CUNA Regulatory Comment Call

March 20, 2006

AICPA Proposal Regarding Attestation Engagements

EXECUTIVE SUMMARY

  • The Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) has published an Exposure Draft containing a proposed Statement on Standards for Attestation Engagements (SSAE) entitled Reporting on an Entity’s Internal Control Over Financial Reporting (also referred to as AT 501). The ASB is the senior technical committee of the AICPA designated to issue auditing, attestation, and quality control standards and guidance. It is authorized to make public statements on matters relating to auditing, attestation, and quality control standards without clearance from Council or the Board of Directors. This proposed SSAE would revise the requirements and guidance for an independent certified public accountant (CPA) for reporting on the internal control of nonpublic companies, including credit unions.
  • The proposed SSAE provides guidance to a CPA on evaluating management’s basis or substantiation for making an assertion about an entity’s internal control over financial reporting. Under the proposal, the CPA would be required to obtain a representation letter from the credit union management that includes a written assertion about the effectiveness of the entity's internal control. The proposal also details management’s documentation requirements to support the assertion.
  • According to the proposal, the CPA should evaluate identified control deficiencies by significant account balance, disclosure, and component of internal control to determine whether the deficiencies, individually or in combination, result in a significant deficiency or a material weakness. The proposal discusses the types of testing the CPA should perform in conducting the evaluation.
  • The proposed SSAE would require the CPA to communicate, in writing, to management and those charged with governance any significant deficiencies and material weaknesses that exist as of the date of management’s assertion, those the CPA becomes aware of during the examination, and any known or suspected fraud.
  • The Exposure Draft includes new appendixes, including one that provides an illustrative report that management must provide to external parties if the CPA’s report is to be for general use.
  • Comments are due to the AICPA by May 19, 2006. Please send your comments to CUNA by May 5, 2006. Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Associate General Counsel Mary Dunn at mdunn@cuna.com or to Senior Regulatory Counsel Catherine Orr at mcorr@cuna.com; or mail them to Mary or Catherine in c/o CUNA's Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, 6th Floor - South Building, Washington, DC 20004. You may also contact us at 800-356-9655, ext. 6743, if you would like a copy of the Exposure Draft, or you may access it here.

BACKGROUND

  • In March 2003, the ASB issued an exposure draft that contained a proposed SSAE entitled Reporting on an Entity’s Internal Control Over Financial Reporting.
  • The Sarbanes-Oxley Act of 2002 (Act) created the Public Company Accounting Oversight Board (PCAOB) and charged it with overseeing audits of public companies (subject to the rules of the Securities and Exchange Commission (SEC)). In March 2004, the PCAOB issued Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements, which establishes the standards for an audit of the internal control of an issuer performed in conjunction with the audit of the issuer’s financial statements.
  • This exposure draft revises the ASB’s original exposure draft to reflect guidance from PCAOB Auditing Standard No. 2 that the ASB believes would be applicable to and appropriate for examinations of the internal control of nonpublic companies, and useful to regulated entities, such as financial institutions and insurance companies.
  • This proposed SSAE supersedes Chapter 5, “Reporting on an Entity’s Internal Control Over Financial Reporting,” of SSAE No. 10, Attestation Engagements: Revision and Recodification, as amended.
  • NCUA has issued an Advance Notice of Proposed Rulemaking (ANPR) which proposed seeking input on whether NCUA should modify its Supervisory Committee Audit Rules (Part 715 - Supervisory Committee Audits and Verifications), and if so, how. An ANPR does not reflect a specific proposal but rather requests comments on issues and concerns raised by an agency. If NCUA were to pursue this issue, the next step would likely be a proposed rule. One of the specific issues NCUA is raising is whether credit unions should be required to secure an “attestation on internal controls” in connection with their annual audits. An “attestation on internal controls” consists of two parts. First, management must report its assessments of the effectiveness of the credit union’s internal control structures and procedures. Second, the credit union’s external auditor must examine, attest to (certify), and report separately on management’s written report. The scope of the attestation could be limited only to the effectiveness of internal controls over financial statements prepared for regulatory purposes (such as the “report on examination of internal controls over Call Reporting” audit option available to credit unions under $500 million in assets) or extended to include all financial reporting. The ANPR specifically asks whether, if credit unions were required to obtain an “attestation on internal controls”, Part 715 should require that those attestations adhere to the Public Company Accounting Oversight Board’s (PCAOB’s) AS2 standard that applies to public companies, or to the AICPA’s revised AT 501 standard that applies to non-public companies. CUNA’s Comment Call regarding NCUA’s ANPR is posted here.

DISCUSSION OF THE PROPOSED STATEMENT

Definition of Internal Control

  • In the proposed SSAE, the term internal control refers to a process effected by the entity’s board, management or other personnel designed to provide reasonable assurance regarding the reliability of financial statements prepared in accordance with the applicable financial reporting framework. Those processes and procedures include those that:
    • Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the entity;
    • Provide reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in accordance with the applicable financial reporting framework; and
    • Provide reasonable assurance regarding the prevention or timely detection of the unauthorized acquisition, use, or disposition of the entity's assets that could have a material effect on the entity’s financial statements.

Management’s Responsibilities in an Examination of Internal Control

  • For the CPA to satisfactorily complete an examination of internal control, management must:
    • Accept responsibility for the design and operating effectiveness of the entity’s internal control;
    • Obtain an understanding of and evaluate the design effectiveness of the entity’s internal control;
    • Evaluate the operating effectiveness of the entity’s internal control using suitable control criteria;
    • Support its evaluation (and thereby support its assertion) with sufficient evidence, including documentation; and
    • Present a written assertion about the design and operating effectiveness of the entity’s internal control.
  • If the results of the procedures performed by the CPA caused him to conclude that a material weakness in internal control exists, that information should be disclosed in the CPA’s report.

CPA’s Responsibilities in an Examination of Internal Controls

  • The CPA should determine whether management has determined which controls should be tested, including controls over all relevant assertions related to all significant accounts and disclosures in the financial statements.
  • Generally, such controls include:
    • Controls over initiating, authorizing, recording, processing, and reporting significant accounts and disclosures and related assertions embodied in the financial statements.
    • Controls over the selection and application of accounting policies that are in conformity with the applicable financial reporting framework.
    • Antifraud programs and controls.
    • Controls, including information technology general controls, on which other controls are dependent.
    • Controls over significant nonroutine and nonsystematic transactions, such as accounts involving judgments and estimates.
    • Entity-level controls.
      • The control environment, and
      • Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; to initiate, authorize, record, and process journal entries in the general ledger; and to record recurring and nonrecurring adjustments to the financial statements, for example, consolidating adjustments, report combinations, and reclassifications.
  • The CPA must evaluate the design effectiveness of controls.
  • The CPA should also evaluate the operating effectiveness of controls based on procedures sufficient to assess their effectiveness.
  • To evaluate the effectiveness of an entity's internal control, management must have:
    • Evaluated controls over all relevant assertions related to all significant accounts and disclosures.
    • Determined the deficiencies in internal control that are of such a magnitude and likelihood of occurrence that they constitute significant deficiencies or material weaknesses.
    • Communicated findings to the CPA and others, if applicable.
    • Evaluated whether the findings are reasonable and support the assertion.

Management’s Documentation

  • Management must support its evaluation of the operating effectiveness of the entity’s internal control (and thereby support its assertion) with sufficient evidence, including documentation. Documentation of the design of controls over relevant assertions related to significant accounts and disclosures is evidence that controls related to management’s assertion about the effectiveness of internal control, including changes to those controls: (1) have been identified; (2) are capable of being communicated to those responsible for their performance; and (3) are capable of being monitored and evaluated by the entity.
  • When determining whether management's documentation provides reasonable support for its evaluation and assertion, the CPA should determine whether such documentation includes:
    • The design of controls over all relevant assertions related to all significant accounts and disclosures in the financial statements. The documentation should include the following five components: control environment (integrity, ethical values and competence of the entity’s staff, management’s philosophy and operating style, the way management assigns authority and responsibility and organizes and develops its people, and the attention and direction provided by the board); risk assessment; control activities (approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties); information and communication; and monitoring.
    • The link between the individual controls and the significant accounts and assertions to which they relate.
    • Information about how significant transactions are initiated, authorized, recorded, processed, and reported.
    • Sufficient information about the flow of transactions to identify the points at which material misstatements due to error or fraud could occur.
    • Controls designed to prevent or detect fraud, including who performs the controls and the related segregation of duties.
    • Controls over the period-end financial reporting process.
    • Controls over the safeguarding of assets.
    • The results of management's testing and evaluation.
  • In addition to examining an entity’s internal control, a CPA might be engaged to perform other services for an entity related to its internal control, such as assisting management in preparing or gathering documentation of its internal control or recommending improvements to its internal control. The results of tests of controls that a CPA might perform in the context of such engagements may not be used by management to support its assertion in an examination of internal control.
  • Documentation might take many forms, such as paper, electronic files, or other media, and can include a variety of information, including policy manuals, process models, flowcharts, job descriptions, documents, and forms. The form and extent of documentation will vary depending on the nature, size, and complexity of the entity.

Monitoring by Management

  • Management’s monitoring activities may provide evidence of the design and the operating effectiveness of internal control.
  • Monitoring involves the performance of all the following activities by appropriate personnel on a timely basis:
    • Assessing the quality of internal control performance on an ongoing basis or through separate evaluations at points in time. The greater the degree and effectiveness of ongoing monitoring, the less the need for separate point-in-time evaluations.
    • Determining whether controls are suitably designed and operating effectively by periodically testing and assessing them.
    • Capturing and reporting identified control deficiencies to appropriate individuals within the organization.
    • Performing appropriate follow-up actions, including:
      • Investigating underlying problems.
      • Assessing the risks associated with specified deficiencies.
      • Authorizing the decision to take corrective actions.
      • Modifying controls if corrective action is deemed necessary.

Management’s Assertion

  • The CPA should obtain a representation letter from management that includes a written assertion about the effectiveness of the entity's internal control.
  • A CPA should not accept an assertion from management stating that the entity’s internal control is effective if management has identified one or more material weaknesses. In addition, management’s assertion should disclose all material weaknesses that exist as of the end of the most recent fiscal year.
  • Management’s assertion should clearly define the scope of the controls covered by management’s assertion and whether financial reporting was expanded beyond the basic financial statements.
    • An example of a situation in which the scope of internal control over financial reporting extends beyond the basic financial statements is that of Insured Depository Institutions (IDIs) subject to the internal control reporting requirements of Section 112 of the Federal Deposit Insurance Corporation Improvement Act (FDICIA). IDIs must include in the scope of their examinations of internal control and in their assertions, at a minimum, schedules equivalent to the basic financial statements that are included in the IDI’s applicable regulatory report. In these situations, management’s assertion should indicate that the scope of internal control includes controls over the preparation of the IDI's financial statements as well as the schedules equivalent to the basic financial statements included in the IDI’s applicable regulatory report.

Management’s Report on Internal Controls for External Parties

  • The following elements should be included in management’s report to external parties:
    • The scope of controls covered by management’s assertion (for example, controls over the preparation of the entity’s financial statements and any schedules or forms related to the financial statements).
    • Any controls that have been excluded from management’s assertion.
    • A statement about the inherent limitations of internal control.
    • A frame of reference for reporting (the criteria against which the effectiveness of internal control was measured).
    • An assertion (or conclusion) about the effectiveness of the entity’s internal control, such as: “The entity’s system of internal control over financial reporting was effective as of December 31, 2005 (or during the fiscal year ended December 31, 2005).” If one or more material weaknesses exist that preclude management from concluding that the criteria for internal control effectiveness have been met, a description of the material weakness(es).
    • The date as of which (or the period for which) the conclusion was made.
    • The names of the report signers.
  • If the CPA determines that management's report is inappropriate, the CPA should modify his or her report to include an explanatory paragraph describing the reasons for this conclusion. If management does not provide the CPA with a written report to external parties, the CPA should restrict the use of his or her report. If, at a later date, management provides the CPA with a report to external parties, the CPA’s report may be reissued as a general-use report with the same report date as the original restricted-use report since no procedures have been performed subsequent to that date.

Examination Engagement

  • If the CPA becomes aware of a significant deficiency or material weakness in any of the components, he or she is required to report those matters to management and those charged with governance.
  • The proposed SSAE recognizes that for nonpublic companies, the group or person charged with governance may exist in a variety of forms, for example, a board of directors, a committee of management, a legislative oversight committee, or an owner in an owner-managed entity; in some cases management and those charged with governance are the same people.

Testing

  • Each year the CPA must obtain sufficient evidence about whether the entity's internal control, including the controls for all internal control components, is operating effectively. This means that each year the CPA must obtain evidence about the effectiveness of controls for all relevant assertions related to all significant accounts and disclosures in the financial statements. The CPA should test controls that are important to achieving each control objective. It is not necessary to test all controls, or to test redundant controls (controls that duplicate other controls that achieve the same control objective) if the other controls already have been tested, unless redundancy, itself, is a control objective, as it is in the case of certain computer controls.
  • A CPA should perform at least one walkthrough for each major class of transactions. In a walkthrough, the CPA traces a transaction from origination through the entity’s information systems until it is reflected in the entity’s accounting records.
  • In the presence of effective information technology general controls, an automated application control (for example, aging of accounts receivable, extending prices on invoices, or performing edit checks) is expected to perform as designed. Entirely automated application controls, therefore, generally are not subject to breakdowns due to human failure and this feature allows the CPA to "benchmark," or "baseline," these controls. If general controls over program changes, access to programs, and computer operations are effective and continue to be tested, and if the CPA verifies that the automated application control has not changed since he last tested the application control, the CPA may conclude that the automated application control continues to be effective without repeating the prior year's specific tests of the operation of the automated application control.

QUESTIONS REGARDING THE PROPOSED SSAE

  1. Do you feel that management’s responsibilities with respect to an examination as laid out in the proposal are reasonable?

    Yes ______ No ______

    If not, which responsibilities are not reasonable and why?

  2. Do you think the criteria for management’s assertion are appropriate?

    Yes ______ No ______

    If not, please explain why not.

  3. Are the documentation and monitoring requirements on management’s part proper?

    Yes ______ No ______

    If not, what are your suggestions?

  4. Do the testing requirements make sense?

    Yes ______ No ______

    If not, why not?

  5. Under this proposal, a credit union would have to have a CPA do the attestation. Further, one CPA may assist management in preparing or gathering documentation of a credit union’s internal control or recommending improvements to its internal control. However, a different CPA must perform the testing. This would require hiring one or more CPA firms. Does this seem overly burdensome?

    Yes ______ No ______

    If yes, please quantify the additional burden imposed, if possible.

  6. Other comments?

Eric Richard • General Counsel • (202) 508-6742 • erichard@cuna.com
Mary Mitchell Dunn • SVP & Deputy General Counsel • (202) 508-6736 • mdunn@cuna.com
Jeffrey Bloch • Assistant General Counsel • (202) 508-6732 • jbloch@cuna.com
Lilly Thomas • Assistant General Counsel • (202) 508-6733 • lthomas@cuna.com
Catherine Orr • Senior Regulatory Counsel • (202) 508-6743 • corr@cuna.com
Copyright © 2012 Credit Union National Association