Indicators emerging from the latest year-end audit cycle suggest companies should get used to heightened scrutiny and increased demands from auditors around internal controls documentation. It won’t be letting up anytime soon.

Signals are mixed on whether companies made any head way in the recent round of audits in meeting auditors’ requests for evidence and documentation in a way that will satisfy regulators, most notably the Public Company Accounting Oversight Board. Auditors say enhanced dialogue is producing greater understanding of what has to be done; those on the preparer side of the table say it’s too soon to suggest any kind of consensus has formed.

In 2015, after a few years of blistering audit inspection findings delivered to all the major audit firms, companies began buckling under increased audit demands for documentation, especially around internal control over financial reporting. Some started getting more vocal and pushing back. That produced some high-level dialogue toward the latter half of the year bringing together the PCAOB, the Securities and Exchange Commission, representatives of the U.S. Chamber of Commerce and Financial Executives International, and the major audit firms.

“I do think we’ve made progress,” says Trent Gazzaway, national managing partner at Grant Thornton. “Everyone involved has been talking a lot. We’ve been learning. The regulators have been learning. Now we’re starting to get to a little bit of equilibrium or status quo.”

Sara Lord, national director of assurance services at RSM, sees it as a natural evolution. Early on, the focus was on assuring the right controls were in the scope of internal control assessments and auditing. Now the focus is on assuring the assessment and testing are occurring at the right level of precision to address the risk of misstatement. “As we get better in certain areas, the questions get harder,” she says. “So we continue to move forward and continue refining.”

Tom Quaadman, senior vice president at the Chamber’s Center for Capital Markets Competitiveness, called it “uneven progress.” By the time talks got under way in 2015, audit planning for 2015 year-end audits was already well in hand. “Different firms may be in different places,” he says, “but it’s a matter of continuing this dialogue to get it on an even keel. We’ve seen progress, but it has been at an uneven level.”

“Companies are requesting more dialogue. They’re saying, ‘we understand your regulator is asking you to do this, but what does it mean to me? We believe we are already giving you enough’.”

Pat Voll, Vice President, RoseRyan

That’s similar to what the FEI found when it conducted an internal poll of its Committee on Corporate Reporting. More than 70 percent of CCR members said they saw yet another increase in the latest audit cycle in audit demands for evidence and documentation, says Erik Bradbury, professional accounting fellow at the FEI. Likewise, 70 percent said they believed auditors were asking for audit documentation that exceeded what management believed was necessary for them to produce to comply with SEC management guidance on internal controls.

That suggests, however, that roughly 30 percent of members are not experiencing what they consider to be excessive audit demands. “There’s still a lot of tension in the system right, but it’s mixed,” says Bradbury. “It speaks to how individual some of the audits can be. There are still quite a lot of judgment calls being made by audit partners and audit staff, and that means every single audit is truly different and unique.”

The SEC and PCAOB have suggested companies having challenges with their auditors over documentation or evidence demands should elevate the discussion to the engagement partner and perhaps even the national office. That’s a great idea, but not easily done, says Laura Phillips, a member of the FEI’s CCR who has led an ad hoc working group on internal controls.

Companies might sense misalignment or conflict across dozens or even hundreds of controls, so the preparer community is wrestling with exactly what questions to elevate through the audit firm. “I would suggest if you think you’re in that position, pick just a couple that you think are representative and spend time focused on just those couple,” says Phillips. “That might be enough to break the log jam.”

One of the big challenges for companies, according to Bradbury and Quaadman, is the long time it takes for information to flow from PCAOB inspection results through the information supply chain to the internal control owners who have to adapt to new demands. “Unfortunately, they’re at the end of the compliance funnel,” says Bradbury.

IMPORTANCE OF ICFR

Below is an excerpt of a speech by SEC Deputy Chief Accountant Wesley Bricker on the importance of internal control over financial reporting.
ICFR remains a significant area of focus not only for OCA but also for our colleagues in the Divisions of Corporation Finance and Enforcement. A recent enforcement action against an issuer and several individuals, including company management, the company’s auditors, and a company consultant, for deficient evaluation of the company’s ICFR, demonstrates our coordinated efforts related to ICFR as well as some of the challenges that remain in this area. From my perspective, there are three important takeaways from that case: 

The first is that management has the responsibility to carefully evaluate the severity of identified control deficiencies and to report, on a timely basis, all identified material weaknesses in ICFR.  Any required disclosure should allow investors to understand the cause of the control deficiency and to assess the potential impact of each for disclosure as a material weakness.

The second is the importance of maintaining, or augmenting with, competent and adequate accounting staff resources to keep books, records, and accounts that accurately reflect the company's transactions and to maintain internal accounting controls designed to ensure that company transactions are recorded in accordance with management's authorization and in conformity with GAAP.  Qualified accounting resources will be of vital importance in connection with the adoption of the new accounting standards that I mentioned earlier.

And finally, management has to take responsibility for its assessment of ICFR.  That responsibility cannot be outsourced to third party consultants.  At the same time, third party consultants have obligations to uphold when assisting management in its evaluation of ICFR.
Opportunities for improvement related to ICFR assessments are also reflected in the fact that the PCAOB continues to identify frequent deficiencies in the audits of ICFR. OCA staff continues to encourage all stakeholders to take a broader view of the PCAOB inspection findings. The ICFR auditing issues identified by the PCAOB may not be just a problem of audit execution but rather, at least in part, be indicative of deficiencies in management’s controls and assessments.
Notwithstanding the need for continued improvement in the assessments and reporting of ICFR by both management and auditors, both the PCAOB and the SEC staff are keenly aware of the ongoing discussions regarding the impact of some of the changes made by audit firms to their audit methodologies, policies, and procedures in response to the PCAOB inspection findings in this area.
In 2015, the PCAOB, with SEC staff observing, conducted a number of outreach meetings with preparers, auditors, and other constituents to better understand the concerns of the various groups regarding the ICFR assessments by companies, their interaction with the audits of ICFR, and related inspection findings of the PCAOB.  The staff continues to encourage regular discussions among management, auditors, and audit committees on existing and emerging issues in assessments of ICFR.  This appears to be particularly important for matters such as changes being made to the firm’s audit approach and methodology, assessment of risks for the audit, and selection of relevant controls to be tested and relied on by the auditors in the context of the existing guidance from the SEC and the PCAOB.
With the 2015 financial reporting season behind us, the staff has recently reengaged with the various stakeholders in order to assess progress on the issues previously discussed and to stay informed of new issues that might have emerged.  Much of what we have heard thus far tends to be fact specific and necessitates a focused discussion, but Brian Croteau will share some additional information with respect to this ongoing outreach on the later panel. 
While the staff has heard of some success stories that could be attributed to greater communication among auditors, management, and audit committees, it appears that the steps outlined last year[16] have not yet in all instances yielded the full level of potential benefits.  Undoubtedly, this is due, at least in part, to the timing of our outreach and communications, which took place in late 2015 when much of the audit planning and ICFR assessment work had already been completed.  Therefore, I would like to encourage all of you to engage in audit planning and risk assessment discussions now as it relates to the current year audit.  There is no doubt in my mind that an effective dialogue around ICFR will ultimately lead to more reliable financial reporting for the benefit of investors.
It is clear that investors view ICFR assessments as beneficial and important to investor protection.  Therefore, the staff remains sharply focused on overseeing the requirements for ICFR assessments and reporting and is committed to resolving any challenges that may remain in this area.
Source: Securities and Exchange Commission

The FEI and the Chamber have asked the PCAOB and SEC to consider forming some kind of task force, bringing together all the relevant parties to formalize and hasten the information exchange. Neither the SEC nor the PCAOB have said directly whether they like that idea. The PCAOB said through a spokesman that they’ve met with CCR members and others and consider the dialogue helpful. “We will continue to welcome these meetings and consider insights obtained in light of our investor protection mission," said spokesman Colleen Brennan in a statement.

In a recent speech, Wesley Bricker, a deputy chief accountant at the SEC, said the staff has heard some indications that the situation is improving, but that there’s still more work to do. He acknowledged the dialogue in late 2015 likely followed the audit planning and documentation that had already occurred for year-end reporting purposes.

Bricker encouraged auditors to get a head start this year and dialogue early and often with companies to bring about real improvements. He also issued a strong reminder that internal control is management’s responsibility. “The ICFR auditing issues identified by the PCAOB may not be just a problem of audit execution but rather, at least in part, indicative of deficiencies in management’s controls and assessments,” he said.

Pat Voll, vice president at consulting firm RoseRyan, says she definitely sees more discussion occurring and more push back on audit demands. “Companies are requesting more dialogue,” she says. They’re saying, ‘we understand your regulator is asking you to do this, but what does it mean to me? We believe we are already giving you enough’.” She doesn’t see companies necessarily spending any more time or money in the most recent audit cycle than in the past few years, “but we’re not seeing anything backing off.”

Brian Christensen, executive vice president at consulting firm Protiviti, says the firm’s recent survey results suggest although companies acknowledge increased rigor around internal controls, they also acknowledge improvements in financial reporting that have resulted. “Auditors and companies are conforming to these expectations and realizing this is the new reality,” he says. “If anybody was hoping they were going to see something that would offer them a lesser or less rigorous response, that’s not on the drawing board. It’s not something we’re going to see in the future.”