May 25, 2005
Ontario Securities Commission Discusses 52-111 Implementation
At a session sponsored by the Financial Executives Institute in Toronto, Canada, the Ontario Securities Commission (OSC) gave their guidance and feedback for Canadian filers subject to the upcoming 52-111 legislation - the Canadian version of Sarbanes-Oxley 404.
The Chief Accountant, John A. Carchrae and Jo-Anne Matear, Senior Legal Counsel were the speakers from the OSC. They laid out the details of the proposed legislation and their reasoning behind the closeness in similarity to the Sarbanes-Oxley Section 404.
Both speakers highly recommended to Canadian filers to understand that this legislation is important to the reputation of Canadian financial markets. It is interesting that the Canadian legislation exempts an entire market - the TSX-Venture Exchange. This differs from the US SEC approach of including ALL registrants.
The OSC also has proposed very protracted deadlines - from June 2006 for the largest filers all the way out to June 2009 for the smallest filers.
The OSC has asked for public comment by June 6th, 2005. Thus far, only two comments have been submitted.
Stay tuned for more information on this important topic.
To help your company adequately comply with Sarbanes-Oxley and the Canadian 52-111 legislation, see www.issuescentral.com to learn more about Sarbanes-Oxley Compliance Playbook(tm) or call 800.410.6681 ext 114
The Chief Accountant, John A. Carchrae and Jo-Anne Matear, Senior Legal Counsel were the speakers from the OSC. They laid out the details of the proposed legislation and their reasoning behind the closeness in similarity to the Sarbanes-Oxley Section 404.
Both speakers highly recommended to Canadian filers to understand that this legislation is important to the reputation of Canadian financial markets. It is interesting that the Canadian legislation exempts an entire market - the TSX-Venture Exchange. This differs from the US SEC approach of including ALL registrants.
The OSC also has proposed very protracted deadlines - from June 2006 for the largest filers all the way out to June 2009 for the smallest filers.
The OSC has asked for public comment by June 6th, 2005. Thus far, only two comments have been submitted.
Stay tuned for more information on this important topic.
To help your company adequately comply with Sarbanes-Oxley and the Canadian 52-111 legislation, see www.issuescentral.com to learn more about Sarbanes-Oxley Compliance Playbook(tm) or call 800.410.6681 ext 114
May 16, 2005
No Rule Changes from SEC or PCAOB - Clarification in Implementation
May 16, 2005: Update on Today’s Statements from the SEC and PCAOB with respect to Internal Control Reporting Requirements – Issues Central Review and Commentary
As promised in Washington in April 2005 both the Public Company Accounting Oversight Board (PCAOB) and the U.S. Securities and Exchange Commission (SEC) today they have clarified their guidance with respect to internal control reporting requirements and the consequence for Section 404 activities of the Sarbanes-Oxley Act of 2002 being undertaken by both accelerated and non-accelerated filers.
Issues Central Inc. – Our Preliminary Conclusions with respect to PCAOB Guidance:
Auditors have to use the judgment that is designated in Audit Standard #2. Extreme conservatism increased the cost but not the quality of audits.
No new rules are needed. The Auditing Standards are accurate and pertinent. Risk based approach to audits has been the standard for a long time and this needs to be applied to Section 404/302 audits.
The PCAOB rules provide latitude and encourage judgment by auditors and this was not properly exercised. The PCAOB will work through inspections to improve the quality of audits to get this right.
Costs will be driven down by improved quality of audits not the repeal of Sarbanes-Oxley.
Auditors should be working closely with their clients to assist in complex accounting treatments. Financial Information should be shared between registrant and auditor to increase the quality of reporting.
Key highlights of today’s commentary are as follows:
Highlights of the PCAOB’s “Additional Staff Guidance on Internal Control”:
The PCAOB did not make any new rules, just clarified what they already have outlined in Audit Standard #2.
Integrated audits (Section 404/302) should be done for most registrants moving forward. This should aid consistency and drive down costs and duplication experienced in the first year filings for Accelerated Filers. It will also improve the quality of the audits.
Audit plans were not tailored to fit a company and were implemented in a very rigid checklist format. This is not required nor endorsed by the auditing standards. This was the result of poor planning and training by audit firms.
A top down risk based approach per COSO is what is designated to test those areas that are more risky and not put much time or review into mundane low risk areas. Entity level controls are key to this type of approach.
Auditors have to exercise judgment and this is key to the auditing standards.
Auditors should work with their clients in assisting in complex accounting treatments in frank and open ways.
Costs were too high because auditors did not use the work of others as they are allowed to do in the standards. They can in fact use the work of others and actually use company staff such as internal auditors to assist their review and testing work.
PCAOB will conduct inspections of external audit firm’s audits to determine if they were conducted in a professional and proper manner. Where they find problems, they will “demand improvements”.
For more details please visit http://www.pcaob.us.org/
Issues Central Inc. – Our Preliminary Conclusions with respect to SEC Statement:
The SEC wants to drive costs down for compliance with Section 404 by increasing the quality of management’s assessments of internal controls and the external auditor review. Management should be focused on a ‘Top Down” entity level controls review to provide reasonable assurance of internal controls. A risk based COSO approach is the way to comply with the Act and reduce the amount of low value testing on low risk processes.
Management has to step up and take responsibility for the scope and management of their assessments. Management has the power to designate and manage their own review and must work with their external auditors but fashion their own reasonable assessment.
The use of mitigating and compensating controls to provide reasonable assurance of internal controls is permissible and part of well functioning controls. Over emphasis on IT controls that have little to do with financial reporting is unnecessary and does not prove compliance.
The exorbitant costs of many Year 1 404 filings were mainly due to poor planning and improper project scoping and therefore did not in many cases even accomplish the spirit of the Sarbanes-Oxley Act. The Act is working and this clarification on implementation should help companies in their either first or second year certifications.
Highlights of the SEC’s “Statement on the Implementation of Internal Control Reporting Requirements”:
Risk based – top down approach is important in all companies but has special importance in small companies because management presumably has more direct control over transactions/financial reporting than in larger organizations. Management may have very effective communication and monitoring controls that allows less detailed testing of transactions.
Mitigating or compensating controls are important and valid in evaluation of overall internal control reviews.
Weaknesses that are not re-mediated prior to year end must be reported and fully disclosed and should be explained such that investors can evaluate with complete information.
More attention should be given to significant accounts that have high risk rather than a “check the box” regimen with “one size fits all” approach.
Scoping should utilize quantitative and qualitative items for inclusion and exclusion.
Testing can be done all during the year for internal controls not just at the end of the year. This is because many controls work in a continuous manner not just a snapshot approach. Each year of review can have a different focus.
Clearly one area that was addressed was the lack of use of client documentation and even client staff to cut audit costs. This was a huge area of unnecessary cost overruns for accelerated filers.
Section 404 never stated that a separate framework had to be used for IT controls. In fact the SEC was quite surprised that companies were spending an inordinate effort on IT controls that may not in some cases actually affect financial reporting.
IT controls need only be tested if they affect financial reporting. The approach of including all IT controls is neither necessary nor beneficial to Section 404 compliance.
In the future, audits are most likely going to be integrated Section 404/302 in order to cut duplication and increase the effectiveness of audits.
There will be guidance for smaller companies but they will have to comply with Section 404. “Section 404 is too important not to get right…” (reference: SEC 2005-74.htm page 2 of 3).
The SEC reiterates that the regulations state “reasonable assurance” not “absolute assurance” that internal controls are operating effectively.
“Management should use its own experience and informed” judgment to design an assessment process…: Management has to own its project and not look for external auditors to call the shots for management’s attestation.
Auditors have to allow “a reasonable zone of conduct” for companies for implementation of Section 404.
External Auditors can and should consult with their clients about complex accounting treatments. Auditors cannot make management’s decisions for them, but definitely should assist in the proper use of GAAP etc. This is even to the point of registrants providing auditors draft financial statements for review.
For more details please visit http://www.sec.gov/
For more information on Issues Central, Inc. and the Sarbanes-Oxley Compliance Playbook™, geared to the compliance efforts of mid to emerging public filers, please call 1.800.410.6681 or go to http://www.issuescentral.com/
As promised in Washington in April 2005 both the Public Company Accounting Oversight Board (PCAOB) and the U.S. Securities and Exchange Commission (SEC) today they have clarified their guidance with respect to internal control reporting requirements and the consequence for Section 404 activities of the Sarbanes-Oxley Act of 2002 being undertaken by both accelerated and non-accelerated filers.
Issues Central Inc. – Our Preliminary Conclusions with respect to PCAOB Guidance:
Auditors have to use the judgment that is designated in Audit Standard #2. Extreme conservatism increased the cost but not the quality of audits.
No new rules are needed. The Auditing Standards are accurate and pertinent. Risk based approach to audits has been the standard for a long time and this needs to be applied to Section 404/302 audits.
The PCAOB rules provide latitude and encourage judgment by auditors and this was not properly exercised. The PCAOB will work through inspections to improve the quality of audits to get this right.
Costs will be driven down by improved quality of audits not the repeal of Sarbanes-Oxley.
Auditors should be working closely with their clients to assist in complex accounting treatments. Financial Information should be shared between registrant and auditor to increase the quality of reporting.
Key highlights of today’s commentary are as follows:
Highlights of the PCAOB’s “Additional Staff Guidance on Internal Control”:
The PCAOB did not make any new rules, just clarified what they already have outlined in Audit Standard #2.
Integrated audits (Section 404/302) should be done for most registrants moving forward. This should aid consistency and drive down costs and duplication experienced in the first year filings for Accelerated Filers. It will also improve the quality of the audits.
Audit plans were not tailored to fit a company and were implemented in a very rigid checklist format. This is not required nor endorsed by the auditing standards. This was the result of poor planning and training by audit firms.
A top down risk based approach per COSO is what is designated to test those areas that are more risky and not put much time or review into mundane low risk areas. Entity level controls are key to this type of approach.
Auditors have to exercise judgment and this is key to the auditing standards.
Auditors should work with their clients in assisting in complex accounting treatments in frank and open ways.
Costs were too high because auditors did not use the work of others as they are allowed to do in the standards. They can in fact use the work of others and actually use company staff such as internal auditors to assist their review and testing work.
PCAOB will conduct inspections of external audit firm’s audits to determine if they were conducted in a professional and proper manner. Where they find problems, they will “demand improvements”.
For more details please visit http://www.pcaob.us.org/
Issues Central Inc. – Our Preliminary Conclusions with respect to SEC Statement:
The SEC wants to drive costs down for compliance with Section 404 by increasing the quality of management’s assessments of internal controls and the external auditor review. Management should be focused on a ‘Top Down” entity level controls review to provide reasonable assurance of internal controls. A risk based COSO approach is the way to comply with the Act and reduce the amount of low value testing on low risk processes.
Management has to step up and take responsibility for the scope and management of their assessments. Management has the power to designate and manage their own review and must work with their external auditors but fashion their own reasonable assessment.
The use of mitigating and compensating controls to provide reasonable assurance of internal controls is permissible and part of well functioning controls. Over emphasis on IT controls that have little to do with financial reporting is unnecessary and does not prove compliance.
The exorbitant costs of many Year 1 404 filings were mainly due to poor planning and improper project scoping and therefore did not in many cases even accomplish the spirit of the Sarbanes-Oxley Act. The Act is working and this clarification on implementation should help companies in their either first or second year certifications.
Highlights of the SEC’s “Statement on the Implementation of Internal Control Reporting Requirements”:
Risk based – top down approach is important in all companies but has special importance in small companies because management presumably has more direct control over transactions/financial reporting than in larger organizations. Management may have very effective communication and monitoring controls that allows less detailed testing of transactions.
Mitigating or compensating controls are important and valid in evaluation of overall internal control reviews.
Weaknesses that are not re-mediated prior to year end must be reported and fully disclosed and should be explained such that investors can evaluate with complete information.
More attention should be given to significant accounts that have high risk rather than a “check the box” regimen with “one size fits all” approach.
Scoping should utilize quantitative and qualitative items for inclusion and exclusion.
Testing can be done all during the year for internal controls not just at the end of the year. This is because many controls work in a continuous manner not just a snapshot approach. Each year of review can have a different focus.
Clearly one area that was addressed was the lack of use of client documentation and even client staff to cut audit costs. This was a huge area of unnecessary cost overruns for accelerated filers.
Section 404 never stated that a separate framework had to be used for IT controls. In fact the SEC was quite surprised that companies were spending an inordinate effort on IT controls that may not in some cases actually affect financial reporting.
IT controls need only be tested if they affect financial reporting. The approach of including all IT controls is neither necessary nor beneficial to Section 404 compliance.
In the future, audits are most likely going to be integrated Section 404/302 in order to cut duplication and increase the effectiveness of audits.
There will be guidance for smaller companies but they will have to comply with Section 404. “Section 404 is too important not to get right…” (reference: SEC 2005-74.htm page 2 of 3).
The SEC reiterates that the regulations state “reasonable assurance” not “absolute assurance” that internal controls are operating effectively.
“Management should use its own experience and informed” judgment to design an assessment process…: Management has to own its project and not look for external auditors to call the shots for management’s attestation.
Auditors have to allow “a reasonable zone of conduct” for companies for implementation of Section 404.
External Auditors can and should consult with their clients about complex accounting treatments. Auditors cannot make management’s decisions for them, but definitely should assist in the proper use of GAAP etc. This is even to the point of registrants providing auditors draft financial statements for review.
For more details please visit http://www.sec.gov/
For more information on Issues Central, Inc. and the Sarbanes-Oxley Compliance Playbook™, geared to the compliance efforts of mid to emerging public filers, please call 1.800.410.6681 or go to http://www.issuescentral.com/
May 11, 2005
The Costliest Way to do Sarbanes-Oxley - No Technology
Year 1 (Accelerated Filers) are swearing "never again!". What are they talking about? Never again will they do a Sarbanes-Oxley project with just Excel, Word and painfully created Visio spreadsheets. The use of technology to support the project allows companies huge ROI, decreased time and increased consistency in their projects.
Unfortunately, many accounting firms advised their clients NOT to use technology. What a mistake. More cost and no leverage for Year 2.
An excerpt from an article on this topic:
"Consultants and technology analysts emphasize that while the Sarbanes-Oxley requirements could be met without purchasing new software, companies are finding that that approach puts a severe strain on their resources.
“People realized you couldn’t maintain (adequate) control over a bunch of spreadsheets and word-processing documents” without tying up a lot of manpower, says John Hagerty, an analyst with AMR Research. “And that’s the part that’s causing companies heartburn – how many people would be necessary to manage the task if you didn’t have the software.” For the complete article, click here.
For a complete Sarbanes-Oxley solution, see www.issuescentral.com to learn more about Sarbanes-Oxley Compliance Playbook(tm) or call 800.410.6681 ext 112.
Unfortunately, many accounting firms advised their clients NOT to use technology. What a mistake. More cost and no leverage for Year 2.
An excerpt from an article on this topic:
"Consultants and technology analysts emphasize that while the Sarbanes-Oxley requirements could be met without purchasing new software, companies are finding that that approach puts a severe strain on their resources.
“People realized you couldn’t maintain (adequate) control over a bunch of spreadsheets and word-processing documents” without tying up a lot of manpower, says John Hagerty, an analyst with AMR Research. “And that’s the part that’s causing companies heartburn – how many people would be necessary to manage the task if you didn’t have the software.” For the complete article, click here.
For a complete Sarbanes-Oxley solution, see www.issuescentral.com to learn more about Sarbanes-Oxley Compliance Playbook(tm) or call 800.410.6681 ext 112.
May 09, 2005
IT Controls are the Least Understood by External Auditors
IT professionals beware: In our recent attendance at the SEC Section 404 Review Meetings in Washington DC April 13, it was painfully clear that the Big Four Accounting Firms had little to no expertise in examining IT controls. Therefore, they over did testing and used manual control testing on IT. Make it easy for them or the cost for this portion of the 404 audit may be huge!
For an excerpt a related IT controls topic, see here:
"BE A CONTROL FREAK
Essentially, SOX legislates what used to be IT security best practices. If you've dealt with IT auditors in the past, either internally or via your company's CPA firm, you're already familiar with controls. (However, you should expect an auditor to go deeper into your company's records and be less forgiving than ever before, because CPA firms are determined to avoid another Arthur Andersen debacle and internal auditors could conceivably be held criminally responsible under SOX.) In a nutshell, SOX requires corporations to implement controls that assure the integrity and accuracy of the company's financial reporting. At the highest level of management, this requirement translates to written policies, memos, meeting minutes, and other documents that demonstrate that management is taking the lead and involved in risk management and financial-reporting controls. At a lower level, corporations must show that they have processes that effectively implement the higher-level policies and directives for risk management and financial-reporting controls." For the complete article, click here.
To see how your company can effectively, rapidly and simply comply with Sarbanes-Oxley, see www.issuescentral.com and find out more about our no obligation 30 day evaluation.
For an excerpt a related IT controls topic, see here:
"BE A CONTROL FREAK
Essentially, SOX legislates what used to be IT security best practices. If you've dealt with IT auditors in the past, either internally or via your company's CPA firm, you're already familiar with controls. (However, you should expect an auditor to go deeper into your company's records and be less forgiving than ever before, because CPA firms are determined to avoid another Arthur Andersen debacle and internal auditors could conceivably be held criminally responsible under SOX.) In a nutshell, SOX requires corporations to implement controls that assure the integrity and accuracy of the company's financial reporting. At the highest level of management, this requirement translates to written policies, memos, meeting minutes, and other documents that demonstrate that management is taking the lead and involved in risk management and financial-reporting controls. At a lower level, corporations must show that they have processes that effectively implement the higher-level policies and directives for risk management and financial-reporting controls." For the complete article, click here.
To see how your company can effectively, rapidly and simply comply with Sarbanes-Oxley, see www.issuescentral.com and find out more about our no obligation 30 day evaluation.
