Insert School Name and Class Name here Insert date here AS5 and AERS Insert School Name and Class Name here Insert date here presentation ideas Deloitte Trivia (give out bags, shirts, etc. for correct answers) E.g. What is the oldest Accounting Firm? How do you pronounce Tomahtsu Presentation content
Introductions.
Agenda What is AERS? What we do… Denver AERS Service Lines Rewards Frequently Asked Questions Your Deloitte Audit Standard No. 5
What is AERS? Audit and Enterprise Risk Services (AERS) Global leader in helping clients manage risk and uncertainty Broad array of services Assist clients Understand their own business Better measure and manage risk and control Enhance the reliability of systems and processes Deloitte’s Enterprise Risk Services (ERS) practice is a global leader in helping clients manage risk and uncertainty-from the boardroom to the network. We provide a broad array of services that allow clients around the world to better measure and manage risk and control and to enhance the reliability of systems and processes throughout the enterprise. With core competencies encompassing capital markets, control assurance, data quality and integrity, internal audit, regulatory consulting, and security services, our ERS professionals offer a wealth of experience across a wide spectrum of industries.
Remediate Control Weaknesses Develop Monitoring Process What we do… Assess Risk Evaluate the macro-level control environment (governing financial transactions and reporting Assess at a high level the relative strength of internal controls over each financial process Assess at a high level the general computer controls over financial systems and transactions Document Controls Document the business processes supporting all financial transactions Document manual controls over financial transactions and financial reporting Document financial systems and related systematic internal controls over financial transactions Test Controls Test controls for business processes supporting all financial transactions Test manual controls over financial transactions and financial reporting Test financial systems and related systematic (IT) internal controls over financial transactions Remediate Control Weaknesses Identify control gaps and prioritize based on risk Develop control deficiency remediation plan to address control deficiencies Design and implement new controls to address deficiencies Develop Monitoring Process Define the roles and responsibilities of various parties to monitor the control management program Develop testing procedures to support periodic evaluations of internal control effectiveness Develop control self-assessment process
Denver AERS Service Lines External Audit (Financial Statements) Control Assurance Business Cycle Controls (BCCs) General Computer Controls (GCCs) Sarbanes-Oxley SAS 70 Data Quality and Integrity Internal Audit Security and Privacy
Denver AERS Service Lines External Audit (Financial Statements) Objective diagnostic tests Analytical reviews Work closely with yet independently from our clients
Denver AERS Service Lines Business Cycle Controls (BCCs) Expenditure Revenue Payroll & Personnel Inventory Management Fixed Assets Treasury Financial Accounting A business cycle is a sequence of principal business activities performed to process related classes of transactions. Transactions within an entity can typically be classified into one of these 7 business cycles Expenditure Revenue Payroll & Personnel Inventory Management Fixed Assets Treasury Financial Accounting
Denver AERS Service Lines General Computer Controls (GCCs) Systematic Security controls Change management controls Operations controls Automated application controls What we look at Security controls Change management controls Operations controls In some cases, automated application controls Layers we look at Applications Databases Operating Systems Network
Denver AERS Service Lines Sarbanes-Oxley Readiness Attest Control Rationalization Sarbanes-Oxley Readiness Internal Audit – acting on behalf of management “Management’s Assessment” Business cycle controls Design, implementation and effectiveness General computer controls Attest Assurance Service Independent assessment of controls and review of Management’s Assessment Typically Integrated with the Financial Statement Audit COSO Framework applied to Deloitte Methodology
Denver AERS Service Lines SAS 70 Report on controls of outsourced service providers Business Controls and General Computer Controls Service providers include: Application service providers Bank trust departments Credit card processors Data centers Assurance over the controls environment of outsourced service providers for use by their clients and their clients' external auditors In depth audit of Business Controls and General Computer Controls Service providers include: Application service providers Bank trust departments Credit card processors Data centers
Denver AERS Service Lines Data Quality and Integrity SAS 99 - Consideration of Fraud in Financial Statements SAS 99 - Consideration of Fraud in the Financial Statements Upload all General Ledger detailed transactions and trial balance Verify that the data is Complete Entire population of J/E’s exists DR = CR Data Mining for unusual transactions, inconsistencies in data, erroneous data, etc. This information is passed over to the financial audit Helping companies manage, and analyze large amounts of data, and to use their data as an asset
Denver AERS Service Lines Internal Audit No opinions! Internal Audit Co-Sourcing Internal Audit Out-Sourcing No opinions! Internal Audit Co-Sourcing Report to Deloitte management Risk analysis Business cycle controls Design, implementation and effectiveness General computer controls Special projects Internal Audit Out-Sourcing Report to client management Function as internal audit staff at client organizations
Denver AERS Service Lines Security and Privacy Application Integrity Business Continuity Management Identity & Access Management Infrastructure & Operations Security Privacy & Data Protection Security Management Vulnerability Management
Rewards Experience, experience, experience! Client contact In-depth understanding of business processes IT in the real world numerous industries Perks People! Experience, experience, experience! Client contact with all levels of the organization from day one In-depth understanding of client business processes In-depth understanding of information technology in the real world In-depth understanding of all kinds of industries Perks People!
Frequently Asked Questions How technical do I need to be? What kind of training is there? What kind of certifications should I have, or be working toward? What is actually fun about your job? What is the relationship really like with your clients? Where do you spend your time? Any others?
Your Deloitte Or...what to do if you’re interested
Audit Standard No. 5 (AS5) Sarbanes-Oxley Act of 2002 Public Company Accounting Oversight Board (PCAOB) AS5 replaces AS2 Overall goal is to focus financial statement and controls audit on risk
Significant Modifications of AS5 Identifying and Testing Company-Level Detective Controls Using the Work of Others Scoping Multi-location Engagements Performing Walkthroughs Using Knowledge Obtained from Prior Audits
Using the Top-down Approach to Identify Relevant Controls STOP When control is effective for audit purposes Number of Control Objectives Addressed Senior Management High-Level Controls Middle Management Clerical Level Detailed Controls Identify effective company level detective controls that address control objectives related to significant accounts and potential errors Overview the top-down approach and how we use it to identify relevant controls – which might be company-level detective controls – i.e., the controls that might address process level control objectives and which might exist at multiple levels within the organization. The significant point of what is new with AS 5 is to emphasize is to stop going down at the point at which you get to a control that meets a process level control objective (i.e., consistent with the “stop sign” methodology which is already a part of our audit approach) even if the control is a detective control – i.e., AS 2 indicated that testing detective controls alone was not sufficient – AS 5 is less prescriptive. Make point that detective controls – either process or CLC – may be sufficient by themselves to address process level control objectives, i.e, mitigate a risk of material misstatement Implication is reduced number of relevant control activities at the process level if we have had D’s in the past – may not need to test again as there was a compensating control that was likely the right control in a top down approach
Using the Work of Others Elimination of restrictions on: Areas where the work of others can be used Extent to which the work of others can be used “Principal evidence” terminology is eliminated; however: Auditors are responsible for obtaining sufficient evidence to support opinion Auditor judgments are their own Independent Testing vs. Use of Work of Others No restrictions on auditor ability to use management’s work Except walkthroughs, where use is limited to direct assistance As assessed risk related to the control increases, the auditor’s ability to use management’s work and necessary level of competence and objectivity of those who perform the work increases Elimination of restrictions on: Areas where can use the work of others Extent to which we can use the work of others “Principal evidence” terminology is eliminated; however: Auditors are responsible for obtaining sufficient evidence to support opinion Auditor judgments are their own Under the AS 2 model, reperformance testing and testing done by others did not count towards principal evidence. Reference para 3 of the proposed standard: Auditor must obtain sufficient competent evidence about the design and operating effectiveness of controls overall relevant assertions. Auditor may obtain this evidence by performing tests of controls himself or herself using the work of others. Auditor’s judgments need to be his/her own
Scoping Multi-location Audits Scope multi-location audits on an integrated basis, based on assessed risks Eliminate large portion “coverage-based” approach Approach is the same for the audits of internal control and financial statements Vary the locations selected from year to year For locations not selected perform substantive analytical procedures and test company level detective controls Scope multi-location audits on an integrated basis, based on assessed risks Eliminate large portion “coverage-based” approach; do not select locations solely for purpose of testing controls Approach is the same for the audits of internal control and financial statements; i.e., test controls and perform substantive procedures at selected locations Vary the locations selected from year to year For locations not selected perform substantive analytical procedures and test company level detective controls
Performing Walkthroughs Walk one transaction through each significant process Don’t have to follow a separate transaction “through each minor variance in the process” Use a single transaction to the extent possible and practical Include company level detective controls during the walkthrough of the transactions through each significant process Evaluate design and determine implementation of relevant controls in conjunction with walkthrough procedures Walk one transaction through each significant process, considering how risks unique to each major class of transaction are addressed Don’t have to follow a separate transaction “through each minor variance in the process” Use a single transaction to the extent possible and practical Include company level detective controls during the walkthrough of the transactions through each significant process Evaluate design and determine implementation of relevant controls in conjunction with walkthrough procedures Can use work of others in a direct assistance capacity Work performed by internal auditors or others in the form of direct assistance (i.e., under our direct supervision) and the related documentation generally cannot also be used by management to support its assessment of internal control
Using Knowledge Obtained from Prior Audits Vary extent of testing of operating effectiveness from year to year Test controls that mitigate risks and controls that have changed more extensively every year Test other controls less extensively in certain years and more extensively in others Sufficient appropriate audit evidence about the operating effectiveness of controls should incorporate sufficient work in the current audit, together with our work performed in the prior two audits, to provide reasonable assurance of achieving the control objectives related to the reliability of financial reporting. (AAPMS AUD P14.02) Vary extent of testing of operating effectiveness from year to year Test controls that mitigate risks and controls that have changed more extensively every year Test other controls less extensively in certain years and more extensively in others Audit evidence to support our conclusions about the effectiveness of relevant controls is obtained each year by: Evaluating design and determining implementation of (which is also a test of operating effectiveness) of relevant controls Process level controls – performed during the walkthrough of a transaction through the related process General computer controls – other procedures performed to evaluate design and determine implementation Understanding management’s assessment of the effectiveness of these controls, including results of self assessments and any testing performed by management Considering any errors detected through the performance of our substantive testing, including the extent of misstatement that did or could have occurred Our current year plan for additional tests of operating effectiveness of controls in an integrated audit should include (Based on AUD 14.24): Entity level controls Financial Close and Reporting Process controls Controls that mitigate pervasive and specific identified risks Business cycle controls where the relevant business cycles or portions thereof (i.e., principal business activities) contain new or significantly changed application systems A portion of GCCs related to (1) information security and (2) application systems implementation and maintenance Controls (including GCCs) that have changed since the last audit Business cycle controls and GCCs where the only operating effectiveness testing performed during the prior two audits was through procedures to determine implementation
About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms, and their respective subsidiaries and affiliates. Deloitte Touche Tohmatsu is an organization of member firms around the world devoted to excellence in providing professional services and advice, focused on client service through a global strategy executed locally in nearly 140 countries. With access to the deep intellectual capital of approximately 150,000 people worldwide, Deloitte delivers services in four professional areas — audit, tax, consulting, and financial advisory services — and serves more than 80 percent of the world’s largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global companies. Services are not provided by the Deloitte Touche Tohmatsu Verein, and, for regulatory and other reasons, certain member firms do not provide services in all four professional areas. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other’s acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names “Deloitte,” “Deloitte & Touche,” “Deloitte Touche Tohmatsu,” or other related names. In the United States, Deloitte & Touche USA LLP is the U.S. member firm of Deloitte Touche Tohmatsu and services are provided by the subsidiaries of Deloitte & Touche USA LLP (Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Financial Advisory Services LLP, Deloitte Tax LLP, and their subsidiaries), and not by Deloitte & Touche USA LLP. The subsidiaries of the U.S. member firm are among the nation’s leading professional services firms, providing audit, tax, consulting, and financial advisory services through nearly 40,000 people in more than 90 cities. Known as employers of choice for innovative human resources programs, they are dedicated to helping their clients and their people excel. For more information, please visit the U.S. member firm’s Web site at www.deloitte.com Copyright © 2007 Deloitte Development LLC. All rights reserved. DCS383695