Management's assessment on operating effectiveness



  • My client’s current external auditor, KPMG, wants management to state an opinion on whether the control is operating effectively for EACH single control. In other words, for each test there needs to be a separate opinion expressed.
    In past engagements, management wrote a conclusive summary letter about the effectiveness of internal control. Part of the evidence used to form this opinion was the test of operating effectiveness results taken as A WHOLE. Instead, KPMG wants an opinion expressed on every test. E.g., 5 exceptions were found so this control is not operating effectively. Has anyone else had to deal with this?



  • The only assertion that is required is for internal control as a whole. However, you have to think about what is supporting this assertion.
    Your overall assertion is based on evaluation of individual controls which meet financial statements risks within individual processes that link to significant accounts within your financial statements. To demonstrate that you have the evidence to support your assertion means that your evaluation of each control almost certainly does need a conclusion - but this would basically be a pass/fail decision on ‘is the control operating effectively?’.
    You would then need to aggregate these conclusions to form a view on an individual process and make a judgement on whether any control deficiencies (or fails) have a significant or material impact on the financial statements.
    However, if the auditor is looking for anything more than a pass/fail judgement on each control then your client really needs to push back.



  • I believe that you do need to assess every control as to whether or not it is effective. If not, are there compensating controls? If it is a key control, you need to know whether or not it is effective so that you can develop a remediation plan for the controls that are not effective.
    We are actually providing our BOD a list of ALL control failures - even those that do not lead to a significant deficiency or material weakness.
    For every control that we assess, the tester is required to state whether or not the control was effective.



  • I agree with kymike.
    For our testing, any controls which had an exception went into a findings summary template. If an additional sample was tested and nothing else found, that would be noted and it would be deemed operating effectively.
    If additional exceptions were found / or we knew that the control was working, we would list the compensating controls and what the conclusions were on them. If the compensating controls were operating effectively, then we could conclude that control objective was met; if they didn’t work we conclude that there was a deficiency. We would then add that up… make some conclusions.
    For everything that didn’t have a problem, they would receive a pass.



  • I probably should have clarified my main concern first. My client brought my team in way too late and now our timeframe is extremely compacted. Therefore, we are still testing several processes even though the actual external audit has already started.
    In the end, yes, management will have to provide the proof and basis for their assertion. However, KPMG said they cannot start testing until an explicit statement is made on the control effectiveness. I have heard plenty of times that the auditor cannot start testing until management has started testing. That is fine. But, even though the test results are completed and signed they will not do anything because the explicit conclusion was not made. This is wasting time we already do not have. I do not recall seeing anywhere that the external auditor cannot start/continue their testing until the control conclusion is made.
    The exceptions are being aggregated in a log which is being continuously updated. However, stating a formal conclusion on every single control seems like overkill and an excuse for them to catch up on the documentation we have already given them.



  • However, KPMG said they cannot start testing until an explicit statement is made on the control effectiveness. …
    … I do not recall seeing anywhere that the external auditor cannot start/continue their testing until the control conclusion is made.
    The exceptions are being aggregated in a log which is being continuously updated. However, stating a formal conclusion on every single control seems like overkill and an excuse for them to catch up on the documentation we have already given them.
    I haven’t seen this approach from any other auditor. Our auditor’s integrated audit approach does not seem to prevent them from testing ahead of us. To me the risk is that by them doing their testing first they will discover control deficiencies that we would have otherwise remediated had we found them first.
    Obviously if we didn’t test at all then the auditor can validly question whether management has a sufficient basis for its assertion. However, they appear unconcerned by the timing issue.



  • We also utilize KPMG. They initially said that they would not test an area until our documentation and testing was complete. I believe that this was more from an efficiency perspective in order to keep their fees down. There was also an initial concern that if they found a deficiency that we didn’t find (because they tested before we did) that this would be an indicator of a significant deficiency or material weakness.
    For 2005, KPMG testing ahead of us is not a concern. To the extent that they find a deficiency that we have not identified (because we have not yet tested) and management reacts to it with a remediation plan, they will not consider this an indicator of a significant deficiency or material weakness in our controls.



  • Thanks everyone for the responses so far.
    kymike, which office is the KPMG team you are using based out of? I am dealing with KPMG from the Silicon Valley area. Perhaps each office has a disparate approach? Your KPMG auditors seem more reasonable in the approach they are taking towards testing. To me, that approach is logical.
    However, my auditors seem to follow some unsaid protocol on how they handle the audit, and subsequently, the testing. They do not want to waver on following this mysterious protocol they dreamt up. Very frustrating to say the least. I will need some concrete evidence and ammo to force them to start testing. They have been wasting enough of our time.

