Introductions
Matt Mabel, Senior Manager, Advisory Services Risk Assurance. Eleventh year in public accounting. Serves several Fortune 1000 public companies based out of Arizona. Participated in PCAOB and internal quality inspections and led several internal quality initiatives.
Diana Gomes, Manager, Assurance Services. Seventh year in public accounting. Serves multiple public companies based out of Arizona. Participated in PCAOB and internal quality inspections.
Shirley Karnos, Manager, Advisory Services Risk Assurance. Second year in public accounting and ninth year in professional services. Serves multiple public companies based out of Arizona. Participated in internal quality inspections.
Agenda
The Public Company Accounting Oversight Board (PCAOB) is a private-sector, nonprofit corporation created by the Sarbanes-Oxley Act of 2002 to oversee the audits of public companies and other issuers in order to protect the interests of investors and further the public interest in the preparation of informative, accurate and independent audit reports.
The PCAOB inspects Big 4 accounting firms in calendar Q2 and Q3 each year, and other public accounting firms in Q4. The inspection typically consists of a review of audit documentation over internal controls and substantive audit testing over selected high-risk/focus areas. The inspections typically require 1-2 weeks of on-site fieldwork. Comments can be verbal, written (does not appear in the report) or audit deficiencies (appear in the public report).
EY's last publicly available inspection report (which covered the results of reviews of 2012 audits) was released on 8/14/14.
The PCAOB inspected 56 audits of public companies during 2013. 28 issuers had audit deficiencies that appeared in the report, 27 of which (48% of inspections) had comments related to ICFR.
identify where application interface controls should exist (or where control
gaps do exist)
A systems interface diagram is a key source of information used to understand a complex and highly automated IT environment.
[Systems interface diagram: systems shown include Pep+, Caesar, CDS, CDE, E2, Hyperion, HFM, EMP, OCRA, Treasury, Customer Online Check Requests, FRP, TMS, Accurate NXG, Policy Administrative Systems, CASH, CIMS, Cost allocation files and GEAC Payroll Files; interfaces listed with a description: CDS to E2, E2 to TMS, CASH to E2, CIMS to E2, E2 to FRP]
[Interface inventory table columns: Data Description, Interface Type, Process, Control Language]
The auditor needs to better consider whether the specific system-generated data or report is considered and tested within IT general control testing.
Better documentation
Management has designed and implemented the following
controls to support the completeness and accuracy of the PPV
report:
Controls over the completeness and accuracy of the underlying data
[Table built up across slides 16-21 for the PPV report. Rows: Cash receipts and A/R subledger (application: Great Plains; marked YES); Analysis prepared by the credit manager (Excel; marked YES); Sales and trade receivables (marked YES); A/R aging report (marked NO)]
Excel files
Access databases
Dynamic data warehouse reporting tools
System-generated data in slide decks
Obtained evidence of review, saw the review was signed off and some updates were noted in the review listing
Sub-service organizations that were scoped out of the report were not addressed (i.e., a SOC 1 report was not obtained and there was no documentation of considerations and a conclusion on whether such sub-servicers were deemed insignificant or not relevant)
Complementary user entity controls were either not sufficiently tested, or were not properly linked to engagement team testing of user controls that would address the relevant considerations
Update procedures were not properly performed or documented when the service auditor's report did not sufficiently cover the entire audit period
Control exceptions identified by the service auditor were not evaluated to determine whether sufficient audit procedures to support our combined risk assessments were still appropriate to prevent or detect potential misstatements
Sub-service organizations
We must evaluate the audit impact of all identified sub-service providers (including IT sub-service providers) in our documentation.
Generally, to rely on a SOC 1 report, the report must cover at least six months of our audit period. If the report covers less than six months and a second report is not available, we must consider/document how we are comfortable relying on the report with a smaller coverage period (and expect to be challenged on this).
At minimum, consider what controls are in place at the user entity that give us comfort that the client's internal controls would detect a material misstatement made by the service provider if there is a large gap between the report end date and our client's year-end date. The client's controls must be sufficiently precise.
If there is a gap larger than three months between the report end date and our client's year-end date, we again must document our considerations of how we are comfortable relying on the report with a large time period gap (and expect to be challenged on this).
The service auditor's section of the report will summarize the tests of controls performed and the results of controls testing. Exceptions (often called deviations) will be noted in this section.
Application controls
We did not demonstrate our knowledge of whether the application control was configured by the entity or embedded into the system
If the control is configured, we did not gain/demonstrate our knowledge of how the entity configured the control (e.g., is the three-way match control configured with a tolerance of 10% receiving variance)
Some teams did not document their considerations around which application controls need to be re-tested in the roll-forward period
Multi-location scoping
[COSO 2013 cube diagram: components Control environment, Risk assessment, Control activities, Information & communication and Monitoring, shown against entity units (Unit A, Unit B) and activities (Activity 1, Activity 2)]
Refresh objectives
Address significant changes to the business environment and associated risks
Enhancements
Updated, enhanced and clarified framework
Principles
Points of focus
Increase focus on operations, compliance and nonfinancial reporting objectives
Expanded internal and nonfinancial reporting guidance
COSO 2013
The cube!
Five components of internal control
The core definition of internal control
Requirement to consider the five components to assess the effectiveness of a system of internal control
Emphasis on the importance of management judgment in designing, implementing, and conducting internal control, and in assessing the effectiveness of a system of internal control
COSO 2013
17 principles defined
1. Control environment
2. Risk assessment
3. Control activities
4. Information & communication
5. Monitoring
COSO 2013
Principles in the framework: Control Environment component
COSO 2013
Deficiency evaluation
COSO 2013
Transition
COSO 2013
Key points
Available resources
COSO
EY
Highlights key changes to the 2013 framework, a suggested project plan, questions to consider when evaluating whether the 17 principles are addressed and an example generic documentation template