control findingsreporting

Compliance Made Simple Control Finding & Reporting Deficiencies Case Studies Sept. 17, 2014 Presented by: Sonia Luna

Upload: wwwavivaspectrumcom

Post on 20-Jun-2015


DESCRIPTION

Understand in a case study approach why COSO 2013 transitions fail and how to report those failures

TRANSCRIPT

Page 1: Control findingsreporting

Compliance Made Simple

Control Finding & Reporting Deficiencies

Case Studies

Sept. 17, 2014

Presented by:

Sonia Luna

Page 2: Control findingsreporting

COSO Transition: Case Studies

Agenda

• COSO
– Transition Analysis (Do’s & Don’ts)
– Point of Focus (POF): Why they matter

• Case Study (Control Findings)
– Control Environment
– Group Discussion

• PCAOB – Alert #11
– Common Audit Failures
– Level of Precision
– Old vs. New
– Key Report Testing

• Next Steps
– COSO Transition Map
– Compliance Analysis

• Questions

Page 3: Control findingsreporting

The Cube

Still the same, only better, more clear and more relevant.

Page 4: Control findingsreporting

Principles: What “holds” a principle UP!

[Figure: Principle]

Page 5: Control findingsreporting

Polling Question

Have you started your COSO transition, and what percentage are you at?

| Option | Where am I? | %age |
|---|---|---|
| A | Running to Finish Line | 75% |
| B | Getting There | 50% |
| C | Formulating a Plan | 25% |
| D | Not Started | 0% |

Page 6: Control findingsreporting

Visualizing Your COSO Transition

Page 7: Control findingsreporting

Case Study # 1 (Volume #3, pg. 65-66)

Company Background:

– Private Co., retail furniture company (family owned)
– $200MM Rev and exclusively in Western US Sales
– Evaluation of Principle #1

Page 8: Control findingsreporting

Case Study # 1

• Control FINDINGS
– No formal training program to make employees aware of the importance of adherence to standards of conduct.
– No process to evaluate EEs against the published integrity & ethics policy
– Processes to ID & Address Deviations are ad hoc

Page 9: Control findingsreporting

Case Study # 1

QUESTION: Is this a

• Control Deficiency,

• Significant Def., or

• Major Deficiency?

Page 10: Control findingsreporting

Case Study # 1

Principle #1

• Sets the tone?
• Est. SOC
• Eval Adherence?
• Address Deviations?

Page 11: Control findingsreporting


Case Study – Group Solution

What should this private company consider as solutions to this MW?

1.

2.

3.

Page 12: Control findingsreporting

Case Study # 2 (Another Example: volume #4, page #17 – 18)

Approach to Establishes Standards of Conduct

Company Background:

• In 2008, One-Way Street Co. created a code of business conduct & ethical standards, which was provided to all employees and significant vendors.

• In 2008, both employees and significant vendors signed an acknowledgement form confirming they had read and understood the policy, which currently (in 2014) is posted online on the company SharePoint intranet site, available to employees only.

• Annually, One-Way Street requires all employees to take live or web ethics training sessions. As part of its SLAs (Service Level Agreements), One-Way Street regularly provides significant suppliers with a copy of its “Supplier Code of Conduct”, either as an appendix to or referenced in each agreement with these suppliers.

Page 13: Control findingsreporting

Case Study # 2

Control Finding Issues: Group discussion

What could go wrong with this approach at One-Way Street?

1.
2.
3.

What audit evidence would you need to review and/or assess? (Next Slide)

Page 14: Control findingsreporting

Case Study # 2: Transition Considerations - “Top 3 Audit Evidence Items”

| Item # | Evidence | Frequency | A/C Approval (yes/no) |
|---|---|---|---|
| 1 | | | |
| 2 | | | |
| 3 | | | |

Page 15: Control findingsreporting

Group Discussion

What best practices are working at your organization?

Page 16: Control findingsreporting

Case Study # 3: Risk Assessment

Group Exercise

• Task: Identify & analyze significant change and resulting new risks to be considered

Page 17: Control findingsreporting

Case Study # 3

Background:

ABC Inc. became aware of a hurricane approaching some of its manufacturing locations that had the potential to cause significant supply disruptions.

Risk Response:

In response, the company immediately established an internal working team to assess the risks of such disruption to its manufacturing capabilities, and the risks of its own affected facilities to its overall manufacturing footprint. All significant suppliers were contacted, via phone and email, and asked to assess the potential hurricane disruption to their production abilities. Parts that might be delayed for production and shipping were inventoried by the ABC “internal working team”, and alternative suppliers were identified and contacted. When no alternative suppliers were identified, the ABC internal team created a prioritization list of which manufacturing locations should receive the limited number of parts as they became available.

Page 18: Control findingsreporting

Case Study # 3

Task (5 – 8 minutes)

Identify three new risks that may impact financial reporting and that the Finance & Accounting Team needs to consider.

Page 19: Control findingsreporting

What did this Company do right?

1.

2.

3.

4.

Page 20: Control findingsreporting

Group Activity

Classroom work

POF to Approaches Exercise

Page 21: Control findingsreporting

Group Activity

#2 and #4 Map to the most appropriate Approach(es)

Points of Focus:

1. Establishes Oversight Responsibilities
2. Applies Relevant Expertise
3. Operates Independently
4. Provides Oversight for System of IC

Approaches:

a) Establishing Roles, Responsibilities & Delegation of Authority of the BOD
b) Est. Policies and Practices for meetings btwn BOD & mgmt.
c) ID & reviewing BOD Candidates
d) Reviewing Mgmt’s Assertions & Judgments
e) Obtain an external view
f) Considering Whistle-blower info about FS Errors and Irregularities.

Page 22: Control findingsreporting

Group Activity

#2 and #4 Map to the most appropriate Approach(es)

Page 23: Control findingsreporting

Group Activity

Control Environment (Pr. #4)

Principle # 4:

Organization demonstrates commitment to attract, develop and retain competent individuals in alignment with objectives.

Points of Focus:

1. Est. Policies and Practices
2. Evaluates competence and addresses shortcomings
3. Attracts, develops & retains individuals
4. Plans & Prepares for Succession

Page 24: Control findingsreporting

Group Activity: Control Environment (Pr#4)

Points of Focus:

1. Est. Policies and Practices
2. Evaluates competence and addresses shortcomings
3. Attracts, develops & retains individuals
4. Plans & Prepares for Succession

Approaches:

a) Est. required knowledge, skills & expertise
b) Linking Competence standards to est. Policies and practices in hiring, training and retention decisions
c) ID & Delivering on FR related training as needed
d) Selecting appropriate O/S service providers
e) Evaluating competence and behavior
f) Evaluating the Capacity of Finance personnel
g) Developing alternate candidates for key financial reporting roles

Page 25: Control findingsreporting

Group Activity

“Plans & Prepares for Succession”

a) How is succession planning being addressed in your organization? How deep in the organizational chart does COSO want you to evaluate this POF?

b) Is this NOT a COSO 2013 Transition item for your organization and WHY? How would you document this conclusion?

Page 26: Control findingsreporting

Case Study # 4

Risk Assessment and Control Activities process effectiveness overview:

Page 27: Control findingsreporting

Case Study # 4: Risk Assessment & Control Activity

• Company Background:
– Public financial services company
– Three divisions A, B and C
– Objective Category for COSO framework = External Financial Reporting

Page 28: Control findingsreporting

Case Study # 4: Risk Assessment & Control Activity

• Overview of Assessment of control effectiveness

• Management determined it has some revenue recognition control deficiencies and needs to reflect the severity of those deficiencies. One of the revenue streams lacked good controls. They noted deficiencies in one of their up and coming divisions “DIVISION C” but there were NO KNOWN financial statement errors!

• Root cause analysis was done, with the conclusion that management failed to implement control activities over the revenue recognition process at Division C, which became a significant part of their overall revenue and growth for the organization.

Page 29: Control findingsreporting

Case Study # 4: Risk Assessment & Control Activity

POLLING QUESTION: How bad is it? Was this a

A) Control Deficiency

B) Significant Deficiency

C) Material Weakness

D) Not a deficiency

Page 30: Control findingsreporting

What Went Wrong with “Division C”?

1. Who should have sounded the alarm?

2. When should it have been

3. What improvements should be implemented to prevent this from happening

4. Who does this get reported to?

Page 31: Control findingsreporting

Answers Listed:

1. Alarm:

2. When/Timing:

3. Improvements
A.
B.

4. Reporting:

Page 32: Control findingsreporting

Polling Q: Control Def. Policy (Group)

• Who has one?
• When was it last updated?
• When bad “stuff” happens how does it get reported?

Page 33: Control findingsreporting


Internal Control FINDINGS! New PCAOB Auditing BAR!

Page 34: Control findingsreporting

What’s Different?

• Caused audit procedure layering

• More in-depth written description of estimates and use of judgment, especially review controls

• Detailed documentation and testing of system reports utilized in performance of controls.

Page 35: Control findingsreporting


Common Audit failures

Source: PCAOB Audit Alert #11 (Oct. 2013)

Page 36: Control findingsreporting


Closing The Books

Source: PCAOB Audit Alert #11 (Oct. 2013)

Page 37: Control findingsreporting


Closing The Books [Contd.]

Source: PCAOB Audit Alert #11 (Oct. 2013)

Page 38: Control findingsreporting

Level of precision in Plain English?

• How detailed is management’s review of journal entries?

• Document your thought process
– Dollar Threshold
– Percentage of Revenue
– Geographic Location
– Lines of Business
– Other Risk Factors
– Timing

Page 39: Control findingsreporting

Good isn’t good enough: good v. NEW PCAOB control Language

Older Language (“OK”)

Quarterly, Controller reviews the AR allowance for adequacy and reasonableness of reserve amounts by initialing and dating the “AR reserve” analysis.

Audit Controller initials & Match Total $ = DONE!

Page 40: Control findingsreporting

NEW PCAOB control Language: “new standards for control language”

Older Language (“OK”)

Quarterly, Controller reviews the AR allowance for adequacy and reasonableness of reserve amounts by initialing and dating the “AR reserve” analysis.

Updated Control (“Better”)

Quarterly, Controller reviews AR balances of significant customers with o/s balances greater than $10K and 5% of AR balance and those under that threshold by customer type (e.g. geographical location, types of orders, etc.), to review the AR allowance for accuracy and completeness. Adjustments, if needed, are sent via email to the AR manager. The final review of the AR reserve analysis, which agrees to the final g/l balance for the period, is initialed and dated by the Controller.

Page 41: Control findingsreporting

So what happens in testing?

BEFORE

Review initials – DONE!

Layered testing

#1 - Initials

#2 - AR Threshold Analysis (completeness/accuracy)

#3 - AR Emails w/follow-up interview documentation

Page 42: Control findingsreporting

Documentation in Excel

Accounts Receivable Aging

Monday, March 31, 2014

| CUSTOMER | Last Payment Date | Last Payment Amount | Current 0-30 | Past Due 31-60 | Past Due 61-90 | Past Due 91-119 | Past Due 120-150 | Past Due 150+ | Total Due |
|---|---|---|---|---|---|---|---|---|---|
| Loyal Customer | December 1, 2013 | $10,000 | | $214,000 | $245,000 | | $288,000 | | $747,000 |
| New Customer - Russia | September 1, 2013 | $53,000 | | $101,000 | $130,000 | $0 | | $445,000 | $676,000 |
| Trying Things Out Customer | January 12, 2014 | $76,000 | $95,000 | $279,000 | | $131,000 | | | $505,000 |
| Not so new Customer | February 1, 2014 | $46,000 | $284,000 | | $116,000 | | | | $400,000 |
| TOTALS | | | $379,000 | $594,000 | $491,000 | $131,000 | $288,000 | $445,000 | $2,328,000 |

Allowance Analysis

| CUSTOMER | 0-30 | 31-60 | 61-90 | 91-119 | 120-150 | 150+ | Total |
|---|---|---|---|---|---|---|---|
| New Customer - Russia | $0 | $101,000 | $130,000 | $0 | $0 | $445,000 | $676,000 |
| Trying Things Out Customer | | | | | | | $126,250 |

Grand Total of Allowance to A/R: $802,250

Current G/L Balance: $500,000

Adjusting Journal Entry (Inc)/Dec: ($302,250)

Prepared by: /s/ Susie Smith    Date: 4/5/2014

Prepared by: /s/ Arnold Jones    Date: 4/15/2014

Review Signatures “Old School Auditing”

Page 43: Control findingsreporting

Documentation in Excel

Accounts Receivable Aging

Monday, March 31, 2014

| CUSTOMER | Last Payment Date | Last Payment Amount | Current 0-30 | Past Due 31-60 | Past Due 61-90 | Past Due 91-119 | Past Due 120-150 | Past Due 150+ | Total Due |
|---|---|---|---|---|---|---|---|---|---|
| Loyal Customer | December 1, 2013 | $10,000 | $0 | $214,000 | $245,000 | | $288,000 | | $747,000 |
| New Customer - Russia | September 1, 2013 | $53,000 | $0 | $101,000 | $130,000 | $0 | $0 | $445,000 | $676,000 |
| Trying Things Out Customer | January 12, 2014 | $76,000 | $95,000 | $279,000 | $0 | $131,000 | $0 | $0 | $505,000 |
| Not so new Customer | February 1, 2014 | $46,000 | $284,000 | $0 | $116,000 | $0 | $0 | $0 | $400,000 |
| TOTALS | | | $379,000 | $594,000 | $491,000 | $131,000 | $288,000 | $445,000 | $2,328,000 |

Allowance Analysis

| CUSTOMER | 0-30 | 31-60 | 61-90 | 91-119 | 120-150 | 150+ | Total |
|---|---|---|---|---|---|---|---|
| New Customer - Russia | $0 | $101,000 | $130,000 | $0 | $0 | $445,000 | $676,000 |
| Trying Things Out Customer | | | | | | | $126,250 |

Grand Total of Allowance to A/R: $802,250

Current G/L Balance: $500,000

Adjusting Journal Entry (Inc)/Dec: ($302,250)

Prepared by: /s/ Susie Smith    Date: 4/5/2014

Prepared by: /s/ Arnold Jones    Date: 4/15/2014

Russia Allowance supporting documents:

1) AR Client detail report (a)
2) Client Invoice Analysis report by product type (a)
3) Payment history - client detail report (a)
4) Email communication w/Dir. of Rev
5) Email communication w/Dir. of Sales
6) Confirmation email of AJE by COO and CEO (specifying Russia)

(a) - Part of Management Key report testing (page # 27 of PCAOB audit alert #11)

Page 44: Control findingsreporting

Remember what key report testing!

Page 45: Control findingsreporting

Audit Alert #11 (extract pg#20)

Page 47: Control findingsreporting

COSO transition Mapping Template

avivaspectrum.com/blog

Page 48: Control findingsreporting

Next Steps

The Process

• Initial Intake
• Analysis & Benchmarking
• CCA Report

Page 49: Control findingsreporting

Our Control Compliance Analysis (“CCA”)

COSO Transition

• Top Transition Failures (Case Studies)
• Audit Evidence required
• Priority Driven by Principles

PCAOB, IIA & SEC Guidance

• Latest PCAOB Internal Control Standards
• IIA Incorporated Top 7 IC Failures
• SEC Guidance for Mgmt on Internal Controls

Page 50: Control findingsreporting

Control Compliance Analysis

Join Our LinkedIn Group: COSO Framework Discussion & Webinars

http://www.linkedin.com/groups/2013-COSO-Implementation-4888186/about

Technical community sharing ideas, templates, webinars and advice. Learn from others implementing the new framework.

JOIN Today!

Page 51: Control findingsreporting

Questions?

Sonia Luna - President, CEO
Aviva Spectrum
www.linkedin.com/in/sonialuna
www.slideshare.net/soxppt
www.avivaspectrum.com/podcasts

Page 52: Control findingsreporting

Case Study # 2: Suggested Audit Evidence

Audit evidence considerations:

1. Code of Conduct (“COC”)
2. Supplier COC
3. Accessibility to COC
4. SLA inventory
5. Definition and confirmation of significant vendors (in Policy/Procedure document)
6. Training $$$$ spent/budgeted
7. Training Policy/Procedures
8. Certificate of Completion (Training) or Attendance Records
9. Legal Policy/Procedure document for suppliers master services agreements (Is legal informed of this requirement and are they executing this per Company policy of Significant Vendors)

Page 53: Control findingsreporting

Case Study # 3

Some of the new risk areas to consider could be:

1. Potential penalties contained within various sales contracts
2. Inventory Obsolescence
3. Impact from delays in supply of parts
4. Insurance claims & potential losses
5. Incremental risks from required system & process changes

Consider: Audit Evidence Required to Mitigate the Risk.

Page 54: Control findingsreporting

Case Study # 4 - ANSWER: Risk Assessment & Control Activity

What COSO has to say:

A related weakness was noted in Principle #9 “Identifies & Analyzes Significant Change”, because the company never adopted key controls over this Division C that was growing rapidly and Corporate office assumed it was doing what they expected. The conclusion was a:

MATERIAL WEAKNESS for:
Principle #10 “Selects and Develops Control Activities” and
Principle #9 “ID & Analyzes Significant Change”