This summer many public companies will be spending an exorbitant amount of time examining their control documentation as audit regulators—and hence audit firms—focus not just on the detection of controls, but also whether they are operating effectively.

The Public Company Accounting Oversight Board is shining new light on internal controls and whether auditors have adequately audited management's assertions on the effectiveness of controls.

As a new round of inspection reports begins to emerge—so far Deloitte's is the only major 2013 report to be published—the number of deficient audits has not diminished but the nature of the deficiencies has changed. The Deloitte report notes that the firm may have properly identified a particular internal control and verified that it occurred, but didn't evaluate adequately whether it was effective. In nearly every mention of internal control problems, inspectors say auditors failed to evaluate whether the control operated “at a level of precision” that would prevent or detect material errors.

“There seems to be this tension between over auditing and sufficient auditing,” says Larry Rittenberg, audit committee chairman for Woodward Inc. “The firms are struggling with that. The issue is to what extent do you have to repeat or somehow additionally verify that the control is operating effectively?”

The answer, say audit experts, is in the rules and guidance that companies and auditors have had available to them from the very beginning: Auditing Standard No. 5, the 2007 interpretive guidance from the Securities and Exchange Commission directed at management, the COSO Internal Control — Integrated Framework, and more recently the PCAOB's Staff Audit Practice Alert No. 11. The riskier a control, the more evidence auditors need that it effectively mitigates the risk of misstatement.

“You start with asking what are the risks of material misstatement,” says Rittenberg. “So many companies start with controls and look to map those controls to the framework. But the point is if we're talking about precision, then we have to be talking about risk. If companies and auditors look more from the risk point of view, then that will tell them if they've done sufficient testing to bring the risk to an acceptable level.”

Demonstrating Effectiveness

The focus on effectiveness represents yet another step in the long road to showing investors that a company uses a good set of internal controls to provide as much accuracy as possible in financial statements. First, Sarbanes-Oxley led to Auditing Standard No. 2 and a frenzied approach to documenting controls, followed by Auditing Standard No. 5 to focus attention on the risk of misstatement.

PCAOB inspections showed that initial compliance with AS5 represented too lax an approach to controls, with inspectors noting too many instances where controls were overlooked. Now firms are catching more controls, but not gathering sufficient evidence to show that they operate effectively to mitigate risks of misstatement, said PCAOB member Jay Hanson at a recent conference.

Showing effectiveness of controls is easier in straightforward areas, like the movement of inventory, where numbers are not driven by judgments or estimates, says Sue Lister, national director of auditing for BDO USA. With so much accounting now relying on judgments, however, controls and their effectiveness are more difficult to document, she says.

“If companies and auditors looked more from the risk point of view, then that will tell you if you've done sufficient testing to bring the risk to an acceptable level.”

—Larry Rittenberg, Audit Committee Chairman, Woodward Inc.

“There's not nearly as much black and white,” Lister says. “Did the person who prepared the documentation have enough knowledge? What data did they use? How did they come up with the estimate? This is much harder to establish and prove. You almost have to get inside their heads. So many more of a company's controls used to be fairly mechanical processes, and they were fairly easy to observe and audit. Now it's not nearly so observable or auditable.”

Lister is asking companies to produce more documentation to show more precisely how controls work. “They know in their heads what they do when they review something, but they may not have written in the control description exactly what's involved,” she says. “Listing out all the steps in a review process will help.”

Brian Christensen, executive vice president at Protiviti, concurs. “Effectiveness of controls can be broken into two components—the overall design effectiveness and operating effectiveness,” he says. “But it's not satisfactory to say someone is doing it. You need copious evidence that it's taking place.”

Hal Garyn, vice president at the Institute of Internal Auditors, says he's hearing anecdotally from chief audit executives that audit firms are starting to scrutinize companies, as the PCAOB scrutinizes them. “As the PCAOB places pressure on the firms, the firms are placing pressure on organizations,” he says.

The increased focus is bound to produce more cost for companies, he says. “The firms have to do one of two things: increase their work or transfer that work somewhere and review it and rely on it. So the organization bears the cost in one way or another.” Lister says the increased focus on difficult-to-audit judgments requires the firms to place more senior-level auditors on tasks that otherwise would be performed by junior-level auditors. “If you're going to sit in a meeting so you can evaluate the quality of judgments, you have to have senior level time, and that does get expensive,” she says.

And COSO, Too

INTERNAL CONTROL EVIDENCE

Below is a “heat map” from the SEC, which shows how much evidence you need to establish that internal controls are effective.

Determining the effectiveness of the controls you've identified requires that you gather evidence about how the controls actually operate. What kind of evidence you need, and how much of it, depends on your assessment of two kinds of internal control risk:

(1) The risk of a material misstatement in the financial reports

(2) The risk that the control will fail to operate as designed

The greater the internal control risk, the more evidence you'll need to support a conclusion that the control is effective.

Source: SEC.

As companies face this increased scrutiny, they're also in the throes of determining how they will transition to a new COSO internal control framework issued in 2013 to replace the 1992 framework that expires at the end of 2014. Kevin Hyams, partner in charge of GRC services at audit firm Friedman, says transitioning to the new framework will help address concerns raised by regulatory inspections at the same time. The new framework more explicitly requires a company to show 17 principles of control are present to assert effectiveness, he says. Adopting the new framework will naturally lead to more documentation that may help address auditors' concerns, he says. “If you step back and look at Audit Alert No. 11 and the new COSO framework, the whole approach is going to be somewhat different going forward,” he says.

Lister is not as convinced that adopting the new framework will address the specific concerns around showing effectiveness of controls. “You will get more specificity in the entity-level controls, but I don't see that having a direct impact on whether you got the fair value of intangibles correct,” she says. “I don't think it will affect the account level, which is what the PCAOB is looking at.”