Public companies can expect some extra scrutiny of their internal control over financial reporting in the upcoming audit cycle after regulators gave auditors a new warning to fix lingering problems.
In a new report summarizing internal control audit problems spotted in 2010 inspections of the eight largest firms, the Public Company Accounting Oversight Board says it counted 46 incidents in 309 engagements, or 15 percent, where auditors failed to adequately support their opinions on internal control over financial reporting (ICFR).
In 39 of those 46 cases, the same firm also failed to adequately support its opinion on the financial statements, the PCAOB said. Audit firm fared even worse during the latest round of inspection reports. The PCAOB said the percentage of audits with inadequately supported ICFR opinions rose to 22 percent of cases examined in 2011. “Those numbers are too high,” said PCAOB member Jeanette Franzel in a media briefing.
The high incidence of inadequate checks on internal controls prompted the PCAOB to look for common themes in its inspection findings and try to identify root causes behind what it considers to be an unacceptable failure rate. The board said auditors too often fail to identify and sufficiently test controls that address the risk of material misstatement. They too often fail to sufficiently test the design and operating effectiveness of management review controls, and they don't obtain enough evidence to test controls from the interim date to the company's year end, referred to as the roll-forward period.
Auditors also fail to adequately test data that is generated by information systems or reports that support important controls, the board said. And they fail to adequately scrutinize the work they rely on from others, such as internal auditors or outside specialists. When auditors do spot control deficiencies they don't adequately evaluate them and consider their effect, says the PCAOB.
Where the PCAOB found problems with internal control audit work, it noticed that firms had reduced audit staffing, prompting the board to question whether audit firms have cut too many corners or failed to provide sufficient training and guidance to their auditors. The board said auditors are not applying the intended top-down approach to assessing risks as intended by the current standard governing internal control audits, Auditing Standard No. 5, and they're not communicating adequately with information specialists.
PCAOB member Jay Hanson acknowledged criticism the board hears about its inspection process— that inspectors take extreme views that compel auditors to do more work, therefore giving them ammunition to justify higher fees. His answer back to the firms, he said, is to look at the standard and the firms' own policies and procedures, then challenge their auditors on why they are not doing complete audit work. “I get a little defensive about this,” he said. “We are not by any stretch making people do busy work or things that make no sense.”
Franzel suggested audit committees could play a bigger role in pressing auditors for answers on whether they are doing enough to meet regulatory standards and the firms' own methodologies. The PCAOB offered guidance earlier this year directed at audit committees to help them better understand the information contained in PCAOB inspection reports and how to question auditors about their interactions with inspectors.
“I'm encouraged that both at the management level and the audit committee level we've seen more of a focus on controls over the last six months than we had in the recent past.”
According to the guidance, there's plenty audit committees could learn about their own audits, even if they are not named in inspection reports and even if their own audit was not inspected, simply by asking auditors the right questions and pressing for pointed answers. “Audit committees need to get a handle on why and ask did the firm not do enough work?” Franzel said.
Tim Ryan, a partner and head of the assurance practice at PwC, says firms are aware through their own interactions with the PCAOB and their own internal review processes that there is work to be done to improve internal control audits. Over the last few years, he says, PwC has increased its training around internal control auditing, particularly in the past year, and provided more practice aids to its auditors. The firm also has put greater focus on assuring an open, candid dialogue with management to help them understand how to better design controls so auditors can more readily conclude they are effective. “We are already seeing positive results in terms of areas for improvement,” he says. “I'm encouraged that both at the management level and the audit committee level we've seen more of a focus on controls over the last six months than we had in the recent past.”
Below is an excerpt from the PCAOB's report on internal control over financial reporting outlining the agency's overall findings and deficiencies:
In 46 of the 309 integrated audit engagements (15 percent) that were inspected
in 2010, Inspections staff found that the firm, at the time it issued its audit report, had
failed to obtain sufficient audit evidence to support its audit opinion on the effectiveness
of internal control due to one or more deficiencies identified by the Inspections staff. In
39 of those 46 engagements (85 percent) where the firm did not have sufficient
evidence to support the internal control opinion, representing 13 percent of the 309
integrated audit engagements that were inspected, the firm also failed to obtain
sufficient audit evidence to support the financial statement audit opinion.
In addition, in another 50 of the 309 integrated audit engagements, Inspections
staff identified deficiencies in the auditing of internal control that did not involve findings
of such significance that they indicated a failure to support the firm's internal control
opinion. These deficiencies, however, did evidence deficiencies in some firms' systems
of quality control of such significance that in the Board's view they require remediation.
The deficiencies do not mean the issuer's financial statements were materially
misstated or that the issuer's internal controls were inadequate. Generally, the
deficiencies related to execution issues on the part of individual engagement teams
where those teams did not meet the requirements of the firms' methodologies.
Deficiencies in Audits of Internal Control
The most pervasive deficiencies identified in auditing internal control related to
firms' failures to:
- Identify and sufficiently test controls that are intended to address the risks of
- Sufficiently test the design and operating effectiveness of management review
controls that are used to monitor the results of operations, such as: (1) monthly
comparisons of budget and actual results to forecasts for revenues and
expenses; (2) comparisons of other metrics, such as profit margins and certain
expenses as a percentage of sales; and (3) quarterly balance sheet reviews;
- Obtain sufficient evidence to update the results of testing of controls from an
interim date to the company's year end (i.e., the roll-forward period);
- Sufficiently test the system-generated data and reports that support important
- Sufficiently perform procedures regarding the use of the work of others; and
- Sufficiently evaluate identified control deficiencies and consider their effect on
both the financial statement audit and on the audit of internal control.
Inspections staff identified two or more of the deficiencies noted above in 32 of the 46
integrated audit engagements (70 percent) that were inspected in 2010 where the firm
failed to support its internal control opinion.
Bob Hirth, managing director at consulting firm Protiviti, says given the age of the data that goes into the PCAOB's report and the largest firms' annual interaction with inspectors, audit firms should have already been working to address many of the concerns raised. The firms have been through two new rounds of inspections since the 2010 inspections on which the report is based. The PCAOB, however, won't comment on whether it sees any improvement in its 2012 inspections of 2011 financial statements because the work on those inspections is not yet complete.
The Securities and Exchange Commission had no comment on the PCAOB report, but staff members at the SEC said at a recent accounting conference that they're keeping an eye on management's work to maintain a sound control environment. Brian Croteau, a deputy chief accountant, said the SEC will be interested to see how companies adapt to the revised framework that is being developed by the Committee of Sponsoring Organizations, or COSO, expected to be released in early 2013.
“Implementation of the updated framework once available could provide opportunities for management and auditors alike to reconsider areas where the design of internal controls could be improved to better address current and evolving risks to reliable financial reporting,” he said. Croteau also acknowledged he's interested in the PCAOB's findings on internal control and said the SEC might eventually have something to say about management's work in designing and operating effective controls.
Although the report is directed at auditors, Hirth says it's still good reading for management. Issuers should read the guidance with an eye toward whether their own controls are sound in the areas where the PCAOB raises concerns, he says, and they should ask their auditors questions about how the guidance might apply to their own control environment. “Ask your auditor: do you have these items covered in all of our audit?” he says. “If our audit gets inspected, will any of these issues crop up for us?”
James Comito, a shareholder with audit firm Mayer Hoffman McCann, which was not a firm whose results were included in the PCAOB report, says the guidance represents another correction in the continued journey to strike the right balance on internal controls. When Sarbanes-Oxley was first introduced, auditors were required under an earlier standard, Auditing Standard No. 2, to conduct much more rigorous, tedious audits. Under AS5, the PCAOB instructed auditors to step back from the details and take a top-down, risk-based approach. “The audit of internal control remains a work in process,” he says. “We're still trying to figure out exactly how to approach this.”