AUDIT EFFICIENCIES: IS YOUR
RELIANCE STRATEGY WORKING FOR
YOU?
Kyleen Wissell, CRISC, PHR, RCC
Today’s Agenda
• Background: Audit Standard #5 adopted by PCAOB and approved by the
SEC in 2007 was intended to reduce the overall effort to comply with
Sarbanes-Oxley. Work is expected to be completed economically and
expeditiously, with more discretion and flexibility.
• Judgment: Complex decision tasks that require professional judgment and
may be influenced by a number of factors, both external (environment)
and internal (cognitive and affective), including the auditors’ working style
and previous experiences related to barriers to auditor cooperation,
objectivity and / or competence.
• Session Goal: Assess whether your work as an Internal Auditor and/or
Management can influence greater reliance by the External Auditor and
where you may be able to strengthen reliance on your work, and thereby
reduce the costs of compliance and duplicative efforts which overlap.
Note: Perspective is limited to business and not as an external auditor.
2
Topics
• Summarized Expectations of the External Auditor (what Auditing
Standard No. 5 allows)
• Auditor Reliance Strategy & Approach (factors and considerations)
• What is the opportunity?
• Auditor Reliance Summary Criteria
• Competence of the Internal Audit Function
• Audit Efficiencies: Example Plans
• Key Questions for Considering Whether You Are Capitalizing on
Auditor Reliance Opportunities
• Sources
• Q&A
3
Summary Expectations of the External Auditor
What AS5 Allows
•
Requirement of the Auditor: The auditor must obtain appropriate evidence which is sufficient
in order to obtain reasonable assurance about whether material weaknesses exist. A direct
relationship exists between the degree of risk that a material weakness could exist in a
particular area of internal control over financial reporting and the amount of audit attention
that should be devoted to that area.
•
Test of Controls: It is not necessary to test 100% of controls that, even if deficient, would not
present a reasonable possibility of material misstatement to the financial statements.
•
Risk: Auditors are required to critically review all the areas of high risk in order to ensure that
the planned procedures are adequately covered.
•
Tests Performed Properly: The Auditor must determine this through “re-performance” testing.
External Auditors generally select approximately 20% of control activities and re-perform a
sufficient portion (judgmental) of management’s testing to conclude whether the test of
controls was performed properly.
4
Auditor Reliance Strategy & Approach
Factors and Considerations
•
Reliance: The auditors may use the work performed by, or receive direct assistance from
internal auditors, company personnel and third parties working under the direction of
Management. A reliance strategy means that the auditor intends to rely on Internal Audit, or
others, rather than performing more “hands on” audit procedures in order to obtain audit
evidence for themselves.
–
•
Accounts: Important factors to be considered includes nature and significance of items in the
accounts within the balance sheet and income statement, by assessing the:
–
–
•
This offers more possibilities towards savings when considering the average blended rate for some of the Big 4 firms is
upwards of $450 an hour.
Nature of the accounts and the volume of transactions which result in significant account balances, and
Taking into account any audit risks identified when analyzing the client’s business.
Audit Efficiencies: Those items in the accounts, which because of the limited volume of
transactions or other factors, can be audited more efficiently through substantive tests rather
than reliance.
–
Examples may include share capital, long term debt and related interest expense, investments and related income
(except when a large portfolio of investments is held).
5
Auditor Reliance Strategy & Approach
Factors and Considerations (cont’d)
•
Extent of Risk: The extent to which the auditor may use the work of others will depend on the risk
associated with the control(s) in scope to be tested. As the risk associated with a control increases,
the need for the auditor to perform his or her own work increases. For example,
 Controls over complex areas of the business, significant transactions outside of the normal
course of business, journal entries, related party transactions, and controls which mitigate
incentives for and pressures on management to falsify or the potential for mismanagement of
financial results.
 Risk related to a high probability of error for areas subject to estimation or susceptible to
pilferage.
 Risk related to the structure of the organization, especially in cases of joint ownership of an
organization, whether the owners are not equally represented in Management.
 Risk related to controls which are not operating effectively or problem areas.
 Processes which have recently been transformed or changed.
 Number of accounting locations and the likelihood of increasing the effect of cost and the
similarity of processes from location to location.
 Number of adjusting entries.
 Types of unusual or complexity of transactions of which the client is engaged.
•
IT Risks: Identification of the risks and controls within IT should not be a separate evaluation, as
application systems are linked to financials.
6
Auditor Reliance: What is the Opportunity?
•
Reliance Goal: Medium and Low Risk processes and controls, as well as on lower risk
Walkthroughs.
 Dialogue should be initiated and/or ongoing with your external auditors to determine if
it’s reasonable to expect benefits for your company.
 A preliminary understanding and evaluation of the potential for reliance should be
documented.
 Subsequently, a framework should be developed with your external auditor which
outlines or regards what work Internal Audit or others could perform.
 A permanent and detailed record prepared and shared.
 Other considerations, where if improvements were made, reliance could be achieved.
 Auditors are allowed to incorporate the knowledge obtained during past audits into the
decision-making process for determining the nature, timing and extent of testing
necessary in the current year. They can roll forward prior year’s testing when the control
was sufficiently tested and found to be effective.
 It’s reasonable to expect:
 90-95% reliance on Internal Audit’s work for non-public clients.
 50-65% is possible for public clients, however not more than 2/3 of work is allowed by PCAOB.
7
Auditor Reliance Summary Criteria
•
Management: It all starts with establishing materiality at the account balance level so that
risk can be quantitatively and qualitatively established before risk has meaning. Inherent risk
implies that we can predict where errors are most likely and least likely within the financial
statement segments.
•
Competence & Objectivity: The auditor is required to assess the competence and objectivity
of the persons whose work the auditor plans to use to determine the extent to which the
auditor may rely on their work. The higher the degree of competence and objectivity, the
greater use the auditor may make of the work. Perceptions about competence and objectivity,
developed over years of interaction, also influence these judgments as well as working
relationships and styles.
•
Current & Previous Audits: External Auditors will evaluate their experience through results of
current and previous audits (tests of controls and substantive tests) as well as the integrity
exhibited by Management.
8
Competence of the Internal Audit Function
•
External Auditors must evaluate the existence and quality:
 Education and professional experience, including professional certification and
continuing education related to standards for the department.
 Resumes of everyone involved with the audit.
 Audit plan and scope including the nature and extent of audit procedures.
 Supervision and review of internal auditor activities and work including responsibility for
day-to-day work and addressing issues.
 Procedures being performed to ensure recommendations issued are being
implemented.
 Remediation and corrections are consistently reported to management and followed up
for closure.
 Visibility and status with upper management.
 Interaction, association and organizational reporting relationship to those charged with
governance in the organization.
 Reporting relationship to the Audit Committee and whether relationships extend past
committee meetings.
 Rotation of auditors to significant areas and process and including locations within the
business.
 Relevance of coverage as it relates to how the External Auditor.
 Deliverables prepared by the Audit Team including the sampling approach.
9
Audit Efficiencies – Example Plan
Year 1
Year 2
Year 3
Year 4 and
beyond
• External Auditor places little to no reliance on Internal Audit for the walkthrough
documentation process. Firm attends and documents walkthroughs to gain an
understanding of all processes.
• External Auditor works with Internal Audit to incorporate the firm’s audit walkthrough
documentation template and relies on the work of Internal Audit for low risk processes.
• External Auditor plans to increase reliance on Internal Audit for certain processes, by
exploring ways to more effectively utilize the business process owner’s time to reduce follow
up questions regarding items such as; key reports and spreadsheets, SOC-1 processes, and
audit request list items.
• As planning begins, External Auditor works with Management and Internal Audit to evaluate
requirement for walkthroughs of all processes, and determine if audit requirements can be
achieved with adjustments to the walkthrough procedures.*
• Note: “inquiry only” would likely not be sufficient enough, as guidance requires review and documentation of evidence
in order to validate no key changes.
10
Audit Efficiencies – Control Testing Example Plan
Location
Reliance is determined based on risk and
complexity of the control plus other
judgments
Approximately 63-65% reliance achieved
globally in Year 3**
We are at the maximum reliance for
controls testing, and expect similar
percentage in Year 4 and beyond
(dependence on continued effectiveness
of internal controls)
Year 3
Year 4
(# of rely controls)
(# of rely controls)
Canada
16
16
Hong Kong
5
5
Ireland
17
20
Japan
5
5
United Kingdom
25
24
United States
45
41*
Corporate
27
26*
Total
140
137
*Change can be attributed to different factors including a
change in the number of controls, and a change in control risk
levels year-over-year.
**Does not include application controls at this time.
11
Key Questions for Considering Whether You Are
Capitalizing on Auditor Reliance Opportunities
•
•
•
•
•
•
•
•
•
•
•
•
Where does direct assistance make sense?
Is there is a spotlight on improving the efficiency of audit-related processes?
Management’s oversight of Sarbanes-Oxley activities?
What is the competency of the Internal Audit function? Quality of deliverables?
What is the objectivity of the Internal Audit function? Management?
How effective is the working relationship between Internal Audit, External Audit &
Management?
What is the timing or period of Internal Audit coverage versus SOX deliverables?
How adequate or effectively has your Sarbanes-Oxley program been scoped?
How did the organization identify key internal control processes that are financially
significant? Did you take a top-down, risk-based approach?
Have you determined high, medium and low risk controls?
Have you identified and use direct and indirect entity-level controls? Monitoring
controls?
Do you have a structured approach to evaluating deficiencies?
Is your internal control environment effective and sustainable?
12
Sources
•
Auditing Standard No. 5
http://pcaobus.org/Standards/Auditing/Pages/Auditing_Standard_5.aspx
•
AICPA Auditing Standards Board
http://www.aicpa.org/Research/Standards/AuditAttest/ASB/Pages/AuditingStandardsBoard.a
spx
•
Sarbanes-Oxley Compliance Journal http://www.sox.com/dsp_getFeaturesDetails.cfm?CID=2279
•
Security and Exchange Commission Release on Auditing Standard No. 5
http://www.sec.gov/rules/pcaob/2007/34-55876.pdf
•
The Wall Street Journal “Deloitte Insights”
http://deloitte.wsj.com/cfo/2012/09/19/sustainability-why-cfos-are-driving-savings-andstrategy/
13
Q&A
Thank you!
[email protected]
14