonable is not Absolute Assurance
  • Use top-down, risk-based approach
  • Testing is an on-going process

19
Evaluating Internal Control Deficiencies
  • Identification of deficiencies should be based on
    the significance of the deficiency on financial
    statements
  • Errors in reporting (restatements) do not
    necessarily indicate a control deficiency

20
Disclosures About Material Weaknesses
  • Material Weaknesses must be reported
  • Companies encouraged to include enough
    information about:
  • The nature of the weakness
  • The impact of the weakness
  • The plans for remediating the weakness
  • so that investors can make informed decisions

21
Information technology issues
  • Tested IT controls should be relevant to
    Financial Reporting
  • IT Control frameworks (CobiT) may be useful, but
    are too broad to be required
  • New IT systems will not be exempted from testing
  • Controls should be built in and tested as part of
    deployment

22
Communications with auditors
  • Auditors can and should
  • Review draft financial statements
  • Provide advice on accounting and internal
    controls
  • Discuss freely with management the significance
    of financial controls

23
Small Business and Foreign Issuers
  • SEC continues to assess the burdens of SOX on
    Small Business and foreign businesses
  • Founded an advisory committee on small business
    impact
  • Foreign Companies still not required to comply,
    but included in discussions

24
Implications for Internal Audit
  • Internal Audit can and should
  • Advise on how to manage SOX costs
  • Develop and implement year-round testing
  • Advise on account controls implementations
  • Work with and possibly under external auditors to
    complete assessments

25
Partnering with Independent Auditors
  • Refer to
  • PCAOB's Interim Standard AU 322
  • http://www.pcaobus.org/Standards/Interim_Standards/Auditing_Standards/

26
The Challenges
  • Balancing Audit Role with Advisory Role
  • Meeting the standard of independence
  • Containing costs

27
Your Thoughts
  • Does Internal Audit have a responsibility to the
    organization to help contain Sarbanes-related
    audit costs?

28
Your Thoughts
  • At what level should Internal Audit be involved
    in the process of evaluating controls for
    financial reporting?

29
Your Thoughts
  • At what level should Internal Audit be involved
    in assisting external auditors with their
    assessments?

30
Your Thoughts
  • Where have PCAOB and SEC missed opportunities to
    provide better guidance?

31
Real things you can do today
  • Work to build a consistent testing cycle
  • Identify the high priorities
  • Automate to reduce costs and increase
    repeatability
  • Educate Management about controls on a consistent
    basis
  • Build the control testing process into new
    projects and technologies.