National Accounting and Auditing Standards

Sarbanes-Oxley Act Section 404

Scott Ward
Partner, National Accounting and Auditing Standards
Ernst & Young Australia

Liability limited by the Accountants Scheme approved under the Professional Standards Act 1994 (NSW)

Sarbanes Oxley Act and US GAAS

• Sarbanes Oxley Act – Sections 302 and 404 Overview


• Management’s assessment process for Section 404
• Scope of service and independence considerations
• Auditing internal controls under Section 404


Sarbanes Oxley Act – Sections 302 and 404 Overview

SOA Section 404 Technical Update

• Sarbanes-Oxley Act of 2002:


– Section 404(a) – SEC to prescribe rules to report on internal control over financial reporting
in annual report
– Section 404(b) – Report to be audited by external auditor in accordance with auditing
standards established by PCAOB
• Final SEC rules under SOA 404 issued June 03:
– Scope, documentation, reporting and application
– No further changes/extensions expected
• PCAOB proposed standard exposed Oct 03:
– Authoritative interpretation of SEC rules
– Significant impact on management and auditors
– Revised standard to be submitted to SEC early 2004

SEC Commentary on Final 404 Rules:
Scope
• Company to document, evaluate and report on the effectiveness of
internal controls over financial reporting:
– Controls providing reasonable assurance regarding preparation of reliable financial
reports in accordance with GAAP, including:
• Initiating, recording, processing and reconciling account balances, classes of transactions and
disclosures in the financial statements
• Initiating and processing non-routine and non-systematic transactions
• Selecting and applying appropriate accounting policies
• Preventing, identifying and detecting fraud
• Authorising receipts and expenditures
• Safeguarding assets from unauthorised acquisition, use or disposal
– Defined consistent with COSO framework
• External auditor to attest to management’s assertions

SEC Commentary on Final 404 Rules:
Documentation
• Company must maintain evidential matter, including
documentation, to provide reasonable support for management's
assessment, including:
– Design of internal control and testing processes
– Evaluation of whether internal control is designed to prevent and detect material
misstatements or omissions
– Conclusion that the tests of controls were appropriately planned and performed
– Appropriate consideration of the results of tests of controls
• Developing and maintaining evidential matter is an inherent
element of effective internal control:
– Insufficient documentation may therefore in itself represent a deficiency

SEC Commentary on Final 404 Rules:
Reporting
• Content of management’s internal control report:
– Statement of responsibility for establishing and maintaining adequate internal control over
financial reporting
– Statement identifying framework used to conduct the evaluation of effectiveness
– Assessment of the effectiveness of internal control over financial reporting as of the end
of the most recent financial year:
• Must disclose any 'material weaknesses' identified by management
• Cannot conclude internal control effective if there are one or more material weaknesses
– Statement that auditor has issued an attestation report on management's assessment
• No prescribed format

SEC Commentary on Final 404 Rules:
Application
• Foreign subsidiaries of U.S. accelerated filers:
– First comply for financial years ending on or after 15 June 2004
• Foreign private issuers:
– First comply in their 20-F filings for financial years ending on or after 15 April 2005
– Includes foreign subsidiaries of any other SEC registrants, including U.S. public companies
that are not accelerated filers and other foreign private issuers

SOA Section 302 Technical Update

• Final SEC rules issued 27 August 2002


– Then modified by final SEC rules under 404
• CEO and CFO to separately certify each periodic report
– Filed as exhibits to periodic report in exact form specified by SEC rules
– For foreign private issuers, annual certification in Form 20-F
• Effective now (periods ending after 29/8/02)
• Format prescribed by SEC rules
– Additional representations about internal control over financial reporting made with first
Section 404 report
• Filed as unaudited exhibit to SEC filing

Final Section 302 Certification
I certify that:
• I have reviewed the report
• The report fairly presents, in all material respects, financial condition, results of operations and
cash flows
• I and the other certifying officers are responsible for maintaining disclosure controls and procedures
and internal control over financial reporting and have:
– Designed disclosure controls and procedures to ensure material information is made known to
us
– Designed internal control over financial reporting to provide reasonable assurance regarding
the reliability of financial reporting and preparation of financial statements in accordance with
GAAP
– Evaluated the effectiveness of disclosure controls and procedures and presented conclusions
in the report
– Disclosed any changes in internal control over financial reporting that have materially
affected, or are reasonably likely to materially affect, internal control over financial reporting
• I and the other certifying officers have disclosed to the auditors and audit committee:
– All significant deficiencies and material weaknesses in internal control over financial reporting
– All fraud involving persons with a significant role in internal control over financial
reporting


Management’s Assessment Process for Section 404

Management’s assessment process for Section 404

• Impact of PCAOB Proposed Standard


• EY methodology

PCAOB Proposed Auditing Standard:
Impact on management responsibilities
• Defines management responsibilities consistent with SEC Final Rules
• Describes management’s assessment process:
– Broad scope, e.g., accounting policies, fraud, IT general controls, financial statement close, asset
safeguarding
– Consistent with EY methodology
• Establishes minimum documentation standards:
– Information about initiating, recording, processing and reporting transactions
– Enough information about transaction flow to identify ‘what could go wrong’
– Controls over relevant assertions for significant accounts & disclosures
– Controls designed to prevent or detect fraud
– Controls over safeguarding of assets
– Results of testing and evaluation
• Some clarification of nature and scope of tests and evaluations:
– Self-assessments, monitoring, work of internal audit and others, SAS 70 reports

E&Y Methodology - Process
Approach:
• Scope the Project
• Prepare Documentation and Evaluate Controls
• Test and Monitor Controls
• Report
Evaluation Phases:
• Organize a Project Team to Conduct the Evaluation
• Understand the Definition of Internal Control
• Understand and Evaluate Internal Control at the Entity Level
• Evaluate Internal Controls at the Process, Transaction, or Application Level
• Evaluate Overall Effectiveness, Identify Matters for Improvement, and Establish Monitoring Systems
• Management’s Report on Internal Control

E&Y Methodology - Publications

• Overview guide/approach
• Entity level controls evaluation
• Significant account/process level control evaluation
• Evaluating overall effectiveness, identifying improvements and ongoing assessment

Publication covers shown on the slide:
– Preparing for Internal Control Reporting: A Guide for Management’s Assessment under Section 404 of the Sarbanes-Oxley Act
– Evaluating Internal Controls: Considerations for Evaluating Internal Control at the Entity Level
– Evaluating Internal Controls: Considerations for Documenting Controls at the Process, Transaction, or Application Level
– Evaluating Internal Controls: Considerations for Evaluating Overall Effectiveness, Identifying Matters for Improvement, and Ongoing Assessment of Controls

Understand definition of internal control

• Report ‘Internal Control – Integrated Framework’ (1992)


– By Committee of Sponsoring Organizations of the Treadway Commission
– Response to recommendations of National Commission on Fraudulent Financial Reporting
(Treadway Commission) in 1985
• Practical, broadly accepted criteria for establishing internal control
and evaluating control effectiveness
– Defines internal control and its objectives
– Describes different components of internal control
– Provides examples and tools
• Widely accepted criteria
– Controls framework in U.S. auditing standards
– Used for Federal Deposit Insurance Corporation Improvement Act (FDICIA)
• Exposure draft – COSO 2.0

COSO – Definition and objectives

Internal control is a process, effected by an entity’s board of directors,
management and other personnel, designed to provide reasonable
assurance regarding the achievement of objectives in the following
categories:

• Operations – Effective and efficient use of resources
• Compliance – Compliance with applicable laws and regulations
• Financial Reporting – Preparation of reliable published financial statements

COSO - Components
• Control environment – Attributes of the people conducting the entity’s activities and the environment in which they operate
• Risk assessment – Establishment of objectives and mechanisms to identify, analyse and manage risks
• Control activities – Policies and procedures established and executed to help ensure management’s directives are carried out
• Information & Communication – Systems enabling identification, capture & exchange of information for the conduct and control of operations
• Monitoring – Assessing performance of internal control over time and making modifications as conditions change

COSO - Internal Control Framework

[Figure: COSO internal control framework cube. Components shown: Control Environment, Risk Assessment, Control Activities, Information & Communications, Monitoring. Callout: Internal Control over Financial Reporting under Section 404.]

COSO 2.0 - Enterprise Risk Management Framework
• COSO sponsored study by PwC
– Exposure draft released April 03; comment
period closed 14 October 2003
– Final framework expected early 2004
• Defines and describes
components of enterprise risk
management

Internal control is defined and described in Internal Control – Integrated
Framework. Because Internal Control – Integrated Framework is the basis for
existing rules, regulations and laws, that document remains in place as the
definition of and framework for internal control. The entirety of Internal Control
– Integrated Framework is incorporated by reference into this framework.

Evaluate Entity Level Controls
Area and points to consider:
• Control Environment
– Key executive integrity, ethics and behavior
– Control consciousness and operating style
– Commitment to competence
– Board/Audit Committee governance and oversight
– Organisational structure, authority and responsibility
– HR policies and procedures
• Risk Assessment
– Risk assessment process
– Mechanisms to anticipate, identify, and react to significant events
– Process and procedures to identify changes in GAAP, business practices and internal control
• Information & Communication
– Adequate performance reports produced
– Connected with business strategy
– Commitment of HR and finance to develop, test and monitor IT systems and programs
– Business continuity/disaster plan for IT
– Established communication channels for employees to fulfill responsibilities
• Control Activities
– Existence of necessary policies and procedures
– Clear financial objectives with active monitoring
– Logical segregation of duties
– Periodic comparisons of book to actual
– Adequate safeguards of documents, records and assets
– Access controls in place
• Monitoring
– Periodic evaluations of internal controls
– Implementation of improvement recommendations
– Internal audit function established to monitor activities

Evaluate Process, Transaction or Application Level Controls
Activities: ID Significant Accounts and Related Processes; Document Processes and Controls; Evaluate/Monitor

[Figure: flow from Financial Statements (2003) → Significant Accounts → Significant Processes → What Can Go Wrong? → Controls → Evaluate/Monitor, with labels Inherent and Business Risks and Key Management’s F/S Statement Assertions.]

Key Considerations:
• Significant Accounts
– Selected based on the extent that errors of importance* could occur
• Financial statement assertions
– Existence (B/S) or Occurrence (I/S)
– Completeness
– Valuation (B/S) or Measurement (I/S)
– Rights and Obligations (B/S)
• Significant Processes – Types:
– Flows of transactions
– Routine
– Non-Routine
– Estimation
– Identify processing system
• What Can Go Wrong? – For each assertion ask:
– Where are the points in the flow of transactions where errors can occur?
– Example: Accounts: Cash or Payables; Process: Disbursements; Assertion: Valuation. What are the manual and programmed procedures to ensure that the amount of a check or transfer agrees with the amount approved for payment?
• Controls
– Detect: Monitors for errors
– Prevent: Prevents an error
– Who performs?
– Programmed control?
• Evaluate/Monitor – Factors in evaluation:
– Competence, integrity and continuity of personnel and degree of supervision
– Potential for mgmt override
– Segregation of duties
– Stability of controls

* Errors that individually or collectively could have a material effect on the financial statements, or other matters such as illegal acts, conflicts of interest, and unauthorised management perquisites that, even though they are not material, could adversely affect the company’s reputation or its relationship with its customers, shareholders, or the public if they were to remain undetected.

Common methodology issues
• ID Significant Accounts and Related Processes
– Materiality and TE thresholds
– TE allocations
– Financial statement assertions
– Process framework
– Multi-location considerations
• Document Processes and Controls
– Nature and extent of process documentation
– Understanding shared/common applications and systems
– Identifying significant risks relevant to financial reporting, including asset safeguarding
– Identifying key internal controls
• Evaluate/Monitor
– Evaluating internal control design for all COSO elements
– Nature, timing and extent of tests of operation of controls
– What constitutes sufficient evidence?
– Nature and extent of controls documentation

Step 6: Management’s 404 report
Sample Paragraphs from CEO & CFO Report on Assessment of Internal Control
Internal Control System
The Company maintains a system of internal control over financial reporting, which is designed to
provide reasonable assurance to the Company’s management and board of directors regarding
the preparation of reliable published financial statements and the safeguarding of assets against
unauthorized acquisition, use or disposition.
****
The Company assessed its internal control system as of 30 June 2005 in relation to the criteria for
effective internal control over financial reporting described in “Internal Control – Integrated
Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission.
Based on its assessment, the Company believes that, as of 30 June 2005, its system of internal
control over financial reporting, including the safeguarding of assets against unauthorized
acquisition, use or disposal, met those criteria.

Management’s 404 report - Internal control deficiency

• Design deficiency - a necessary control is missing or an existing
control is not properly designed so that even when the control is
operating as designed, the control objective is not always met.
• Operating deficiency - a control is not operating as designed or
the person performing a control does not possess the
necessary authority or qualification to perform the control
effectively.

Management’s 404 report - Significant deficiency

• A significant deficiency is an internal control deficiency that
could adversely affect the entity’s ability to initiate, record,
process, and report financial data consistent with the assertions
of management in the financial statements.
– Could arise from a single deficiency or an aggregation of deficiencies.
• PCAOB: “…results in a more than remote likelihood that a
misstatement of the annual or interim financial statements that
is more than inconsequential in amount will not be prevented or
detected.” (PCAOB Proposed Standard, para 8)

Management’s 404 report - Material weakness

• A material weakness is a significant deficiency in one or more of
the internal control components that alone or in the aggregate
precludes the entity’s internal control from reducing to an
appropriately low level the risk that material misstatements in
the financial statements will not be prevented or detected on a
timely basis.
• PCAOB: “…results in a more than remote likelihood that a
material misstatement of the annual or interim financial
statements will not be prevented or detected.” (PCAOB
Proposed Standard, para 9)

Significant deficiencies and material weaknesses

• Deficiencies ordinarily SD (para 123):


– Controls over selection and application of accounting policies in conformity with GAAP
– Anti-fraud programs and controls
– Controls over non-routine and non-systematic transactions
– Controls over the period-end financial reporting process
• Deficiencies at least SD and strong indicator of MW (para 126):
– Restatements
– Material misstatements identified by auditor not identified by controls
– Ineffective audit committee oversight of financial reporting and internal control
– Ineffective internal audit or risk assessment function, for larger and more complex entities
– Ineffective regulatory compliance function, for complex entities in highly regulated industries
– Identification of fraud of any magnitude on the part of senior management
– Significant deficiencies communicated to management/audit committee remain uncorrected


Scope of service and independence considerations, service opportunities

Scope of service and independence considerations

• Scope of service determined by SEC independence rules


– Regulation S-X Rule 2-01 – Qualifications of Accountants
• Recently modified for SOA Section 201
– SEC Commentary on final rules, FAQ and Staff Speeches
• Can provide many services to audit clients to help them prepare for 404
– Project management assistance, diagnostic reviews, documentation assistance, education,
certain testing of controls
• But, management must both take full responsibility for its evaluation
of internal control and actively participate in and own the process
– Mere ratification by management of the results of the external auditor’s work is insufficient

Scope of service and independence considerations
Service, with availability for Chan 1 and Chan 2:
• Assist understanding requirements and develop process and timetable
– Chan 1: Yes; Chan 2: Yes
• Provide project management assistance
– Chan 1: Yes*; Chan 2: Yes
• Lead project team
– Chan 1: No; Chan 2: Yes
• Perform controls diagnostic review (review documentation, perform walk-through and comment on controls)
– Chan 1: Yes*; Chan 2: Yes
• Assist documenting processes and controls
– Chan 1: Yes*; Chan 2: Yes

* Ensure management’s assertion on internal control is theirs, not ours.
Management should be actively involved in and take responsibility for
documenting process and controls.

Scope of service and independence considerations
Service, with availability for Chan 1 and Chan 2:
• Assist developing documentation templates or training client in documentation approach
– Chan 1: Yes+; Chan 2: Yes
• Assist designing and implementing controls
– Chan 1: No; Chan 2: Yes
• Provide recommendations to improve existing controls
– Chan 1: Yes; Chan 2: Yes

+ Engagements should be limited in scope and not to provide assurance

Scope of service and independence considerations
Service, with availability for Chan 1 and Chan 2:
• Perform tests of controls and issue report of findings and recommendations
– Chan 1: Maybe^; Chan 2: Yes
• Perform tests of controls to support management’s assertion
– Chan 1: No; Chan 2: Yes
• Issue attestation report on management’s assertion
– Chan 1: Yes; Chan 2: No

^ Agreed-upon procedures to test controls where not yet issuing
attestation report, provided management have documented and
evaluated controls

Sharing documentation in audit working papers

✓ Basic flowcharts and narratives that describe process
✓ Client prepared documentation in audit working papers
✗ Any evaluative information in audit working papers
– Significant accounts, relevant financial statement assertions, significant
processes
– Financial reporting risks (WCGW) and internal controls
– Evaluations of control design and operating effectiveness, including
control risk assessment

Most documentation relating to internal controls in the
audit working papers is evaluative and should not be
shared with clients

Service opportunities

• SEC registrants and subsidiaries:


– Channel 1
• Expand external audit scope
• Non-assurance services e.g., technical advice, documentation assistance, readiness reviews
– Channel 2 – Broad service offering – no independence limitations
• Other:
– Best practice corporate governance
– Support CEO and CFO certifications
– SAS70 reports

Example 1: Readiness Review

• Large Canadian retail bank, Channel 1 client


• Agreed-upon procedures, e.g.:
– Read & comment on detailed plan compared to SEC rules, PCAOB standard & EY
methodology
– Check account/disclosure linkage to processes
– Read & comment on process to evaluate entity-level controls
– Compare process and IT documentation to project instructions
• Fee C$450k (A$500k)

Example 2: Gap Analysis and Implementation Plan

• Hong Kong transportation, Channel 2 client


• Gap analysis:
– Survey entity-level controls using EY questionnaire
– Take inventory of control documentation for significant accounts/disclosures and processes
– Identify and prioritise gaps
• Implementation plan:
– Develop 404 plan applying EY methodology
• Fee US$50k (A$70k)

Australian Examples

• Telstra (Channel 1)
– Post-implementation review of 404 pilot program (Fee A$100k)
– External audit impact as yet undefined
• 404 Steering Committee
• Quarterly report to Audit Committee
• Macquarie Bank (Channel 2 – Technical advisor)
– Technical advisor
– Post-implementation review of 404 Phase 1 Pilot (Fee A$60k)
– Design and review Phase 2 Pilot (Est. Fee A$100k)
• ANZ Bank (Channel 2 – Technical advisor)
– Technical advisor
– Design 404 process and tools, instruct 404 training sessions and facilitate risk and control
workshops (Fee A$40k - ongoing)


Auditing Internal Controls under Section 404

Impact on Financial Statement Audit
Public Company Audit is an integrated activity that consists of:
• Audit of financial statements
– Procedures we perform to audit and issue our opinion on the client’s financial statements
– SAS ED Auditing an Entity’s Internal Control over Financial Reporting in Conjunction with the Financial Statement Audit
• Audit of internal controls
– Procedures we perform to examine and issue an opinion on the client’s internal control
– SSAE ED Reporting on an Entity’s Internal Control over Financial Reporting

PCAOB Proposed Auditing Standard – An Audit of Internal Control over Financial
Reporting Performed in Conjunction with an Audit of Financial Statements

ERMA Section 9.3

Internal control audit - Objective
4. The auditor’s objective in an audit of internal control over financial
reporting is to express an opinion on management’s assessment of
the effectiveness of the company’s internal control over financial
reporting. To form a basis for expressing such an opinion, the
auditor must plan and perform the audit to obtain reasonable
assurance about whether the company maintained, in all material
respects, effective internal control over financial reporting as of the
date specified in management’s assessment.

• Our objective is to express an opinion on management’s assertion
about the effectiveness of internal control over financial reporting
– Achieved by auditing the subject matter (internal control over financial reporting)
– May express an opinion on subject matter in certain circumstances

Internal control audit - Objective
27. In the audit of internal control over financial reporting, the auditor
must obtain sufficient competent evidence about the design and
operating effectiveness of controls related to all relevant financial
statement assertions for all significant accounts and disclosures in
the financial statements.

• Our opinion relates to the effectiveness of internal controls related to
all relevant FS assertions for all significant accounts and disclosures
• Our opinion relates to the effectiveness of internal control taken as a
whole, and not to the effectiveness of each individual component
– We still need to evaluate the design and effectiveness of each component to make the
assessment

Internal control audit - Key activities

1. Plan engagement
2. Understand and evaluate design effectiveness of controls
3. Test operating effectiveness of controls
4. Communicating results and obtaining representations
5. Form opinion on management’s assertion about internal control
effectiveness

1. Plan engagement
• Develop overall strategy for scope and performance of engagement
– Plan integration with financial statement audit
– SOA Section 404(b) requires same auditor perform IC audit and FS audit
• Understand management’s process for evaluating internal control
effectiveness
77. The auditor must obtain an understanding of, and evaluate,
management’s process for assessing the effectiveness of the
company’s internal control over financial reporting.
• Consider use of service organisations
• Consider multiple locations or business units
– Excludes equity accounted investments
– Includes proportionate consolidations (e.g., joint ventures) where undivided interest >50% or
responsibility for managing assets

Plan engagement - Materiality
• Materiality for IC audit has same conceptual definition as FS audit
– Both qualitative and quantitative considerations
• Apply at two levels:
– Financial statement level – for evaluating whether significant deficiencies are material
weaknesses
– Account balance level – for evaluating whether deficiencies are significant deficiencies
• May also need to allocate account balance level materiality between
business segments or significant processes/systems

2. Understand and evaluate design effectiveness of
controls
• Obtain management’s documentation of significant processes and
controls
• Perform walkthroughs for all significant processes
– Encompass all five control components, not just control activities
– Follow process flow using the same documents and IT that the company uses
– Make inquiries of relevant personnel involved in significant aspects
• Design effectiveness evaluation same as for FS audit
79. Walkthroughs are required procedures. The auditor should perform
a walkthrough for all of the company’s significant processes. In a
walkthrough, the auditor should trace all types of transactions and
events, both recurring and unusual, from origination through the
company’s information systems, until they are reflected in the
company’s financial report.

3. Testing operating effectiveness of controls - Extent
101. Each year the auditor must obtain sufficient evidence about whether
the company’s internal control over financial reporting, including the
controls for all internal control components, is operating effectively.

• Obtain evidence for each IC component in each year
– No rotating tests of controls
– May vary nature, timing and extent e.g., use of work of others, interim period
• Obtain high level of assurance of control operation
– Opinion on IC system as a whole, not individual controls
– Test controls on which other controls depend (e.g., IT general controls) more extensively
• Do not test insignificant controls identified by management

Testing operating effectiveness of controls - Extent
• Do not use work of others for:
– Controls that are part of the control environment, including fraud programs
– Controls over FSCP
– Controls with pervasive effect; e.g., IT general controls
– Walkthroughs
• Limit use of work of others for:
– Controls over non-routine and estimation processes
– Controls over significant accounts/disclosures where risk of control failure is high
107.…In addition to assessing the objectivity and competence of those
performing the tests, the auditor should re-perform some tests of
controls originally performed by others.
109.…the auditor must perform enough testing himself or herself so that
the auditor’s own work provides the principal evidence for the auditor’s
opinion

EY guidance on extent of tests
| Nature of Control and Frequency of Performance | Minimum Number of Items to Test (Extent of Test of Controls) |
|---|---|
| Manual control, performed many times per day | At least 25 |
| Manual control, performed daily | At least 25 |
| Manual control, performed frequently but less than daily | 25% of the number of occurrences or at least 25 |
| Manual control, performed weekly | At least 10 |
| Manual control, performed monthly | At least 3 |
| Manual control, performed quarterly | At least 2 |
| Manual control, performed annually | Test annually |
| Programmed control | Test one application of each programmed control for each type of transaction if supported by effective IT general controls; otherwise test at least 25 |
| IT general controls | Follow guidance above for manual and programmed aspects of IT general controls |

EY guidance on extent of tests

• Applicable where testing more than one control related to a
significant account, class of transactions or disclosure and we do
not expect to find exceptions in control operation
• Based on discovery sampling:
– 90% confidence, 10% tolerable error rate, 0% expected error rate = 25 sample units
– Any exception requires either a conclusion that control is not effective or additional testing
(e.g., larger sample size).
• Consider larger sample sizes where the control we plan to test is the
only control for one or more significant assertions
– 95% confidence, 5% tolerable error rate, 0% expected error rate = 60 sample units

Testing operating effectiveness of controls - Timing
.94 The auditor must perform tests of controls over a period of time that is
adequate to determine whether, as of the date specified in
management’s report, the controls necessary for achieving the
objectives of the control criteria are operating effectively.
• Timing of tests a matter of professional judgment
– Test non-routine and estimation processes closer to or at year end
– FSCP and other processes may be tested after year end
• Superseded controls may not need to be considered in IC audit:
– IC opinion at point in time
– Controls exceptions identified at interim and corrected by year-end
– But, consider FS audit implications
• When testing at interim, obtain evidence of operation for stub period:
– Nature and extent of any significant changes in internal control
– Operating effectiveness of internal control since interim date (e.g., monitoring)

4. Communicating results and obtaining representations

• Required communications
– Audit Committee
• Prior to report issuance, report all material weaknesses in writing
• Prior to report issuance, determine awareness of significant deficiencies
• Advise that management informed of all internal control deficiencies of a lesser magnitude
– Communicate all internal control deficiencies to management on a timely basis
• Written representation from management:
– Acknowledge responsibility for internal control
– State an evaluation of effectiveness has been performed and specify criteria
– State assertion about effectiveness of internal control based on criteria as of a specific date
– State all significant deficiencies and material weaknesses disclosed to auditor
– Describe any material fraud, or any fraud involving employees with a significant role in
internal control
– State any significant changes in, or factors that might significantly affect, internal control

5. Form opinion on management’s assertion about
internal control effectiveness
• Issue single report containing opinions on both FS audit and IC
audit, or two separate reports.
– Combined report when opinion on internal control unqualified
– Separate reports when opinion on internal control qualified
• If separate reports issued:
– Date the same
– Both reports to be included in annual report

Attestation reports - Modifications

• Conditions requiring us to modify our report:
– Management assessment inadequate or management’s report is inappropriate
– Material weakness in internal control
– Scope limitation
– Referring to the report of another auditor
– A significant subsequent event
– Other information in management’s report

Attestation reports – Material weakness
• Definition of material weakness
• Description of the material weakness identified
• If weakness not identified by management, disclosure of that fact
• Impact of material weakness on audit of financial statements
• Adverse opinion

PCAOB Proposed Standard prohibits use of ‘except for’ opinion (because
PCAOB interprets SEC rules as prohibiting management from reporting on
an ‘except for’ basis).

Impact on FS audit – FS audit evidence about controls
insufficient for IC audit purposes
• IC audit requires understanding of control activities for all significant
accounts, classes of transactions, disclosures and related assertions
• Nature, timing and extent of tests of controls insufficient:
– Range of controls tested not sufficiently broad:
• Test entity-level controls
• Test controls for all processes, including non-routine, estimation and FSCP
• Test controls for all COSO elements
– Tests may not provide sufficient assurance about operating effectiveness
• IC audit requires high assurance about operation of controls
• FS audit required low or moderate assurance because of substantive procedures

Impact on FS audit – Substantive procedures
138. Regardless of the assessed level of control risk or the assessed risk
of material misstatement in connection with the audit of the financial
statements, the auditor should perform substantive procedures for all
relevant assertions for all significant accounts and disclosures.
Performing procedures to express an opinion on internal control over
financial reporting does not diminish this requirement.

• High level of assurance about control operating effectiveness does
not overcome need to perform substantive procedures
• Consider internal control deficiencies in designing nature, timing and
extent of substantive procedures

Impact on FS audit - Strategy and execution

• Reconcile to management’s assessments:
– Significant accounts, financial statement assertions and significant processes
– Financial reporting risks (WCGW) and controls
• Modify tests of controls
– ‘Effective - not tested’ no longer an option for public clients
– ‘Moderate’ control risk assessment not applicable
– No rotating tests of controls
– Plan for higher assurance of IC operation (for IC audit), but for period of reliance (for FS
audit)
• Integrate IC audit and FS audit
– First design tests of controls for IC audit, then design substantive procedures for FS audit
• Maximise reliance on tests of controls - Challenge substantive tests
– But, IC audit is ‘as at’, FS audit is for period

Effect of FS audit adjustments on IC audit opinion
144. However, the absence of misstatements detected by substantive
procedures does not provide evidence that the controls related to the
assertion being tested are effective.
143.…the auditor should evaluate the effect of the findings of all
substantive auditing procedures performed in the audit of financial
statements on the effectiveness of internal control over financial
reporting…
• Consider misstatements detected by substantive procedures when
assessing effectiveness of internal controls
– “Judgmental differences” may or may not be evidence of a control deficiency
– “Errors”: who found it? Management? Auditors?
• How many audit adjustments were identified, and do “aggregate”
deficiencies represent a significant deficiency or material weakness?
• “Restatements” likely viewed as evidence of material weakness