PwC's assertions 325



  • This post is deleted!


  • This post is deleted!


  • PwC’s assertions come directly from their own audit methodology.



  • According to Section 404 of Sarbanes-Oxley Title enacts the following concerning management assessment of internal controls:
    (a) Rules Required. – The Commission (Securities and Exchange Commission - SEC) shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall–
    (1) state the responsibility of management for establishing
    and maintaining an adequate internal control structure and
    procedures for financial reporting; and
    (2) contain an assessment, as of the end of the most recent
    fiscal year of the issuer, of the effectiveness of the internal
    control structure and procedures of the issuer for financial
    reporting.
    (b) Internal Control Evaluation and Reporting.–With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board (Public Company Account Oversight Board PCAOB). Any such attestation shall not be the subject of a separate engagement
    The SEC is looking for the evaluation and monitoring of internal control to be managed within a set methodology. The COSO Framework defines internal control, describes its components, and provides criteria against which control systems can be evaluated. COBIT-Control Objectives for Information and related Technology was originally released as an IT process and control framework linking IT to business requirements. It was initially used mainly by the assurance community in conjunction with business and IT process owners. Beginning with the addition of Management Guidelines in 1998, COBIT is now being used more and more as a framework for IT governance, providing management tools such as metrics and maturity models to complement the control framework.
    The SEC and PCAOB recognizes these guidelines and all companies I have worked with utilize these methodologies.
    Even K and P and D and T accepts the CoBIT methodology.



  • The community of ext. Auditors more or less has adopted the COBIT and COSO Framework to their own audit approach. That implies that the assertions of each of the big 4 companies are almost the same.



  • The community of ext. Auditors more or less has adopted the COBIT and COSO Framework to their own audit approach. That implies that the assertions of each of the big 4 companies are almost the same.
    That’s true. I’ve worked for two of them and have due diligenced the others at various times. They all have slightly different assertions but they all amount to the same thing.



  • Hi folks
    I have had PwC as my clients’ auditors on several engagements, and they are insistent on using their CAVR (completeness, accuracy, validity, and restricted access) set of assertions in assessing the design of controls. My other clients use the PCAOB/COSO financial statement assertions. The PwC assertions look familiar from an information systems point of view, but does anyone know how they came up with this method and how they square it with PCAOB’s preference for the COSO framework?
    Mitch
    CAVR are control assertions, they are a high level indication of what kind of control a control is.
    The financial statement assertions say something about the control objectives what a control tries to achieve.
    Hopes this Helps



  • Hi all,
    Just left Pwc after 5 years… yes, that’s correct… you are confusing PwC controls objectives with assertions…two completely different things. PwC has adopted the COSO framework…which talks about information processing objectives in chapter 4. As information passess through the accounting cycle you want it to pass through each part completely and accurately, you want it to be valid ( authorized etc. ) and you want the access to it to be restricted. If you have these types of controls over the information in each of your subprocess, then you have met your assertions, which are over FINANCIAL STATEMENT LINE ITEMS ( the accumulation of your transactions), not over individual controls. Hope that expands on it a little bit further



  • It was developed in-house at PwC. And believe me, every firm is different in their approach.
    Jeff Cunningham



  • Every firm is different in their approach. E-and-Y is the only one that is identical to COSO



  • Hi guys,
    do you know if correct that all the evidence of contros must be sign and store?
    Control example:
    If i have a mail alert of something that i have to correct do i have to stamp it and sign it? Is enough to record it in a mail server?
    I think that the security level is low. You can cancel the mail during the day for example.
    I think i should stamp it and sign to demostrate that i have done the control.
    Thank for your answer.
    Bye
    Check



  • you can also fake a signature and a stamp
    the only safe thing is to have a video recording of the message, no wait, that can be faked as well



  • You can check out:
    auditnet.org/Guides/AuditNet Monograph Series Electronic Records Management.pdf
    This document addresses electronic records management.
    Milan



  • you can also fake a signature and a stamp
    the only safe thing is to have a video recording of the message, no wait, that can be faked as well
    lmao :lol:



  • Hi,
    I’ve seen the following linkage between PwC’s Control Objectives (CAVR) and the standard FS Assertions:
    C Completeness -and-lt;=-and-gt;Completeness, Cutoff, Existence/Occurence,
    A Accuracy -and-lt;=-and-gt;Accuracy, Existence/Occurence,
    V Validity -and-lt;=-and-gt;Valuation
    R Restricted Access -and-lt;=-and-gt; None
    This ‘forced’ linkage does NOT map to Presentation/Disclosure and Rights and Obligations. Additionally, it is at best, fundamentally flawed, since the two concepts are not interrelated.
    However, if you are bent on developing a linkage table, this achieves some correlation. I would not suggest making use of it and instead, propose going with the FS Assertions as observed in COSO or PCAOB.
    If you simply include the PwC CAVR in the control matrix separately, you will avoid confusion or disagreement on the unimportant.
    Hope this further helps,
    Milan



  • Hi,
    I’ve seen the following linkage between PwC’s Control Objectives (CAVR) and the standard FS Assertions:
    C Completeness -and-lt;=-and-gt;Completeness, Cutoff, Existence/Occurence,
    A Accuracy -and-lt;=-and-gt;Accuracy, Existence/Occurence,
    V Validity -and-lt;=-and-gt;Valuation
    R Restricted Access -and-lt;=-and-gt; None
    This ‘forced’ linkage does NOT map to Presentation/Disclosure and Rights and Obligations. Additionally, it is at best, fundamentally flawed, since the two concepts are not interrelated.
    However, if you are bent on developing a linkage table, this achieves some correlation. I would not suggest making use of it and instead, propose going with the FS Assertions as observed in COSO or PCAOB.
    If you simply include the PwC CAVR in the control matrix separately, you will avoid confusion or disagreement on the unimportant.
    Hope this further helps,
    Milan
    hello
    so are you saying in the Risk Control Matrix, it is best that we stick to COSO’ financial statement assertions, rather than using PwC’s CAVR?
    thanks,



  • CAVR represents the information processing objectives that are used by PwC in their audit approach. They are useful and worth consideration, but it should be noted that they are not the FS assertions that are typically included in the RCM.
    It is preferable to use the standard FS Assertions and if the control involves an IT component, it might also be helpful to correlate the control to the relevant information processing objective.



  • As Mr. Guest Said:
    Information Processing Objectives area related to controls (COSO, chapter 4 not a PwC creation), and Financial Statement Assertions are related to financial statement lines (accounts). A well done COSO implementation should use CAVR.
    When you map your process and identify a control, it is easer to link to CAVR, and then link to FS assertions. I use to document both on my RCM.
    The correct relation between CAVR and FS Assertions are:
    Completeness - Completeness, Cut-off, Existence/Occurrence, Rights and Obligations
    Accuracy - Accuracy, Classification, Valuation and Allocation
    Validity - Existence/Occurrence, Cut-off, Rights and Obligations
    Restricted Access - Most, except for Rights and Obligations


Log in to reply