The purpose of this BRS Alert is to provide additional guidance on quality and
documentation standards for Sarbanes Oxley Section 404 Advisory Engagements for
non-audit clients.
Introduction
Section 404 of the Sarbanes-Oxley Act of 2002 requires management to evaluate the
effectiveness of its internal control over financial reporting and for the company’s
independent auditors to report on both management’s assessment and on the
effectiveness of control. PCAOB Auditing Standard No. 2 provides guidance to audit
firms as to the nature, scope and level of work necessary to issue an opinion. PCAOB
Standard No. 2 describes the elements of management’s assessment process that the
independent auditor must evaluate, and also indicates that management should have
sufficient evidence, including documentation, to support its assessment.
This BRS alert outlines our policies in certain key areas of a Section 404 assistance
engagement. An implementation section accompanies each policy to assist
engagement teams with compliance with the policy. It is important to note, however,
that unless specific guidance exists to the contrary, our normal policies and
procedures (such as those covering client and engagement acceptance, engagement
letters, documentation, review and reporting) apply fully to our work in 404 assistance
engagements. Common sense and professional judgment must be applied in
determining the application of these standards to our work.
BRS Alert – Section 404 Quality and Documentation - continued
Policy
Our engagement letter should properly reflect the nature and scope of the work we
have agreed to perform for our client. Where our work ultimately differs significantly
from the terms described in our engagement letter, for whatever reasons, we should
examine whether there is a need to draft an amendment to the original scope of
services as outlined in the engagement letter, prepare a supplemental engagement
letter or prepare a new engagement letter. Where the change does not materially affect
the contractual relationship between Ernst & Young and the client (i.e., the scope of
services outlined in the engagement letter were provided to the client with minor
deviations, scope of process documentation was increased, findings and
recommendations report was not provided), it is sufficient to prepare a memo to the
file outlining the change to the scope of our services and the reason for the change.
If changes to an engagement letter involve altering the terms of our standard Section
404 engagement letter to properly reflect the work we are performing, these changes
should be referred to the BRS Global Director for review and approval prior to
issuance of the engagement letter to the client. In addition, engagement teams should
consult with General Counsel’s Office and the BRS Global Center for requested
changes to the terms and conditions of the engagement. Evidence of this consultation
should be maintained in your workpapers.
Implementation
Because many of our engagement letters were drafted before the deferral of the
effective dates for Section 404 compliance, our scope of work as outlined in the
engagement letter might not always properly align with the deliverables we will be
providing. If the engagement letter states in the scope of services section that we are
issuing findings and recommendations reports, and we have not done so to date, we
need to understand if we have failed to fulfill our contractual obligation with the
client. This is accomplished by considering the following: 1) whether the client
agreed with and accepted our process documentation as the expected deliverable from
the performance of our procedures; 2) whether the client was satisfied with our work
product; and, 3) whether the engagement team avoided providing recommendations,
in any form whatsoever, for the control gaps and weaknesses highlighted in the
process documentation or testing provided to the client. If the answer to each of the
above questions is yes, then we should prepare a memo to the file indicating that the
client did not expect a report of findings and recommendations.
For new engagements, when the client indicates that it does not want a findings and
recommendations report as a deliverable, we should modify the wording in the
engagement letter to read as follows: “We will
issue a findings and recommendations report only if you request recommendations
from us, in any form, regarding remediation of identified control gaps and weaknesses
from our procedures.”
If we are only providing loaned staff to a client to assist them with their Section 404
compliance efforts, the scope of services section of our engagement letter should be
modified as follows:
It is very important that the engagement letter signed by the client properly mirrors
the scope of services that we have been engaged to provide. Thus, the scope of
services provisions of the standard 404 engagement letter should be tailored to reflect
only those services that we have been engaged to perform.
If a new engagement letter is needed, it should be obtained from the BRS Global
Center or the Americas General Counsel's Office.
Policy
When working with client staff as part of a joint team, we maintain responsibility for
the quality of the work done by our staff, unless we have a signed engagement letter
stating that the work of our staff will be performed at management’s direction and
reviewed by management. To support the work that we have performed, we should
maintain sufficient working paper documentation evidencing the work and review
procedures we have performed.
Implementation
Our working papers, which might consist of printouts from the client’s software
package or manually prepared working papers (e.g., memos to the file, process
narratives and flowcharts, and risks and control matrices), can be maintained
electronically in EY/AWS or in hard copy. Our working papers should be properly
archived at the end of the engagement.
Policy
Implementation
Policy
Our sample of items for testing identified controls should be derived from the entire
population of transactions over which the control is performed, including all
applicable locations/reporting units. While it is more efficient to select the sample of
items for testing from the broader population, we should segregate that population and
select individual samples of items for testing when: 1) we determine the controls we
plan to test are not applied uniformly across the broader population; 2) the controls
are subject to differing risks; or, 3) the controls are not common to the larger
processes and population. In essence, each item in the population should have an
equal chance of being selected for testing. The sample sizes will need to be
determined between the PMO leader and external audit provider.
Implementation
Based on the type of controls being tested, we believe the following represent
appropriate benchmarks for the sample sizes.
In selecting our sample for testing from the population, the project team should use
EY/Random to select an unbiased, independent sample. EY/Random can be accessed
from the Start menu, then select AABS, then Other AABS Tools, then EY/Random.
Reporting
Policy
Where we are not required to provide the client with a written report of findings and
recommendations, we should not provide similar information informally or in any
other way (i.e., Power Point presentations or within the risk and control matrices or
equivalent documents). Our standard report format includes certain elements
designed to help us manage our risk more effectively and is designed to be consistent
with the nature of the work we have been engaged to perform. Without the benefit of
all of the elements of our standard written report of findings and recommendations,
the client might perceive that we are providing some level of assurance on the
processes we have documented or the controls we have tested.
When issuing a findings and recommendations report, our BRS Review and Approval
Summary form must be completed and maintained in our working papers. The pre-
issuance reviewer for our 404 engagements must be a partner or principal who has
been pre-approved in accordance with our policies and procedures.
Implementation
If the engagement team is providing the client with completed process documentation
(i.e., process narratives and flowcharts accompanied with a risk and control matrix
that identifies control weaknesses and gaps), but we do not provide a recommendation
for remediation, a findings and recommendations report is not required. To the extent
that the risk and control matrix includes an assessment of the control as effective or
ineffective, our working papers should be explicit that this assessment is based on
design effectiveness and not operating effectiveness.
The documentation that we provide to our clients outlining the results of our testing
procedures should refrain from making conclusions regarding the operating
effectiveness of the control. Our documentation should only include our findings
(e.g., the facts from the results of our testing). [The conclusion as to the effectiveness
is solely management’s responsibility.] For instance, “no exceptions noted,” or “out of
25 tested, 2 items contained an error,” with the details of the error or underlying
documentation to support the error. Management can take the results of our work to
evaluate the operating effectiveness of the individual controls and the overall process,
which will encompass taking into consideration company level and information
technology general controls.
Policy
Where we provide verbal advice particularly associated with judgmental areas such as
materiality, setting the scope of management’s assessment, and the classification of
control deficiencies, we should include appropriate documentation in our working
papers. Our documentation should include the issue that management has raised, if
any, our response, and any intended actions as a result of it. These discussions should
include an engagement executive and the memo to the file should be subjected to our
normal review procedures.
We should retain on our files copies of any material such as Power Point slides used
to present our advice, with appropriate notations or other documentation addressing
the above points.
Questions
All questions regarding our documentation and quality standards should be forwarded
to Kevin Sheehan in the BRS Global Center.