A push for better internal control audits coupled with a new internal control framework has produced a “perfect storm,” says Jeanette Franzel, a member of the Public Company Accounting Oversight Board, suggesting it will take all hands on deck -- not just auditors' -- to address the issues.
Franzel told internal auditors gathered at an annual national conference that despite what they may be hearing from external auditors, the rules around internal control auditing have not changed in recent years. The PCAOB has not revised Auditing Standard No. 5, issued in 2007 to govern the audit of internal control, although it has offered more recent guidance in Audit Practice Alert No. 11. She acknowledged many companies are noticing changes to auditors' approaches as a result of that guidance and the board's recent approaches to audit inspections.
She's worried that auditors' responses may not dig deeply enough into the root problem, which is perhaps deficiencies in the controls themselves that management needs to address. “I am concerned that, in some cases, the auditor's reaction is to bolt on a series of new audit steps when a more efficient and effective solution may require some tightening up of the controls on the part of management, in addition to changes to the audit procedures,” she said.
The PCAOB has aired its concern about the high number of audits flagged on inspection for problems with the audit around internal control -- 15 percent of the 309 audits among major firms in 2010, with 85 percent of those problem audits also linked to problems in the audit of financial statements. Those numbers suggest the audit firms have some holes in their internal systems of quality control, said Franzel, and leading to the recent audit alert.
The PCAOB has heard the feedback from companies that are concerned about the additional audit procedures auditors are undertaking in response to the PCAOB's guidance and inspection findings, said Franzel. She said some audit firms are changing the internal control audit approach for audits that were not inspected or were inspected but did not lead to findings of deficiency. They might also be making changes to their audit approach as part of efforts to remediate quality control criticisms from the board. “The PCAOB has heard that in response, some issuers have expressed concerns about the value of additional audit work in the ICFR area, and whether there will be significant increases in costs as a result,” she said.
However, the board also hears feedback that would suggest the audit firms and their issuer clients are not communicating effectively, she said. “In some cases, audit firms have told issuers that the PCAOB insists on detailed procedures such as the use of ‘screen prints' to document certain systems-related features, or specifying the number of pages that must be involved in summarizing key controls, or that auditors must attend management meetings to observe certain controls in action,” she said. “I assure you that the board is not requiring procedures at that level of detail.”
Franzel said she's worried the dialogue is not adequately focused on more important issues, such as identifying key controls, establishing the appropriate level of management documentation and testing, and the nature and extent of testing needed to support an audit opinion. She called on auditors and management to dialogue more productively about how to coordinate management's responsibilities with those of auditors. “Experienced auditors and financial statement preparers know that the ICFR audit is made more difficult if management's process is not as effective or well-documented as it should be,” she said. “Effective and efficient solutions to some of the audit deficiencies found by the PCAOB may also require some improvements to both the issuer's and the auditor's process.