What CFOs and Internal Audit Directors can do to be prepared for “Critical Audit Matters” (CAMs).

Just around the corner, in 2020, non-accelerated public filers will have their external auditors include “Critical Audit Matters” (or CAMs for short) in their audit reports. Here’s a brief overview of what a CAM is and how Executives along with Internal Audit can prepare for this new PCAOB requirement. At the end of this article there are links to PCAOB guidance as well as additional links to articles other firms have written.

Changes to the audit report

The definition of a CAM (per the PCAOB) is “… any matter arising from the audit of the financial statements that was communicated or required to be communicated to the audit committee and that: (1) Relates to accounts or disclosures that are material to the financial statements; and (2) Involved especially challenging, subjective, or complex auditor judgment.”

At a high level, this could potentially include not only material weaknesses, but also Significant Deficiencies typically not included in public documents. There is also a lot left open to an auditor’s opinion, which could result in businesses in the same industry having different levels of CAMs depending on not only which audit firm they use, but which Partner is responsible for the audit.

How to get ahead of the game

There are several steps the CFO and the Director/VP of Internal Audit can take to start preparing for this new requirement. First, go straight to your auditors. Ask them for their internal guidance, whitepapers, etc. Also ask them what items in the past could have been included as a CAM. This should open up some dialog and get you pointed in the right direction for avoiding potential CAMs in the future.

Next, Internal Audit and the CFO should identify which business processes could have CAMs documented due to the complex nature of the process or subjective decisions used in calculations and reporting. Some areas could include taxes, derivatives and goodwill calculations. Management should also consider which areas have the most struggles getting through an audit. It’s not a large stretch of the imagination to see departments with past audit struggles start showing up in CAMs.

Internal Audit should work with the Internal Control person (or whoever is responsible for updating SOX documentation) to identify any new controls or Non-Key controls which might need to be elevated to Key. An additional option is for Internal Audit to conduct specific audits to target these higher risk areas. Combining your discussion with the auditors with your internal discussions, these audits should give you a good snapshot of potential CAMs.

Another Option

Another option to consider is asking your auditors to complete a “dry run”. Most audit groups want to conduct a “dry run”, so your request should be met with open arms. This will give your auditors time to discuss details internally and your company time to address items before they are publicly disclosed.

External Links

For more information, I found these pages helpful. If you have any questions feel free to reach out any time via e-mail thomas@r-vmc.com

PCAOB Implementation of Critical Audit Matters: The Basics

PCAOB Implementation of Critical Audit Matters: A Deeper Dive on the Determination of CAMs

From Deloitte (In conjunction with Harvard Law School): Critical Audit Matters—What to Expect

Journal of Accountancy: What ‘dry runs’ reveal about critical audit matters

 

 

Simple Reminders for Internal Audit Directors

Internal Audit Directors (Vice Presidents, Chief Audit Executives, etc.) have a delicate balance to maintain in the office. They are in a unique position of having to not only run their own department, but also have positive relationships with the Audit Committee and every other Executive, Manager and Department Head. Sometimes it’s easy to forget the small things that are important.

Audit Reports

Every Internal Audit Department we’ve worked with has had three issues with their audit reports.

1) Timeliness of distribution. Do you rewrite every report, go through 3 levels of review, adjust the font, set up meetings and then reschedule them multiple times, then realize the audit was over 6 months ago and the report still hasn’t been issued?

  • Standardize your reports, limiting the need to adjust mundane issues
  • Ensure your auditors are communicating with the auditees throughout the audit, so that what is in the first draft has already been communicated to the proper managers
  • Set deadlines and hold people accountable. Including yourself.

2) Length of the report. Get to the point. Do you want to read a 50-page report on why buying copy paper from one company is better than buying it from another company, even though it’s $1.25 per case more expensive? No? Then stop adding lengthy details to your own reports.

3) I’m leaving this one blank, you have your own answers for this one.

Give a Peace Offering

Think about the next audit that hasn’t started yet. Internal Audits are a “necessary evil” to many people. See if you can adjust their view by being friendly. Take the Manager (or whoever is in charge of what you’re auditing) out to lunch in advance of the audit. Have donuts dropped off in that area of the office the first day of the audit (and the last). These small steps can pay dividends when your team requests samples or sends out a first draft of the report for review. Responses might come a bit quicker.

Non-Auditor Training

Do you get complaints that either the auditee sent the wrong information or keeps questioning every request and question from your team? It might be a gap in communication and general lack of understanding from the auditee. Instead of arguing and demanding, why not add time to the schedule this year (don’t wait until next year) to conduct cross-company training? An auditee should understand what proper audit evidence looks like. The purpose of an audit. How information flows between departments within a company. You’ll probably find some process improvement opportunities and add real value to your company in the process.

Department Training

Many departments lack solid training, typically due to budget constraints. An easy way to address this is to have each member of the department join a different professional organization (such as the IIA, ACFE or ISACA). Then work with each to identify local, inexpensive training options which have topics that are valuable to either the entire group, or to that individual.

If you aim for one training event a month, rotating between the different organizations, you’ll see positive dividends very quickly.

Internal Audit can improve its efficiency and automate processes, even without a budget to do so

If your Internal Audit department is like most others, your organization sees you as a “necessary evil” and only provides you limited support. As a result, implementing automated audit programs, and improving efficiencies within your department becomes nearly impossible. You look for small ways to improve your department but you’ve run out of ideas. Here are some ways you can improve your internal efficiency and potentially automate certain functions without touching your budget.

Talk to your IT Department. I’ve been surprised by the number of times there were software solutions already available which no one knew about. Either a module in SAP or Oracle wasn’t turned on or SharePoint was part of the Office software package but long forgotten about. In another instance SharePoint was available but the IT department didn’t have anyone who knew how to set it up for workflows. I was able to learn SharePoint myself and create an internal controls issues log which was tied to the Active Directory. As deadlines approached for remediation, automated e-mails were sent to the control owners and their direct supervisors were notified as deadlines were missed or other issues happened. That IT group was hesitant to provide SharePoint access because they expected more work for their department; in the end it had almost no effect on them.

Standardize Controls. If your company has multiple locations and/or de-centralized processes, you probably have similar controls in multiple locations, but have to test each one a little differently. Working with the internal controls person or the proper members of management can help to standardize the controls, which in turn allows you to standardize your testing procedures (see the next recommendation below). This could also identify process gaps where controls are not as strong, an added benefit to your organization.

Standardize your testing. If you’re able to standardize controls in the organization, the next natural step would be to standardize your testing procedures. Populations, evidence requirements and testing attributes should be the same regardless of the location. Creating standardized templates for each control and process reduces the amount of prep time needed for each audit.

Standardize your reporting. Not much needs to be said here; the prior two steps should lead to a natural standardization of your audit reports. Stop reinventing the wheel every time you issue an audit report.

Utilize the functions of MS Office. Most businesses use Outlook, Excel, Word, etc. for their business needs. Expanding your team’s knowledge of these tools can benefit those inside and outside of your department. For example, instead of sending an e-mail with a question, use the “delay send” feature for an hour or so later. It never fails, I’ll send a question only to have another question pop up 5 minutes later. This allows your questions to be in one e-mail, easier to track and find later, rather than multiple e-mails bouncing around.

Utilize OneNote, a typical application within MS Office. Employees can keep notes and questions on a shared page while having personal notes on private pages, resulting in better collaboration within your department.

Utilize LinkedIn’s free learning center to take courses on subjects such as PivotTables in Excel. While you’re at it, they also have tons of courses on leadership and mentoring which can help your own career as well.

The first place you should always look, however, is internally. The entire Internal Audit team and the auditees. Listen. Don’t be defensive. Let them help be part of the solution.

You can contact us at thomas@r-vmc.com or 936-494-5135. We’re also on LinkedIn (Thomas’ profile, R-VMC company page).

Life lessons from a 10 year-old

My son is in his second year of competing in gymnastics.

During his first year he learned a lot and was able to work hard enough to earn 3rd place overall in his age/division in the South Texas “State” competition. His medal holder was so full that I had to make him a new holder for this season.

This season he moved up a level and he’s going against some boys who previously competed at this level last year. In the first several competitions he was able to hold his own and even place in the top 25% consistently. Then a large event came up with stiffer competition.

This 10 year-old who is used to riding home with multiple medals around his neck came home with one, a 3rd place on rings. He was devastated. The car ride home was long, the mood was somber. Two weeks later he confessed he even thought about giving up (not that we would let him…but the thought was there).

In business we face our own unique set of challenges. Lost sales, critical decisions which turned out wrong, important employees suddenly putting in their notice, customers cancelling orders, finding out an employee you think more of as family has been stealing from you for years. Many of these situations can cause one to question their future, question how they want to move on. We get knocked down and question if it’s really worth it.

Getting some perspective on the situation can help. Talking to other leaders within your company, peers, mentors, etc. can help you see the forest for the trees. If you have an employee who is or could be doing something inappropriate then a third party like Re-Vision Management Consulting can help soften the blow as well as help prevent other situations from coming up. (You don’t want to suddenly question every employee if your “favorite” makes bad decisions.)

For my son? He worked hard the next two weeks, found a different perspective by learning a new focus technique on the way to a competition. The result? 7 medals (out of a possible 7) and 2nd place overall.

Don’t let internal control issues, fraud or other concerns derail your focus. Identify the underlying cause of the issue and fight to ensure the problem doesn’t keep returning.

A risk assessment could save your neighbor

I’m thankful to live in The Woodlands, just North of Houston, TX. While enjoying some beautiful weather recently, my son and I walked around our house to do a “risk assessment”. Our 1/3 acre lot is in a subdivision that was one of the original subdivisions in The Woodlands. Having a house that’s over 40 years old can be a challenge at times, but we love it and have no desire to move any time soon.

My son (who is 10 years old) helped me count the trees on our property and assess if any posed a risk to our home. Similarly, a company’s risk assessment typically identifies risks to the organization. While these risks could be external (I have 5 trees outside of my property that could cause damage in later years) or internal (20 trees are on my property), sometimes you have risks which could impact groups outside of your organization.

For example, I have a tree on the back part of my property which is leaning a bit. It leans away from my garage and is nowhere near my house so I’m not that worried about it. When walking the property though, we realized something: the tree is directly over my neighbor’s back patio, a section of their backyard they use regularly. I suddenly have an increased risk in an area I never even thought to consider in previous risk assessments.

What helped identify this risk? Having an independent, second set of eyes (my son) who was able to see our risks from a different point of view than my own.

Do you seriously consider your risk assessment, or do you keep it around just to satisfy your auditors? It might be time to give it a fresh point of view.

Contact us at thomas@r-vmc.com if you’d like to get an independent opinion of your risk assessment, internal control documentation or 2019 internal audit plan. Or contact us using our form at www.r-vmc.com/contact-us

Calm before the Storm

It’s December, 2018. Every person in the office has completed multiple reviews of their remaining vacation days over the last few weeks. Entire departments shrink to that one person who took an extended vacation in July and grudgingly sits at their desk shopping on Amazon and streaming Netflix on their phone while watching the clock closely. Others enjoy the slower schedule and get caught up on their “to-do” list before taking off on their holiday break.

For Internal Audit Directors (VPs, CAOs, etc.) this can be a strategic time to set up an impactful 2019. No, I don’t mean surprise audits (don’t be that person). You have your year-end roll forward SOX testing already planned out, you probably already have your 2019 audit plan approved by the Audit Committee, and if your company has year-end inventory counts, you’ve already given the “joyous” news to those on your team who are helping out.

Now is the unique time you can really get outside of your norm. Here are a few ideas to consider:

  1. Contact your Audit Committee Chairman – Grab lunch if they are in the area, or have an extended call to discuss current trends and risks which are outside of any current audit plans (this also builds a vital relationship which is rarely given enough focus)
  2. Review your risk assessment again – Think about the seminars you went to in 2018, or trending articles you’ve seen on LinkedIn or industry sites, what’s a topic you should focus a bit more on?
  3. Schedule some CPE courses early in 2019 to gain better knowledge of areas you’re not as strong in. Be sure to include your team in the training so they can benefit from professional growth as well
  4. Review your team and identify how to strengthen the weak spots – This doesn’t mean calling someone on Christmas Eve with a pink slip (please don’t do that), but setting them up to focus on their weak spots for year-end testing or the slower first quarter can be beneficial to everyone in the long-run. Or better, finding training sessions through the IIA or another organization to put on their schedule. If you have any 2018 budget left over, go ahead and register them for these sessions instead of waiting and letting that money disappear.
  5. Create a “Tone at the Top” survey to send out at a later date. Do the staff and management in Oklahoma view the importance of integrity the same? What about the management in Norway vs the management at the Corporate office? This type of survey can help inform Executive Management (and the Board) of weak spots in your control environment and help you adjust your training and audit plan accordingly.

Our motto is “Give your company a new perspective.” While we would love to help you accomplish that, doing a few of the items above will help you achieve even greater success in 2019.



How to communicate with your Audit Committee

With stricter requirements on internal control testing, cyber security concerns, external auditors, Hotline abuse and then the standard information you have always had to report to the Audit Committee, more and more Executives are facing heavy burdens when it comes time to sit in front of the Audit Committee and spend hours defending decisions or mistakes made within their organization. Executives have two different ways to approach these quarterly meetings: you can be defensive, or you can be proactive and aggressive.

If you choose to be defensive, then you are approaching these meetings incorrectly. You will come across as someone who won’t take the blame for mistakes, pointing your finger at others while backpedaling at every turn. You go in with more questions than answers and walk away feeling flustered and defeated. You thought you were prepared but within minutes of the start of the meeting you find yourself on the defense and are never able to recover.

The alternative is what an Audit Committee (and your organization in general) wants and needs from you. Present the facts but bring so much more to the table. For example, if you had a cyber security breach and only reported there was a breach, some data was stolen and “IT upgraded the firmware,” I would hope the response by the AC would not be pleasant for you. Instead, suppose you reported the following: an attack from China hit the London office on March 23rd and was immediately detected by the IT department. Information about our day rates for the Ireland rigs was accessed; however, it was older data that won’t be detrimental to the organization. The IT group immediately addressed the weakness in the security and then did a thorough review of IT security across the entire organization to ensure no other similar weak points exist. We then had internal audit bring in IT security consultants to conduct their own security testing.

Yes, we will all agree that some of the details above might not be realistic to obtain, however the point is clear. But what happens if the issue is something you have less experience in? Take the security breach example above. Your AC probably won’t ask detailed IT questions, but what if they do? More modern Boards are adding members with IT experience due to heightened (and more public) cyber security concerns. Add in the new GDPR in the EU and I would predict more Boards looking for more IT knowledge in their next candidate.

For every issue being presented to the Audit Committee, management should:

  1. Completely understand what caused the issue
  2. Understand the short and long-term ramifications of the issue
  3. Have a clear and concise plan already in place to address the issue
  4. Have a measured result that can be presented at the next AC meeting to show what progress has been made

In today’s world though, can a CFO be expected to know details for cyber security? Know them well enough to communicate the issue and game plan moving forward? Doubtful. In the example above a CFO who isn’t as savvy in IT terminology and processes would be wise to invite the IT Consultant either to include slides in the presentation which add clear (that’s a key point) information or to be present for a brief presentation to help explain the issue and how it has been addressed. A wise CFO won’t try to know all the answers; he or she just needs to know how to get all the answers.