CUNA Regulatory Comment Call
March 20, 2006
AICPA Proposal Regarding Attestation Engagements
- The Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) has published an Exposure Draft containing a proposed Statement on Standards for Attestation Engagements (SSAE) entitled Reporting on an Entitys Internal Control Over Financial Reporting (also referred to as AT 501). The ASB is the senior technical committee of the AICPA designated to issue auditing, attestation, and quality control standards and guidance. It is authorized to make public statements on matters relating to auditing, attestation, and quality control standards without clearance from Council or the Board of Directors. This proposed SSAE would revise the requirements and guidance for an independent certified public accountant (CPA) for reporting on the internal control of nonpublic companies, including credit unions.
- The proposed SSAE provides guidance to a CPA on evaluating managements basis or substantiation for making an assertion about an entitys internal control over financial reporting. Under the proposal, the CPA would be required to obtain a representation letter from the credit union management that includes a written assertion about the effectiveness of the entity's internal control. The proposal also details managements documentation requirements to support the assertion.
- According to the proposal, the CPA should evaluate identified control deficiencies by significant account balance, disclosure and component of internal control to determine whether the deficiencies, individually or in combination result in a significant deficiency or a material weakness. The proposal discusses the types of testing the CPA should perform in conducting the evaluation.
- The proposed SSAE would require the CPA to communicate, in writing, to management and those charged with governance any significant deficiencies and material weaknesses that exist as of the date of managements assertion, those the CPA becomes aware of during the examination, and any known or suspected fraud.
- The Exposure Draft includes new appendixes, including one that provides an illustrative report that management must provide to external parties if the CPAs report is to be for general use.
- Comments are due to the AICPA by May 19, 2006. Please send your comments to CUNA by May 5, 2006. Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Associate General Counsel Mary Dunn at firstname.lastname@example.org or to Senior Regulatory Counsel Catherine Orr at email@example.com; or mail them to Mary or Catherine in c/o CUNA's Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, 6th Floor - South Building, Washington, DC 20004. You may also contact us at 800-356-9655, ext. 6743, if you would like a copy of the Exposure Draft, or you may access it here.
- In March 2003, the ASB issued an exposure draft that contained a proposed SSAE entitled Reporting on an Entitys Internal Control Over Financial Reporting.
- The Sarbanes Oxley Act of 2002 (Act) created the Public Company Accounting Oversight Board (PCAOB) and charged it with overseeing audits of public companies (subject to the rules of the Securities and Exchange Commission (SEC)). In March 2004, the PCAOB issued Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements, which establishes the standards for an audit of the internal control of an issuer performed in conjunction with the audit of the issuers financial statements.
- This exposure draft revises the ASBs original exposure draft to reflect guidance from PCAOB Auditing Standard No. 2 that the ASB believes would be applicable to and appropriate for examinations of the internal control of nonpublic companies, and useful to regulated entities, such as financial institutions and insurance companies.
- This proposed SSAE supersedes Chapter 5, Reporting on an Entitys Internal Control Over Financial Reporting, of SSAE No. 10, Attestation Engagements: Revision and Recodification, as amended.
- NCUA has issued an Advance Notice of Proposed Rulemaking (ANPR) which proposed seeking input on whether NCUA should modify its Supervisory Committee Audit Rules (Part 715 - Supervisory Committee Audits and Verifications), and if so, how. An ANPR does not reflect a specific proposal but rather requests comments on issues and concerns raised by an agency. If NCUA were to pursue this issue, the next step would likely be a proposed rule. One of the specific issues NCUA is raising is whether credit unions should be required to secure an attestation on internal controls in connection with their annual audits. An attestation on internal controls consists of two parts. First, management must report its assessments of the effectiveness of the credit unions internal control structures and procedures. Second, the credit unions external auditor must examine, attest to (certify), and report separately on managements written report. The scope of the attestation could be limited only to the effectiveness of internal controls over financial statements prepared for regulatory purposes (such as the report on examination of internal controls over Call Reporting audit option available to credit unions under $500 million in assets) or extended to include all financial reporting. The ANPR specifically asks whether, if credit unions were required to obtain an attestation on internal controls, Part 715 should require that those attestations adhere to the Public Company Accounting Oversight Boards (PCAOBs) AS2 standard that applies to public companies, or to the AICPAs revised AT 501 standard that applies to non-public companies. CUNAs Comment Call regarding NCUAs ANPR is posted here.
DISCUSSION OF THE PROPOSED STATEMENT
Definition of Internal Control
- In the proposed SSAE, the term internal control refers to a process effected by the
entitys board, management or other personnel designed to provide reasonable assurance regarding
the reliability of financial statements prepared in accordance with the applicable financial
reporting framework. Those processes and procedures include those that:
- Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the entity;
- Provide reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in accordance with the applicable financial reporting framework; and
- Provide reasonable assurance regarding the prevention or timely detection of the unauthorized acquisition, use, or disposition of the entity's assets that could have a material effect on the entitys financial statements.
Managements Responsibilities in an Examination of Internal Control
- For the CPA to satisfactorily complete an examination of internal control, management
- Accept responsibility for the design and operating effectiveness of the entitys internal control;
- Obtain an understanding of and evaluate the design effectiveness of the entitys internal control;
- Evaluate the operating effectiveness of the entitys internal control using suitable control criteria;
- Support its evaluation (and thereby support its assertion) with sufficient evidence, including documentation; and
- Present a written assertion about the design and operating effectiveness of the entitys internal control.
- If the results of the procedures performed by the CPA caused him to conclude that a material weakness in internal control exists, that information should be disclosed in the CPAs report.
CPAs Responsibilities in an Examination of Internal Controls
- The CPA should determine whether management has determined which controls should be tested, including controls over all relevant assertions related to all significant accounts and disclosures in the financial statements.
- Generally, such controls include:
- Controls over initiating, authorizing, recording, processing, and reporting significant accounts and disclosures and related assertions embodied in the financial statements.
- Controls over the selection and application of accounting policies that are in conformity with the applicable financial reporting framework.
- Antifraud programs and controls.
- Controls, including information technology general controls, on which other controls are dependent.
- Controls over significant nonroutine and nonsystematic transactions, such as accounts involving judgments and estimates.
- Entity-level controls.
- The control environment, and
- Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; to initiate, authorize, record, and process journal entries in the general ledger; and to record recurring and nonrecurring adjustments to the financial statements, for example, consolidating adjustments, report combinations, and reclassifications.
- The CPA must evaluate the design effectiveness of controls.
- The CPA should also evaluate the operating effectiveness of controls based on procedures sufficient to assess their effectiveness.
- To evaluate the effectiveness of an entity's internal control, management must have:
- Evaluated controls over all relevant assertions related to all significant accounts and disclosures.
- Determined the deficiencies in internal control that are of such a magnitude and likelihood of occurrence that they constitute significant deficiencies or material weaknesses.
- Communicated findings to the CPA and others, if applicable.
- Evaluated whether the findings are reasonable and support the assertion.
- Management must support its evaluation of the operating effectiveness of the entitys internal control (and thereby support its assertion) with sufficient evidence, including documentation. Documentation of the design of controls over relevant assertions related to significant accounts and disclosures is evidence that controls related to managements assertion about the effectiveness of internal control, including changes to those controls: (1) have been identified; are capable of being communicated to those responsible for their performance; and are capable of being monitored and evaluated by the entity.
- When determining whether management's documentation provides reasonable support for its
evaluation and assertion, the CPA should determine whether such documentation includes:
- The design of controls over all relevant assertions related to all significant accounts and disclosures in the financial statements. The documentation should include the following five components: control environment (integrity, ethical values and competence of the entitys staff, managements philosophy and operating style, the way management assigns authority and responsibility and organizes and develops it people, and the attention and direction provided by the board); risk assessment; control activities (approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties); information and communication and monitoring.
- The link between the individual controls and the significant accounts and assertions to which they relate.
- Information about how significant transactions are initiated, authorized, recorded, processed, and reported.
- Sufficient information about the flow of transactions to identify the points at which material misstatements due to error or fraud could occur.
- Controls designed to prevent or detect fraud, including who performs the controls and the related segregation of duties.
- Controls over the period-end financial reporting process.
- Controls over the safeguarding of assets.
- The results of management's testing and evaluation.
- In addition to examining an entitys internal control, a CPA might be engaged to perform other services for an entity related to its internal control, such as assisting management in preparing or gathering documentation of its internal control or recommending improvements to its internal control. The results of tests of controls that a CPA might perform in the context of such engagements may not be used by management to support its assertion in an examination of internal control.
- Documentation might take many forms, such as paper, electronic files, or other media, and can include a variety of information, including policy manuals, process models, flowcharts, job descriptions, documents, and forms. The form and extent of documentation will vary depending on the nature, size, and complexity of the entity.
Monitoring by Management
- Managements monitoring activities may provide evidence of the design and the operating effectiveness of internal control.
- Monitoring involves the performance of all the following activities by appropriate personnel
on a timely basis:
- Assessing the quality of internal control performance on an ongoing basis or through separate evaluations at points in time. The greater the degree and effectiveness of ongoing monitoring, the less the need for separate point-in-time evaluations.
- Determining whether controls are suitably designed and operating effectively by periodically testing and assessing them.
- Capturing and reporting identified control deficiencies to appropriate individuals within the organization.
- Performing appropriate follow-up actions, including:
- Investigating underlying problems.
- Assessing the risks associated with specified deficiencies.
- Authorizing the decision to take corrective actions.
- Modifying controls if corrective action is deemed necessary.
- The CPA should obtain a representation letter from management that includes a written assertion about the effectiveness of the entity's internal control.
- A CPA should not accept an assertion from management stating that the entitys internal control is effective if management has identified one or more material weaknesses. In addition, managements assertion should disclose all material weaknesses that exist as of the end of the most recent fiscal year.
- Managements assertion should clearly define the scope of the controls covered by
managements assertion and whether financial reporting was expanded beyond the basic financial
- An example of a situation in which the scope of internal control over financial reporting extends beyond the basic financial statements is that of Insured Depository Institutions (IDIs) subject to the internal control reporting requirements of Section 112 of the Federal Deposit Insurance Corporation Improvement Act (FDICIA). IDIs must include in the scope of their examinations of internal control and in their assertions, at a minimum, schedules equivalent to the basic financial statements that are included in the IDIs applicable regulatory report. In these situations, managements assertion should indicate that the scope of internal control includes controls over the preparation of the IDI's financial statements as well as the schedules equivalent to the basic financial statements included in the IDIs applicable regulatory report.
Managements Report on Internal Controls for External Parties
- The following elements should be included in managements report to external parties:
- The scope of controls covered by managements assertion (for example, controls over the preparation of the entitys financial statements and any schedules or forms related to the financial statements).
- Any controls that have been excluded from managements assertion.
- A statement about the inherent limitations of internal control.
- A frame of reference for reporting (the criteria against which the effectiveness of internal control was measured).
- An assertion (or conclusion) about the effectiveness of the entitys internal control, such as: The entitys system of internal control over financial reporting was effective as of December 31, 2005 (or during the fiscal year ended December 31, 2005). If one or more material weaknesses exist that preclude management from concluding that the criteria for internal control effectiveness have been met, a description of the material weakness(es).
- The date as of which (or the period for which) the conclusion was made.
- The names of the report signers.
- If the CPA determines that management's report is inappropriate, the CPA should modify his or her report to include an explanatory paragraph describing the reasons for this conclusion. If management does not provide the CPA with a written report to external parties, the CPA should restrict the use of the his report. If, at a later date, management provides the CPA with a report to external parties, the CPAs report may be reissued as a general-use report with the same report date as the original restricted-use report since no procedures have been performed subsequent to that date.
- If the CPA becomes aware of a significant deficiency or material weakness in any of the components, he or she is required to report those matters to management and those charged with governance.
- The proposed SSAE recognizes that for nonpublic companies, the group or person charged with governance may exist in a variety of forms, for example, a board of directors, a committee of management, a legislative oversight committee, or an owner in an owner-managed entity; in some cases management and those charged with governance are the same people.
- Each year the CPA must obtain sufficient evidence about whether the entity's internal control, including the controls for all internal control components, is operating effectively. This means that each year the CPA must obtain evidence about the effectiveness of controls for all relevant assertions related to all significant accounts and disclosures in the financial statements. The CPA should test controls that are important to achieving each control objective. It is not necessary to test all controls, or to test redundant controls (controls that duplicate other controls that achieve the same control objective) if the other controls already have been tested, unless redundancy, itself, is a control objective, as it is in the case of certain computer controls.
- A CPA should perform at least one walkthrough for each major class of transactions. In a walkthrough, the CPA traces a transaction from origination through the entitys information systems until it is reflected in the entitys accounting records.
- In the presence of effective information technology general controls, an automated application control (for example, aging of accounts receivable, extending prices on invoices, or performing edit checks) is expected to perform as designed. Entirely automated application controls, therefore, generally are not subject to breakdowns due to human failure and this feature allows the CPA to "benchmark," or "baseline," these controls. If general controls over program changes, access to programs, and computer operations are effective and continue to be tested, and if the CPA verifies that the automated application control has not changed since he last tested the application control, the CPA may conclude that the automated application control continues to be effective without repeating the prior year's specific tests of the operation of the automated application control.
QUESTIONS REGARDING THE PROPOSED SSAE
- Do you feel that managements responsibilities with respect to an examination as
laid out in the proposal are reasonable?
Yes ______ No ______
If not, which responsibilities are not reasonable and why?
- Do you think the criteria for managements assertion are appropriate?
Yes ______ No ______
If not, please explain why not?
- Are the documentation and monitoring requirements on managements part proper?
Yes ______ No ______
If not, what are your suggestions?
- Do the testing requirements make sense?
Yes ______ No ______
If not, why not?
- Under this proposal, a credit union would have to have a CPA do the attestation.
Further, one CPA may assist management in preparing or gathering documentation of a credit
unions internal control or recommending improvements to its internal control. However,
another different CPA must perform the testing. This would require hiring one or more CPA
firms. Does this seem overly burdensome?
Yes ______ No ______
If yes, please quantify the additional burden imposed, if possible.
- Other comments?
Eric Richard General Counsel (202) 508-6742 firstname.lastname@example.org |
Mary Mitchell Dunn SVP & Deputy General Counsel (202) 508-6736 email@example.com
Jeffrey Bloch Assistant General Counsel (202) 508-6732 firstname.lastname@example.org
Lilly Thomas Assistant General Counsel (202) 508-6733 email@example.com
Catherine Orr Senior Regulatory Counsel (202) 508-6743 firstname.lastname@example.org