New Guidance and Reduced Testing 2088
-
What we were told was that when examining each account in each location, you have to consider misstatements at a lower level than materiality. Therefore, you need to verify 0.25% of profit before tax as the misstatement risk threshold. %0A http://iacmusic.com/Uploads/Motorpsychos_-_bullshit.gif
-
I think the difference is simply that we have a very risk averse partner and director on the engagement team. in addition, the old methodology applied to scoping would have picked up only 2/3 entities as full scope with others as being limited. This is becuase we have 2 entities that dominate our financial results with others being small ebusinesses acquired over the years.
That should be his problem and not yours.
FYI - we received the following responses to the points that you made above:- They do not intend to place any reliance on any of management’s work becuase this is the first year of attestation (we reported independantly last year due to FPI accelerated filer exemptions). In addtion, they have stated that becuase the audit is integrated (sorry if I am wrong here- I think it was always supposed to be integrated?) that they have to look at entities that require statutory audits.
That’s not a valid reason for not placing reliance. Either they are not satisifed with the independence and quality of the work or they are not.
As for statutory audits, they NEED to look at entities only for statutory purposes. It is quite conceivable that an entity that requires a statutory audit is out of scope for SOX - we have many. The only entity that needs to be in scope for SOX is the one listed in the US. - I have tried to contact our auditors for a kick off meeting since March. They met us for the first time 2 weeks ago and refuse to provide dates or estimated dates for testing (we have informed them that Phase 1 is already underway) until we provide ours.
That’s just plain ignorant
3.Scoping reports are definitely detailed and take a long time to prepare. We have been asked to consider significant deficiencies because of te risk that they may lead to a material weakness when accumulated. We have also been asked not to reduce our key controls to those giving risk to a material misstatement for the same reason.
Management is obliged to determine out the level of review/testing that supports their assessment - not the auditor. If they are not going to rely on your work why would you accomodate them? - sample sizes will reduce. we have been told that there is no longer such a thing as medium risk - only low or high risk. They acknowledged that they have a need to reduce their sample sizes as they have been higher than other audit firms over the last 3 years of adoption.
As per my answer above, management assesses risk however they want within their own defined approach. And the auditors do likewise. - Direct entity level controls. We were criticised for only having indirect entity level controls but most of these have existed in the format of our month end financial reporting process and controls.
Direct entity level controls CAN be used to remove assertion-level cotnrol from scope if sufficiently precise. If you don’t have them it is only a missed efficiency, it is not a compliance process. If you do have them but they’re in your period-end processes then your auditors need to be a bit less dense - after all we pay for them to be highly skilled practitioners do we not? - Cost - we anticipate this to increase to an amount higher than originally budgeted given the non-reliance on management assessments and the additional scoping that was not anticipated at Q1 (we had expected scoping to reduce)
Challenge them on this - potentially competitively
- They do not intend to place any reliance on any of management’s work becuase this is the first year of attestation (we reported independantly last year due to FPI accelerated filer exemptions). In addtion, they have stated that becuase the audit is integrated (sorry if I am wrong here- I think it was always supposed to be integrated?) that they have to look at entities that require statutory audits.
-
I totally agree with you on all of this Dennis.
Unfortunately the powers that be on the board of Directors seem unwilling to change firms right now, and, as I am the only SOX specialist in the group, I don’t really get much support…
Seriously thinking about leaving there…
-
I do agree that the revised guidance just emphasizes what we did last year (witch was my first)… no change in methodology.
But, we are thinking in reduce sample size for low risk areas and use just walkthrough in some areas.
I had a roundtable with PwC last week and they are focusing on company level controls (as mentioned by WrightLot, Direct entity level controls), witch we did not test last year- Does anyone knows why IT is different???
The PCAOB guidance steers auditors to place reliance on management’s work. Our auditors are citing international audit standards claiming that this is not possible, partciularly for IT and have significantly increased the amount of work around IT. - SEC Guidance is too generic. In my opinion, management will still following PCAOB Standards and external auditors’ methodology.
- Does anyone knows why IT is different???
-
I’m not clear on point 1 and what your auditors have told you Ricardo.
Did they cite which audit standards they were referring to?
-
I didn’t find anything.
This was first mentioned by WrightLot (above). I personally disagree with these point.
-
Ricardo, the statement I made was taken from my external auditor and shows the ‘fun’ I am experiencing. I also do not think that the argument is any different for IT audit than for non-IT, the same standard (APB Ethical Standard 1) applies to both areas. A cynic might argue that this, along with the arguments EMM is encountering, is an attempt by the auditors to justify maintaining their fee level post the SOX revisions.
PLEASE NOTE that this appears to relate to those of us based in the UK and Ireland where there seem to be stricter rules about auditors’ reliance on the work of others. Therefore for us it is finding the right balance between adopting the reliance encouraged by the PCAOB and ensuring that auditing standards are not breached. I cannot speak for the rest of the world where audit standards may have a different emphasis.
-
WrightLot, I have worked in PwC for almost 8 years’. and all of their world wide methodology was based on the ISA (International Standard on Auditing) and also COSO.%0AAccordingly to all Big (Last) Four’ employee I met, the focus will be reducing the number of key controls based on risk assessment (approximately 40% reduction), and their fees will still the same… Reducing work, but not the fees’’%0ARisk assessment = professional judgment.
-
Ricardo.
The auditor firm we are referring to is KPMG.I am a PwC alumni myself and worked on several SOX audits under the old AS2 rules.
Wrightlot and I are simply comparing notes because we use the same audit firm and one would assume that those who received training in the UK offices would have received similar training in the Irish offices.
-
Thanks for the reply.
My company has already changed to KPMG’ I hope they pass very far from Ireland…
