Risk Rating the Audit Universe
A critical look at traditional audit universe risk-rating factors
Prepared by:
Bruce McCuaig, Chief Risk Officer and Principal Consultant
A Paisley White Paper
One outcome of the Sarbanes-Oxley Act, and of the related Public Company Accounting Oversight Board auditing standards AS2 and, more recently, AS5, is more information in the public domain about the performance (or failure) of internal controls over financial reporting. The information comes from the hundreds of internal control deficiencies reported by accelerated filers. Analyzing this data to determine what kinds of companies reported deficiencies, how the deficiencies were detected, what business processes they related to, and what accounts and assertions they affected provides great insight into how controls work in modern public companies. It also provides insight into the role and performance of internal auditors. Knowledge gained from these deficiency disclosures may challenge internal auditors' assumptions about where risk lies and how better to prioritize an audit universe. Specifically, can we learn how to risk rate an audit universe so as to focus resources where the deficiencies actually lie? Big risks can lurk under small rocks, and the indicators of big risks are often ignored in audit planning. Internal audit has played an important role in finding and reporting SOX deficiencies; however, external audit has played a far bigger role. This paper identifies some areas for improvement.
Internal audit professionals are guided to establish a risk-based audit universe by the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing and related practice advisories. Currently under revision, the proposed International Professional Practices Framework (IPPF) Performance Standard 2010 states:

"The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals."
The proposed standard is more explicit than its predecessor, making it mandatory for the chief audit executive to develop a risk-based plan.

There is room for improvement in the execution of a risk-based audit approach. A recent study published by the Financial Executives Research Foundation, Control Deficiency Reporting: Review and Analysis of Filings During 2004, analyzes the control deficiency disclosures made by 329 companies in various SEC filings from November 1, 2003, to October 31, 2004. It analyzes over 950 disclosures to identify trends that help users of financial statements better understand the nature of control deficiency reporting by SEC registrants. Management and internal auditors appear to have performed poorly in detecting and reporting deficiencies. The evidence suggests that only about 28 percent of companies were proactively bringing reportable deficiencies to the attention of their audit committees or external auditors. This strongly suggests that internal auditors either used risk prioritization models that routinely scoped out the high-risk areas for internal control deficiencies, or did not detect or report the deficiencies that were found.

More recent statistics confirm this trend. A February 2007 trend alert from Glass Lewis & Co., a leading investor analyst firm, reported:
"2,931 U.S. companies, about 23 percent, filed at least one restatement during the last four years; 683 companies restated two or more times."
There is little to suggest that either internal or external auditors are improving their track record of looking in the right places, or of finding problems where they exist. The February 27, 2007, Yellow Card Trend Alert produced by Glass Lewis & Co., titled The Errors of Their Ways, states:

"Companies take note: If you restated, you must have had material weaknesses. We still have a hard time figuring out how so many companies that restated also could have reasonably concluded that their internal controls are effective and that they have no material weaknesses – or that no material weaknesses even existed at the time of the errors."
The trend in reported deficiencies is alarming. While individual companies and their internal auditors may fail to detect or report some internal control deficiencies in the audits they conduct, the trend in the total number of restatements and in the number of companies reporting deficiencies, together with their late and sudden disclosure, suggests a systemic problem. Material weaknesses and significant deficiencies are simply not being found and reported by management, and restatements continue at a high level.

Unless internal auditors are applying completely different risk-based standards to planning audits of internal control over financial reporting (ICFR), it is reasonable to suggest that the method of prioritizing internal audit activity may be a problem. Is the error rate experienced in audits of ICFR the same as the error rate in audits of other areas?