Management Testing / Management Assessment 1966



  • Hi,
    Just to add to Milan’s Comments, the new proposed guidance from the SEC and PCAOB is still at proposal stage. The deadline for submission of comments is February 26th 2007. This means that until the guidance is properly finalised and approved, your ext. auditors will not be placing all that much reliance on the work of others, and the proposals that a more risk based approach is taken, should not be assumed as acceptable yet.
    Nonetheless, it does seem likely that the proposed guidance will be in place later this year.
    Is it possible to look at the proposal yet?



  • Yes it is.
    The PCAOB proposal is a new audit standard and may be obtained from their website (ref, Audit standard 5). It is quite large though, and as this standard only needs to be followed by external auditors, I would recommend that you have a look at the summary points made by a fellow blogger - Shapi at .
    The SEC guidance, which is aimed more towards Management, still references back to the new proposed standard. A brief summary of the proposal may be found at www.sec.gov if you key in a search for SEC release 33-8762.
    Happy reading.



  • Protiviti Consulting prepared a high level summary of the meeting from 12/06…
    www(dot)protiviti.com/content/PRO/pro-us/pages/en/US/Knowledge/PCAOB_Updates/PCAOBUpdates_20061227.pdf



  • Thank you very much for your answers (very helpful).
    I went through the summaries and particularly the point ‘remove the requirement to evaluate management’s process’ drew my attention.
    What do you think, will this lead to significant changes in the management testing process? I mean, if the process is not evaluated anymore, then there is no incentive to conduct it very thoroughly.
    I am looking forward to your comments.



  • I think it will depend largely on the relationship between client and auditor and whether or not the auditor knows enough about the client’s procedures through CAKE (Cumulative Audit Knowledge Experience).
    Most audit firms are terrified of litigation at the moment and, as a result, this may not be the key element that they apply to any revised approach that they take.
    The current standard requires a detailed evaluation and assessment of management’s workings and reports in order to assess whether any reliance can be placed on their work. If they no longer perform such reviews, we may have additional scrutiny at the non-key control level.



  • … Most audit firms are terrified of litigation at the moment and, as a result, this may not be the key element that they apply to any revised approach that they take.
    The current standard requires a detailed evaluation and assessment of management’s workings and reports in order to assess whether any reliance can be placed on their work. If they no longer perform such reviews, we may have additional scrutiny at the non-key control level.
    But doesn’t that mean that a lot of work and responsibility is shifted from the management to the auditors (e.g. additional scrutiny on the non-key controls)?



  • Absolutely.
    This is why it is unlikely that your auditors will stop looking at your reports.
    For example, my organisation is exempted from auditor attestation this year as an FPI. This has not prevented our auditors from performing SOX controls testing and reviewing our documentation.
    Performing work additional to the audit standards is not considered an issue by the PCAOB. They are only concerned with under-compliance.



  • I look at it like this:

    1. Management could choose to do no work but in so doing they face the risk that the auditors reach an adverse opinion based on their own testing.
    2. If management undertake no testing then the auditors will have to complete full testing themselves. At say GBP1,000 per day per tester this could prove an expensive option for any company given that the auditors can already rely on independent testing undertaken by management (the proposed revisions just emphasise this further).
      Therefore I would surmise that there is every incentive for management to conduct a thorough evaluation to minimise the risk of an adverse opinion and reduce audit fees.
      Whether having a risk based approach will have an impact on management testing I think will depend on how far down that road management have already travelled. The biggest impact of the revised guidance that I can see is the auditors trying to justify the extent (and cost) of future SOX audits if there is extensive 3rd party and management testing already in place.


  • @EMM and Wrightlot:
    So, you think in the long run it is less expensive for management to conduct a proper management testing with extensive reporting than to skip management testing and let the auditors do the work?
    But, anyway, to make that point clear: would it theoretically be allowed for management to omit management testing completely?



  • I would have thought that it would be going against 404 for management not to complete an assessment of Internal controls.
    What do you think Wrightlot?



  • I now feel like I’m in a court of law. ‘Tell me, is it possible that…?’.
    Perhaps my answer should be ‘yes it is possible but its likelihood is less than remote’. Instead I think I’ll pass this question to the floor because this is US legislation and I am only a UK observer.
    In the UK we have, for example, Turnbull which requires companies to certify they have effective corporate governance and has a wider span than 404 or 302. However, in principle, companies could just pay lip service to it because it is not verified by a 3rd party but other legislation and the power of shareholders would make this unacceptable.
    Below I have pasted from an article I read recently which highlights these differences which I thought were interesting although I have no idea if they are true.
    The US and Britain appear to share a model of corporate governance, with a common law legal system, transparent disclosure regimes, unitary company board structures, shareholder value and market confidence as corporate objectives and dispersed share ownership with institutional ownership of most shares.
    In reality, great differences exist. In Britain, the Combined Code of corporate governance is the cornerstone of a ‘comply or explain’ principles-based approach. It is backed up by a robust system of company law and market regulation. Shareholders have real power to hold boards to account.
    The US has a regulator-led system mainly enforced through the SEC, listing rules and state law. There is no governance code and shareholders’ main means of board engagement is through proposing non-binding resolutions for annual meetings during the spring and smaller autumn proxy seasons.

