Sarbanes-Oxley Section 404 Update #5
Entity (Company) Level Internal Control Considerations

The planning process includes the identification and analysis of entity or company level controls. These controls are established by management to provide assurance that controls exist across an organization, regardless of the location or business division. Controls that exist at the entity level have a pervasive impact on controls at the activity or transaction level. Entity level controls should be reviewed first because the results of this review may impact the approach used at the activity level. PCAOB Auditing Standard #2 describes controls as including (but not limited to):

Controls Within the Control Environment (Corporate Culture and Values)

The control environment sets the tone of the organization and controls over the control environment represent the foundation for all other controls. The control environment reflects the attitude of management and is the most important factor in financial reporting. Both the accounting system and the system of internal control operate in this environment.

Considerations in the control environment:

  • Tone set by the Board of Directors and Audit Committee as evidenced by Board minutes and other actions
  • Corporate governance documents
  • Policies directed at employee behavior (human resource policies/procedures, employee job descriptions)
  • Organizational goals and lines of reporting (assignment of authority and responsibility, budgets, organizational charts)
  • Ability to align controls with objectives

Management’s Risk Assessment Process

Risk is the uncertainty about whether some adverse event will happen. All companies and business processes carry some level of risk. Types of risk include general business risks (based on the nature of the business), inherent risks and fraud risks. Risks can come from internal or external sources and exist at both the entity and the process level. A system of internal control seeks to address and limit inherent and fraud risk.

Risk is comprised of three elements:

  • Identification - a process that identifies conditions that can have a significant effect on the ability of a company to achieve its objectives
  • Assessment - the process of estimating the significance, assessing the frequency of occurrence, and management’s response to the identified risk
  • Management - a process, either formal or informal, that monitors identified risks and changes to those risks to assess the degree to which the risk (or new risk) can affect the ability of a company to achieve its objectives

The process of identifying and analyzing risks is an ongoing process.

Entity level considerations include:

  • Formulation and documentation of the company’s strategic plan
  • Development of a risk assessment process
  • Procedures to identify and react to change (external and internal)
  • Procedures to identify changes in Generally Accepted Accounting Principles (GAAP)
  • Procedures to communicate business changes which could affect GAAP

Risk assessment directly affects the documentation and testing which will be performed because processes with higher risk factors should be documented and tested more fully.

Risk factors at the transaction or process level will be explained in more detail in Update #7.

Fraud Assessment Process

Management should evaluate all controls specifically intended to address the risks of fraud that have at least a reasonably possible likelihood of having a material effect on the company’s financial statements. Such controls include, but are not limited to:

  • Controls restraining misappropriation of company assets that could result in a material misstatement of the financial statements.
  • Company risk assessment processes
  • Code of ethics/conduct provisions (especially those provisions related to conflicts of interest, related party transactions/illegal acts, etc.)
  • Adequacy of internal audit activity, if any.
  • Adequacy of company’s procedures for handling complaints and for accepting confidential submissions of concerns about questionable accounting or auditing matters.

Management has the responsibility to design and implement programs and controls to prevent and detect fraud.

Fraud assessment is required by PCAOB Auditing Standard No. 2 and Statement on Auditing Standards No. 99.

Financial Statement Reporting Processes (Update #7 will address Period-End Reporting Processes)

Financial statement reporting processes include the processes management follows to identify, gather, record, review and communicate financial information. Two ongoing processes are:

Selection and Application of Accounting Principles

  • Management must identify events or transactions which require policies
  • Policies must comply with generally accepted accounting principles and other authoritative literature
  • Information processing and internal control policies should be designed to appropriately apply the accounting principles selected

Processing of Non-routine or Non-systematic Transactions

  • Such transactions are properly identified and communicated to management
  • Management reviews and determines or verifies proper accounting presentation
  • Management’s response is reviewed and approved

Centralized IT Processing Controls/Shared Service Providers

For many organizations, dependence on electronic and IT systems is essential to support critical business functions. This area faces increasing risk due to management’s growing dependence on those systems, potential threats and vulnerabilities from outside sources, and advances in technology. For the purposes of assessing the effectiveness of internal control over financial reporting, the company should concentrate on the controls which manage IT resources to produce the information necessary to manage the business.

Considerations for centralized processing systems and controls include:

  • Understand the number and nature of automated systems, including whether there have been any significant changes to hardware, software or personnel in the past year.
  • Types of controls on data entering, being processed and leaving the system
  • How manual data processes interact with computerized processes
  • Risks associated with automated systems, including how the system could be compromised
  • Effect of use of external third party service centers for data processing (See Attachment 1)

The COSO framework identifies two types of IT related controls: application controls and general controls. These controls help ensure that transactions are valid, properly authorized, and completely and accurately processed.

General controls - relate to the underlying controls over applications and system software to ensure that the application was properly developed, tested and functions as designed, and that access to the program is limited to authorized users. These controls are generally considered to be significant to the overall system of internal control.

Application controls - are designed to control the processing of individual transactions to ensure that the data is complete and accurate. They include controls over input, processing and output.

The COSO framework does not provide detailed guidance regarding information systems; however, the COBIT Framework (released by the COBIT Steering Committee and the IT Governance Institute) establishes a framework which is considered the standard for IT security and control practices.

Monitoring Controls

Monitoring controls assess the functioning of a system of internal control over a period of time. Some controls are ongoing while other controls occur only periodically. Types of controls include:

  • Results of Operations - includes comparisons to budget and top-level reviews performed by various levels of management
  • Controls over Controls - includes activities of the internal audit department, audit committee or self-assessment programs

Note to Reader: This list is not intended to be a complete list of entity (company) level controls. Companies should include in their list of entity controls all controls relevant to their business which may include other controls or exclude certain controls.

Attachment #1

Use of Service Organizations

Many companies use outside service organizations to process transactions. Management remains responsible for these transactions and all transactions are subject to the provisions of Section 404. If a process constitutes a significant process or function, it must be evaluated under Section 404.

Management should consider the following items when evaluating the use of service organizations:

Determine if a significant process is being performed by the service organization (Reference Statement on Auditing Standards (SAS) No. 70 or AU 324)

  • Does the service organization have control over classes of transactions which are significant to the financial statements?
  • Does the service organization control procedures regarding initiation, recording, processing or reporting of information or transactions?
  • Consider the significance of financial statement assertions and the information processing objectives for the outsourced process

Determine Existence of a Sufficient Type II SAS 70 Report

  • SAS 70 provides for a service organization to obtain a single audit report for use by its clients (and clients’ auditors). The report is referred to as a SAS 70 report.
  • Reports typically are known as Type I (limited in scope) and Type II (more detailed in scope)
  • Access to these reports is often included in the contract between the client and service organization.
  • Reports should be dated as close as possible to the client’s year end. As the report ages, the need for additional test work increases.

Develop Alternate Procedures if a Type II Report Doesn’t Exist or is Not Relied On

  • Management or other third party should perform tests of controls at the service organization
  • Access to service organization’s records may be limited and is based on contractual agreement

PCAOB Staff Question #28 addresses the failure of management to obtain a SAS 70 report, perform alternative procedures, or attempt to perform alternative procedures. Management’s inability to assess certain controls over financial reporting that should have been included in its assessment represents a control deficiency. This deficiency must be evaluated to determine if it is also a significant deficiency or a material weakness. The auditor would normally consider such a deficiency to be a material weakness.

Due to the potential significance of the use of an external service organization, this area should be reviewed by the company as soon as possible during the planning phase of the Section 404 project. Extensive time may be required to obtain a current SAS 70 report or perform alternative procedures.

 

Updates are designed to provide highly summarized information regarding general Sarbanes-Oxley and PCAOB Auditing Standard No. 2 information and are not intended to be a substitute for any official document. Please refer to the original source documents and other authoritative guidance provided by the SEC, PCAOB and others for more detailed information on these subjects.


© 2006 GHP Horwath, P.C. All Rights Reserved.