While it's auditors who have taken heat the past few years over internal control over financial reporting, the Securities and Exchange Commission is exploring whether management's evaluation of control is lacking as well.
At a national accounting conference, Brian Croteau, deputy chief accountant at the SEC, said he's convinced the increase in audit inspection findings related to internal controls the past few years likely indicates management is not always properly evaluating internal control. That suggests material weaknesses are not being identified, he said. He's heard suggestions that the Public Company Accounting Oversight Board and auditors are more concerned about internal control than management when considering entity level controls or the severity of control problems. Guidance for auditors and management was developed in tandem to assure they were properly aligned, he said, and management might be wise to review the guidance in light of significant audit findings.
“I continue to question whether all material weaknesses are being properly identified,” Croteau said. “It is surprisingly rare to see management identify a material weakness in the absence of a material misstatement." He surmises that could be because the deficiencies are not being identified or the severity of deficiencies is not being evaluated appropriately. The SEC will be working with the PCAOB to address control concerns in 2014, he said. “It may be useful for management to dust off the SEC's 2007 interpretive guidance and compare management's ICFR evaluation process to the SEC guidance to see if improvements are in order,” Croteau said.
The PCAOB issued a report recently summarizing a long list of problems with internal control audits it has noted through audit inspections over the past few years in particular. The PCAOB has told auditors to take more care in their risk assessment and audit of internal control, selecting controls to test, testing management review controls, and using the work of others. The PCAOB also has told auditors to take a closer look at information that comes from system-generated reports, and the roll forward of controls tested at interim dates.