|
1000 Commerce Drive, Suite 500, Pittsburgh, PA 15275
tel: 412. 506.1131 fax: 412. 494.9272 www.igate.com
July 8, 2005
Craig Wilson
Senior Assistant Chief Accountant
Securities and Exchange Commission
450 Fifth Street, N.W.
Washington, D.C. 20549
|Re:
|iGate Corporation
|Item 4.01 Form 8-K
|Filed May 25, 2005
|File No. 000-21755
Dear Mr. Wilson:
Please find below the responses of iGate Corporation (the “Company”) to the Commission Staff’s additional comments on the above referenced Form 8-K as set forth in its letter dated June 24, 2005 directed to Michael J. Zugay, Senior Vice President, Chief Financial Officer and Corporate Secretary of the Company.
|1.
|SEC COMMENT: Your response to prior comment number 1 indicates that you recorded certain tax adjustments in the second quarter of 2004 which resulted from ineffective controls over the calculation of income taxes. As of December 31, 2004 you considered these ineffective controls to be material weaknesses. We note that your disclosure controls and procedures were effective in the periods ended June 30, 2004 and September 30, 2004. Considering the ineffective controls noted and the adjustments made in the second quarter of 2004, explain to us how you considered your disclosure controls and procedures effective for these periods.
COMPANY RESPONSE: The tax adjustment was a result of the Company’s decision to close its operations in the U.K. during the second quarter of 2004. The issue related to a reserve recorded against certain deferred tax assets due to cumulative prior years net operating losses generated by the Company’s U.K. operation. The significant deficiency arose due to the fact that, because of the complexity of this matter, Company management was unable to determine the amount of the reserve without first consulting with the Company’s independent registered public accounting firm. Subsequent to consultations with its independent registered public accounting firm, the tax adjustment was made. At the time of this adjustment, management was unaware that the significant deficiency would later aggregate into a material weakness in the income tax area when combined with additional significant deficiencies found in the income tax area subsequent to December 31, 2004.
As a result, management determined the Company’s disclosure controls and procedures were effective as of June 30, 2004 and September 30, 2004. Because the above-referenced additional significant deficiencies found subsequent to December 31, 2004, when aggregated with the significant deficiency related to the second quarter income tax adjustment, resulted in the reported material weakness in the income tax area, they did not impact management’s conclusion regarding the effectiveness of the Company’s disclosure controls and procedures as of June 30, 2004 and September 30, 2004. These additional significant deficiencies were identified only in connection with the more comprehensive work undertaken in connection with the preparation of management’s report on internal control over financial reporting, which was required for the first time to be included in the Company’s December 31, 2004 Form 10-K.
|2.
|SEC COMMENT: You also indicate that you decided a material weakness existed because you were unable to determine “whether the steps taken to remediate these deficiencies were effective because test work for two subsequent periods prior to December 31, 2004 was not available.” Please explain what you mean by this statement.
COMPANY RESPONSE: The statement referenced in the above comment was intended to explain to the Commission Staff that Company management and its independent registered public accounting firm determined that testing over at least two quarters was required to ensure that the deficiencies were properly remediated. The Company became aware of additional control deficiencies in the income tax area very late in the fourth quarter of 2004 and used its best efforts to remediate these matters. New controls and procedures were implemented in late December 2004 to remediate the deficiencies. However, the Company did not have adequate time to adequately test the effectiveness of these remediation efforts because management and the Company’s independent registered public accounting firm determined that testing over at least two quarters was required to determine if the new controls and procedures that were implemented in December 2004 were adequate to effectively remediate the control deficiencies.
|3.
|SEC COMMENT: We note that in addition to the 3 material weaknesses you also had 78 significant deficiencies. These deficiencies were not disclosed in your Controls & Procedures as of December 31, 2004 or any subsequent periods. Tell us how you considered Question 11 of the FAQ on Release No. 34-47986 “Management’s Report on Internal Control Over Financial Reporting and Disclosure in Exchange Act Periodic Reports.” Explain how you determined that these deficiencies in the aggregate did not represent a material weakness that required disclosure. Additionally, tell us whether you have made any material changes to your disclosure controls and procedures or to internal controls over financial reporting to remedy any of these deficiencies.
COMPANY RESPONSE: As required by Question 11 of the FAQ on Release No. 34-47986 “Management’s Report on Internal Control Over Financial Reporting and Disclosure in Exchange Act Periodic Reports,” we did consider whether any of these deficiencies, when aggregated, constituted a material weakness. In accordance with the FAQ, the Company disclosed in its Form 10-K/A the material weaknesses and the nature of the significant deficiencies since they were material to the understanding of the disclosure. The remaining significant deficiencies were aggregated as described below, but did not aggregate to any additional material weaknesses and, therefore, the Company did not disclose the existence or nature of the significant deficiencies.
As required by the Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 2 (An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements), paragraph No. 207, “the auditor must communicate in writing to management and the audit committee all significant deficiencies and material weaknesses identified during the audit.” This communication occurred on May 25, 2005 in the form of the PricewaterhouseCoopers “2005 Audit Committee Report” that was presented to the iGate Corporation’s management team and Audit Committee by the Company’s independent registered public accounting firm. Each of the Company’s three material weaknesses and 78 significant deficiencies were detailed in Section IV, Exhibit C of this document. Please note for reference purposes that the Company previously provided a copy of this document to the SEC in its response letter dated June 17, 2005. The Company has added a column titled “Aggregation Reference” and are providing it to the Commission Staff as Appendix I enclosed herewith. It should be noted that both Company management and the Company’s independent registered public accounting firm were in full agreement as to the nature and extent of these weaknesses and deficiencies. Management publicly disclosed each of the three material weaknesses in its December 31, 2004 10-K/A filing.
Each of the 78 significant deficiencies noted above were evaluated both on an individual basis and then in the aggregate by Company management and by the Company’s independent registered public accounting firm.
On an individual basis, management evaluated each of these deficiencies according to “A Framework for Evaluating Control Exceptions and Deficiencies, Version 3, December 20, 2004.” This framework was provided to management by PricewaterhouseCoopers, and the Company utilized this framework as well as other judgmental factors in aggregating its deficiencies. This document is enclosed with this letter as Appendix II. The framework is focused upon the evaluation of deficiencies in four main areas: control exceptions (Chart 1), process/transaction-level control deficiencies (Chart 2), information technologies deficiencies (Chart 3), and other pervasive controls (Chart 4). It is important to note that while the framework provides for a thought process in each of these four
areas, significant judgment is still required on the part of both management and the Company’s independent registered public accounting firm. Both Company management and the Company’s independent registered public accounting firm separately evaluated each of the 78 deficiencies against the appropriate chart noted above.
On an aggregated basis, Company management and its independent registered public accounting firm agreed to group 34 out of the 78 significant deficiencies into 11 aggregated significant deficiencies. The remaining 44 deficiencies that were not aggregated have remained as significant deficiencies on an individual basis. Company management and its independent registered public accounting firm performed this aggregation by combining those deficiencies that shared either significant account balances, related disclosures, and/or related COSO (Committee of Sponsoring Organizations of the Treadway Commission) components. Unlike the evaluation of deficiencies on an individual basis, a framework for evaluation in the aggregation does not exist. Company management and its independent registered public accounting firm therefore performed their aggregation evaluation using significant levels of judgment while considering the nature and extent of the deficiencies relative to management’s response as to the implications on the effectiveness of the Company’s COSO components. None of the 11 aggregated significant deficiencies were deemed to be material weaknesses.
Management’s efforts to date in 2005 have been primarily directed towards remediation of the three (3) material weaknesses disclosed in the Company’s Form 10-K/A as of December 31, 2004. Because of this, there have been no material changes to management’s disclosure controls and procedures or to internal controls over financial reporting to remedy any of the above significant deficiencies. However, management is in the process of formulating a plan that, upon completion, will address each of the above deficiencies.
If you have any questions regarding the Company’s responses, the enclosures provided herein, or would prefer to organize a conference call to discuss any unresolved matters, please do not hesitate to call me (412-787-9590).
|Very truly yours,
|
/s/ Michael J. Zugay
Michael J. Zugay
|cc:
|Sunil Wadhwani
|J. Gordon Garrett
|James J. Barnes, Esq.
|Christine Davis
Appendix I
iGate Corporation
Significant Deficiencies - Aggregation
December 31, 2004
|
SAD Ref
|
Description
|
Business Unit
|
Process
|
Individual Conclusion
|
Aggregation Reference
|
8
|PwC noted that closing checklists appeared to be properly completed by the manager of financial reporting indicating that all recurring entries and trial balance uploads were made into PeopleSoft, however, there appears to be no indication of review of the checklists by the treasurer nor does there appear to be review by the manager of financial accounting or the treasurer prior to upload.
|Corporate
|Financial Accounting & Reporting
|Significant Deficiency
|9,10,11,12,13,14,15,16,18,19
|
9
|There was no formal documentation of review or formal documentation of the process of review of the journal entries by the manager of financial reporting or the treasurer prior to posting although it appears that the treasurer has initialed each journal entry as reviewed after posting.
|Corporate
|Financial Accounting & Reporting
|Significant Deficiency
|8,10,11,12,13,14,15,16,18,19
|
10
|It was noted that with respect to the transactions posted to U.S. non-operating entities and the resulting trial balances that are uploaded, there is no formal documentation of review of the transactions prior to upload by the manager of financial reporting or by the treasurer.
|Corporate
|Financial Accounting & Reporting
|Significant Deficiency
|8,9,11,12,13,14,15,16,18,19
|
11
|Based upon the results of our testing and discussion with the manager of financial reporting, there was no evidence of the validation of the PeopleSoft currency translation. It was noted, based upon our discussion with the manager of financial reporting that he performs this query once a month on-line only and did not maintain any evidence of the query or the results for the year except for December 2004.
|Corporate
|Financial Accounting & Reporting
|Significant Deficiency
|8,9,12,13,14,15,16,18,19
|
12
|Based upon our review of the financial reporting responsibility matrix that included responsibilities for both the quarter and year end procedures, there was no indication either by initialing, sign-off or other notation that any of the responsibilities or activities as annotated on the list had been carried out.
|Corporate
|Financial Accounting & Reporting
|Significant Deficiency
|8,9,11,13,14,15,16,18,19
|
13
|Based upon our inquiries and evidence received, we noted that no reporting log is maintained and all significant reporting issues are not documented but rather discussed with senior management and the audit committee. The treasurer provided, on a summary level, a reporting and disclosure template that provides some points on a very high level to consider as well as a high level summary of matters discussed. It was noted that there was no signoff as reviewed by either the manager of financial reporting, the treasurer, CFO or CEO or evidence that the matters were discussed (meeting notes, comments of financial statements, etc.)
|Corporate
|Financial Accounting & Reporting
|Significant Deficiency
|8,9,11,12,14,15,16,18,19
|
14
|Management did not assess, evaluate, and ensure there was adequate design and operational effectiveness with respect to financial statement footnote disclosures.
|Consolidated iGate Corporation
|Financial Accounting & Reporting
|Significant Deficiency
|8,9,11,12,13,15,16,18,19
|
15
|There is a lack of comprehensive oversight of the financial results and developments of IGS at the iGate Corporate level. Instances such as the failure to record certain external auditor adjustments were noted.
|Corporate
|Financial Accounting & Reporting
|Significant Deficiency
|8,9,10,11,12,13,14,16,18,19
iGate Corporation
Significant Deficiencies - Aggregation
December 31, 2004
|
SAD Ref
|
Description
|
Business Unit
|
Process
|
Individual Conclusion
|
Aggregation Reference
|
16
|Instances were noted whereby the completeness of the Company’s Intercompany Eliminations process was not evident. As a result of this lack of completeness, 2 year-end audit adjustments were recorded to eliminate the impact of these transactions.
|Corporate
|Financial Accounting & Reporting
|Significant Deficiency
|8,9,10,11,12,13,14,18,19
|
18
|Although there is some limited review by the CFO of goodwill, it appears based upon discussion and review of the process with the treasurer, a goodwill analysis is performed annually and has not been reviewed quarterly for any triggering events which would need to be considered in analyzing the Company’s goodwill for impairment.
|Corporate
|Financial Accounting & Reporting
|Significant Deficiency
|8,9,10,11,12,13,14,15,16,19
|
19
|One instance was noted during FY 04 whereby management was late in filing an SEC document form 8k, Report of unscheduled material events or corporate event.
|ALL
|Financial Accounting & Reporting
|Significant Deficiency
|8,9,10,11,12,13,14,15,16
|
IND APP 20
|Market rate information is used for transaction processing when converting currency rates. 55 OPRID’s have access to this function by virtue of being attached to the GL user role.
|India
|Financial Accounting & Reporting
|Significant Deficiency
|Item does not aggregate
|
IND APP 21
|Multicurrency translation options are used for defining options related to converting currency rates. 55 OPRID’s have access to this function by virtue of being attached to the GL user role.
|India
|Financial Accounting & Reporting
|Significant Deficiency
|Item does not aggregate
|
IND APP 3
|
There are non finance users such as the IS team including Help desk team who have access to enter journal entries.
Certain Users within Finance team also have access to this function which is not compatible to the roles that they perform.
|India
|Financial Accounting & Reporting
|Significant Deficiency
|Item does not aggregate
|
IND APP 34
|The file for provision is stored in a separate folder on shared server. Files are not password protected, but the folder is accessed only by concerned personnel in the Accounts Department.
|India
|Financial Accounting & Reporting
|Significant Deficiency
|SPDST 1
|
IND APP 35
|
Certain financial information are stored in the shared folder ‘Accounts$’ – access to which is restricted to concerned personnel in the Accounts Department.
However, all the personnel in the Accounts Department have access to all the folders in the ‘Accounts$’ folder. The access may be restricted to the personnel only to the relevant sub-folders within the ‘Accounts$’ folder and not to the entire folder. This would ensure security of data.
|India
|Financial Accounting & Reporting
|Significant Deficiency
|SPDST 1
|
IND APP 36
|
The input files are stored in a separate folder on shared server. Files are not protected by any password but the folder access is restricted to the concerned person in Accounts Department.
Access to the shared folder is available to all the personnel of the accounts department. The access to the sub-folders of the different locations should be restricted only to the concerned person and to the corporate MIS team.
|India
|Financial Accounting & Reporting
|Significant Deficiency
|SPDST 1
iGate Corporation
Significant Deficiencies - Aggregation
December 31, 2004
|
SAD Ref
|
Description
|
Business Unit
|
Process
|
Individual Conclusion
|
Aggregation Reference
|
IND APP 37
|The output files are stored in a separate folder on the shared server and the files are not password protected.
|India
|Financial Accounting & Reporting
|Significant Deficiency
|SPDST 1
|
IND APP 38
|The US GAAP financials are stored in the shared folder in the server.
|India
|Financial Accounting & Reporting
|Significant Deficiency
|SPDST 1
|
IND APP 4
|
There are non finance users such as the IS team including Help desk team who have access to edit journal entries.
Certain Users within Finance team also have access to this function which is not compatible to the roles that they perform.
|India
|Financial Accounting & Reporting
|Significant Deficiency
|Item does not aggregate
|
IND APP 5
|
There are non finance users such as the IS team including Help desk team who have access to mark journal entries for posting.
Certain Users within Finance team also have access to this function which is not compatible to the roles that they perform.
|India
|Financial Accounting & Reporting
|Significant Deficiency
|Item does not aggregate
|
IND APP 6
|
There are non finance users such as the IS team including Help desk team who have access to post journal entries.
Certain Users within Finance team also have access to this function which is not compatible to the roles that they perform.
|India
|Financial Accounting & Reporting
|Significant Deficiency
|Item does not aggregate
|
IND APP 7
|
There are non finance users such as the IS team including Help desk team who have access to unpost journal entries.
Certain Users within Finance team also have access to this function which is not compatible to the roles that they perform
|India
|Financial Accounting & Reporting
|Significant Deficiency
|Item does not aggregate
|
SOD 1
|Duties are not appropriately segregated within the G/L, P&P, and R&R functions for PeopleSoft 7.5 US and CA instances. (FAR specific)
|Corporate and India
|Financial Accounting & Reporting
|Significant Deficiency
|8, 9,10,11,12,13,14,15,16,18,19,
|
SPDST 1
|Controls were not implemented to support access, change maintenance, input, and version control along with the security and integrity of data for financially significant spreadsheets.
|Corporate and India
|Financial Accounting & Reporting
|Significant Deficiency
|IND APP 34,35,36,37,38
|
28
|There is lack of segregation of duties - AR4
|Canada
|Trade Accounts Receivable
|Significant Deficiency
|Item does not aggregate
|
30
|No company policy stating how Allowance for Bad Debt is determined; estimated by Management - AR15
|Canada
|Trade Accounts Receivable
|Significant Deficiency
|49
|
45
|Corporate Elimination adjustment for intercompany billings identified by PwC and booked by the client; Trade A/R and Trade A/P; Decrease in Trade A/R and Trade A/P of $1,513,278. The adjustment resulted from an operating deficiency, whereas the intercompany balances reconciliation and eliminations failed.
|Corporate
|Trade Accounts Receivable
|Significant Deficiency
|46
iGate Corporation
Significant Deficiencies - Aggregation
December 31, 2004
|
SAD Ref
|
Description
|
Business Unit
|
Process
|
Individual Conclusion
|
Aggregation Reference
|
46
|Corporate Elimination adjustment for intercompany billings identified by PwC and booked by the client; Sales and Direct Costs; Decrease in Sales and Direct Costs of $768,905. The adjustment resulted from an operating deficiency, whereas the intercompany balances reconciliation and eliminations failed.
|Corporate/Canada
|Trade Accounts Receivable
|Significant Deficiency
|45
|
49
|GFS - Mastech Emplifi Allowance for doubtful accounts adjustment identified by management and booked; Allowance for Doubtful Accounts and Expense; Increase in Allowance for Doubtful Accounts and Expense of $466,000. The adjustment resulted from an operating deficiency, whereas the review of a subjective estimate failed.
|GFS
|Trade Accounts Receivable
|Significant Deficiency
|30
|
IND APP 33
|Persons not performing the Receivables function have access to this role.
|India
|Trade Accounts Receivable
|Significant Deficiency
|Item does not aggregate
|
SPDST 1
|Controls were not implemented to support access, change maintenance, input, and version control along with the security and integrity of data for financially significant spreadsheets.
|Corporate and India
|Trade Accounts Receivable
|Significant Deficiency
|InD APP 34,35,36,37,38
|
43
|Corporate bonus adjustment identified by PwC and booked by the client; Accrued Bonuses and Exec Bonus Expense adjustment; Decrease in accrued bonus and exec bonus expense of $300,000. The adjustment resulted from an operating deficiency, whereas the review of a subjective estimate failed.
|Corporate
|Trade Accounts Payable & Accrued Liabilities
|Significant Deficiency
|50
|
50
|Mastech Emplifi payroll and holiday accrual adjustment identified by PwC and booked by client: P&L impact of $275,000 Increase in Sales and Increase of $165,000 Payroll and $110,000 Holiday Expense; $275,000 Increase Unbilled A/R and Accrued liabilities. The adjustment resulted from an operating deficiency, whereas the review of a subjective estimate failed.
|Mastech Emplifi
|Trade Accounts Payable & Accrued Liabilities
|Significant Deficiency
|43
|
52
|Mastech Emplifi intercompany billing audit adjustment identified by PwC and booked by the client; Trade A/P and Cash; Increase in Cash and Trade A/P of $182,000. The adjustment resulted from an operating deficiency, whereas old, outstanding items were not researched and cleared in a timely manner (i.e. reconciliations).
|Mastech Emplifi
|Trade Accounts Payable & Accrued Liabilities
|Significant Deficiency
|53
|
53
|Canada VMS accrual audit adjustment identified by PwC and booked by client; Sales, Direct Costs, Unbilled A/R and Accrued Liabilities; Increase in Sales and Unbilled A/R of $335, 140 and Direct Costs of $324,909 and Accrued Liabilities of $10,231.
|Canada
|Trade Accounts Payable & Accrued Liabilities
|Significant Deficiency
|52
|
69
|Lack of Controller review on EFT payment files.
|BU 11
|Trade Accounts Payable & Accrued Liabilities
|Significant Deficiency
|Item does not aggregate
iGate Corporation
Significant Deficiencies - Aggregation
December 31, 2004
|
SAD Ref
|
Description
|
Business Unit
|
Process
|
Individual Conclusion
|
Aggregation Reference
|
70
|All AP executives have the right to setup a new vendor account. No authorization is required to create/modify vendor accounts.
|BU 50
|Trade Accounts Payable & Accrued Liabilities
|Significant Deficiency
|Item does not aggregate
|
IND APP 22
|Certain IS users like Helpdesk, tech leads, have been given access to enter and maintain AP vouchers, payments and vendor standing data. All finance person who have access to enter AP vouchers also have the access to make payments and change vendor standing data
|India
|Trade Accounts Payable & Accrued Liabilities
|Significant Deficiency
|Item does not aggregate
|
IND APP 23
|
AP administrator role has access to make changes to critical control information related to the AP sub-system such as Bank information, Payables definition etc. 3 OPRID’s who have access to this function including IS persons are
1. Swadhin Kumar Patel
2. Bhaskar DeBiswas
3. Sambasivam Kailasam
|India
|Trade Accounts Payable & Accrued Liabilities
|Significant Deficiency
|Item does not aggregate
|
IND APP 24
|Users having the AP user role (52 OPRID’s) have access for loading assets for import to the AM module.
|India
|Trade Accounts Payable & Accrued Liabilities
|Significant Deficiency
|Item does not aggregate
|
APD 92
|PSAUDIT table is not reviewed proactively to identify vendor entries that were modified or added. The review is performed whenever there is a need to investigate suspicious activity and there is no documentation of that review retained.
|Pittsburgh
|Trade Accounts Payable & Accrued Liabilities
|Significant Deficiency
|Item does not aggregate
|
SOD 1
|Duties are not appropriately segregated within the G/L, P&P, and R&R functions for PeopleSoft 7.5 US and CA instances.
|Corporate and India
|Trade Accounts Payable & Accrued Liabilities
|Significant Deficiency
|Item does not aggregate
|
SPDST 1
|Controls were not implemented to support access, change maintenance, input, and version control along with the security and integrity of data for financially significant spreadsheets.
|Corporate and India
|Trade Accounts Payable & Accrued Liabilities
|Significant Deficiency
|IND APP 34, 35, 36, 37, 38
|
91
|Control Testing Exception: Segregation of duties, the corporate treasurer independently reviews the income tax calculation on a quarterly basis. Client Control Identification: T-1.
|Corporate
|Income Taxes
|Significant Deficiency
|Item does not aggregate
iGate Corporation
Significant Deficiencies - Aggregation
December 31, 2004
|
SAD Ref
|
Description
|
Business Unit
|
Process
|
Individual Conclusion
|
Aggregation Reference
|
92
|Control Testing Exception: Restricted Access to People Soft 7.5. Noted during the testing, the corporate tax manager, who prepared the income tax accrual, had super-user access to the People Soft 7.5 system. Control identification T-2.
|Corporate
|Income Taxes
|Significant Deficiency
|Item does not aggregate
|
93
|Control Testing Exception: No evidence of review and completion of checklist with retained supporting evidence for the following items related to the income tax accrual: 1. Updates for any new process documentation for any know tax laws accounting changes, 2. Updates for any new permanent tax items, 3. e-mails the Manager of Financial Reporting the balance of Income Before Tax (IBT) used in the final tax provision calculation requesting that he confirm it is the final IBT for financial reporting purposes. We noted no sign-off and review of this documentation for the third quarter. As this is a quarterly control, this is testing deficiency. Control Identification T-5
|Corporate
|Income Taxes
|Significant Deficiency
|Item does not aggregate
|
98
|Control Testing Exception: Each quarter, the Director of Taxes ensures that approved adjustments were input correctly into PeopleSoft by the Accounting Manager by tying the ending balances per the final Tax Provision/Accrual Adjustment spreadsheet for the quarter to the general ledger balances. There is no evidence of review of this control for the third quarter. Review was only evidenced for the fourth quarter. Control Identification T-11
|Corporate
|Income Taxes
|Significant Deficiency
|Item does not aggregate
|
54
|iGS US GAAP audit adjustment identified by PwC and booked by client; Increase in PP&E of $769,300 and Payables of $690,697 and SG&A of $46,341 and Direct Costs of $32,262.
|iGS
|PP&E
|Significant Deficiency
|Item does not aggregate
|
55
|iGS US GAAP audit adjustment identified by PwC and booked by client; Increase in Accum Dep. And SG&A of $128,442.
|iGS
|PP&E
|Significant Deficiency
|Item does not aggregate
|
56
|iGS US GAAP audit adjustment identified by PwC and booked by client; Decrease in Land and Increase in SG&A of $33,513.
|iGS
|PP&E
|Significant Deficiency
|Item does not aggregate
|
86
|Depreciation has been calculated wrongly for certain assets.
|BPO-Fixed Assets
|PP&E
|Significant Deficiency
|Item does not aggregate
|
87
|No evidence of review of the asset details maintained in the excel sheet.
|BPO-Fixed Assets
|PP&E
|Significant Deficiency
|Item does not aggregate
|
SOD 1
|Duties are not appropriately segregated within the G/L, P&P and R&R functions for Peoplesoft 7.5 US and CA instances.
|Corporate and India
|PP&E
|Significant Deficiency
|Item does not aggregate
|
SPDST 1
|Controls were not implemented to support access, change maintenance, input, and version control along with the security and integrity of data for financially significant spreadsheets.
|Corporate and India
|PP&E
|Significant Deficiency
|Item does not aggregate
|
74
|Review of SAS 70 and the related necessary client controls was not formally performed.
|Canada
|Payroll
|Significant Deficiency
|Item does not aggregate
|
APD 3
|iGate's documentation and testing does not demonstrate that periodic reviews of direct Oracle data access were occurring.
|Pittsburgh
|GCC
|Significant Deficiency
|Item does not aggregate
|
IND PD/PC 4
|Members of the Development team migrated the modules to the test environment for the PeopleSoft 8.8 implementation.
|India
|GCC
|Significant Deficiency
|IND PD/PC 9; APD 18; IND APD 22
iGate Corporation
Significant Deficiencies - Aggregation
December 31, 2004
|
SAD Ref
|
Description
|Business Unit
|Process
|Individual Conclusion
|Aggregation Reference
|
IND PD/PC 9
|Evidence was not obtained for change control logs with details of changes made and tracked within the People soft system; therefore, we could not confirm that all changes followed the change control process.
|India
|GCC
|Significant Deficiency
|IND PD/PC 4; APD 18;
IND APD 22
|
IND CO 20
|Changes to access to Share folders in file servers, where financial and account information is retained, was not recorded.
|India
|GCC
|Significant Deficiency
|Item does not aggregate
|
ADP 18
|No documentation was maintained to demonstrate the formal process of the initial request, authorization, testing, or approval for migration for any of the seven changes made to PeopleSoft 7.5 in 2004.
|Pittsburgh
|GCC
|Significant Deficiency
|IND PD/PC 4,9; IND
APD 22
|
APD 21
|Terminated employees access is not revoked in a timely manner for PeopleSoft 7.5
|Pittsburgh
|GCC
|Significant Deficiency
|Item does not aggregate
|
SPDST 1
|Controls were not implemented to supporting access, change maintenance, input, and version control along with the security and integrity of data for financially significant spreadsheets,
|Pittsburgh
|GCC
|Significant Deficiency
|Item does not aggregate
|
IND APD 2
|Help desk tracks user request for project related information only. The request for the project related information is communicated as part of Software Project Plan (SPP).
|India
|GCC
|Significant Deficiency
|Item does not aggregate
|
IND APD 17
|Helpdesk users who are a part of the IS team have been found to have access to most critical functions within the PS system.
|India
|GCC
|Significant Deficiency
|Item does not aggregate
|
IND APD 18
|The id VP1, a People soft delivered id, is shared among multiple individuals to perform administrative functions. Individual accountability is not maintained. There is no person performing the role of People soft security Administrator.
|India
|GCC
|Significant Deficiency
|Item does not aggregate
|
IND APD 19
|
The management documentation on PeopleSoft did not contain the following:
1. The process of User ID creation and deletion.
2. Grant of roles on creation
3. The process of attaching additional roles.
|India
|GCC
|Significant Deficiency
|IND APD 20, IND
APD 21
|
IND APD 20
|The management’s access control matrix does not analyze the actual duties performed by each user and does not establish the link between the work performed by the user and his defined role in PeopleSoft.
|India
|GCC
|Significant Deficiency
|IND APD 21
|
IND APD 21
|The management’s access control matrix does not list the permission lists. Since PEOPLESOFT 8.8 access is ultimately decided by the permission lists that a user can access through the roles assigned to him/her, it is relevant to identify whether the permission lists exist.
|India
|GCC
|Significant Deficiency
|IND APD 20
|
IND APD 22
|
The change control option for tracking changes to objects within Peopletools has not been enabled.
Hence, it is not possible to track any change made in the production environment.
|India
|GCC
|Significant Deficiency
|IND PD/PC 4,9; APD
18;
iGate Corporation
Significant Deficiencies - Aggregation
December 31, 2004
|
SAD Ref
|
Description
|Business Unit
|Process
|Individual Conclusion
|Aggregation Reference
|
IND APD 23
|Authorization to make/modify change control settings within People soft is available with 11 users in addition to 6 People soft application power users. IS development personnel also have access to this feature. These access permissions are inappropriate
|India
|GCC
|Significant Deficiency
|Item does not aggregate
|
IND APD 24
|Authorization to migrate changes to production environment is available with 10 users in addition to 6 People soft application power users. IS personnel are also having the authorization to migrate changes to production.
|India
|GCC
|Significant Deficiency
|Item does not aggregate
|
IND APD 30
|
Of the 22 default OPRID’s delivered by People soft, 5 are being maintained by IT team . Of these, the default password of PSAPPS has not been changed. We were informed that this will be changed.
The remaining 17 default OPRID’s are maintained by the IS te
|India
|GCC
|Significant Deficiency
|Item does not aggregate
|
IND APD 32
|There are 19 OPRID’s having access to People soft System Administration Tools. IS Helpdesk persons have access to People soft Administration Tools.
|India
|GCC
|Significant Deficiency
|Item does not aggregate
|
IND APP 1
|
There are 27 OPRIDS’s having access to People soft Tree Manager.
The Tree Manager has access to change the Chart of Account groupings.
|India
|GCC
|Significant Deficiency
|Item does not aggregate
|
IND APP 2
|The IS development team has access to Finance roles in production environment.
|India
|GCC
|Significant Deficiency
|Item does not aggregate
|
IND APP 33
|Persons not performing the Receivables function have access to this role. Billing User have access to this role. Access to this role permits users to process collections.
|India
|GCC
|Significant Deficiency
|Item does not aggregate
|
iGate Identified
|Segregation of duties issue within the Accounts Payable function whereby the same individual who processes payments also is able to establish vendors.
|India
|GCC
|Significant Deficiency
|Item does not aggregate
Appendix II
A Framework for Evaluating
Control Exceptions and Deficiencies
Version 3
December 20, 2004
Table of Contents
|Page
|1
|3
|14
|
Chart 1 – Evaluating Exceptions Found in the Testing of Operating Effectiveness
|17
|
Chart 2 – Evaluating Process/Transaction-Level Control Deficiencies
|18
|
Chart 3 – Evaluating Information Technology General Control (ITGC) Deficiencies
|19
|
Chart 4 – Evaluating Deficiencies in Pervasive Controls Other than ITGC
|20
Introduction and Purpose
This paper outlines a suggested framework for evaluating exceptions and deficiencies resulting from the evaluation of a company’s internal control over financial reporting. Issuers and auditors may find this framework useful.
This paper should be read in conjunction with Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements (AS 2), especially the definitions in paragraphs 8 through 10, the section on evaluating deficiencies in paragraphs 130 through 141, the examples of significant deficiencies and material weaknesses in Appendix D, and the Background and Basis for Conclusions in Appendix E. The framework is not a substitute for AS 2 and other relevant professional literature.
The framework was developed by representatives of the following nine firms:
BDO Seidman LLP
Crowe Chizek and Company LLC
Deloitte & Touche LLP
Ernst & Young LLP
Grant Thornton LLP
Harbinger PLC
KPMG LLP
McGladrey & Pullen LLP
PricewaterhouseCoopers LLP
In addition, William F. Messier, Jr., Professor, Georgia State University, also contributed to the development of the framework.
This framework reflects their views on a framework consistent with their understanding of AS 2.
The framework represents a thought process that will require significant judgment. The objective of the framework is to assist knowledgeable and experienced individuals in evaluating deficiencies in a consistent manner. The mere mechanical application of this framework will not, in and of itself, necessarily lead to an appropriate conclusion. Because of the need to apply judgment and to consider and weigh quantitative and qualitative factors, different individuals evaluating similar fact patterns may reach different conclusions.
The framework recognizes the requirement in AS 2 to consider likelihood and magnitude in evaluating deficiencies. It also recognizes that AS 2.136 states:
In evaluating the magnitude of the potential misstatement, the auditor should recognize that the maximum amount that an account balance or total of transactions can be overstated is generally the recorded amount. However, the recorded amount is not a limitation on the amount of potential understatement. The auditor also should
1
recognize that the risk of misstatement might be different for the maximum possible misstatement than for lesser possible amounts.
The framework applies these concepts through the evaluation of a combination of magnitude and likelihood. Because of the wide variety of control types, population characteristics, and test exception implications, the group did not undertake to develop a purely quantitative model. Instead, the framework considers quantitative and qualitative factors.
This paper does not address the determination of materiality. Reference, in that regard, should be made to AS 2.23, which states:
The same conceptual definition of materiality that applies to financial reporting applies to information on internal control over financial reporting, including the relevance of both quantitative and qualitative considerations.*
|•
|The quantitative considerations are essentially the same as in an audit of financial statements and relate to whether misstatements that would not be prevented or detected by internal control over financial reporting, individually or collectively, have a quantitatively material effect on the financial statements.
|•
|The qualitative considerations apply to evaluating materiality with respect to the financial statements and to additional factors that relate to the perceived needs of reasonable persons who will rely on the information. AS 2.6 describes some qualitative considerations.
|*
|AU sec. 312, Audit Risk and Materiality in Conducting an Audit, provides additional explanation of materiality.
2
Guiding Principles
The principles set forth below correspond to the box numbers on the appropriate charts included in this paper.
The evaluation of individual exceptions and deficiencies is an iterative process. Although this paper depicts the evaluation process as a linear progression, it may be appropriate at any point in the process to return to and reconsider any previous step based on new information.
In applying the framework, the following should be considered in determining which chart(s) to use for evaluating individual exceptions and deficiencies:
|•
|Chart 1 is used to evaluate and determine whether an exception noted in performing tests of operating effectiveness represents a control deficiency.
|•
|Chart 2 is used to evaluate and classify control deficiencies in manual or automated controls that are directly related to achieving relevant financial statement assertions.
|•
|Chart 3 is used to evaluate and classify deficiencies in ITGCs that are intended to support the continued effective operation of controls related to one or more relevant financial statement assertions. If an application control deficiency is related to or caused by an ITGC deficiency, the application control deficiency is evaluated using Chart 2 and the ITGC deficiency is evaluated using Chart 3.
|•
|Chart 4 is used to evaluate and classify control deficiencies in pervasive controls other than ITGC. Such control deficiencies generally do not directly result in a misstatement. However, they may contribute to the likelihood of a misstatement at the process level.
After evaluating and classifying individual deficiencies, consideration should be given to the aggregation of the deficiencies using the guiding principles outlined in “Consider and Evaluate Deficiencies in the Aggregate” below.
Evaluating Exceptions
Found in the Testing of Operating Effectiveness (Chart 1)
|
General.
|The testing of controls generally relates to significant processes and major classes of transactions for relevant financial statement assertions related to significant accounts and disclosures. Therefore, the underlying assumption is that all exceptions/deficiencies resulting from the testing must be evaluated because they relate to accounts and disclosures that are material to the financial statements taken as a whole.
|The purpose of tests of controls is to achieve a high level of assurance that the controls are operating effectively. Therefore, the sample sizes used to test controls should provide that level of comfort. In cases in which samples are selected using a statistically based approach, sample sizes for frequently operating manual controls that result in less than a 90% level of
3
|confidence that the upper limit deviation rate does not exceed 10% typically would not provide a high level of assurance. (Refer to the AICPA Audit and Accounting Guide, Audit Sampling).
|The magnitude of a control deficiency (i.e., deficiency, significant deficiency, or material weakness) is evaluated based on the impact of known and/or potential misstatements on annual and interim financial statements.
|While some of the concepts discussed in this paper relate to statistical sampling, the framework does not require the use of statistical sampling. A statistical sample is (1) selected on a random or other basis that is representative of the population and (2) evaluated statistically. In tests of internal controls, it may be impractical to select samples randomly, but they should be selected in an unbiased manner.
|
Box 1.
|All exceptions should be evaluated quantitatively and qualitatively. A thorough understanding of the cause of the exception is important in evaluating whether a test exception represents a control deficiency. This evaluation should consider the potential implications with regard to the effectiveness of other controls, e.g., the company’s ITGCs and other COSO components.
|In concluding whether the test objective was met, considerations include:
|
• The deviation rate in relation to the frequency of performance of the control (e.g., absent extending the test, there is a presumption that an exception in a control that operates less frequently than daily is a control deficiency).
|
• Qualitative factors, including exceptions that are determined to be systematic and recurring or that relate to the factors outlined in AS 2.133, 139, and 140.
|
• Whether the exception is known to have resulted in a financial statement misstatement (e.g., there is a presumption that an exception that results in a financial statement misstatement in excess of the level of precision at which the control is designed to operate, is a control deficiency).
|A control objective may be achieved by a single control or a combination of controls. A test of controls may be designed to test a single control that alone achieves the control objective or a number of individual controls that together achieve the control objective.
|
Box 2.
|If the test objective is not met, consideration should be given to whether additional testing could support a conclusion that the deviation rate is not representative of the total population. For example, if observed exceptions result in a non-negligible deviation rate, then the test objective initially is not met. In a test designed to allow for finding one or more deviations, the
4
|test objective is not met if the actual number of deviations found exceeds the number of deviations allowed for in the plan.
|
Box 3.
|If the test objective initially is not met, then there are two options:
|
• If the observed exceptions and resulting non-negligible deviation rate are not believed to be representative of the population (e.g., because of sampling error), the test may be extended and re-evaluated.
|
• If the observed exceptions and resulting non-negligible deviation rate are believed to be representative of the population, the exceptions are considered to be a control deficiency and its significance is assessed.
Evaluating Process/Transaction-Level Control Deficiencies (Chart 2)
Step 1. Determine whether a significant deficiency exists:
|
Box 1.
|When evaluating deficiencies, potential magnitude (inconsequential, more than inconsequential, or material) is based on the potential effect on both annual and interim financial statements. The potential magnitude of a misstatement of annual or interim financial statements of not more than inconsequential results in the deficient control being classified as only a deficiency, absent any qualitative factors, including those in AS 2.9, 137, 139, and 140. Potential magnitude of misstatement may be based on gross exposure, adjusted exposure, or other appropriate methods that consider the likelihood of misstatement.
|
Box 2&3.
|If there are controls that effectively mitigate a control deficiency, it is classified as only a deficiency, absent any qualitative factors, including those in AS 2.9, 137, 139, and 140. Such controls include:
|
• Complementary or redundant controls that achieve the same control objective
|
• Compensating controls that operate at a level of precision that would result in the prevention or detection of a more than inconsequential misstatement of annual or interim financial statements
|Boxes 1, 2, and 3 should be considered separately. Adjusted exposure should not be reduced by the quantitative impact of the compensating and complementary or redundant controls.
|
Box 3.
|An unmitigated deficient control that results in a control objective not being met related to a significant account or disclosure generally results in a more than remote likelihood of a more than inconsequential misstatement of annual or interim financial statements and, therefore, is at least a significant deficiency.
5
Step 2. Determine whether a material weakness exists:
|Box 4.
|The potential magnitude of a misstatement of annual or interim financial statements that is less than material results in the deficient control being classified as only a significant deficiency, absent any qualitative factors, including those in AS 2.9, 137, 139, and 140. Potential magnitude may be based on gross exposure, adjusted exposure, or other appropriate methods that consider the likelihood of misstatement.
|Box 5.
|Compensating controls that operate at a level of precision that would result in the prevention or detection of a material misstatement of annual or interim financial statements may support a conclusion that the deficiency is not a material weakness.
|Box 6.
|In evaluating likelihood and magnitude, related factors include but are not limited to the following:
|
• The nature of the financial statement accounts, disclosures, and assertions involved; for example, suspense accounts and related party transactions involve greater risk.
|
• The susceptibility of the related assets or liability to loss or fraud; that is, greater susceptibility increases risk.
|
• The subjectivity, complexity, or extent of judgment required to determine the amount involved; that is, greater subjectivity, complexity, or judgment, like that related to an accounting estimate, increases risk.
|
• The cause and frequency of known or detected exceptions in the operating effectiveness of a control; for example, a control with an observed non-negligible deviation rate is a deficiency.
|
• The interaction or relationship with other controls; that is, the interdependence or redundancy of controls.
|
• The possible future consequences of the deficiency.
|
• An indication of increased risk evidenced by a history of misstatements, including misstatements identified in the current year (AS 2.140).
|
• The adjusted exposure in relation to overall materiality.
|This framework recognizes that in evaluating deficiencies, the risk of misstatement might be different for the maximum possible misstatement than for lesser possible amounts.
|As a result of this additional evaluation, determine whether the likelihood of a material misstatement to both the annual and interim financial statements is remote. In extremely rare circumstances, this additional evaluation could result in a judgment that the likelihood of a more than inconsequential misstatement to both the annual and interim financial statements is remote.
6
|Box 7&8.
|When determining the classification of a deficiency, consider AS 2.137, which states:
|
When evaluating the significance of a deficiency in internal control over financial reporting, the auditor also should determine the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles. If the auditor determines that the deficiency would prevent prudent officials in the conduct of their own affairs from concluding that they have reasonable assurance,* then the auditor should deem the deficiency to be at least a significant deficiency. Having determined in this manner that a deficiency represents a significant deficiency, the auditor must further evaluate the deficiency to determine whether individually, or in combination with other deficiencies, the deficiency is a material weakness.
|
Note: AS 2.9 and .10 provide the definitions of significant deficiency and material weakness, respectively.
|*
|See SEC Staff Accounting Bulletin Topic 1M2, Immaterial Misstatements That Are Intentional, for further discussion about the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs.
Additional considerations related to misstatements identified:
A greater than de minimis misstatement of annual or interim financial statements identified by management or by the auditor during a test of controls or during a substantive test is ordinarily indicative of a deficiency in the design and/or operating effectiveness of a control, which is evaluated as follows:
|•
|The design and/or operating deficiency(ies) that did not prevent or detect the misstatement should be identified and evaluated based on Chart 2 – Evaluating Process/Transaction-Level Control Deficiencies – applying the following:
|•
|A known or likely (including projected) misstatement that is inconsequential to annual or interim financial statements is at least a deficiency.
|•
|A known or likely (including projected) misstatement that is more than inconsequential to annual or interim financial statements is a strong indicator of a significant deficiency.
|•
|A known or likely (including projected) misstatement that is material to annual or interim financial statements, as addressed in AS 2.140, is at least a significant deficiency and a strong indicator of a material weakness.
|•
|The implications on the effectiveness of other controls, particularly compensating controls, also should be considered.
7
Evaluating ITGC Deficiencies (Chart 3)
|General.
|Deficiencies in ITGCs are evaluated in relation to their effect on application controls.
|
• ITGC deficiencies do not directly result in misstatements.
|
• Misstatements may result from ineffective application controls.
|There are three situations in which an ITGC deficiency can rise to the level of a material weakness:
|
• An application control deficiency related to or caused by an ITGC deficiency is classified as a material weakness
|
• The pervasiveness and significance of an ITGC deficiency leads to a conclusion that there is a material weakness in the company’s control environment
|
• In accordance with AS 2.140, an ITGC deficiency classified as a significant deficiency remains uncorrected after some reasonable period of time
|In evaluating the effect of an ITGC deficiency on the continued effective operation of application controls, it is not necessary to contemplate the likelihood that an effective application control could in a subsequent year become ineffective because of the deficient ITGC.
|Relationship between ITGCs and application controls. An understanding of the relationship among applications relevant to internal control over financial reporting, the related application controls, and ITGCs is necessary to appropriately evaluate ITGC deficiencies. ITGCs may affect the continued effective operation of application controls. For example, an effective security administration function supports the continued effective functioning of application controls that restrict access. As another example, effective program change controls support the continued effective operation of programmed application controls, such as a three-way match. ITGCs also may serve as controls at the application level. For example, ITGCs may directly achieve the control objective of restricting access and thereby prevent initiation of unauthorized transactions.
|Similarly, ITGC deficiencies may adversely affect the continued effective functioning of application controls; in the absence of application controls, ITGC deficiencies also may represent control deficiencies for one or more relevant assertions.
|Evaluating ITGC deficiencies. All ITGC deficiencies are evaluated using Chart 3. Additionally, if an ITGC deficiency also represents a deficiency at the application level because it directly relates to an assertion, the ITGC deficiency also is evaluated using Chart 2. In all cases, an ITGC deficiency is considered in combination with application controls to determine whether the combined effect of the ITGC deficiency and any application
8
|control deficiencies is a deficiency, significant deficiency, or material weakness.
|Box 1.
|Controls that effectively mitigate a control deficiency result in the deficiency being classified as only a deficiency, absent any qualitative factors, including those described in AS 2.9, 137, 139, and 140. Such controls include complementary or redundant controls that achieve the same control objective. An ITGC deficiency identified as a result of an application control deficiency indicates that other ITGCs could not have achieved the same control objective as the deficient ITGC.
|Box 2.
|If no deficiencies are identified at the application level (as evaluated in Chart 2), the ITGC deficiency could be classified as only a deficiency. (Refer to Box 5.)
|Box 3&4.
|If there is a control deficiency at the application level related to or caused by an ITGC deficiency, the ITGC deficiency is evaluated in combination with the deficiency in the underlying application control and generally is classified consistent with the application control deficiency, that is:
|
• A material weakness in an application control related to or caused by an ITGC deficiency indicates that the ITGC deficiency also is a material weakness.
|
• A significant deficiency in an application control related to or caused by an ITGC deficiency indicates that the ITGC deficiency also is a significant deficiency.
|
• An application control deficiency (that is only a deficiency) related to or caused by an ITGC deficiency generally indicates that the ITGC deficiency is only a deficiency.
|Box 5.
|Notwithstanding the guiding principles relating to Boxes 1 through 4, the classification of an ITGC deficiency(ies) should consider factors including but not limited to the following:
|
• The nature and significance of the deficiency, e.g., does the deficiency relate to a single area in the program development process or is the entire process deficient?
|
• The pervasiveness of the deficiency to applications and data, including:
|
• The extent to which controls related to significant accounts and underlying business processes are affected by the ITGC deficiency
|
• The number of application controls that are related to the ITGC deficiency
|
• The number of control deficiencies at the application level that are related to or caused by the ITGC deficiency
|
• The complexity of the company’s systems environment and the likelihood that the deficiency could adversely affect application controls
|
• The relative proximity of the control to applications and data
9
|
• Whether an ITGC deficiency relates to applications or data for accounts or disclosures that are susceptible to loss or fraud
|
• The cause and frequency of known or detected exceptions in the operating effectiveness of an ITGC; for example, (1) a control with an observed non-negligible deviation rate, (2) an observed exception that is inconsistent with the expected effective operation of the ITGC, or (3) a deliberate failure to apply a control .
|
• An indication of increased risk evidenced by a history of misstatements relating to applications affected by the ITGC deficiency, including misstatements in the current year
|When determining the classification of a deficiency, consider AS 2.137, which states:
|
When evaluating the significance of a deficiency in internal control over financial reporting, the auditor also should determine the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles. If the auditor determines that the deficiency would prevent prudent officials in the conduct of their own affairs from concluding that they have reasonable assurance,* then the auditor should deem the deficiency to be at least a significant deficiency. Having determined in this manner that a deficiency represents a significant deficiency, the auditor must further evaluate the deficiency to determine whether individually, or in combination with other deficiencies, the deficiency is a material weakness.
|
Note: AS 2.9 and .10 provide the definitions of significant deficiency and material weakness, respectively.
|*
|See SEC Staff Accounting Bulletin Topic 1M2, Immaterial Misstatements That Are Intentional, for further discussion about the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs.
Additional consideration:
ITGCs support the proper and consistent operation of automated application controls. Therefore, consideration should be given to the nature, timing, and extent of the testing of related application controls affected by, or manual controls dependent on, the deficient ITGC.
10
Evaluating Control Deficiencies in Pervasive Controls Other than ITGC (Chart 4)
|General.
|Deficiencies in pervasive controls generally do not directly result in a misstatement. However, they may contribute to the likelihood of a misstatement at the process level. Accordingly, evaluation of a deficiency in a pervasive control other than ITGC is based on the likelihood that such deficiency would contribute to circumstances that could result in a misstatement. Quantitative methods generally are not conducive to evaluating such deficiencies.
Step 1. Determine whether a significant deficiency exists:
|Box 1&2.
|A deficiency of the type described in AS 2.139 ordinarily results in deficiencies being at least a significant deficiency. The circumstances in which an evaluation would lead to the deficiency not being classified as a significant deficiency are rare. The circumstances identified in AS.140 should be regarded as at least a significant deficiency and as a strong indicator of a material weakness.
|Box 3.
|Certain controls could result in a judgment that the deficient control is limited to a deficiency and classified as only a deficiency, considering qualitative factors, including those in AS 2.9, 137, 139 and 140. Such controls include:
|
• Complementary or redundant programs or controls
|
• Compensating controls within the same or another component
|Box 4.
|A deficiency with a more than remote likelihood that the deficiency would contribute to a more than inconsequential misstatement is a significant deficiency. Such judgment considers an evaluation of factors such as:
|
• The pervasiveness of the deficiency across the entity
|
• The relative significance of the deficient control to the component
|
• An indication of increased risks of error (evidenced by a history of misstatement)
|
• An increased susceptibility to fraud (including the risk of management override)
|
• The cause and frequency of known or detected exceptions for the operating effectiveness of a control
|
• The possible future consequences of the deficiency
Step 2. Determine whether a material weakness exists:
|Box 5.
|The evaluation of certain controls could result in a judgment that the deficient control is limited to a significant deficiency and classified as such, considering qualitative factors, including those in AS 2.9, 137, 139 and 140. Such controls include compensating controls within the same or another component.
11
|Box 6.
|A deficiency with a more than remote likelihood that the deficiency would contribute to a material misstatement is a material weakness. Such judgment considers an evaluation of factors such as:
|
• The pervasiveness of the deficiency across the entity
|
• The relative significance of the deficient control to the component
|
• An indication of increased risks of error (evidenced by a history of misstatement)
|
• An increased susceptibility to fraud (including the risk of management override)
|
• The cause and frequency of known or detected exceptions for the operating effectiveness of a control
|
• The possible future consequences of the deficiency
|A deficiency of the type described in AS 2.140 is generally a material weakness; in limited circumstances, it may be appropriate to conclude the deficiency is only a significant deficiency (refer to AS.2 Appendix E99).
|Box 7&8.
|When determining the classification of a deficiency, consider AS 2.137, which states:
|When evaluating the significance of a deficiency in internal control over financial reporting, the auditor also should determine the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles. If the auditor determines that the deficiency would prevent prudent officials in the conduct of their own affairs from concluding that they have reasonable assurance,* then the auditor should deem the deficiency to be at least a significant deficiency. Having determined in this manner that a deficiency represents a significant deficiency, the auditor must further evaluate the deficiency to determine whether individually, or in combination with other deficiencies, the deficiency is a material weakness.
|Note: AS2.9 and .10 provide the definitions of significant deficiency and material weakness, respectively.
|*
|See SEC Staff Accounting Bulletin Topic 1M2, Immaterial Misstatements That Are Intentional, for further discussion about the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs.
12
Consider and Evaluate Deficiencies in the Aggregate
Deficiencies are considered in the aggregate by significant account balance, disclosure and COSO component to determine whether they collectively result in significant deficiencies or material weaknesses. Aggregation of control activities deficiencies by significant account balance and disclosure is necessary since the existence of multiple control deficiencies related to a specific account balance or disclosure increases the likelihood of misstatement. Aggregation by the control environment, risk assessment, information and communication, and monitoring components of COSO is more difficult and judgmental. For example, unrelated control deficiencies relating to design ineffectiveness in other COSO components could lead to the conclusion that a significant deficiency or material weakness in the risk assessment component exists. Similarly, unrelated control deficiencies in other COSO components could lead to a conclusion that a significant deficiency or material weakness in the control environment or monitoring component exists.
13
Terminology
Adjusted exposure – gross exposure (see below) multiplied by the upper limit deviation rate.
Application controls – automated control procedures (e.g., calculations, posting to accounts, generation of reports, edits, control routines, etc.) or manual controls that are dependent on IT (e.g., the review by an inventory manager of an exception report when the exception report is generated by IT). When IT is used to initiate, authorize, record, process, or report transactions or other financial data for inclusion in financial statements, the systems and programs may include controls related to the corresponding assertions for significant accounts or disclosures or may be critical to the effective functioning of manual controls that depend on IT.
Compensating controls – controls that operate at a level of precision that would result in the prevention or detection of a misstatement that was more than inconsequential or material, as applicable, to annual or interim financial statements. The level of precision should be established considering the possibility of further undetected misstatements.
Complementary controls – controls that function together to achieve the same control objective.
Control deficiency – a deficiency in the design or operation of a control that does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
|•
|A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if it operates as designed, the control objective is not always met.
|•
|A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.
Control objective – the objective(s) related to internal control over financial reporting to achieve the assertions that underlie a company’s financial statements.
Gross exposure – a worst-case estimate of the magnitude of amounts or transactions exposed to the deficiency with regard to annual or interim financial statements, without regard to the upper limit deviation rate or likelihood of misstatement, and before considering complementary, redundant, or compensating controls. Factors affecting gross exposure include:
|•
|The annual or interim financial statement amounts or total transactions exposed to the deficiency.
|•
|The volume of activity in the account balance or class of transactions exposed to the deficiency that has occurred in the current annual or interim period or that is expected in future periods.
14
Inconsequential
|•
|Potential misstatements equal to or greater than 20% of overall annual or interim financial statement materiality are presumed to be more than inconsequential.
|•
|Potential misstatements less than 20% of overall annual or interim financial statement materiality may be concluded to be more than inconsequential as a result of the consideration of qualitative factors, as required by AS 2.
Information technology general controls (ITGCs) – policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. This includes four basic IT areas that are relevant to internal control over financial reporting:
|•
|Program development
|•
|Program changes
|•
|Computer operations
|•
|Access to programs and data
Material weakness – a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.
Pervasive controls other than ITGC – the general programs and controls within the control environment, risk assessment, monitoring, and information and communication, including portions of the financial reporting process, that have a pervasive impact on controls at the process, transaction, or application level.
Potential misstatement – an estimate of the misstatement that could result from a deficiency with a more than remote likelihood of occurrence.
Redundant controls – controls that achieve the same control objective.
Remote likelihood – the chance of the future event or events occurring is slight.
Significant deficiency – a control deficiency, or combination of control deficiencies, that adversely affects the company's ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the company's annual or interim financial statements that is more than inconsequential will not be prevented or detected.
Test objective – the design of the test of a control activity to determine whether the control is operating as designed, giving consideration to:
|•
|The nature of the control and the definition of an exception
|•
|The frequency with which the control operates
|•
|The desired level of assurance in combination with the reliability of the control, for example, whether the control is designed to achieve the control objective alone or in combination with other controls
|•
|The number of exceptions expected
15
Upper limit deviation rate – the statistically derived estimate of the deviation rate based on the sample results, for which there is a remote likelihood that the true deviation rate in the population exceeds this rate (refer to AICPA Audit and Accounting Guide, Audit Sampling).
16
CHART 1 – Evaluating Exceptions Found in the Testing of Operating Effectiveness
Individual boxes should be read in conjunction with the corresponding guiding principles.
17
CHART 2 – Evaluating Process/Transaction-Level Control Deficiencies
This decision tree is to be used for evaluating the classification of control deficiencies from the following sources:
|•
|Design effectiveness evaluation
|•
|Operating effectiveness testing (from Chart 1)
|•
|Deficiencies that resulted in a financial statement misstatement detected by management or the auditor in performing substantive test work.
Individual boxes should be read in conjunction with the corresponding guiding principles.
18
CHART 3 – Evaluating Information Technology General Control (ITGC) Deficiencies
This decision tree is to be used for evaluating the classification of information technology general control (ITGC) deficiencies from the following sources:
|•
|ITGC design effectiveness evaluation
|•
|ITGC operating effectiveness testing (from Chart 1)
|•
|ITGC design or operating deficiencies identified as a result of application control testing (from Chart 2)
Individual boxes should be read in conjunction with the corresponding guiding principles.
19
CHART 4 – Evaluating Control Deficiencies in Pervasive Controls Other than ITGC
This decision tree is to be used for evaluating the classification of control deficiencies in pervasive controls other than ITGC from the following sources:
|•
|Design effectiveness evaluation
|•
|Operating effectiveness testing (from Chart 1)
Individual boxes should be read in conjunction with the corresponding guiding principles.
20