
Lighten the Regulatory Burden


By Dan Kemp
Dan Kemp
Vice President and Chief Architect
ProcessUnity

In December 2006, to most everyone’s pleasure, the PCAOB proposed changes to the standards around provisions of Sarbanes-Oxley. Responding to criticism that the existing standards made compliance too difficult and expensive, the board proposed a revision to Audit Standard Number 2, “An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements.”

Obviously, the new standards are welcome, and the revisions should make auditing of internal controls quicker, cheaper, and more closely aligned with the original intent of the Sarbanes-Oxley Act.

Letting auditors use others’ work
One specific goal of the new standard is to make it easier for auditors to use the work of others in conducting their audits. To this end, the PCAOB has proposed a related auditing standard, “Considering and Using the Work of Others in an Audit.”

Although the old standard allowed an external auditor to rely on the work of internal auditors and others in testing controls, certain provisions of AS No. 2 were ambiguous. In practice, many auditors were reluctant to use others’ work, and retested everything. Given external auditor reluctance to reuse the work of others, many companies limited their own investment in internal testing of controls since they knew the auditor would retest everything anyway. This was especially true for SAS 70 situations.

An opportunity
According to the PCAOB, the new standards “should encourage auditors to leverage the available work of others to the greatest extent possible in their audits.” If you already have a good internal testing program, the new standards should allow you to substitute some of your own internal testing for tests otherwise performed by the external auditor. If you do not have a good internal testing program, you now have an additional justification for creating one—your investment will be at least partially offset by a reduction in external audit fees.

In either case, if you want the auditors to rely on your testing, you’ll need to be particularly concerned with:

* Establishing an objective, competent testing team
* Planning and scheduling testing
* Documenting results
* Making your work accessible to auditors

An objective, competent testing team
The internal testing team must be demonstrably competent and objective or the external auditor should not and will not rely on their work. Key factors here:

The team’s place in the organization
Ideally, the testing team should be under the direction of someone who reports regularly to the board of directors or audit committee, and it should be fully dedicated rather than part-time.

Objectivity of Individuals
The assessment of team objectivity will be up to your auditor. However, you can assume that the team will not be considered objective if it lacks significant insulation from those whose controls they’re testing.
Requirements regarding individual tester objectivity should be reflected in written policy. Testers should not test in areas where relatives are employed, nor should they conduct tests of areas in which they are currently, were recently, or will be shortly assigned. Testers should never have responsibility for performing the very controls they are testing, nor should they be given any financial incentive to achieve a certain testing result.

Individual Competence
The decision to use the work of an individual will be up to the auditor. Points to consider in assessing competence include education level, experience, certification, continuing education, and level of supervision. And, obviously, the competence expected varies with the subject matter of the controls.
The auditor’s expectations will be higher when the risk factors of the subject area are higher and when interpretation of test results requires subjective judgment.
In summary, then, your testing team must always be objective and competent, but the level and domain of competence required will vary by subject area tested. In picking team members, one size does not fit all.

Documenting test results
If the auditors are to rely on your work, they will need to know what you tested, what your results were, and what conclusions you drew, and they’ll need to see the evidence on which you based your conclusions.

Documenting the test
A statement of test results such as “no exception found” or “two out of 60 terminated employees still had access to the system” is not documentation. You need to keep the backup detail. Whenever possible, support each test execution with everything an outside observer would need to validate the tester’s conclusions.

Documenting the tester
A less obvious requirement is the need to document the tester. The willingness of the auditor to rely on the work of others depends on the competence and objectivity of the person performing the test. Each test execution must be unambiguously tied to a given tester, and some statement of the qualifications and independence of each tester should be available.

A word on test scheduling
The external auditor will typically test once a year, but some controls should be tested more frequently. Testing frequency is a function of:

* The risk associated with the subject area.
* The likelihood of change since the last test.
* The frequency of the transaction controlled.
* The resources available for internal testing.

Make your work auditor-accessible
Regardless of their intentions and yours, auditors will be able to use your work only if they can easily find it and can be assured that it has not been tampered with. This is where compliance controls management software becomes essential.

Assuring data integrity
Once recorded, test results and backup documentation must be protected from after-the-fact tampering, so that it is not possible for a manager to delete or modify evidence of a failed test.

Providing auditor access
Compliance controls management software should also make it very easy for an auditor to find and review the testing work you have already done.

During a single short set of continuous interactions with your controls management system, an auditor should be able to do the following:

* View the entire set of control objectives, and control activities
* Select a control activity and test procedure for further investigation
* View a detailed summary of test executions
* Select a test execution for further investigation
* View supporting test detail and documentation
* View information about the competence and objectivity of the tester
* Initiate a request for additional documentation
* Record their own judgment about test validity

Getting started
Before you start, meet with your external auditors to discuss the opportunity presented by the proposed standards, and to understand their perspectives and requirements. Jointly identify areas where your internal testing can best supplement or replace their external testing.

Obtain the right tools—compliance controls management software can be extremely helpful here. Then start testing and documenting results. The more thoroughly you test, the more your auditors will rely on your testing, and the better your chances of a clean audit report at the end of the year.
