#26 | Part 10 – Deficiencies & Material Weaknesses in Demystifying SOX 404 – Auditing Standard 5
Welcome to part 10 of SOX 404: Auditing Standard 5 (AS5). AS 5 has over 100 pages, so I’m going to make it easier to understand by talking through keywords and key concepts. In this session, we cover:
- Special Considerations for Subsequent Years’ Audits
- Evaluating Identified Deficiencies
- Indicators of Material Weakness
I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.
Find the sections of PCAOB Auditing Standard 5 that interest you in the table of contents below. You can watch those videos or read those blog posts without having to read the original literature itself.
Special Considerations for Subsequent Years’ Audits
Here are things to consider for the following year’s audit. Remember that Auditing Standard 5 is for external auditors. But as SOX auditors, we’ve essentially adopted it because it’s like a test that’s given. We want to pass the test so we have to study the materials.
Paragraph 57 is intuitive. It says to incorporate what you learned in past audits into what you’re going to do this year or next year. The factors listed in paragraph 58 are actually similar to what we have seen before:
- the nature and timing of work in previous audits;
- the results of that testing;
- changes in the process since last year; and
- the risk factors.
Now paragraph 60 talks about a benchmarking strategy for automated application controls. A benchmarking strategy applies when a company first puts in a new ERP system or upgrades its accounting system to the latest version.
For example, in a company that implements NetSuite for the first time, in the first year, as external auditors or as internal auditors, we are able to test and say, “This is the baseline. Here’s the standard configuration that was originally put in, and we are comfortable with it because we tested all the standard configurations.”
That becomes the beginning point or the benchmark. Every year after that, we do not have to test every single control and every single configuration again. We just have to test any changes to the system.
If there are no changes since the last time we tested it, no testing is needed because the system is the same. We just have to show a system generated log that no changes were made.
It’s the same logic if you use Oracle. If the client did an upgrade, like from 11i to R12, during the user acceptance testing phase we will test application controls, functionalities, segregation of duties and the set-up of roles and responsibilities. Once you do the initial testing, that becomes your baseline. We only have to test the changes to see how they impact the controls. It’s less testing and work in the later years if you can do a solid benchmark.
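The benchmark-and-changes idea above can be made concrete with a small script. This is an added example, not code from the post, from PCAOB, or from any ERP vendor: the setting names, their values and the system change log are all constructed for illustration. It compares the configuration snapshot captured when the system was first tested (the benchmark) against the current snapshot, lists only the settings that need re-testing, and, as a check a practitioner would want, flags any difference that the system-generated change log does not account for, since a “no changes” log is only good evidence if the logging itself is complete.

```python
"""Benchmarking an automated application control baseline (added example).

Compares a baseline configuration snapshot, captured when the system was
first tested, against the current snapshot and scopes this year's
re-testing to the settings that actually changed. All setting names,
values and the change log below are constructed for illustration.
"""
import hashlib
import json

# Constructed baseline: configuration tested in year one (the benchmark).
BASELINE = {
    "ar.invoice_approval_required": True,
    "ar.credit_limit_check": True,
    "gl.period_close_lock": True,
    "gl.manual_journal_threshold": 5000,
    "sod.ap_enter_and_approve_same_user": False,
}

# Constructed current-year snapshot: one threshold changed, one setting added.
CURRENT = {
    "ar.invoice_approval_required": True,
    "ar.credit_limit_check": True,
    "gl.period_close_lock": True,
    "gl.manual_journal_threshold": 25000,
    "sod.ap_enter_and_approve_same_user": False,
    "ar.auto_post_invoices": True,
}

# Constructed system-generated change log for the period under audit.
# Note it records the threshold change but not the added setting.
CHANGE_LOG = [
    {"setting": "gl.manual_journal_threshold", "old": 5000, "new": 25000, "by": "admin1"},
]


def fingerprint(snapshot):
    """Stable hash of a configuration snapshot, used as the benchmark id."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_snapshots(baseline, current):
    """Return settings added, removed, or changed since the benchmark."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in baseline.keys() & current.keys()
                     if baseline[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}


def scope_retest(baseline, current, change_log):
    """Decide what must be re-tested this year under a benchmarking strategy.

    Returns a dict with:
      benchmark_id - fingerprint of the baseline relied on
      retest       - settings whose configuration differs from the benchmark
      unlogged     - differences the system change log does not account for;
                     these undermine reliance on the log as evidence
      no_changes   - True only when the snapshots match, so the system log
                     showing no changes is sufficient evidence on its own
    """
    delta = diff_snapshots(baseline, current)
    retest = delta["added"] + delta["removed"] + delta["changed"]
    logged = {entry["setting"] for entry in change_log}
    unlogged = sorted(k for k in retest if k not in logged)
    return {
        "benchmark_id": fingerprint(baseline),
        "retest": retest,
        "unlogged": unlogged,
        "no_changes": not retest,
    }


if __name__ == "__main__":
    print(json.dumps(scope_retest(BASELINE, CURRENT, CHANGE_LOG), indent=2))
```

With the constructed data, only the journal threshold and the new auto-post setting are in scope for re-testing; the auto-post setting shows up as unlogged, which is the kind of gap that would have to be resolved before relying on the change log at all. Running the function with two identical snapshots returns `no_changes` as True, the case where the log alone is the evidence.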
Paragraph 61 says you should vary what you are doing year after year to add an element of surprise. Sometimes you’ll hear auditors use the phrase “SALY,” which is Same As Last Year. Well, if you keep doing the same thing over and over, the client anticipates it and might hide things because they think, “They are not going to look at this area. I’ll just hide it here.”
So you want to change things up periodically based on the circumstances. Every year, companies grow and shrink, so it’s very hard to always say it’s exactly the same as last year. Maybe some of the procedures and the types of testing we do are the same, but the timing or the extent will vary.
Evaluating Identified Deficiencies
We’ve done all of this work leading up to evaluating identified deficiencies. We planned the audit and assessed the risk of fraud. We looked at materiality. We selected the controls that are key and we tested. Now, we have a bunch of deficiencies. Every company has deficiencies. It’s deciding whether the deficiency is a deficiency, a significant deficiency, or a material weakness that is important.
Here is how we evaluate these deficiencies.
Severity of Deficiency
Paragraph 62 says that when you evaluate deficiencies, look at each deficiency both individually and in combination with other deficiencies. Could they add up to a material weakness at year-end? Paragraph 63 explains that the severity of a deficiency depends on whether there is a reasonable possibility that the control would fail, or did fail, to prevent or detect a misstatement, and on the magnitude (the amount).
Paragraph 64 also addresses the severity of the deficiency: not just whether the error actually occurred, but what could have occurred.
To illustrate, we might have found a mistake for $100, but could that mistake have been for $200? Could it have been for $500? Could it have been for $100,000 or $1 million? At which point would the company’s controls detect or prevent it? Whatever the maximum is, that’s the potential misstatement, not the actual $100 error that we found.
Nature of Financial Statement Account
Paragraph 65 lists the factors we consider in deciding what type of deficiency it is. We need to look at the nature of the financial statement account or the disclosures. If it’s a small mistake in the disclosures, maybe someone transposed a number, because there are lots of numbers in a footnote disclosure or table.
For example, instead of $5 million in cash on the balance sheet, you put $15 million. That’s something someone would easily have caught because the balance sheet is front and center for all to see. But maybe in the footnote disclosures, you transposed a number or have a typo. Those things potentially happen but it’s not so blatant.
Susceptibility to Loss or Fraud
The next factor to consider is susceptibility to loss or fraud. Again, you are more likely to have a loss or fraud in a cash account or a revenue account because cash can walk off. Cash is something people look at because it’s the lifeline of a business, compared to long-term assets.
You also have to look at the severity, complexity or extent of judgment involved in the amount and the mistake. In the previous example, we found a mistake in cash during the bank reconciliation. When you look at a bank statement, take the ending cash balance, plus your deposits in transit, minus your checks outstanding. It’s easy to calculate what the amount should be.
But there may be some amounts where there’s a lot of judgment like your AR reserve. Someone has to apply judgment. Do you reserve 100% of an amount or do you reserve 10%? It depends on the business circumstances.
Relationship of Control to Other Redundant Controls
You also have to look at the relationship of that control to other redundant controls. If the deficiency we found is a control that failed, maybe there are two other controls that act the same way or would have caught the mistake for this control. If we then tested those controls and they were working, we could say that our deficiency is still a deficiency, but it doesn’t rise any further than that.
You also need to consider the interaction of the deficiencies. For example, if the company has 10 deficiencies and 8 of them are all around cash and investments, we can make a case that it is a material weakness, because that seems to indicate multiple things failing in that area.
Compare that to another company that has 10 deficiencies, but each of those deficiencies is in a different part of the balance sheet and P&L. As part of normal operations, you are going to find little failures here or there, but those are scattered and don’t indicate a pattern.
Magnitude of Misstatement
Paragraph 66 says that when we look at the magnitude of the mistake, we include not only the amount but all the transactions that are exposed.
For example, say we test 45 revenue transactions and find that one of them has a $100 error, AND during that time the system was not set up to review any of the revenue transactions, or the person who was supposed to do the review was not hired yet, so all revenue transactions automatically went into the system without review.
Now the mistake is not just $100. Our total exposure is all the transactions from January to March when that control was not in place, or when no one was performing it. So you actually have to go out and find all the transactions that meet the same criteria as the mistake we found. Add those up, and that’s the potential magnitude of the mistake.
Volume of Activity
AS5 talks about the volume of activity. In our example where we found the $100 mistake, if it’s part of an account that has millions and millions of transactions, there’s more likelihood of other similar errors. We found $100 and maybe there are other transactions similar to it which makes it higher risk.
Compare that to an account with only 10 transactions. Well, just with those 10 transactions, you could quickly identify if there’s a risk or not.
Compensating Controls
Paragraph 68 talks about compensating controls. In our example, no one was looking at, reviewing and approving revenue transactions from January through March. The person may not be reviewing each of those transactions, but you might have a second control somewhere else: before invoices are sent out, or before revenue is recognized in the system, an accountant looks at each invoice, looks at the revenue contract, and checks all of these things before revenue recognition happens. Now you can say there’s a compensating control that would have caught this mistake at that same level of work or slightly higher.
Indicators of Material Weakness
Paragraph 69 is the continuation of evaluating identified deficiencies. It talks about what the indicators of a material weakness are. The reason material weaknesses get so much focus is that a material weakness is disclosed in the auditor’s opinion. In later sections, I’ll explain what the auditor is required or not required to disclose. The common thinking for many companies is, “It’s fine if I have significant deficiencies, but material weaknesses have to be discussed and disclosed, and I don’t want that.”
Here are the indicators of material weakness:
- Fraud, whether or not material, on the part of senior management. It’s critical to focus on senior management. If the CFO was stealing $10,000, or even $100, then even though $100 is not material, the fact that your CFO is stealing from you is an indicator of your control environment. That’s why, in certain scandals, you’ve seen the focus on senior management. So fraud doesn’t have a materiality filter, particularly for senior management.
- Restating prior years. Maybe the error we found this year is a very small amount, but in the past it was a bigger deal; if we have to go back and restate prior years, that is more of an indicator of a material weakness. The external auditor has to consider, “Would the company’s controls have caught this?” If it would NOT have been caught by the company’s controls, then it indicates a material weakness.
- The other indicator is ineffective oversight of the financial reporting process by the audit committee. Again, the reason the audit committee is referenced here is that it’s at the very top of your organization. If you don’t have an effective audit committee overseeing your financial reporting, it could be an indicator of bigger issues that we haven’t discovered, or simply an indicator that something is wrong on a larger scale than what we found.
Paragraph 70 is a lot of words, and you’ll see the phrase ‘prudent officials’. It basically says that when you are evaluating a deficiency or combination of deficiencies, you have to put yourself in the position of a prudent official. This is where creative writing comes into play: often, when we are helping clients position themselves to say that this is a significant deficiency rather than a material weakness, we bring out the prudent official and ask, “As an investor, or as a knowledgeable investor looking at the financial statements, if they found or spotted that this particular error had happened, would they have cared?”
That’s why operating in a particular industry or business, and having knowledge of that business, is very helpful, for example when the error is in revenue. There’s a lot more scrutiny if you’re a software company than if you are a biotech company. In biotech, there is no revenue, and the prudent official is really looking at your research and development and your potential for the future, not your existing revenue.
There is actually a framework that we use to evaluate the deficiency. I’ll cover that in a different session.
Summary
We covered a lot of content. To recap we learned: