Heading into the home stretch on work to implement a new framework for internal controls, a handful of companies are starting to question their external auditors’ documentation requirements and are considering pushing back on the demands.
At Compliance Week’s recent West Coast conference, Lillian Barlett of SunOpta said she would welcome an opportunity to get a discussion started among similarly situated public companies to determine how best to address what she believes to be unnecessary documentation demands thrust on management. Barlett is the vice president of risk management and internal audit for the natural foods company, headquartered in Toronto and listed on Nasdaq, with revenues of $1.2 billion.
SunOpta, like most public companies that rely on the COSO Internal Control — Integrated Framework to achieve internal control reporting requirements, is wrapping up its adoption of COSO’s 2013 updated framework in time for the year-end audit. The 1992 framework expires at the end of 2014, prompting most companies to update their controls to the new framework, which more explicitly requires the 17 principles of internal control stated in the framework to be present and functioning to assert that controls are effective.
Barlett says auditors are looking at aspects of the COSO framework adoption through the lens of Staff Audit Practice Alert No. 11, issued by the Public Company Accounting Oversight Board in October 2013 to direct auditors to shore up pervasive problems with internal control audits spotted during routine inspections. In Barlett’s view, auditors are demanding management documentation, especially with respect to information produced by the entity, that is driven more by guidance to auditors than by requirements of management as the company interprets the COSO framework.
“Audit firms are being pushed by the PCAOB to do a lot more work to provide assurance around information produced by entity, or IPE,” says Barlett. “They’re saying the COSO framework requires the same thing. We’re pushing back to say no, we have latitude to interpret the principles under COSO 2013. How we apply them to IT and how they apply to the information we use in financial reporting? That’s the sticking point.” Barlett says her company’s auditor has produced “pages and pages and pages of their interpretation of the 17 principles that they say require these things. But that’s not your job, that’s my job to interpret these requirements for my company.”
Bob Hirth, chairman of COSO, told Barlett he’s familiar with the struggle that’s happening in the trenches as companies implement the COSO framework, while auditors follow fresh marching orders from the PCAOB on internal control auditing at the same time. He said COSO’s principle No. 13 has proven most difficult for companies to implement. No. 13 says: “The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.”
Practice may not be consistent as everyone interprets new guidance for the first time, he said. “I would urge you to try to force consistency,” he said. “Talk with other companies who use the same firm.” Then companies would need to decide if they want to draw a line with auditors, or accept a possible auditor finding of a deficiency in controls. “At some point you have to end the discussion,” he said.
Cameron Jackson, manager of governance, risk, and compliance for Columbia Sportswear Co., said at the same conference that the intersection of COSO 2013 and Audit Alert No. 11, along with the company’s global business transformation, has led to a significant volume of change and judgment and increased conversations with auditors. Efforts within the audit profession to filter interpretations through different firms in various regions down to thousands of professionals have been “ineffective,” in his view. “I’ve been overwhelmed by white papers and Webinars,” he said.
That prompted the company to form its own interpretations ahead of auditors. “We have to make sure we can articulate our position with clarity in advance of waiting for our firm to settle on where they stand,” he said. “We’ve established this concept, facilitating and documenting our positions in writing with collective open commentary from the right people and putting our position down very sharply and clearly, and then moving on. Let’s establish our stake in the ground and then execute it.”
Management’s Judgment to Make?
EVALUATING CONTROLS
Below is an excerpt from the Public Company Accounting Oversight Board’s Audit Practice Alert #11 in which the board offers some guidance on evaluating identified control deficiencies.
Control deficiencies might be identified during the audit of the financial statements as well as the audit of internal control. For example, an error identified in the financial statement audit often results from a deficiency in the design or operation of controls, or a lack of controls, over that account or disclosure. PCAOB standards require auditors to evaluate the effect of the findings of the substantive procedures performed in the financial statement audit on the effectiveness of internal control. This includes identifying and evaluating any specific control deficiencies related to the identified mis-statements.
PCAOB standards require auditors to evaluate the severity of each control deficiency that comes to his or her attention to determine whether the deficiencies, individually or in combination, are material weaknesses. Auditing Standard No. 5 provides that the severity of a control deficiency depends on (1) whether there is a reasonable possibility that the company's controls will fail to prevent or detect a mis-statement of an account balance or disclosure and (2) the magnitude of the potential mis-statement resulting from the deficiency or deficiencies. The severity of a deficiency does not depend on whether a mis-statement actually has occurred but rather on whether there is a reasonable possibility that the company's controls will fail to prevent or detect a mis-statement.
Auditing Standard No. 5 also provides additional direction on evaluating the severity of control deficiencies, including risk factors that affect the evaluation of the likelihood and potential magnitude of mis-statements resulting from control deficiencies and indicators of material weaknesses. For example, deficiencies in controls over the key assumptions in a significant accounting estimate could result in a reasonable possibility of mis-statement because of the subjectivity, complexity, or extent of judgment required to determine the amount of the estimate. Also, multiple control deficiencies affecting the same account can increase the likelihood of mis-statement. Similarly, the magnitude of potential mis-statements resulting from a deficiency is greater for control deficiencies affecting processes with large transaction volumes or the existence of accounts with large recorded amounts.
In forming a conclusion about whether a control deficiency or combination of deficiencies is a material weakness, the auditor should evaluate the effect of compensating controls, if any. This includes testing the compensating controls to determine whether they operate at a level of precision that would prevent or detect a mis-statement that could be material. This includes evaluating whether the control addresses the risk of material mis-statement to the relevant assertion intended to be addressed by the deficient control.
If the compensating control is a management review control, the previously discussed considerations for testing management review controls apply to the compensating control.
Evaluating whether a control deficiency, or a combination of control deficiencies, results in a material weakness requires professional skepticism and a careful analysis of all the evidence obtained. Auditors who perform a mechanical or cursory evaluation of deficiencies might reach premature conclusions without appropriately considering critical information. For example, a mechanical or cursory evaluation may lead an auditor to:
Assess control deficiencies in isolation, without considering the effects of deficiencies in combination;
Consider only the amount of identified mis-statements, without evaluating the magnitude of potential mis-statement that could occur; or
Focus on a checklist of material weakness indicators without considering other relevant factors.
Source: PCAOB.
Jackson said the company has had to work through its own determinations of what documentation is necessary for management to produce, and what the company believes auditors should produce for themselves, especially around management review controls or IPE. Auditors are required, for example, to assess the dynamism of management’s review of controls, he said. “Management isn’t going to document how dynamic their process is,” he said. “We’re not going to document our own competency.” A similar conversation addresses how complete and accurate certain reports might be, he said, a point the PCAOB has hammered on auditors. “How do you know that the report is complete and accurate? In some cases we’re being asked to demonstrate that, and in some cases it might not make sense.”
Ken Blomster, a partner with PwC who also spoke at the conference, said he’s familiar with the issues. “There is some noise out there that different practitioners are taking different views on this,” he said. “PwC’s view is that No. 13 doesn’t impose any new requirements on the company that weren’t there before. I would agree that IPE—and we don’t use that acronym so I’m struggling a little bit with that—but we don’t believe that IPE and controls over IPE are something triggered by the new framework. We do agree that controls over that type of information are critical to a business. If the information is being used to support internal control, then the controls need to be there.” PCAOB guidance may be inspiring individual engagement teams to redouble their efforts in this area, he said.
Curtis Matthews, partner-in-charge of internal audit services outsourcing at Moss Adams, who provides outsourced internal audit services to companies, says he often sees external auditors asking companies to produce documentation that auditors need but that is not necessarily required of management as it follows guidance directed at it by the SEC or under COSO. “We see auditors pushing more onto companies,” he says. “Under SEC guidance for companies, companies are allowed to have different forms of documentation. What companies are required to do doesn’t have to be the same as auditors. It’s right in the SEC guidance. But auditors are expecting companies to have documentation that mirrors their documentation. Across the board, companies are having to deal with this position, ‘if you don’t document it the way we do, we can’t rely on it.’” As a result, providing auditors what they want cost-efficiently is a key focus of his practice.
Sara Lord, a partner with McGladrey, says auditors are doing their best to get what the PCAOB tells them they need to find. “As audit firms, we have our marching orders from our regulator,” she says. “For management review controls, there are six criteria that I need to look at for precision, and I ask the client: are these covered?” If not, she says, auditors will give companies the opportunity to update their documentation or perform other audit procedures accordingly. “We can work around it doing inquiry and observation,” she says. “What we often find is clients really have controls that meet the requirements but it’s not indicated in the documentation.” As companies work through the issues, she’s advising both companies and auditors to keep an open dialogue to understand the needs.