As the watchdog for professional services firms that audit public companies, the Public Company Accounting Oversight Board (PCAOB) continues to take on new areas of focus through its inspections. If you thought you were caught up with the PCAOB’s hot topics for SOX compliance – you may want to think again. It’s never too late to get up to speed on what’s trending though. Here is a brief summary of what our clients at AC Lordi are experiencing.
Controls Over the Adoption of the New Revenue Recognition Standard (ASC 606)
ASC 606 goes into effect for public companies for annual periods beginning after December 15, 2017 and the interim periods therein. This means it doesn’t take effect until January 1, 2018 for 12/31 filers. But Staff Accounting Bulletin Number 74 (SAB 74) requires footnote disclosure of both quantitative and qualitative information about the expected impact of adopting new accounting standards. Therefore, management needs a process to determine the qualitative and quantitative information to be disclosed and will need key controls over this information for their current year internal control assessment. This is important as the expected impact is required to be recorded for the first quarter shortly after the issuance of the 10-K.
Management Review Controls
Management Review Controls (MRCs) are not a new area of focus; however, there is a renewed emphasis on the supporting documentation and evidence produced by management during the execution of the control. Examples of MRCs include:
- Controls around purchase accounting and the related estimates, assumptions, projections, and sensitivity analysis used
- Controls involving significant estimates and judgments such as valuations, impairments, etc.
- Controls around complex areas of accounting such as stock-based compensation expense or accounting for income taxes
There needs to be evidence that management was involved in understanding and agreeing with the supporting documentation and assumptions used in determining the amounts, balances, etc. Management’s expectations and criteria for identifying items to investigate and the nature and resolution of the investigative procedures performed on these outliers should be documented as part of the control operation. Sign-off alone is not sufficient evidence that the control operated effectively.
Additionally, management can no longer just rely on a third-party specialist, if used, for complex calculations. Management needs to understand and document the source, as well as the completeness and accuracy, of all inputs and the resulting outputs.
Information Technology General Controls
The following should be considered when testing Information Technology General Controls (ITGCs):
- Scoping of systems/applications – may need to include report/querying systems/applications
- Privileged/Administrative users – should be limited to IT personnel
- Finance personnel access – ensuring that access in the system is restricted only to the roles needed, while all other access that is not used should be removed
- Segregation of duties – ensuring no one has the ability to create masterfile changes, approve masterfile changes, create journal entries, approve journal entries, enter invoices, and approve invoices
- User access recertification – needs to be at a granular level so the reviewer understands the nature of the access that they are approving, and evidence of the control needs to document the resolution of any changes that needed to be made based on the recertification
- Change controls – need to have strong evidence documented
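The privileged-user and segregation-of-duties points above can be tested directly against a user entitlement export. The following is an added example, not part of the original article; the permission names, department labels and sample rows are constructed, and it assumes each create/approve (or enter/approve) pair is the conflict to flag.

```python
import csv
import io
from collections import defaultdict

# Constructed sample entitlement export (user, department, permission).
SAMPLE_EXPORT = """user,department,permission
adavis,Finance,create_journal_entry
adavis,Finance,approve_journal_entry
cortiz,Finance,approve_invoice
cortiz,Finance,system_admin
dpatel,IT,system_admin
elee,Finance,create_masterfile_change
elee,Finance,enter_invoice
"""

# Hypothetical permission names; each pair is a maker/checker conflict.
SOD_PAIRS = [
    ("create_masterfile_change", "approve_masterfile_change"),
    ("create_journal_entry", "approve_journal_entry"),
    ("enter_invoice", "approve_invoice"),
]
PRIVILEGED = {"system_admin"}   # assumed name of the administrative role
IT_DEPARTMENTS = {"IT"}         # assumed department label for IT personnel

def load_entitlements(text):
    """Return {user: (department, set_of_permissions)} from the CSV export."""
    perms = defaultdict(set)
    dept = {}
    for row in csv.DictReader(io.StringIO(text)):
        user = row["user"].strip().lower()
        perms[user].add(row["permission"].strip())
        dept[user] = row["department"].strip()
    return {u: (dept[u], p) for u, p in perms.items()}

def find_exceptions(entitlements):
    """List (user, exception_type, detail) tuples, sorted for stable evidence."""
    findings = []
    for user, (department, perms) in entitlements.items():
        for maker, checker in SOD_PAIRS:
            if maker in perms and checker in perms:
                findings.append((user, "sod_conflict", f"{maker}+{checker}"))
        if department not in IT_DEPARTMENTS:
            for p in sorted(perms & PRIVILEGED):
                findings.append((user, "privileged_non_it", p))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_exceptions(load_entitlements(SAMPLE_EXPORT)):
        print(*finding, sep=",")
```

Each finding still needs a documented resolution (access removed, or a compensating control identified) to serve as evidence for the recertification control.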
Completeness of Manual Journal Entries
Management needs a control that addresses the completeness of journal entries. In other words, what process does management follow to ensure that they are reviewing all manual journal entries? Is the control automated or is it manual?
SOC 1 Reports
SOC 1 Type II reports should be obtained for outsourced service providers. Your SOC 1 reports should have:
- Coverage for the whole year through a combination of SOC 1 reports and a bridge letter, with the bridge letter preferably covering no more than 3 months at the end of the year. Otherwise, management may need to perform additional internal control procedures at the outsourced service provider.
- Mapping of user/client control considerations to management’s process and ITGC controls, where applicable, or noting why a user/client control is not applicable
Other areas that appear to be receiving a lot of focus in 2017:
- Lower risk in-scope areas the PCAOB has not focused on in the past (e.g., fixed assets, depreciable lives, depreciation calculation, use of analytics)
- Completeness and accuracy of spreadsheets and reports that are part of the operation of a control
- Management’s process and controls to ensure completeness of the list of related parties and transactions with these parties
- Controls over the existence and accuracy of the inventory balances
- Component materiality (i.e., disaggregated levels of materiality when dealing with multiple locations)
It is important to understand the expectations of the PCAOB and external auditors and work with them to meet their requirements as efficiently as possible. You may want to discuss these hot topics with your external auditors, if you haven’t already done so.
Jeff is a Senior Manager in AC Lordi’s Risk & Compliance group with over 15 years of accounting, financial analysis, internal auditing, and Sarbanes-Oxley experience. He has led internal audit and accounting engagements for a diverse range of companies across a broad spectrum of industries, including chemicals, life sciences, manufacturing, pharmaceuticals, retail, software, and telecommunications. Jeff can be reached at firstname.lastname@example.org or 610-738-0100.