About Me

Expertise Summary

Are you stressed out by incurring the time and costs to persuade your auditors that your internal controls are practically “effective” (as in SOX 404)?

Let me provide the solution, based on my thorough understanding of how auditors are SUPPOSED to assess your controls under Auditing Standard (AS) No. 2201 (formerly AS 5) and on my experience since 2003, when the SOX Act of 2002 was put into practice.

Seasoned Big 4 CPA, with SEC SOX audit expertise, who can DESIGN and operate controls that are effective under SOX 404, thereby actualizing accurate internal as well as external financial reporting and enabling the external auditor to rely on the controls.

Expertise Detail

I started my audit career in 2003, when the Sarbanes-Oxley Act of 2002 (SOX) was implemented. At the time, there was criticism that audit fees would become exorbitant (which actually happened) because audit hours would increase on account of the extra work the Act required of auditors (i.e., the auditors’ attestation on their client’s internal control effectiveness, particularly under SOX 404).

In response, and to interpret the Act, the PCAOB issued Auditing Standard No. 5 (AS 5) in 2007, clarifying that the auditor’s control attestation must not be an addition to their audit work but must already be incorporated in that work via assessing Control Risk, as in the Combined Risk Assessment (CRA) formula used to evaluate Audit Risk (= Inherent Risk x Control Risk x Detective Risk) for each Assertion.

What the CRA gives to auditors is, simply put, “the higher the Control Risk, the higher the CRA (thus, more Audit Work, or specifically, more extensive Substantive Procedures/Testing).”

In reality, however, there is no way for a client company to discern how their external auditor has concluded their CRA.

The only way for the company (internal auditor) to figure it out would be to follow the same (internal control/SOX) audit methodology that PCAOB/SEC’s AS 5 requires of the external auditor.

That’s where I come into play and ensure that the company’s “Control Risk” (as in the CRA) is so adequately low that the external auditor can comfortably rely on the company’s financial controls.

The Term “Accuracy” Is Not a Control Objective But a Magic Spell (Cast by the Board-Authorized, “Independent” Auditor)

But first, let’s see …

The Reality – The Balance Sheet Approach (Control Assessment)

vs.

The Should-Be Practice – The Top-Down, Risk-Based Approach

When they find a significant Misstatement, the auditor would say, “You, management, have a Control Deficiency,” which is NOT identified as a result of Control Testing BUT of Substantive Testing.

That is because their audit takes the Balance Sheet (B/S) approach, the assumption of which is that, if management’s Controls are Effective, the G/L account balances (at the B/S date) should be “Accurate”.

Conversely, if an account balance is Inaccurate or Incomplete, the associated Controls must have been Ineffective/Deficient.

The assumption is practically convenient for the auditor because they don’t need to assess Controls for them to conclude that management’s Controls were Ineffective/Deficient during the current year.

The critical problem for management here is that they would mistakenly believe that they need to Remediate the Control Deficiencies IN ORDER TO make the related account balances “Accurate”.

That’s why I refer to the “Accuracy” as a magic spell cast by the auditor.

The assumption is logically false, as the identified misstatement does not indicate which Control was ineffective/deficient. Besides, the auditor wouldn’t know HOW the Control was DESIGNED or HOW the (Effectively DESIGNED) Control was Operated.

The correct logic is that, if an account balance (at the B/S date) was Inaccurate or Incomplete, the auditor’s Control Risk must be correspondingly Higher, according to which their Detective Risk will necessarily be High and the extent of Substantive Testing will be Higher (or more extensive).

Note that Control Risk and Detective Risk are part of Audit Risk, which is determined by the Combined Risk Assessment (CRA) equation: Inherent Risk x Control Risk x Detective Risk = Audit Risk.

Also note that the level of Detective Risk is directly correlated with that of Control Risk, which is inversely correlated with Control Effectiveness, whereas Inherent Risk is what management, not the auditor, is exposed to and is thus independent of the other two (Control and Detective Risk).

In the ICFR context, Inherent Risk is the Misstatement Risk that is referred to as Likely Source of Potential Misstatements (LSPM as in Auditing Standard No. 2201).

It is critically important to distinguish between the two (i.e., Control Risk vs. LSPM), because the reason auditors don’t care about the LSPM or Misstatement Risk is that it does not affect the level of Control Risk and thus Detective Risk (in the CRA equation).

Management, on the other hand, is NOT concerned with Control Risk BUT with LSPM, which is the very reason they are unable to Effectively DESIGN Controls and Prevent Misstatements from taking place. Note that, even if a Misstatement is Detected by management, the Misstatement will recur unless the underlying LSPM (i.e., Inherent or Misstatement Risk) is Adequately Mitigated.

As such, to Effectively DESIGN a Control, management needs to first identify the LSPM at each critical data path in a transaction Cycle (such as Order to Cash, Procure to Pay, and Record to Report), with the proper F/S Assertions (i.e., Control Objectives), which are NOT Accuracy BUT Existence/Occurrence, Completeness, Rights/Obligations, Valuation/Measurement, and Presentation/Disclosure, and then DESIGN the Control in such a way as to satisfy the DESIGN Attributes (board-authorized Policies & Procedures as well as Roles & Responsibilities, US GAAP & SEC Regulation Compliance, Segregation of Duties, ITGC, etc.) IN ORDER TO Mitigate the Risk of Misstatement or LSPM.

The Practical Example of How to Design “Effective” (as in SOX 404) Financial Controls —

The COSO Criteria to DESIGN Effective Internal Controls over Financial Reporting (ICFR)

(AI) companies allegedly commit such frauds as circular transactions and “inadequate disclosures” (as in the Exchange Act, e.g., NVDA omits Related Party).

Yet auditors don’t report any fraud; they say, in the 10-K, “the company maintains effective ICFR, based on ‘COSO Criteria’.”

The reality, however, is that auditors don’t really audit ICFR based on the Criteria.

As proof, refer to a sentence shown in the 10-K: “Our audit included …” 1) “assessing the risk that a material weakness (MW) exists,” 2) “testing … design and operating effectiveness of ICFR ‘based on the Assessed Risk’,” and 3) “performing such other procedures …”

#1 means that the auditor assesses Control Risk, i.e., the Risk of ICFR being Ineffective; #2 then means they Tested the effectiveness “based on the Risk of ICFR being Ineffective”.

That is, to Test ICFR Effectiveness, the auditor took the Balance Sheet approach (NOT the Top-Down, Risk-Based approach per Auditing Standard (AS) 2201), whereby (#3) “performing such other procedures” means Substantive Testing to conclude that ICFR is effective/ineffective if balances were Accurate/Inaccurate.

As such, the auditor assesses the client’s ICFR effectiveness neither “based on ‘COSO Criteria’” (per SOX by the SEC) nor based on the Top-Down, Risk-Based approach (per AS by PCAOB/SEC).

Why? Because they want/need to Detect MW/Material Misstatements, NOT to Prevent them.

In other words, the auditor does NOT need to specifically assess whether the client’s ICFR DESIGN is effective; thus, they don’t care HOW to DESIGN.

But does it matter HOW to DESIGN ICFR?

Imagine a situation where a securities lawsuit is filed against a company based on “inadequate disclosures” (as in the Exchange Act), which allegedly triggered its stock-price collapse.

As it specifies that financial statements (F/S) are management’s responsibility, SOX would be the strongest basis for the lawsuit, where the burden of proof would rest on management, who need to prove:
1) that they DESIGNED “effective” (as in SOX 404) ICFR “based on ‘COSO Criteria’” in accordance with SOX (302) and the Exchange Act; and/or
2) the auditor’s dereliction of duty.

For #1, management need to articulate HOW they DESIGNED ICFR effectively “based on COSO Criteria”.

For #2, the defendant can point out that the auditor neglected AS 2201.

Let me help DESIGN effective Preventive ICFR. (Hint: F/S Assertions (NOT Accuracy) should be the Control Objectives, and COSO Principles should be the DESIGN Criteria, i.e., Effective DESIGN Attributes.)

Please see the conceptual background of the SOX Act for a more detailed discussion.

Also refer to: https://noritsurumaki.com/who-knows-how-to-design-an-effective-control/