Leverage Kral Ussery For Your Internal Audit Function
While many larger organizations have an internal audit function staffed with employees, others may not. Kral Ussery can serve as a company's internal auditor by providing independent and objective internal assurance services. Even for companies with an in-house internal audit function, we can also help with a wide range of training and services commonly referred to as "co-sourcing" of the internal audit function. This is especially popular for technology matters in the event the company does not have a Certified Information Systems Auditor (CISA) or other on-site technology resources.
The reality is that many companies have needs beyond their internal audit staffing capabilities. Kral Ussery provides resources, either temporary or long-term, to bridge capability gaps. We can also report directly to audit committees thus enhancing independence of test results and making the efforts more acceptable to external auditors in support of SOX-404 efforts. The fact that we are a licensed accounting firm rather than simply a consulting firm adds credibility to our services by raising the comfort level with audit committees and external auditors.
Our Internal Assurance Practice is fluent in internal auditing standards, tools, and approaches to best meet objectives. We can work to fulfill your internal audit needs through:
Assessing Control Design & Operating Effectiveness
Consistent with SEC staff guidance, we apply a top-down, risk-based approach to identify applicable objectives, and then controls to mitigate risks in not achieving the objectives. This approach explicitly includes IT general controls and entity-level controls, which touches a wide range of departments. A company’s culture, as well as its process for attracting, developing, and retaining employees, are examples of entity-level control areas that have a pervasive effect on objectives, including financial reporting. Hence, this is not simply an exercise of the CFO and controllership functions, but rather involves the inputs and efforts of many people.
The scoping matter of IT controls deserves further attention since there is often an ongoing debate between the IT department, the controllership function, and auditors on this topic. IT general controls and software application controls may be relevant to the internal control over financial reporting (ICFR) evaluation, but this varies widely depending on the company’s technology infrastructure and ultimate uses of the technology. There is a lot of judgment that factors into this, but ultimately if the IT infrastructure or software is relevant to addressing financial reporting risks, either directly or indirectly through other financial reporting controls, it should be considered for scoping purposes.
We leverage COSO’s Internal Control – Integrated Framework for all types of controls, as well as ISACA’s Control Objectives for Information and Related Technologies (COBIT framework) for designing and testing IT controls. It is important to remember that these frameworks can and should be used to help achieve all operating, compliance and reporting objectives, not just ICFR. The Kral Ussery team members are experts in applying these frameworks.
Assessing the Severity of Deficiencies
Concluding on materiality matters lies at the heart of these challenges for both preparers and auditors. In addition to materiality considerations of financial disclosures; preparers and auditors need to consider the level of deficiencies they identify pertaining to the preparer's internal controls over financial reporting (ICFR). Decisions upon whether a deficiency is a material weakness, significant deficiency or simply a deficiency is important in adhering to disclosure requirements, as well as both internal and external auditing standards. This involves a lot of judgment. A process should be followed to consider all of the relevant factors. A decision tree approach is helpful and should be considered.