As part of our occasional series of conversations with compliance executives and others influential in the corporate governance world, we caught up with Laura Phillips, a member of the Committee on Corporate Reporting at Financial Executives International. Phillips is leading an ad hoc working group within the committee focused on internal control over financial reporting.
FEI and others have initiated dialogue with the Public Company Accounting Oversight Board, the Securities and Exchange Commission, and leading audit firms to try to sort out why many public companies sense a misalignment between auditor and management understanding of how to assess and report on a company’s system of internal control. As someone in the trenches of this effort, Phillips provides insight on how the working group is trying to help key capital market players work through tension around internal control audits.
CW: What has FEI’s Committee on Corporate Reporting determined about current concerns around internal control reporting and auditing?
LP: There’s a lot of diversity within the committee right now. Some companies are having good experiences with their auditors and are saying they have no issues with how to evaluate internal control and how auditors evaluate it. Other companies are experiencing some tension. They see some misalignment among what they think the SEC guidance to management instructs them to do, what the COSO Internal Control—Integrated Framework calls for, and what auditors are expecting.
The committee contains around 40 companies, so this is not a huge sample. There are no trends among audit firms, or with the size of the company. It’s not as if companies are having problems with a specific firm, or as if the problems are concentrated in a certain size or type of company.
We did find that if companies were having problems or seeing this misalignment tension around the evaluation of management review controls, they tended to report having issues in other areas as well. Those without tension around management review controls tended to not have other issues either. That leads me to believe that this may be something that is specific to audit engagement teams.
CW: The SEC has said it has studied both its guidance to management and the PCAOB guidance for auditors, and it doesn’t find any misalignment of requirements. So why are we seeing disagreement over what should be expected under the standards?
LP: One of this issues that makes this so challenging is that there is so much judgment and subjectivity involved. Context and fact patterns are very important to the analysis. This is a different space from the requirements contained in accounting standards. What does it mean to have effective internal control? How does management assess it? And how do you audit that? This has never been compliance for compliance’s sake. It’s about managing and identifying risk, and how in a pragmatic way you adequately control risk.
ABOUT LAURA PHILIPS
Committee on Corporate Reporting of Financial Executives International
Laura Phillips serves on the Committee on Corporate Reporting of Financial Executives International. Through June 2016, she was vice president, corporate controller at Brown-Forman, a wine and spirits company, where she had responsibility for accounting, reporting and analysis activities, including filings with the Securities and Exchange Commission, and participated in planning and significant business development activities.
From 2003 to 2007, Phillips helped establish the standards on internal control auditing as a staff member at the Public Company Accounting Oversight Board. She also served previously as assistant corporate controller at General Motors.
She began her career in 1991 as an auditor with Ernst & Young. As a former auditor, regulator, and preparer, she has sat in literally every chair at the current table of debate.
CW: What is the solution to work through the different judgments and arrive at some consensus about what’s necessary to comply?
LP: At a high level, I think it would be helpful if there were something analogous to the Emerging Issues Task Force at the Financial Accounting Standards Board. (The EITF is a body that explores narrow or emerging issues in accounting standards and recommends standard-setting solutions that are largely adopted by FASB as recommended.) It could provide a mechanism to resolve practice issues without the PCAOB or SEC undertaking full rule-making or standard setting, to produce some formal, documented output after thorough discussions. This body could help work through issues surrounding Auditing Standard No. 5, the SEC’s interpretive guidance to management, and interpretations of the COSO framework, involving preparers, auditors, the PCAOB and the SEC in discussions.
Resolving issues with internal control is not the same as resolving issues of accounting. There is much more judgment and subjectivity involved, and the context and fact pattern is even more important. Having a very broad and deep understanding of the facts is critical. At the heart of it, when you’re evaluating internal control, you’re performing a risk assessment, understanding what’s the risk that something could go wrong in a company’s financial reporting and assessing whether the company’s controls, processes and systems adequately reduce the risk. It doesn’t surprise me that there are situations where folks are finding that challenging. It’s difficult, and at times there are disagreements.
Some people think that having a panel would be too difficult because evaluating internal control is so fact-specific and you have to get so deep into the details and facts. I can see that it would be difficult, but I think it would be workable.
CW: The SEC and PCAOB have encouraged companies where they are having challenges with auditors over alignment of guidance to elevate the discussion within the audit firm to the engagement partner or even the national office. Are companies doing that? Is it helping?
LP: The CCR is finding not a lot of companies are escalating issues all the way to the national office, and we’re not sure why that is. My guess goes back to the fundamental difference between accounting and internal controls. The escalation model for resolving accounting questions is well established. The tension we’re seeing around internal controls is not about whether a material weakness exists. It’s the extent of documentation taken across dozens or hundreds of controls. Companies find if they try to escalate all of that, it’s overwhelming. Maybe a better approach is to perhaps pick just a couple of issues that are representative and spend time with the auditor focused on just those couple. That might be enough to break the logjam.
CW: Is there some potential that greater use of technology, perhaps more control automation, might help reduce the subjective judgments and therefore increase assurance around the effectiveness of controls?
LP: We have work flow tools that are used by most large companies today that can easily see 100 percent of the population of transactions. For a controller closing the books, that’s fantastic. It provides so much visibility. It also raises some interesting questions. Is there some point in the future where you have to have these tools in place to have effective internal control? It’s a provocative question, and I wonder if some kind of panel exploring internal control practice issues could address it.
I think today the answer is a resounding no. The tools are nice to have, but not a requirement. There’s a business case to be made for more use of technology, and it’s strong. It’s more effective internal control, it’s less costly, and it’s more efficient over the long term. So if you ask the question 10 years from now, does it become a requirement then? We don’t have a very good mechanism right now at the public policy environmental level to resolve those types of questions.
The good news is the debate today over internal controls is not about revisiting Sarbanes-Oxley Section 404. Without question, the implementation of 404 has been good for the capital markets. Everyone is better off for having more focus on internal control.
Thank you, Laura.