Authored by: John P. Bennecke and Jennifer Crawford
As companies continue to rely more and more on electronic support and documentation, auditors are paying more attention to the resulting technology risks. In 2013, COSO issued an updated framework providing new guidance for companies related to internal controls reporting. One of the important updates relates to electronic information produced by entities (IPEs) commonly referred to as Electronic Audit Evidence (EAEs) or User Developed Applications (UDAs). Once focused primarily on spreadsheets, this definition now encompasses system generated reports or any other electronic data utilized as part of your tax processes.
Following the new guidance, the PCAOB released the Staff Audit Practice Alert No. 11 which confirmed that an alarming amount of audits of internal controls over financial reporting are still not up to standard. One of the areas highlighted in the release was increased attention that would be paid to informational technology controls. Auditors have been failing the PCAOB’s standards of sufficiently testing accuracy and completeness of system generated data or reports used by the process owner. This suggests that auditors will be changing their process around their audits and putting high scrutiny on the use of spreadsheets and system-generated reports, particularly in the areas of completeness and accuracy, rather than just existence. This initiative may be driven by both internal and external audit as some companies may be relying on internal audit to supplement external audit work and reduce their external audit fees.
Tax departments rely on multiple spreadsheets and system-generated reports during both the provision and tax return process. Between the complexity involved in the calculation and the close proximity to the financial statements, income tax is almost always flagged as a high risk by auditors. Previously, the Information Technology departments held the sole responsibility for controls over these systems or reports; however, auditors are now requiring the users of those reports to take ownership of designing and implementing controls around the EAEs they use.
Audit firms are asking process owners to identify the EAEs used for each control to help them better isolate the risk these spreadsheets or reports play in each control. Once identified, auditors may ask to look into many factors, including restrictions on use, restrictions on changes, versioning, and logic testing to determine the risk of each document. For tax departments who rely on countless external inputs, as well as their own complex spreadsheets, this may be a significant undertaking, and incorrectly performing these tasks can bring unwanted attention to your processes.
Effectively designed EAEs consider a number of key factors to reduce risk and ensure sustainability:
True Partners consulting is here to help you prepare your process area for the increased scrutiny that is sure to come from your auditors. A full examination would include a risk assessment, a review of the current process to identify the areas which could benefit from automation or software, and a design of controls around the manual inputs or complex spreadsheets. We will provide recommendations based on your needs and work with your team to develop a clear and comprehensive implementation plan. Our team will
also provide consultation and assistance to drive the implementation of those changes, whether in an automated environment or within the existing EAE environment, to reduce risk and strengthen your tax department.
True Partners Consulting is an independent tax consulting and advisory firm with a team of experienced professionals who can help you prepare your provision and tax return compliance processes to be ready for the shift happening within audits of internal controls. Together, we can streamline your usage of EAEs and design controls to put in place around these reports to be prepared for approaching audit requests.
To download this article in PDF form, please Click Here