External Auditor Reliance on Management Testing
In an effort to reduce overall SOX compliance costs, companies must find a way to reduce external audit fees by increasing the amount of reliance the auditors place on management’s testing of its control environment. In a 2006 comment letter to the SEC/PCAOB, a group of controllers and CFOs made several recommendations including the following:
“53% of companies (*see attribution below) indicate that auditor reliance on management testing is their primary discussion issue with their external auditors. We believe that auditors should have more flexibility to rely on management’s work, including process owners, for areas that are not considered to be at high risk. For example, automated transaction controls or controls over routine processes involve lower risk and can be tested by process owners. It is important that process owners are accountable for effective controls, but auditors believe that AS2 prevents them from relying on process owner assessments. This causes duplicate testing and is disruptive to operations. Auditors should be allowed to rely on the quality of management’s overall compliance approach, including the presence of a robust compliance environment and entity-level controls, rather than focusing on individual assessor independence.
We are therefore recommending that external auditors be required to rely on management’s work in testing (irrespective of entity performing the testing) for a mutually-agreed upon universe of low-risk controls.”
Submission of Comments to the SEC/PCAOB Roundtable, May 10 2006
- *Corporate Executive Board research; http://www.executiveboard.com
AS5 addressed this concern by specifically directing auditors to rely more on the work of others. However, more than 40% of the 257 companies that participated in a September 2007 poll taken by the Institute of Internal Auditors indicated their external auditors relied on less than 25% of the testing work performed by management. Clearly, gains can be made, but what can be done to change the minds of auditors? The first, and perhaps most important, step is for management to demonstrate an understanding of its environment via a robust assessment of the risks to accurate financial reporting.
Whether the assessment is the traditional “likelihood and impact” approach for each of the identified risks, or management chooses to utilize the risk factors identified by the PCAOB/SEC, or some other method entirely, the point of the exercise is to give external auditors a view into management’s evaluation of what could go wrong. Ranking the relative risk of the resulting misstatements, and the controls that mitigate those risks, then provides a tool for framing the “reliance” discussion. In year one, auditors may then be more comfortable relying on management’s testing of those controls that mitigate low-level risks. As time progresses and the risk discussion matures, management and auditors may achieve a balance of reperformance and reliance, resulting in a reduced cost of compliance.
About
Ever since its first year of required compliance in 2004, Sarbanes-Oxley, and Section 404 in particular, has been criticized for the excessive cost and disruption it created for companies. The public debate about whether it’s been worth the effort has at times reached a fever pitch, as recently noted by the former Chairman of the SEC, Harvey Pitt[1], “As costs mounted, and auditors became defensive in their audits of internal control, a crescendo of criticism and despair arose, ultimately persuading the PCAOB and the SEC to revisit their prior guidance to make the beneficial purposes of the SOX 404 more obtainable, with lower costs and more focused efforts”. In this regard, certain statements from both the SEC and PCAOB December releases especially stand out[2]. At the same time, greater use of a risk-based approach seems to reflect a return to the original principles of SOX and certainly of the COSO Framework.
[1] Compliance Week, March 2007 issue
[2] SEC Release # 33-8762, 34-54976 (12/15/06) and PCAOB Release # 2006-007 (12/19/06)
About the Author
Christopher D. Coigne CPA, CIA, CFE is the Senior Manager of Client Services and Product Development for BI International. For the past 5 years Chris has worked extensively with organizations seeking compliance with Sarbanes-Oxley (SOX). He has performed materiality planning and risk assessments, led facilitated control discussions, participated in client SOX Project Management Organizations, and overseen global control testing. Other projects have included managing outsourced Internal Audit activities, performing forensic and fraud investigations to aid in management’s deterrence and detection of fraud, and working to develop a web-based SOX and Internal Audit tool.
A graduate of Rowan University, Christopher’s experience includes public accounting financial audits, controllership in the insurance industry, internal audit management at Philadelphia-based ARAMARK, and consulting work for a variety of global organizations including McDonald’s, Sony, ING and Waste Management.