Interpretation of PCAOB AS#5
June 2007
The SEC has recently approved the PCAOB’s Auditing Standard #5 for Independent Auditors opining on internal controls for financial reporting (ICFR) for SEC reporting companies. Enclosed is a synopsis of the Standard taken directly from the PCAOB, along with Taylor White’s interpretation.
Internal control over financial reporting
“Internal control over financial reporting is a process designed by, or under the supervision of, the company's principal executive and principal financial officers, or persons performing similar functions, and effected by the company's board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP. It includes those policies and procedures that
(1) Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements.”
“Effective internal control over financial reporting provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes. If one or more material weaknesses exist, the company's internal control over financial reporting cannot be considered effective.”
Taylor White Interpretation
The process companies are undertaking to be compliant with this provision should be focused on financial reporting internal controls and not process or activity level controls. Many consultants and independent auditors have spent unnecessary time on process level controls because they did not recognize the distinction between the two types of control processes. Financial reporting controls have always been the focus of Taylor White Sarbanes Oxley engagements.
Role of Risk Assessment
10. Risk assessment underlies the entire audit process described by this standard, including the determination of significant accounts and disclosures and relevant assertions, the selection of controls to test, and the determination of the evidence necessary for a given control.
11. A direct relationship exists between the degree of risk that a material weakness could exist in a particular area of the company's internal control over financial reporting and the amount of audit attention that should be devoted to that area. In addition, the risk that a company's internal control over financial reporting will fail to prevent or detect misstatement caused by fraud usually is higher than the risk of failure to prevent or detect error. The auditor should focus more of his or her attention on the areas of highest risk. On the other hand, it is not necessary to test controls which, even if deficient, would not present a reasonable possibility of material misstatement to the financial statements.
Taylor White Interpretation
In remaining focused on financial reporting controls, it is not necessary to identify or test every process control, but rather only those that satisfy management’s financial statement assertions related to:
- Existence or occurrence
- Valuation or allocation
- Completeness
- Rights and obligations
- Presentation and disclosure
Taylor White’s control identification process begins with first identifying financial statement assertions and then identifying the key controls that satisfy those assertions.
Addressing the Risk of Fraud
The auditor should evaluate whether the company's controls sufficiently address identified risks of material misstatement due to fraud and controls intended to address the risk of management override of other controls. Controls that might address these risks include:
- Controls over significant, unusual transactions, particularly those that result in late or unusual journal entries;
- Controls over journal entries and adjustments made in the period-end financial reporting process;
- Controls over related party transactions;
- Controls related to significant management estimates; and
- Controls that mitigate incentives for, and pressures on, management to falsify or inappropriately manage financial results.
Taylor White Interpretation
In identifying financial statement accounts having a higher likelihood of containing a material misstatement or inadequate disclosure, the focus should be on processes that have a high degree of subjectivity, involve related parties, or are subject to adjustment for valuation. The controls that might mitigate these risks reside in entity level controls for Board or Audit Committee oversight, monitoring activities, supervision of the financial close process and the Board’s efforts to adequately and correctly compensate upper management.
Using the Work of Others
16. The auditor should evaluate the extent to which he or she will use the work of others to reduce the work the auditor might otherwise perform himself or herself. AU sec. 322, The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements, applies in an integrated audit of the financial statements and internal control over financial reporting.
17. For purposes of the audit of internal control, however, the auditor may use the work performed by, or receive direct assistance from, internal auditors, company personnel (in addition to internal auditors), and third parties working under the direction of management or the audit committee that provides evidence about the effectiveness of internal control over financial reporting. In an integrated audit of internal control over financial reporting and the financial statements, the auditor also may use this work to obtain evidence supporting the auditor's assessment of control risk for purposes of the audit of the financial statements.
18. The auditor should assess the competence and objectivity of the persons whose work the auditor plans to use to determine the extent to which the auditor may use their work. The higher the degree of competence and objectivity, the greater use the auditor may make of the work. The auditor should apply paragraphs .09 through .11 of AU sec. 322 to assess the competence and objectivity of internal auditors. The auditor should apply the principles underlying those paragraphs to assess the competence and objectivity of persons other than internal auditors whose work the auditor plans to use.
19. The extent to which the auditor may use the work of others in an audit of internal control also depends on the risk associated with the control being tested. As the risk associated with a control increases, the need for the auditor to perform his or her own work on the control increases.
Taylor White Interpretation
It is up to each company’s audit committee to evaluate to what degree the external auditors are willing to use the work of others. When the external auditors evaluate the objectivity and competence of the personnel performing the work, the keys will be independence and whether or not those personnel work for and report to the audit committee rather than to management. Critical areas in which they may use the work of others are: risk assessment and critical business process identification; identification of sufficient financial reporting controls; walk-throughs (provided the auditor supervises the walk-through process); selection of the type of testing; and the actual testing. The more of the work of others the auditor can accept, the lower the risk associated with the controls, which should lower the cost of the audit.
Using a Top-Down Approach
21. The auditor should use a top-down approach to the audit of internal control over financial reporting to select the controls to test. A top-down approach begins at the financial statement level and with the auditor's understanding of the overall risks to internal control over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions. This approach directs the auditor's attention to accounts, disclosures, and assertions that present a reasonable possibility of material misstatement to the financial statements and related disclosures. The auditor then verifies his or her understanding of the risks in the company's processes and selects for testing those controls that sufficiently address the assessed risk of misstatement to each relevant assertion.
Identifying Entity-Level Controls
22. The auditor must test those entity-level controls that are important to the auditor's conclusion about whether the company has effective internal control over financial reporting. The auditor's evaluation of entity-level controls can result in increasing or decreasing the testing that the auditor otherwise would have performed on other controls.
23. Entity-level controls vary in nature and precision:
- Some entity-level controls, such as certain control environment controls, have an important, but indirect, effect on the likelihood that a misstatement will be detected or prevented on a timely basis. These controls might affect the other controls the auditor selects for testing and the nature, timing, and extent of procedures the auditor performs on other controls.
- Some entity-level controls monitor the effectiveness of other controls. Such controls might be designed to identify possible breakdowns in lower level controls, but not at a level of precision that would, by themselves, sufficiently address the assessed risk that misstatements to a relevant assertion will be prevented or detected on a timely basis. These controls, when operating effectively, might allow the auditor to reduce the testing of other controls.
- Some entity-level controls might be designed to operate at a level of precision that would adequately prevent or detect on a timely basis misstatements to one or more relevant assertions. If an entity-level control sufficiently addresses the assessed risk of misstatement, the auditor need not test additional controls relating to that risk.
24. Entity-level controls include:
- Controls related to the control environment;
- Controls over management override;
- The company’s risk assessment process;
- Centralized processing and controls, including shared service environments;
- Controls to monitor results of operations;
- Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs;
- Controls over the period-end financial reporting process; and
- Policies that address significant business control and risk management practices.
Control Environment
25. Because of its importance to effective internal control over financial reporting, the auditor must evaluate the control environment at the company. As part of evaluating the control environment, the auditor should assess:
- Whether management's philosophy and operating style promote effective internal control over financial reporting;
- Whether sound integrity and ethical values, particularly of top management, are developed and understood; and
- Whether the Board or audit committee understands and exercises oversight and responsibility over financial reporting and internal control.
Period-End Financial Reporting Process
26. Because of its importance to financial reporting and to the auditor's opinions on internal control over financial reporting and the financial statements, the auditor must evaluate the period-end financial reporting process. The period-end financial reporting process includes the following:
- Procedures used to enter transaction totals into the general ledger;
- Procedures related to the selection and application of accounting policies;
- Procedures used to initiate, authorize, record, and process journal entries in the general ledger;
- Procedures used to record recurring and nonrecurring adjustments to the annual and quarterly financial statements;
- Procedures for preparing annual and quarterly financial statements and related disclosures; and
- The nature and extent of the oversight of the process by management, the board of directors, and the audit committee.
Taylor White Interpretation
Taylor White has always, long before the publication of this standard, used the top down, entity level control (ELC) identification method on all of our Sarbanes projects. The key points concern some of the processes and procedures we have asked you to implement. Risk Management is an area that is not universally understood, but based upon the above it is critical to having effective entity level controls. Taylor White can supply you with an Enterprise Risk Management protocol for smaller public companies, based on the COSO ERM framework, together with a period-end financial reporting process and monitoring controls that have strong audit committee involvement. A strong audit committee chairperson is critical to the success of this entity level control. The monitoring of the financial reporting process by the audit committee is absolutely necessary for this to be a mitigating ELC. Taylor White has supplied, or can supply, audit committee charters and responsibilities calendars to help you institute this control. In some cases we have helped recruit your audit committee chairperson, and can assist in doing so if needed. Other templates/protocols include closing calendars, checklists and monitoring examples. Strong ELCs, audit committee and monitoring efforts always lead to less control identification and testing, which should lead to lower costs from your external auditors.
Identifying Significant Accounts and Disclosures and Their Relevant Assertions
28. The auditor should identify significant accounts and disclosures and their relevant assertions. Relevant assertions are those financial statement assertions that have a reasonable possibility of containing a misstatement that would cause the financial statements to be materially misstated. The financial statement assertions include:
- Existence or occurrence
- Completeness
- Valuation or allocation
- Rights and obligations
- Presentation and disclosure
Taylor White Interpretation
The identification of financial reporting controls has been discussed above by both the PCAOB and Taylor White. This section simply amplifies the importance of knowing the difference between process controls and assertion controls.
“Understanding Likely Sources of Misstatement
34. To further understand the likely sources of potential misstatements, and as a part of selecting the controls to test, the auditor should achieve the following objectives:
- Understand the flow of transactions related to the relevant assertions, including how these transactions are initiated, authorized, processed, and recorded;
- Verify that the auditor has identified the points within the company's processes at which a misstatement – including a misstatement due to fraud – could arise that, individually or in combination with other misstatements, would be material;
- Identify the controls that management has implemented to address these potential misstatements; and
- Identify the controls that management has implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could result in a material misstatement of the financial statements.
35. Because of the degree of judgment required, the auditor should either perform the procedures that achieve the objectives in paragraph 34 himself or herself or supervise the work of others who provide direct assistance to the auditor, as described in AU sec. 322.”
Performing Walkthroughs
37. Performing walkthroughs will frequently be the most effective way of achieving the objectives in paragraph 34. In performing a walkthrough, the auditor follows a transaction from origination through the company's processes, including information systems, until it is reflected in the company's financial records, using the same documents and information technology that company personnel use. Walkthrough procedures usually include a combination of inquiry, observation, inspection of relevant documentation, and re-performance of controls.
Taylor White Interpretation
This section does not mandate that auditors perform walk-throughs, but they would be hard pressed not to do them. Taylor White has a walk-through process that includes gathering evidential matter to back up the walk-through control evaluation, which can be reviewed by your auditors or re-performed efficiently under their supervision. Again, this should lead to lower costs on their part.
“Selecting Controls to Test
39. The auditor should test those controls that are important to the auditor's conclusion about whether the company's controls sufficiently address the assessed risk of misstatement to each relevant assertion.
40. There might be more than one control that addresses the assessed risk of misstatement to a particular relevant assertion; conversely, one control might address the assessed risk of misstatement to more than one relevant assertion. It is neither necessary to test all controls related to a relevant assertion nor necessary to test redundant controls, unless redundancy is itself a control objective.
41. The decision as to whether a control should be selected for testing depends on which controls, individually or in combination, sufficiently address the assessed risk of misstatement to a given relevant assertion rather than on how the control is labeled (e.g., entity-level control, transaction-level control, control activity, monitoring control, preventive control, detective control).”
Taylor White Interpretation
At the risk of being redundant, the selection of financial statement assertion key controls is critical to the success of the project. All process controls do NOT need to be identified, and controls that are selected do NOT need to be tested by themselves. Taylor White has successfully combined synergistic controls into test plans for years, with the acceptance of external auditors.
“Testing Design Effectiveness
42. The auditor should test the design effectiveness of controls by determining whether the company's controls, if they are operated as prescribed by persons possessing the necessary authority and competence to perform the control effectively, satisfy the company's control objectives and can effectively prevent or detect errors or fraud that could result in material misstatements in the financial statements.
Note: A smaller, less complex company might achieve its control objectives in a different manner from a larger, more complex organization. For example, a smaller, less complex company might have fewer employees in the accounting function, limiting opportunities to segregate duties and leading the company to implement alternative controls to achieve its control objectives. In such circumstances, the auditor should evaluate whether those alternative controls are effective.
43. Procedures the auditor performs to test design effectiveness include a mix of inquiry of appropriate personnel, observation of the company's operations, and inspection of relevant documentation. Walkthroughs that include these procedures ordinarily are sufficient to evaluate design effectiveness.”
Taylor White Interpretation
Strong entity level controls, particularly over the financial close, monitoring, and audit committee involvement in the reporting process, will mitigate most segregation of duties issues. Again, the walk-through process used by Taylor White can satisfy the design effectiveness requirement. The ELC and risk assessment methodology includes integrating ELCs into the critical process identification, directly correlating mitigating controls into the test planning and execution.
“Testing Operating Effectiveness
44. The auditor should test the operating effectiveness of a control by determining whether the control is operating as designed and whether the person performing the control possesses the necessary authority and competence to perform the control effectively. Note: In some situations, particularly in smaller companies, a company might use a third party to provide assistance with certain financial reporting functions. When assessing the competence of personnel responsible for a company's financial reporting and associated controls, the auditor may take into account the combined competence of company personnel and other parties that assist with functions related to financial reporting.
45. Procedures the auditor performs to test operating effectiveness include a mix of inquiry of appropriate personnel, observation of the company’s operations, inspection of relevant documentation, and re-performance of the control.”
“Note: Although the auditor must obtain evidence about the effectiveness of controls for each relevant assertion, the auditor is not responsible for obtaining sufficient evidence to support an opinion about the effectiveness of each individual control. Rather, the auditor's objective is to express an opinion on the company's internal control over financial reporting overall. This allows the auditor to vary the evidence obtained regarding the effectiveness of individual controls selected for testing based on the risk associated with the individual control.”
Taylor White Interpretation
When evaluating ELCs, one of the areas in our methodology is to evaluate the finance staff competency. This speaks directly to #44 above. The type of test to be performed does not have to be a sample with documentation review. Depending on the risk level, personnel competence and ELC strength, any of the testing types described above can be used as evidential matter. Again, the emphasis is not on individual controls, but on the system of internal controls for financial reporting taken as a whole. Depending on the circumstances, Taylor White has integrated different testing methods into control test plans for the same process.
Appendix A contains discussion by the PCAOB on how and why the standard was adopted.