Prepared by:
Bruce McCuaig
Chief Risk Officer and Principal Consultant
Risk Rating the Audit Universe
Table of Contents
Introduction 2
Internal vs. External Auditor Performance 2
How Should Internal Auditors Prioritize Audit 4
Guidance For Improvement 9
About Paisley 10

INTRODUCTION

One outcome of the Sarbanes-Oxley Act, and the related Public Company Accounting Oversight Board AS2, and more recently AS5, is more information in the public domain about the performance (or failure) of internal controls over financial reporting. The information comes from the hundreds of internal control deficiencies reported by accelerated filers. Analyzing this data to determine what kinds of companies reported deficiencies, how deficiencies were detected, what business processes the deficiencies related to, and what accounts and assertions they impacted provides great insight into how controls work in modern public companies. This information also provides insight into the role and performance of internal auditors. Knowledge gained from these deficiency disclosures may challenge internal auditors’ assumptions about where risk lies and how to better prioritize an audit universe. Specifically, can we learn more about how to risk rate an audit universe to better focus resources on where the deficiencies lie? Big risks can lurk under small rocks, and the indicators of big risks are often ignored in audit planning. Internal audit has played an important role in finding and reporting SOX deficiencies; however, external audit has played a far bigger role. This paper will identify some areas for improvement.
The FERF study analyzes the control deficiency disclosures made by 329 companies in various SEC filings from November 1, 2003, to October 31, 2004. It analyzes over 950 disclosures to identify trends to help users of financial statements better understand the nature of control deficiency reporting made by SEC registrants.

Management and internal auditors appear to have performed poorly in detecting and reporting deficiencies. Evidence suggests that only about 28 percent of companies were proactively bringing reportable deficiencies to the attention of their audit committees or external auditors. This strongly suggests that internal auditors either used risk prioritization models that routinely scoped out high-risk areas for internal control deficiencies or did not detect or report deficiencies that were found.

More recent statistics confirm this trend. A February 2007 trend alert from Glass Lewis & Co, a leading investor analyst firm, reported: 2,931 U.S. companies, about 23 percent, filed at least one restatement during the last four years; 683 companies restated two or more times.

There is little to suggest that either internal or external auditors are improving their track record of looking in the right places or finding problems if they exist. The February 27, 2007, Yellow Card Trend Alert produced by Glass Lewis & Co, titled The Errors of Their Ways, concluded:
“Companies take note: If you restated, you must have had material weaknesses.
We still have a hard time figuring out how so many companies that restated also
could have reasonably concluded that their internal controls are effective and that
they have no material weaknesses – or that no material weaknesses even existed
at the time of the errors.”
The IIA provides practice advisories to assist in the interpretation and implementation of the Professional Standards. Practice Advisory 2010-2, Linking the Audit Plan to Risk and Exposures, suggests that the following risk factors, among others, should be considered:

Individual internal audit departments are free to establish their own prioritization frameworks; however, based on the last several years of publicly disclosed information, company management and their internal auditors may have missed the boat on finding and reporting internal control deficiencies. The alarming increase in reported deficiencies begs an evaluation of how the risk factors suggested by the IIA correlate to reported disclosures.

According to the FERF study, the average large cap company (>$1B) in the sample reported 3.71 deficiencies and the average small cap (<$250M) reported 2.51 deficiencies; the reporting rate is far less than the size ratio would suggest. The relationship between dollar materiality and risk is disproportionate to size. As a risk factor, dollar materiality seems to have an inverse relationship. Entities or processes with low dollar materiality bear a disproportionate amount of disclosure risk. Billion-dollar companies do not report four times as many deficiencies as are reported by companies one quarter as large. Clearly dollar materiality should be a factor, but its weight should be determined by other factors.
Asset Liquidity as a Risk Factor

Many internal audit departments are charged with ensuring the safeguarding of assets and preventing fraud and theft. Liquid assets are perceived to be particularly vulnerable to fraud and theft. If liquid assets were truly at risk, one would expect to see a large number of deficiencies related to cash and equivalents and certain inventories, and one would expect the existence assertion to be related to many reported deficiencies. Neither has proven to be true.
According to the FERF study, the following accounts were most frequently involved in internal control weaknesses: accounts receivable, sales, inventory, cost of goods sold, accrued expenses/reserves, and selling, general and administrative. Furthermore, according to an analysis of related assertions, the existence assertion was the one least likely to be attributed to a reported deficiency in the sample. There is no doubt that liquid assets can be lost or stolen. But on the whole they have not proven difficult to control and their existence has not proven to be a significant risk factor for internal control deficiencies. Internal audit departments may in fact be misdirecting resources by focusing too much attention on liquid assets.
One would then expect that a significant number of control deficiencies could be classified as to control activities. In other words, broken or missing control activities, if they are truly important, should be behind a significant number of reported control deficiencies in the FERF study sample. This has not proven to be true. Where sufficient information made it possible, the authors of the FERF study classified each control deficiency into its related COSO framework component. Many deficiencies were so poorly reported as to defy classification, but of those that were classified, control activities were a relatively minor category.
As can be seen in Exhibit 2, across the range of companies in the sample, between 6 percent and 9 percent of reported deficiencies were attributable to control activities. If the quality of internal control is an important risk factor, one should expect missing or broken control activities to be associated with a significant number of control deficiencies. If the lack of evidence of significant absences of or breakdowns in control activities suggests they are, in fact, present and working well in most companies, where are all the deficiencies coming from? Just how important are control activities as a risk factor? If internal auditors are using the existence or absence of control
However, another picture emerges when one looks at the breakdown of control deficiencies reported by business process in the FERF study, as partially excerpted in Exhibit 4. Whatever the complexity of the industry, the vast majority of control deficiencies are concentrated in only a few business processes. Period-end reporting and revenue cycles account for 58 percent of the deficiencies in the FERF sample. Are these two processes significantly impacted by technological or operating complexity? Paradoxically, information systems, often assigned high complexity scores, accounted for only 5 percent of deficiencies. There is little convincing
Management ethics may be the single best risk predictor:
• Does management activity reflect ethical behavior (think backdated stock options)?
• Are earnings being managed?
• Does management

The control environment component includes integrity, ethical values, competence and a range of other factors likely to affect the organization as a whole. As the table in Exhibit 3 indicates, about 50 percent of all reported control deficiencies can be attributed to problems with the control environment, making it potentially the single most significant risk factor in prioritizing the audit universe.

Clearly, of all the factors considered, an assessment of the control environment of a company or any of its auditable entities should play a major role in prioritizing an audit universe. Internal control deficiencies are directly and strongly correlated to control environment scores. Soft controls do count. Specifically, gaps in the following elements of the control environment must be considered as specific risk factors:
• Integrity and ethical values