Auditors plan to dig into controls, risk in year-end audits

As they prepare for the upcoming year-end audit cycle, auditors for public companies are assembling a somewhat lengthy list of accounting, regulatory, and market concerns to factor into their audit plans.

It should come as no surprise this year that internal control over financial reporting will get priority attention as the Public Company Accounting Oversight Board continues to hammer auditors through inspections to further refine their audit approach in that area. “It’s probably what everybody thinks about more than anything else,” says Daniel Sunderland, chief auditor at Deloitte. “It is now a piece of the fabric in the dialogue between management, the audit committee, and the auditor.”

The PCAOB continues to evolve its questioning around internal control, says Sara Lord, partner and national director of assurance services at audit firm RSM. “Is a good control in place?” she asks. “Can we document it, audit it, and can we rely on the data? What controls does management have on the reliability of that data?” Companies need to assure those controls that will be key to the highest risks of misstatement are well designed and documented, she says, as auditors will be testing them

Precision, completeness, and accuracy are a constant theme in PCAOB inspections, says Christopher Tower, national managing partner of audit quality at BDO USA. The largest companies have made strides the past few years, but “for middle-market public companies, this is a significant area as regulatory pressure continues in this area,” he says

With the constant staffing challenges in the accounting and finance profession, auditors will be expected to scrutinize whether turnover or staffing shortages might be affecting the soundness of controls, says Kevin Wydra, a partner at Crowe Horwath. “As people get more mobile and move from place to place, that’s definitely a consideration,” he says

Auditors also are under some increased pressure from the PCAOB to more closely observe new risk standards adopted in 2011. The PCAOB issued an alert in late 2015 to aggregate common themes in inspection findings around auditors’ failures to properly apply those standards

“Brexit, commodity market fluctuations, election jiggers, interest rate questions, troubled geographies. Uncertainties, uncertainties, uncertainties.”

Daniel Sunderland, Chief Auditor, Deloitte & Touche

That will drive auditors in the upcoming cycle to assure they will be spending more time on risk issues, says Sunderland. “It’s important for us to spend time on those things that are most significant because that’s where the risk exists,” he says. “So we are trying to make sure we appropriately risk assess accounts and assertions within financial statements.”

In terms of new accounting rules taking effect in the current reporting year, auditors are bracing themselves for the biggest issues around the going concern assessment. The Financial Accounting Standards Board adopted Accounting Standards Update No. 2014-15 to establish a requirement for management to take the first pass at determining whether investors should be warned about any doubt that the company can remain in business

Historically, that duty has fallen to auditors, who have their own standard for performing a going concern assessment and alerting auditors—and the tests are not exactly the same. That means auditors will be both auditing management’s assessment under the accounting rule and performing an assessment of their own under the auditing rule

“Going concern is an overlapping process,” says Lord. “There could be situations where management says no, we didn’t get to going concern under the accounting standards, and auditors applying the auditing standards would come to a different conclusion.”

ICFR & REVENUE

In a speech from March 2016, SEC Chief Accountant James Schnurr discusses Internal Controls Over Financial Reporting in regard to the new revenue standard.
I mentioned earlier that implementation of the new revenue standard may involve the development of new or redesigned business processes, systems and controls. I believe that management’s ability to successfully transition to the new standard will depend, to a large degree, on the effective design and operation of internal control over financial reporting (ICFR). Therefore, it is appropriate that ICFR remains an important topic of discussion for management, auditors and audit committees.
Management review controls, in particular, have been an important element of that discussion over the past year, which is not surprising given the important role that some of these controls play and the amount of judgment that they may involve. I believe the implementation of the new revenue standard provides an opportunity to be proactive and improve the design and operation of management review controls that may exist within a company’s revenue recognition process, including with reference to the various estimates and judgments that the new revenue standard may require. Therefore, as you evaluate your contracts with customers, it would be appropriate to take a fresh look not only at your historical accounting policies and how they may need to change but also at the design of the related controls (both existing and new) to ensure they are designed to operate in a manner that is sufficiently sensitive or precise to prevent or detect a material misstatement in the financial statements.
For example, when designing a management review control around estimates of royalties and milestone payments to be included in the transaction price, it will be important to specify: (i) the objective of management’s review, (ii) the frequency and granularity with which management’s review is performed, and (iii) the specific thresholds for investigating deviations from expectations as well as how those expectations are developed. It will also be important to consider the interactions between the review control and other controls, including controls over the reliability of the information used to perform the review. And last, but not least, maintaining appropriate documentation of the effective operation of these controls will be key to their assessment by auditors.
Speaking of taking a fresh look at ICFR, while implementation of the new revenue standard will obviously require taking a fresh look at business process-level controls, it is also important to keep in mind the other four components of internal control over financial reporting, including control environment and risk assessment. For example, availability of competent resources trained to exercise sound judgment will be essential to the consistent, reliable application of the new revenue recognition guidance.
ICFR also continues to be a point of focus more broadly. Over the past year, we have devoted a significant amount of time and effort to understanding and providing initial responses to concerns of various constituents regarding the ICFR assessments by companies, their interaction with the audits of ICFR and related inspection findings of the PCAOB. As you know, the PCAOB continues to identify deficiencies in the audits of ICFR. Our involvement in a number of registrant matters related to ICFR would also suggest that some of these audit deficiencies may be, at least in part, indicative of deficiencies in management’s design or operation of controls, including management review controls.
The PCAOB, with my staff and me observing, has conducted a number of outreach meetings with preparers, auditors and other constituents to better understand the concerns and challenges in this area. We continue to encourage regular discussions between management, auditors, and audit committees on existing and emerging issues in assessments of ICFR. We plan to continue this important dialogue in 2016 in order to assess progress and stay informed of new issues that might emerge.
Source: SEC

Jeff Burgess, national managing partner in audit services at Grant Thornton, says it’s not uncommon even under the historic approach for management and auditors to disagree on whether a going concern warning should be issued, but market factors pile on to make it even trickier this year. “In certain industry sectors impacted by oil and natural gas prices, that’s where we have to take a probably harder look,” he says. “That also raises the potential for impairments.”

In addition to going concern, FASB has enacted more than a dozen other accounting changes taking effect in 2016, although many of them are less pervasive or less controversial. New standards touch on areas such as consolidation, hedging, income statement presentation, debt issuance costs, intangibles, earnings per share, fair value, insurance contracts, and others. PwC assembled a list to make it easy for companies to assure they have covered all the bases

Auditors say they are concerned not only about standards taking effect this year, but also those on the horizon, especially big changes in the works for revenue recognition, leasing, and financial instruments, both classification and measurement and reflecting credit losses. None of those new rules are effective this reporting year, but their effect is so significant regulators and auditors will be watching to see how companies are preparing for them—and preparing their investors

Companies are required under disclosure rules of the Securities and Exchange Commission to explain the expected effect of adopting new accounting standards in the future. To the extent they don’t know, then they can say they don’t know. But the SEC has signaled it is growing weary with that approach

“They seem unhappy with the continual disclosure that the entity may still be investigating the impact of the revenue recognition standard,” says Wydra. “Are companies really investigating it? You run the risk of a comment letter.”

The list of audit concerns this year even strays into some non-audit topics that can have some bearing on the audit, like uses of non-GAAP accounting measures and cyber-security. The SEC has been vocal in 2016 about its concern over non-GAAP accounting, and while auditors don’t audit non-GAAP accounting, they refer to it as they scrutinize GAAP accounting and disclosures. Where they spot inconsistencies, that might raise questions about a company’s disclosure controls, says Wydra

As for cyber-security, that’s another area where auditors are not performing specific audit procedures over a company’s security measures, but they have to consider it as a risk to misstatement of financial statement information. “All auditors have to have some reasonable level of understanding of what their clients are doing from a cyber-security risk management perspective,” says Burgess

Looking beyond an entity’s accounting and internal controls, auditors can recite long lists of issues to consider. “Brexit, commodity market fluctuations, election jiggers, interest rate questions, troubled geographies,” says Sunderland. “Uncertainties, uncertainties, uncertainties.” All of those and more will prompt auditors to ask questions about impairments, deferred tax assets, available-for-sale securities, and earnings held in offshore jurisdictions, he says.