Internal Control Strategies: A Mid to Small Business Guide

Preface ix

Chapter 1 Understanding the SEC’s Guidance for Management 1

Purpose of Internal Control over Financial Reporting 1

Evaluation Process 5

Reporting Considerations 12

Rule Amendments and other SEC Guidance Related to Internal Control over Financial Reporting 14

Chapter 2 The PCAOB’s Auditing Standard No. 5 19

Eight Concepts to Focus the Audit on Matters Most Important to Internal Control 20

New Emphasis on Entity-Level Controls 28

Importance of a Fraud Risk Assessment 29

Tips to Eliminate Unnecessary Procedures 30

Scaling Audits for Smaller Companies 36

Chapter 3 SEC’s Guidance on a Risk-Based Approach 39

Highlights of the SEC Staff Statement 40

Staff’s Emphasis on Reasonable Assurance 41

Comments on Evaluating Internal Control Deficiencies 45

Disclosures about Material Weaknesses 46

Information Technology Comments from the Staff 47

Communications with Auditors: An Unintended Consequence 48

Message for Small Business Issuers and Foreign Private Issuers 50

Chapter 4 Highlights of the PCAOB’s May 2005 Policy Statement 51

Policy Statement Highlights 52

Integrating the Financial and Internal Control Audits 52

Importance of Professional Judgment 55

Top-Down Approach and Role of Risk Assessment 56

When Auditors Can Use the Work of Others 57

Auditors’ Ability to Provide Advice to Audit Clients 57

How the PCAOB Inspections Help Drive Improvements 59

A Final Comment 59

Chapter 5 Starting at the Top: Using Entity-Level Controls to Create Efficiencies 61

What are Entity-Level Controls? 61

How Strong Entity-Level Controls Can Reduce the Scope of Your Program 62

How to Apply COSO’s Recent Internal Control Guidance 65

How to Create a Winning Control Environment 66

Steps for Creating a Useful Risk Assessment Process 76

Control Activities 85

Creating an Effective Information and Communication Program 85

How to Implement Successful Monitoring Controls 90

How to Assign Roles and Responsibilities to Enhance Internal Controls 94

Small-Company Issues for Implementing Entity-Level Controls 98

Summary of COSO’s Guidance for Smaller Public Companies 103

Chapter 6 Minimizing Excess through Proper Scoping and Planning Practices 105

Scoping Analysis: Event or Process? 106

How to Determine Materiality for Scoping Purposes 106

How to Use a Top-Down, Risk-Based Approach to Reduce the Scope of Your Program 111

Methods for Determining Significant Locations 116

Specific Areas Included and Excluded by the PCAOB 120

PCAOB and SEC Guidance on Other Common Scoping Issues 123

Tips for Resource Planning and Developing Useful Timelines 124

Chapter 7 Advantageous Project Management Techniques 127

11 Areas of Focus for the Second Year and Beyond 128

How to Increase Productivity with a Sound Management Approach 129

Aim for the Target Instead of the Way to Get There 130

More Project Management Tips 135

Staffing Strategies 138

Restructuring the Organizational Chart for Sustainability 144

How to Communicate Effectively through Emails, Meetings, and Advisories 148

Tactics for Dealing with Business Changes for Sections 302 and 404 Compliance 150

Chapter 8 Streamlining Documentation 155

Three Ideas to Improve Your Overall Documentation Process 157

Clearing the Clutter: How to Create and Maintain Meaningful Control Matrices 159

Using Relevant Financial Assertions for Planning Purposes 161

Financial Assertion Help for Nonauditors 162

Techniques for Scrutinizing the Number of Key Controls 163

How to Reduce and Improve Controls with Standardization 166

Practical Ideas for Documentation at International Locations 168

How to Create an Effective Spreadsheet Control Program 169

How to Create Strong Financial Reporting Controls 172

Tools for Assessing Control Design 175

An Alternative to Gap Remediation 176

Three More Ideas for Improving Documentation 177

Chapter 9 Economical Testing Techniques 181

Testing Control Design and Operating Effectiveness 181

Practical Steps to Applying Guidance on the Nature, Timing, and Extent of Testing 182

Suggestions for Testing Significant Manual and Nonroutine Transactions 184

Using Update Tests to Ease the Burden of Testing at Year-End 186

Five Ideas for the Timing of Control Tests 190

Types of Control Tests and When to Use Them 194

Why You Should Minimize the Use of Self-Assessment Tests 197

Maximizing Your Auditors’ Reliance on the Work of Others 199

More Inspiration on Efficient Testing 210

Chapter 10 Methods for Remediation Madness 215

Do All Controls Have to Be Remediated? 216

For-Now Approach to Remediation 217

Creating Meaningful Remediation Plans 218

Nine Practice Tips for the Remediation Phase 218

Sufficient Periods for Remediated Controls 221

Steps to Prepare for Retesting 222

Project Management Tools for Remediation 223

Chapter 11 Taking the Mystery out of Evaluating Deficiencies 227

Deficiencies Defined 228

Analytical Steps for Evaluating Deficiencies 230

Are All Exceptions Considered Deficiencies? 235

Techniques for Aggregating Deficiencies 237

Typical Material Weaknesses 239

Unique Nature of IT General Control Deficiencies 240

Market’s Reaction to Process Specific versus Pervasive Material Weaknesses 242

How to Improve Material Weakness Disclosures 244

AS No. 4 and Reporting Whether a Previously Reported Material Weakness Still Exists 245

Successful Communication of Deficiencies to Management and the Audit Committee 246

Suggestions for Management’s Final Assessment Report 247

Chapter 12 Common Areas of Concern and How to Address Them 251

Control Options for the Use of Service Organizations 252

What to Do with Mergers and Acquisitions Activities 258

A Unique Solution for Managing the Tax Process 261

How to Minimize IT Developer Access to Production Issues 263

What to Do When Your ERP System Is Not Compatible with Your Access Controls 264

Tips for Changing ERP Systems and Staying SOX Compliant 266

Practical Ideas for Document Retention Requirements 267

Thoughts on Changing Accounting Firms 269

Appendix A Simplified Sample Entity-Level Control Matrices 271

Appendix B COSO’s Internal Controls Checklist for Entity-Level Controls 279

Appendix C Standardized Period-End Process Control Matrix 283

Appendix D PCAOB Staff Question-and-Answer Index 287

Appendix E SEC Office of the Chief Accountant Frequently Asked Questions Index 291

Appendix F Summary of Changes Made to Auditing Standard No. 2 and the Related New Guidance 295

Index 301