Tensions over the assessment and auditing of internal controls over financial reporting—which have been on the rise again lately—look increasingly like they will fall on the doorstep of the audit committee.
Audit committees bear ultimate responsibility for the integrity of the financial reporting process, Elizabeth Ryan, director at MorganFranklin Consulting, said at the Compliance Week 2015 conference. That means they are in the best position to facilitate the necessary communication among external auditors, internal auditors, and management—and that conversation will be critical to companies marching through the minefield of audit demands, while audit firms face tough inspection findings from the Public Company Accounting Oversight Board over internal controls.
The PCAOB issued its Staff Audit Practice Alert No. 11 in October 2013 to address persistent internal control concerns found in inspections, just as most public companies were preparing to adopt the updated 2013 COSO internal control framework. That led to plenty of tension between management and auditors over how to test and document the design and effectiveness of controls amid significant change.
The biggest pains have centered on external auditors’ reliance on the work of internal auditors, and the adequacy of the audit around management review controls and IT controls. The PCAOB, along with the Center for Audit Quality and the Institute of Internal Auditors, has already called on audit committees to referee those tensions and help companies navigate their way through them.
Speakers at Compliance Week 2015 echoed that message.
“For audit committee members, the first place to start is to ask questions of the external audit firm,” Ryan said. “What are the inspection findings from the PCAOB? What is the audit firm doing to address those questions? That will give the audit committee some understanding of the important focus areas. There may be changes to the way the audit is performed.”
“We hear the concerns, even frustrations, from company officials over the level of audit work they are seeing.”
Keith Wilson, Deputy Chief Auditor, PCAOB
If a company’s audit firm has been grilled by PCAOB inspectors over certain specific areas of internal control audits, that will give the company some warning on where auditors may place renewed focus, Ryan said. “Understanding how the firm is addressing that particular finding will shed some light on what you need to be thinking about in performing your own controls and evaluating your risks in these areas,” she said. “Are there any changes that need to occur in the way you are performing the control or collecting evidence for the control?”
Keith Wilson, deputy chief accountant for the PCAOB, said the agency issued Practice Alert 11 to clarify and highlight concerns its inspectors were finding in their reviews of audits of internal control. The alert addresses areas such as risk assessments, selecting controls for testing, and evaluating control deficiencies, plus several areas that have proved to be the biggest flash points: IT controls, management review controls, and use of the work of internal audit.
QUESTIONS FOR YOUR AUDITOR
Below, the PCAOB reaches out to audit committees, providing advice on what to ask the auditor in regard to certain key issues.
Auditing Internal Control Over Financial Reporting
What are the points within the company’s critical systems processes where material misstatements could occur? How has the audit plan addressed the risks of material misstatement at those points? How will your auditor determine whether controls over those points operate at a level of precision that would prevent or detect and correct a potential material misstatement?
What is your auditor's approach to evaluating the company's controls over financial reporting for significant unusual transactions or events, such as the acquisition of assets and assumption of liabilities in a business combination, divestitures, and major litigation claims?
If the company enters into a significant unusual transaction during the year, how will your auditor adjust the audit plan, including the plan for testing ICFR related to the transaction? For example, how would the company's acquisition of a significant enterprise during the third quarter affect the audit plan for the year? How might your auditor's materiality assumptions change? Would the audit plan focus on different systems and controls than originally planned? How would your auditor test controls over the systems used to generate information for recognizing and measuring the identifiable assets acquired, the liabilities assumed, and any non-controlling interest in the acquiree? How would the internal control over financial reporting of the acquired company be considered? Asking about the effectiveness of controls before such transactions and events occur will signal to your auditor that preparedness is a priority, as will asking similar questions about new systems and processes.
If the company or your auditor has identified a potential material weakness or significant deficiency in internal control, what has been done to probe the accuracy of its description? Could the identified control deficiency be broader than initially described? Could it be an indication of a deficiency in another component of internal control?
Assessing and Responding to Risks of Material Misstatement
Which audit areas are designated by your auditor as having significant risks of material misstatement and what audit procedures are planned to address those risks?
In your auditor’s view, how have the areas of significant risk of material misstatement changed since the prior year? What new risks has your auditor identified? What is your auditor's process to make sure that it identifies new or changing risks of material misstatement and tailors the audit plan appropriately? How is the engagement partner involved?
How does your auditor's audit plan address the varied risks in a multi-location environment? If your auditor assumes that controls are uniform across multiple locations, how does your auditor support that assumption?
If the company has operations in countries that are experiencing political instability, how has your auditor identified and addressed the specific risks that might result from such a circumstance? Or, if some of the company's products are approaching technological obsolescence due to competitive new products, you might ask how your auditor plans to address the risks of inventory obsolescence.
Auditing Estimates, Including Fair-Value Measurements, and Disclosures
What does your auditor do to obtain a thorough understanding of the assumptions and methods the company used to develop critical estimates, including fair value measurements?
What is your auditor's approach to auditing critical accounting estimates, such as allowances for loan losses, inventory reserves, and tax-related estimates?
How has your auditor assessed whether management has identified all separable intangible assets that, while not included in the financial statements, must nevertheless be valued in connection with assessing goodwill for possible impairment (e.g., customer-related intangibles and in-process research and development)? Has your auditor considered contrary information that suggests the existence of such assets that management has not identified?
Will your engagement team use its firm's in-house valuation specialists? If so, how are the specialists integrated into the engagement team? How are specialists supervised, and how are significant issues they identify resolved? If the firm does not have in-house valuation specialists, does the firm engage external specialists to assist the auditor with their audit of complex estimates?
“We hear the concerns, even frustrations, from company officials over the level of audit work they are seeing,” Wilson said. “Maybe it’s an uptick in the audit work or the requests from auditors for information. A lot of this gets attributed to inspections, or issues that have been driven from inspections. We have some concern that something may be getting lost in the translation. PCAOB inspections are evaluating compliance with existing standards. It’s not going beyond that.”
Although the results of 2014 inspections have not yet been published, Wilson repeated what others at the PCAOB have said publicly: that inspection reports will show some firms are making improvements in some areas, but more improvements are still expected. Most firms have addressed some “basic blocking and tackling,” he said, but may still miss some finer details of compliance with auditing standards.
Talk It Out
To help companies work through the process, Wilson said companies would be wise to think in the same terms that the PCAOB is driving into auditors.
“It starts with the risks,” he said. “What are the risks of material misstatement of financial statements? What are the high risk accounts and assertions?” Then the PCAOB proceeds to put the controls in place to address those particular risks, and what evidence exists to show those controls are designed and operating effectively. “The risk drives the amount of evidence the auditor needs to support the evaluation. Higher risk controls require more evidence.”
Kevin Lavin, professional practice fellow for the Center for Audit Quality, said auditors have made big strides in addressing PCAOB inspection findings and continue to work on the issue. “The public company auditing profession is working actively on many fronts to enhance the audit of internal control over financial reporting,” he said.
Lavin pointed to several trends in studies of financial restatements and investor confidence that suggest financial reporting has improved in recent years, even if the PCAOB still isn’t satisfied with auditors’ work around internal controls. “It’s important to get the big picture view,” he said. “It’s easy to get lost in the weeds.”
Auditors would welcome greater involvement from the audit committee, Lavin said, and he urged companies to “leverage the audit committee as the intermediary.” Audit committees can help facilitate the necessary communication and reduce the audit fatigue that many companies have voiced as a concern to their auditors and regulators, he said. “They can manage expectations, and they can help influence the amount of support that internal audit needs to give to external audit.”
Lavin also suggested companies consider appointing a “central facilitator,” a person to channel all information requests from auditors to management. Companies would also benefit from enhanced coordination between external auditors and internal auditors—for example, perhaps by performing joint walkthroughs to reduce duplication of efforts. Companies should make increased use of templates provided by external audit firms to assure their internal efforts can be relied upon by external auditors, he said.
Ryan agreed that joint walkthroughs and robust communication to coordinate the efforts of internal and external auditors are key to working through the tension. “Start the conversation as early as possible, and continue to make sure all the parties are in agreement,” she said. “You want to understand and define the roles and responsibilities of each party: who’s going to be testing what controls, and where external auditors are relying on internal auditors for direct assistance.”
Mary Spencer, director of financial compliance at RockTenn, said at the Compliance Week 2015 conference that the key to successful Sarbanes-Oxley compliance has been to view SOX compliance as a project management exercise—and one that changes annually at that. “SOX is always going to be a project, and it’s never the same twice,” she said. “The risk assessment, the review, the people, the environment, the technology: They are all changing.”