IT Focus Areas- PCAOB Inspection Views expressed in the presentation are the Speaker's OWN

Deficiency Evaluation Case Study Deficiencies in access to make changes to IT systems used to process revenue and AR; Determined to be not a significant deficiency or material weakness. Compensating controls focused on change approval; did not detect unauthorized changes. Compensating control was also affected by the GITC deficiencies. Testing of compensating controls did not determine level of precision (auditor just read the review reports). Application controls using a sample of one was not sufficient. Accuracy and completeness of certain data used in the operation of IT-dependent manual controls was not supported.

System Access Case Study Company’s process of granting access based on a peer employee’s access rights or a predecessor employee’s access rights rather than using a defined “role” or requesting specific access permission for the designated employee. With such access granting practice, access should be reviewed on a more frequent basis than annually, which was Company’s practice. Accountability risks related to shared accounts. Business personnel with system administrative accounts.

Work of Others Case Study Reliance on IA testing (1) GITCs, some with manual component, over applications related to the valuation of the company’s hard-to-value securities and derivatives and (2) two other manual controls over the valuation Controls were identified as higher risk of failure. Limited reperformance- reviewed a small portion of IA testing. When re-performing, evidence from the source were not obtained. Approach on use of work of others was not clearly and robustly documented. Independent evaluation of deficiencies identified by IA was not performed.

IT Scoping Case Study Revenue generated at numerous locations, routine transactions, highly automated, complex component structure, multiple IT systems. Auditor failed to identify all IT system – assumption that transactions, IT systems, and controls were uniform across all locations. Company used multiple instances of two IT systems; Auditor limited its testing to one instance.

Focus Areas Completeness and accuracy of information: Auditors are not considering whether companies have controls in place over C&A of information; Difference between controls over C&A versus testing for C&A. Lack of documentation to demonstrate C&A control and its testing.

Focus Areas IT application / automated controls testing: Testing after period year end -questions on reliance of the controls for the period under audit. All relevant attributes in a ‘test of one’ are not being tested. ‘Test of one’ does not include inspection of configuration. Insufficient identification of automated controls to address process risks.

Focus Areas SOC reports evaluation: Timing of report coverage relative to the period under audit. ‘Silent period’ is as long as 9 months at times. Evaluation of deficiencies identified in the SOC report and their impact on audit. Testing End‑User Control Considerations. Addressing relevant areas scoped out of the SOC reports and sub- servicer reports.

Focus Areas Cybersecurity Risks Firm Software Audit Tools Considering cybersecurity while performing risk assessment. Whether cybersecurity risk pose risk of material misstatement. Whether modifications to audit approach, risk assessment in response to cybersecurity risk was done. Firm Software Audit Tools Completeness and accuracy of audit evidence processed by software tools are not being considered.

SSAE 18 vs SSAE 16 Complementary subservice org controls Complementary user entity controls C&A of IPE Review of Internal Audit Reports Risk Assessment Documented design of controls Criteria and example control changes

Questions/ Comments

Kanika Saraiya Manager, Advisory KPMG, Portland OR Thank You Kanika Saraiya Manager, Advisory KPMG, Portland OR