Title: California State University, Fullerton SOX 404
1 California State University, Fullerton SOX 404
- April 29, 2005
- Glenn Burr
- Ernst & Young
2 Topics
- Material Weaknesses
- Using the Work of Management and Others
- Best Practices
- Thinking Beyond Year One
3 Evaluating and Classifying Deficiencies (1)
- See Paragraphs 9 and 10 of PCAOB auditing standard 2 for expanded description
- For quantitative significance, inconsequential is generally defined as <1% of pretax earnings and material to financial statements is >5% of pretax earnings (20% of overall annual or interim financial statement materiality). See A Framework for Evaluating Control Exceptions and Deficiencies, December 20, 2004
4 Internal Control Deficiencies
- The PCAOB clarified the term inconsequential as follows:
  - A misstatement is inconsequential if a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when aggregated with other misstatements, would clearly be immaterial to the financial statements. If a reasonable person could not reach such a conclusion regarding a particular misstatement, that misstatement is more than inconsequential.
- Reasonable Person criteria involves significant judgment
5 Deficiencies and Weaknesses
- Material Weakness
  - Is a significant deficiency or combination of significant deficiencies that result in more than a remote likelihood that a material misstatement will not be prevented or detected
  - Must be reported publicly
- Significant Deficiency
  - Is a control deficiency or combination of control deficiencies that results in more than a remote likelihood that a misstatement will not be prevented or detected
  - Must be reported to the Audit Committee but are not required to be reported publicly
6 Evaluating and Classifying Deficiencies (1)
Generally regarded as at least a significant deficiency and as a strong indicator of a material weakness
- Restatement of previously issued financial statements to reflect the correction of an error
- Material audit adjustments in the current year
- Ineffective audit committee oversight
- Ineffective internal audit or risk assessment function
- Ineffective regulatory compliance function for highly regulated industries
- Identification of fraud of any magnitude on the part of senior management
- Lack of progress on correcting significant deficiencies over time
- Ineffective control environment (e.g., tone at the top)
- (1) See paragraph 140 of PCAOB auditing standard 2 for a more expanded discussion
7 Internal Control Deficiencies
- Likelihood of potential misstatement should be determined after considering compensating controls
- Deficiencies should first be evaluated individually, and the determination as to whether they are significant deficiencies or material weaknesses should be made considering the effects of compensating controls
- The effects of compensating controls should be taken into account when assessing the likelihood of a misstatement occurring and not being prevented or detected
8 Remediating Deficiencies
- Management's report for SOX 404 is as at fiscal year-end and deficiencies fixed by that time generally do not result in an adverse opinion
- In order to say that a deficiency is fixed, it must be remediated and tested to show that it is working over a sufficient period of time; for example, a quarterly control needs to be working over two quarters to be considered closed
- It is important to remediate deficiencies in sufficient time before year-end for testing by both management and the internal auditor to show the remediation is working
9 Using the Work of Management and Others
- Overall, auditor's own work must provide principal evidence for audit opinion (considering qualitative and quantitative factors)
- Auditor's consideration focuses on
  - Nature of controls being tested
  - Competence and objectivity of individuals performing the work
  - Testing the work performed by others to evaluate the quality and effectiveness of their work (it should be noted that testing the work of others does not count as principal evidence of the auditor)
- An effective internal audit function permits the auditor to reduce the work that otherwise would be necessary
- Auditor prohibited from using the work of others in evaluating the control environment, including fraud programs and controls, and in performing walk-throughs of major classes of transactions (should review results of work performed by others)
- Testing performed by internal auditors as direct assistance does not qualify as part of the principal evidence supporting the auditor's opinion
10 Using the Work of Management and Others
The auditor should evaluate the following factors when evaluating the nature of the controls subjected to the work of others. As these factors increase in significance, the need for the auditor to perform his or her own work on those controls increases. As these factors decrease in significance, the need for the auditor to perform his or her own work on those controls decreases.
- The materiality of the accounts and disclosures that the control addresses and the risk of material misstatement
- The degree of judgment required to evaluate the operating effectiveness of the control (that is, the degree to which the evaluation of the effectiveness of the control requires evaluation of subjective factors rather than objective testing)
- The pervasiveness of the control
- The level of judgment or estimation required in the account or disclosure
- The potential for management override of the control
11 Best Practices
- Scoping
- Identification of key controls (company and external accountants)
- Development of appropriate test plans
- Coordinating project with external auditors (avoid expectation gap)
- Focus on softer COSO components
- Outsourcing responsibility (documenting/defining key controls)
- Focus on IT controls
12 Best Practices
- Disciplined project management
- Oversight of foreign locations
- Aggressive remediation plan
- Address known problem areas
13 Best Practices
- Full-time/100% dedicated and qualified project leader with real authority and respect in organization, as well as a clear and obvious channel to and support from CEO, CFO and Audit Committee
- Project plan by location, by all components, by person, by date
- Monitor progress: no tolerance for delays
- Ensure methodologies fully understood between company / accountants / third party providers
- Continuous communication with Audit Committee
- Plan on a significant remediation effort
14 Thinking Beyond Year One
- Sarbanes Section 404 is not a one-time event
- A more efficient and effective process must be developed to sustain compliance at a reasonable cost
- Comply by designing and sustaining a process that
  - Provides for management reliance for quarterly and annual attestations
  - Is seamlessly embedded with other business processes
  - Achieves efficiency and effectiveness in documenting, updating, archiving and assessing company control documentation, as well as company policies
  - Manages administrative burden of compliance
  - Enables teams to identify, report and remediate failures in a timely manner
- Proactively deal with change in people, processes and technology: a formalized change management process