A New Focus for Controls Testing
How many companies thought or still think that to comply with Sarbanes-Oxley there simply needs to be a piece of paper with a signature on it? That “check-the-box” mentality is no longer even remotely acceptable. With pressure from the PCAOB, many public accounting firms have expanded their documentation requirements surrounding controls testing, which affects both internal auditors and control owners.
How many times have you heard your auditor say "we're going to audit through the computer"? What does that even mean? It means they are going to test general computer controls (“GCCs”) such as logical and physical access and user provisioning, and confirm that an adequate segregation of duties exists within the system. They may even drill down further and test application-level controls to verify that key systems are functioning as designed. Auditors should then be able to rely on computer-generated reports and automated workflows, right? Not necessarily – the PCAOB has reminded the audit profession that while testing GCCs and even application controls provides a certain level of comfort over systems, it is not necessarily an adequate level of assurance.
The levels of assurance should also have a direct alignment to the risk assessment performed within each audit area, with key factors including history of issues, financial statement impact, complexity of the process, volume of transactions and reliance on systems, to name a few. This process, according to the PCAOB, should be well-documented and guide the integrated audit process. The documentation should include procedures performed to obtain “reasonable” assurance, which could result in a combination of GCC, application and manual control testing.
One area of audit focus has been on the review procedures performed by the control owners. Auditors are expanding their testing documentation to not only include the steps that individuals performed as part of their review process, but also the data used to perform the control and the procedures the reviewers used to confirm that the data is valid, complete and accurate. Furthermore, auditors are being instructed to document variance thresholds and decision trees based on amounts and/or the significance of the balance to the financial statements.
What implications does this have for an internal auditor? If external auditors are going to rely on the work of internal audit, internal auditors will have to retain a level of evidence to support every step of their work. While internal audit has historically been successful at documenting testing and results, an increased focus has emerged on testing population completeness. As such, internal audit is being asked to support how populations were captured and possibly walk through the report generation process and report parameters to validate a population. Once the populations are validated, random sampling techniques are used, and the methodology and sampling statistics should be retained to support the selections. This documentation flow gives the external auditor a complete understanding of how internal audit obtained their “assurance”, which should allow for greater reliance on the work of internal audit.
A few techniques auditors perform to confirm completeness of the populations are:
- observe the report being generated,
- obtain screenshots to support the parameters in the system used to generate the report,
- obtain read-only access to the system to independently generate the report and document how its completeness was confirmed.
The end result is going to be a full audit trail from the system to the report used to select audit samples, one which can be followed by someone independent of the company and the integrated audit process.
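One way to make that audit trail re-performable is to fingerprint the validated population, draw the sample from a recorded seed, and retain the report parameters, population count, hash, seed, and selections together as the evidence record. The script below is an added illustration of that flow and is not code from the original article; the invoice population, the report parameter names, and the seed are constructed sample values, and the evidence record layout is a hypothetical one, not a standard any auditing body prescribes.

```python
"""Reproducible audit sample selection with a retained evidence record.

Added illustration for the population-completeness and sampling steps
discussed above (not the article's own code). All data below is constructed.
"""
import hashlib
import json
import random

# Constructed sample population standing in for rows pulled from an ERP report.
SAMPLE_POPULATION = [
    {"invoice_id": f"INV-{n:05d}", "amount": amount}
    for n, amount in enumerate(
        [120, 4500, 80, 9900, 310, 2750, 60, 15000, 425, 890,
         1200, 33, 7600, 540, 2100, 99, 8800, 650, 1700, 275],
        start=1,
    )
]

# Constructed report parameters; the screenshots or observation evidence the
# auditor retains would show the same values entered in the system.
SAMPLE_REPORT_PARAMETERS = {
    "report": "AR_INVOICE_REGISTER",
    "period_start": "2023-01-01",
    "period_end": "2023-12-31",
    "company_code": "1000",
    "status": "POSTED",
}


def population_fingerprint(population):
    """SHA-256 over the canonical JSON of the population.

    Anyone who regenerates the report with the same parameters can recompute
    this value and confirm they are looking at the same set of records.
    """
    canonical = json.dumps(population, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def select_sample(population, sample_size, seed):
    """Draw a simple random sample without replacement, deterministically.

    Selection is made over row positions so each pick can be tied back to the
    population file by index as well as by identifier.
    """
    if sample_size > len(population):
        raise ValueError("sample size exceeds population size")
    rng = random.Random(seed)
    positions = sorted(rng.sample(range(len(population)), sample_size))
    return [(i, population[i]) for i in positions]


def build_evidence_record(population, report_parameters, sample_size, seed):
    """Assemble what an independent reviewer needs to re-perform the selection:
    report parameters, population count and hash, method, seed, and picks."""
    selections = select_sample(population, sample_size, seed)
    return {
        "report_parameters": report_parameters,
        "population_count": len(population),
        "population_sha256": population_fingerprint(population),
        "sampling_method": "simple random sample without replacement "
                           "(python random.Random.sample)",
        "seed": seed,
        "sample_size": sample_size,
        "selections": [
            {"row_index": i, "invoice_id": row["invoice_id"], "amount": row["amount"]}
            for i, row in selections
        ],
    }


def reperform(record, regenerated_population):
    """Independent re-performance: regenerate the report, confirm the population
    matches the retained fingerprint, then confirm the documented seed and
    sample size yield the same rows. Returns (ok, reason)."""
    if population_fingerprint(regenerated_population) != record["population_sha256"]:
        return False, "population differs from the one originally sampled"
    redo = select_sample(regenerated_population, record["sample_size"], record["seed"])
    expected = [s["row_index"] for s in record["selections"]]
    if [i for i, _ in redo] != expected:
        return False, "selections could not be reproduced"
    return True, "selection reproduced"


if __name__ == "__main__":
    record = build_evidence_record(
        SAMPLE_POPULATION, SAMPLE_REPORT_PARAMETERS, sample_size=5, seed="FY2023-AR-001"
    )
    print(json.dumps(record, indent=2))
    print(reperform(record, SAMPLE_POPULATION))
```

The point of the design is that the record alone, plus read-only access to regenerate the report, is enough for someone outside the engagement to repeat the selection: a population that has changed fails the fingerprint check, and a different seed or sample size fails to reproduce the picks, so either discrepancy surfaces rather than being hidden behind a signed cover sheet.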
The audit profession is being held to a higher standard and that is going to impact auditors, company personnel being audited and ERP providers. The end result may be a more thorough audit, but it’s also going to take more time and resources to complete, so be ready.