|
Featured Member
Special Agent Bernardo Rodriguez, CCS
Our featured member is Special Agent Bernardo (Bernie) Rodriguez of the U.S. Coast Guard Investigative Service (CGIS).
Special Agent Rodriguez is a Certified Controls Specialist and also holds the designation of Certified Fraud Examiner. He began his federal law enforcement career in 1996 with the former Immigration and Naturalization Service (INS) after completing an 11 year enlistment with the U.S. Navy. Subsequently, he spent 13 years with U.S. Department of Health and Human Services, Office of Inspector General in Miami, Florida where he was an Assistant Special Agent in Charge responsible for managing 14 Special Agents and supervising healthcare fraud violations. He also pioneered many initiatives and supervised numerous precedent setting healthcare fraud cases. In 2010, Special Agent Rodriguez was hired by the U.S. Coast Guard Investigative Service (CGIS) and assigned to the Special Operations Group in Miami, Florida, where he was responsible for investigating internal violations of the Uniform Code of Military Justice, Maritime Environmental Crimes, and was deployed in response to the Deep Water Horizon Oil Spill, where he was assigned to the protection of Commandant Thad Allen, Critical Incident Commander. In May 2011, Special Agent Rodriguez was promoted to Resident Agent in Charge of the CGIS' Miami Field Office. In that capacity, he is in charge of all CGIS' investigative activities within South Florida and is responsible for supervising 15 Special Agents. He holds a Criminal Justice Degree from Mountain State University and is currently pursuing a Master Degree in National Security Studies with a concentration in Homeland Security from the American Military University. He is an active member of both the Institute for Internal Controls and the Association of Certified Fraud Examiners.
__________________________________________
ABOUT THEIIC
The Institute for Internal Controls is a global organization dedicated to promoting an effective internal controls environment in all organizations by providing high quality research and education in all areas of internal controls. As an indicator of expertise in internal controls, The Institute for Internal Controls grants the designation of Certified Internal Controls Auditor (CICA) and Certified Controls Specialist (CCS).
__________________________________________
CONTACT INFORMATION
Institute for Internal Controls
109 Mullen Drive, Suite B
Sicklerville, NJ 08081
856.982.2410
TheIIC e-Newsletter is published on a quarterly basis by The Institute for Internal Controls.
Copyright 2011.
All rights reserved.
Link to TheIIC website
************************************** ************************************** Complete Your MBA Part-time with an 18-Month Accelerated Program with Two One-Week Business Abroad Immersion Courses
Link for Additional Information on the MBA Program
************************************** ************************************** IT STRATEGIC & OPERATIONAL CONTROLS BOOK
Link to Book Site
************************************** ************************************** Job Openings
Click here to Link to the Job Openings Webpage
************************************** ************************************** Forward to a Friend or Add Another Email Address
Click here to Refer a Friend or Add Another Email Address or Opt back in for this and future e-Newsletters or emails from TheIIC
************************************** ************************************** National Association of Construction Auditors Inaugural Conference - Rio Hotel & Casino - Las Vegas - September 19-21, 2011
CLICK HERE FOR REGISTRATION INFORMATION ON THE CONFERENCE
Join our mailing list!
[ ][Join]
|
|
Message from the Chairman
The projects listed for 2011 and 2012 as discussed in my last message to you included the design and development of "The Internal Controls Magazine" which will be supplemented by the peer-reviewed "Journal of Internal Controls." The Magazine will publish non academic articles that cover the subject matter of IC, ethics, fraud, and other subjects of interest to our membership. I again seek from the membership the submission of articles for publication as well as recommendations for subject matter that you may have interest in. Also, we are seeking to develop a working committee to assist me and my staff in the design and development of the Magazine. A second committee from the academic community will be established for the Journal. If you are interested in supporting these efforts via any of the listed avenues, please contact me at chairman@theiic.org.
Dr. Frank
__________________________________________ __________________________________________
|
|
SEC Recommends No New SOX 404(b) Exemptions
|
|
A study by the SEC Office of the Chief Accountant of Section 404(b) of the Sarbanes-Oxley Act was completed earlier this year. The study was mandated by the Dodd-Frank Wall Street Reform and Consumer Protection Act and its scope was restricted to companies with a market capitalization between $75 million and $250 million. Dodd-Frank tasked the SEC with determining how the Commission could reduce the burden of complying with Section 404(b) for smaller accelerated filers, while maintaining investor protections for such companies. It also required a review of whether a complete exemption for such companies from Section 404(b) compliance would encourage companies to list on U.S. exchanges in their initial public offerings (IPOs).
The findings recommended maintaining existing requirements of Section 404(b) for accelerated filers in general, and also calls for actions "that have potential to further improve both effectiveness and efficiency of Section 404(b) implementation." The 404(b) requirements, which focus on the auditor's report on internal control over financial reporting, have been in place since 2004 for domestic issuers and 2007 for foreign private issuers. In June 2007, the PCAOB issued Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated With An Audit Of Financial Statements, to address the costs in conducting an effective audit of internal controls and feedback on 404(b).
The study addresses the auditor attestation requirement with respect to an issuer's internal control over financial reporting (ICFR) pursuant to Section 404(b). It does not address management's responsibility for reporting on the effectiveness of ICFR pursuant to Section 404(a) of the Sarbanes-Oxley Act. Based on its review of prior academic and other research on Section 404, the SEC study drew four conclusions:
1. The cost of compliance with Section 404(b), including both total costs and audit fees, has declined since the 2007 reforms under AS 5;
2. Research has found no conclusive evidence linking the enactment of Section 404(b) to decisions by issuers to exit the reporting requirements of the SEC, including ICFR reporting;
3. Auditor involvement in ICFR is positively correlated with more accurate and reliable disclosure of all ICFR deficiencies, and restatement rates for issuers with the auditor attestation is lower than that for issuers without this attestation; and
4. Disclosure of internal control weaknesses conveys relevant information to investors.
The SEC staff is also monitoring COSO's work to review and update its internal control framework, which "is the most common framework used by management and the auditor alike in performing assessments of ICFR," the report states. The study's analysis of prior research found, among other things, that:
· More internal control weaknesses were discovered by the auditor (or auditor and client jointly) and by control tests rather than substantive tests.
· Disclosures of material weaknesses under Section 302 were more likely in the fourth quarter when auditors were on-site at the client's office most frequently and when the audit firm or office had experience with Section 404 audits
· The majority of internal control deficiencies that were classified by the auditor as a significant deficiency or a material weakness were initially classified by the issuer as less severe.
Link to full article
|
|
Grant Thornton Survey Reveals Chief Audit Executives Say No to Repeal of SOX
|
|
A survey of more than 300 chief audit executives by Grant Thornton found that 88 percent do not believe that Sarbanes-Oxley should be repealed, although half said the shifting regulatory landscape poses the greatest threat to their company. The research also found that of those that believe SOX should be repealed, the cost of compliance is the main reason for doing so. The survey also showed that 69 percent of CAEs surveyed said their organizations use cloud computing technologies, and 45 percent expect their organization's use of the cloud for hosting applications to increase in the next 12 months. Meanwhile, 64 percent indicated cloud computing is not part of their organization's internal audit plan and 43 percent of CAEs surveyed have yet to give any thought to security, governance, risk and controls in a cloud environment. The 2011 survey of U.S. CAEs was conducted in November and December 2010. Respondents came from public and private companies with a wide range of revenues from across the United States
Link to Survey Report
|
|
CAQ Releases In-Depth Guide to Public Company Auditing
|
|
The Center for Audit Quality (CAQ) has just released its newest publication, the In-Depth Guide to Public Company Auditing. The booklet, which may be of interest to the members of TheIIC, is designed for investors and others interested in understanding the external audit process for public companies and role the audit plays in our capital markets. The In-Depth Guide to Public Company Auditing provides more detail about the audit process than the CAQ's 2009 Guide to Public Company Auditing, which serves as an introduction and overview of public company auditing.
According to Cindy Fornelli, Executive Director of the CAQ, the CAQ's continuing dialogue with individual investors indicates that many in the marketplace do not fully understand the scope of the audit process and the responsibilities placed on public company auditors and the purpose of the Guide to Public Company Auditing will be to help bridge that information gap.
Link to Guide
|
|
Reporting on Controls at a Service Organization - SSAE No. 16
|
|
Service Organization Control (SOC) 1 reports will be conducted in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. SSAE 16 is replacing the SAS 70 auditing standard for reporting periods ending on or after June 15, 2011. Much like SAS 70, SSAE 16 provides two (2) reporting options; Type 1, a report on a service organization's system and the suitability of the design of controls", while an SSAE 16 Type 2 Report is officially a "Report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls".
This SSAE addresses examination engagements undertaken by a service auditor to report on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities' internal control over financial reporting. It complements AU section 324, Service Organizations (AICPA, Professional Standards, vol. 1), in that reports prepared in accordance with this SSAE may provide appropriate evidence under AU section 324. (Ref: par. A1).
The focus of this SSAE is on controls at service organizations likely to be relevant to user entities' internal control over financial reporting. The guidance also may be helpful to a practitioner performing an engagement under AT section 101, Attest Engagements (AICPA, Professional Standards, vol. 1), to report on controls at a service organization:
a. Other than those that are likely to be relevant to user entities' internal control over financial reporting (for example, controls that affect user entities' compliance with specified requirements of laws, regulations, rules, contracts, or grants, or controls that affect user entities' production or quality control). AT section 601, Compliance Attestation (AICPA, Professional Standards, vol. 1), is applicable if a practitioner is reporting on an entity's own compliance with specified requirements or on its controls over compliance with specified requirements. (Ref: par. A2-A3)
b. When management of the service organization is not responsible for the design of the system (for example, when the system has been designed by the user entity or the design is stipulated in a contract between the user entity and the service organization). (Ref: par. A4)
In addition to performing an examination of a service organization's controls, a service auditor may be engaged to (a) examine and report on a user entity's transactions or balances maintained by a service organization, or (b) perform and report the results of agreed upon procedures related to the controls of a service organization or to transactions or balances of a user entity maintained by a service organization. However, these engagements are not addressed in this SSAE.
The requirements and application material in this SSAE are based on the premise that management of the service organization (also referred to as management) will provide the service auditor with a written assertion that is included in or attached to management's description of the service organization's system. Paragraph 10 of this SSAE addresses the circumstance in which management refuses to provide such a written assertion. AT section 101 indicates that when performing an attestation engagement, a practitioner may report directly on the subject matter or on management's assertion. For engagements conducted under this SSAE, the service auditor is required to report directly on the subject matter.
|
|
PCAOB Will Weigh Audit Term Limits
|
|
In early June 2011, PCAOB Chairman James Doty announced that the PCAOB is prepared to consider all possible means of addressing audit quality, "including whether mandatory audit firm rotation would help address the inherent conflict created because the auditor is paid by the client," "I don't have a predetermined idea as to whether the PCAOB ultimately should adopt term limits," he said. Rather he said the board would "take up the debate about firm tenure and examine it, with rigorous analysis and the weight of evidence in support and against." Doty called for "a holistic approach to addressing the cultural challenges inherent in auditing, based on a deep, fact-based analysis of the problem." To that end, he said, the board expects to issue over the next two months several policy documents and host roundtables to spur debate and research. He also touched on the board's ongoing examination of the auditor's reporting model (a concept release on alternatives for changing the model is likely to emerge this month) and initiatives relating to audit transparency.
Link to Article
|
|
Surveys Reveals Companies Struggling with Anti-Bribery and Corruption Compliance
|
|
Though the majority of companies in the U.S. and the U.K. are taking measures to address risks associated with anti-bribery and corruption compliance, important percentages are still struggling with such challenges, especially with third party risks and assessing different international requirements, according to KPMG's 2011 Global Anti-Bribery and Corruption Survey. In particular, the report showed that:
· Only a third of the companies that participated in the survey performed anti-bribery and corruption risk assessments. About 20 percent of the firms gave their employees communication and training.
· About 40 percent of firms that trained their employees in anti-bribery and corruption didn't also do so for third parties, such as agents, distributors, vendors, brokers, joint venture partners, or suppliers. More than half of companies did not get periodic compliance certificates from these outside partners. And about 60 percent of firms who have the right to audit their third parties, did not do so.
· Only 43 percent of participating U.S. companies said their anti-bribery and corruption program was compliant with the U.K. Bribery Act. 46 percent of U.K. participants said that their programs were FCPA-compliant.
While every company should look at anti-corruption and bribery as an important business issue and make an informed decision based on a risk assessment, in the real world, that doesn't always get done, says Jay Martin, vice president, chief compliance officer, and senior deputy counsel at the oilfield services firm Baker Hughes Inc. "It takes a while to turn a big ship," says Martin. "You're not going to take a country like the US, even though we're leading edge in the compliance area relative to other countries, and change every company of any size, any industry, and any geographical area, and have them all be in synch with the exactly the same progress on a particular trend." Ryan McConnell, a partner at the law firm Haynes and Boone, on the other hand, was surprised by the survey results, since in his experience, companies seemed doing a thorough job in addressing global anti-corruption concerns. "Companies are focusing on these issues and trying to adapt their compliance programs in a way that meaningfully addresses FCPA risk and the U.K. Bribery Act, as well," says McConnell. "To say that a lot of companies that talk to you aren't really doing what they're supposed to be doing is surprising, because that's not what I and people at other firms that I've been in contact with perceive."
Link to Report
|
|
INTERNATIONAL NEWS-KPMG's Custom Audit Model Scrutinized
|
|
EXTRACT
IN 2009, KPMG designed a tailored audit package for Rentokil that caused uproar in the accounting world. Critics said the deal - which shaved 30% off Rentokil's bill by taking on some internal audit functions - went against basic principles of independence and ethics. The Audit Inspection Unit's annual report is due next month and its view on KPMG's brainchild will be closely scrutinized. One source close to the matter said the AIU sees the package in a positive light, potentially encouraging competitors to follow suit. It begs the question: is KPMG's offering an aberration that will quickly be discredited, or has the Big Four player struck gold?
Chief architect, KPMG's UK head of audit Oliver Tant, said it enhances the audit service by avoiding duplication of external auditors' work by internal auditors, leaving the latter free to direct their attention elsewhere. He gave the example of testing a larger sample of controls or balances of lower value than the materiality level set for the statutory audit. Normally, internal auditors would carry out this work, also looking at other aspects of the internal controls environment such as management strategy, corporate social responsibility and reputational risk. Critics' primary complaints center on the self-review threat - whereby an external auditor relies upon its own internal audit work - and the management risk, which warns against internal auditors assuming the role of management.
The Chartered Institute of Internal Auditors, unsurprisingly, viewed the deal with a cold eye. Chief executive Dr. Ian Peters said that, although the service might not actually breach ethics, it could be perceived to do so, and this is potentially just as damaging. He argued the perception that there may be a conflict of interest undermines the whole industry at a time when building respect and credibility is paramount. Such crossover is not permitted in the US and many other jurisdictions. KPMG has been reprimanded in the past for blurring the lines between internal and external audit: it was providing staff to undertake internal audit-like functions in the workplace under the direction of an Australian client. A stop to this was ordered by the US Securities and Exchange Commission earlier this year.
Other critics have claimed auditor independence will be eroded by increasingly lucrative contracts and ever-closer ties between auditor and client. Peters argued that precisely because greater sums of money are involved - with savings for the client and larger contracts for the firm - KPMG is sailing close to the wind in terms of acceptable auditor behavior.
LINK TO ARTICLE
|
|
Instructor and Course Developers Sought
|
|
In the last edition of TheIIC e-Newsletter we sought instructors to assist in the development and instruction of a portfolio of live and video based training courses to be available in 2011 and 2012. Many of you responded; however, we still need more members to volunteer for these assignments. If you are interested contact the Office of the Chairman for consideration at chairman@theiic.org.
|
|
Call for Papers
|
|
A key resource for members is the sharing of information among the membership via articles. Subject matter including techniques for reviewing internal controls, discussion of available tools, case studies, etc. can assist both the new and experienced internal controls auditor/specialist.
If you would like to submit an article or monograph on any subject matter that may be of interest to the membership, we encourage you to do so. You can direct any materials for review to the Chairman at chairman@theiic.org.
|
|
Message from the Editor: Welcome for First-timers
|
|
For first timers, I would like to welcome you to the TheIIC e-Newsletter. In the design of the newsletter we completed extensive research on how to make the e-newsletter successful. As you can see, the layout is a little different than you see in other e- newsletters. While most e-newsletters only give you a few lines of the article, with a link to the full article, we have decided to present an abstract type summary of each, with a link to the full article, when available. We feel that this allows you to get the substance of the article without having to link to another site. However, we do provide a link for those who want any additional details available. This also provides you with the ability to print out the newsletter and read it at your leisure. We encourage any comments or suggestions for improving the e-newsletter. Comments as well as contributions for publication should be sent to me at e-newsletter@theiic.org.
|
|
|
