After nearly a year of moderating corporate gripes of excessive auditing driven by regulatory inspections, regulators say the answer is for companies to double down on their controls and use a little more muscle with their auditors.

Representatives of the Securities and Exchange Commission and the Public Company Accounting Oversight Board say they have met with preparers to hear their detailed accounts of where they believe auditors made demands that didn’t make sense. The U.S Chamber of Commerce initiated the sessions with particular concerns around the audit of internal control over financial reporting.

For at least the last few annual inspection cycles, the PCAOB has taken a hard line on auditors over their compliance with Auditing Standard No. 5, which governs the audit of internal control, as well as a group of newer auditing standards that give auditors some specific marching orders around responding to risks. Both are areas of concern at the PCAOB, where board members and inspection staff say some firms are making limited improvements, but compliance is still falling short.

Jim Schnurr, chief accountant at the SEC, said his monitoring of the outreach suggests the issues being identified by the PCAOB may not be entirely audit problems. “Rather, they may, at least in part, be indicative of deficiencies in management’s controls and assessments,” he said during prepared remarks at a recent national accounting conference, where an entire panel of regulators, preparers, and auditors explored how to work through the tension. He urged companies to take a closer look at their controls and initiate more dialogue with auditors to get to core issues.

The push by the PCAOB is prompting auditors to demand more audit evidence and more documentation, especially around management review controls, in ways that has left preparers scratching their heads. “Preparers are on the back end of the compliance funnel,” said conference attendee Kevin McBride, global accounting and financial services controller at Intel. “We can’t just wake up one day and find that everything is different. It’s very difficult to evolve the control environment on a timely basis.”

Susan Insley, vice president of internal audit at VMware, says she’s seen a “drift” away from the top-down, risk-based approach to the audit of internal controls that is mandated under AS5. “We’re moving away from reliance on management review controls and wanting an inclusion of a broader set of control activities rather than relying on the management review controls that are really important to the running of the business,” she said.

Preparers still aren’t entirely sure what they need to do to satisfy auditors, said McBride. “There is a lack of clarity on what exactly is sufficient in management review controls and their precision,” he said.

“We’re moving away from reliance on management review controls and wanting an inclusion of a broader set of control activities rather than relying on the management review controls that are really important to the running of the business.”

Susan Insley, VP of Internal Audit, VMware

That suggests some lack of understanding of why such controls are even in place or what they’re intended to do, said Brian Croteau, deputy chief accountant at the SEC. “On a basic, fundamental level, it is important to understand the fundamental risks that any control is meant to address,” he said. “In assessing internal control over financial reporting, management needs to understand and address the specific controls it has in place to address financial reporting risks. Not all management review controls are created equal.”

The same goes for auditors, said Jeanette Franzel, a board member at the PCAOB. “If management doesn’t understand it, auditors’ problems are compounded,” she said. “The auditor needs this understanding of the flow of transactions, and the understanding of how controls fit into the flow of transactions, in order to properly apply the top-down, risk-based approach of AS5.”

The auditor uses this approach to identify the entity-level controls based on risks of misstatement and then to select the controls to test, Franzel said. If auditors don’t understand the flow of transactions and the controls to address risk, they won’t get the evidence they need to properly support an audit opinion. “Auditors then compound their problems by relying on that as if it were effective and effectively tested to reduce their substantive testing.”


Below, Tom Quaadman, senior vice president of the U.S. Chamber Center for Capital Markets Competitiveness, reacts to the SEC’s internal controls policy.
In sports there is an old saying that you have to call them as you see them. There is no question that the Chamber has been tough on regulators when they haven’t done the right thing. However, we also give regulators kudos when they do the right thing.
Over the past two years, Chamber members have raised concerns about a dramatic increase in the costs and work related to internal controls associated with financial reporting systems. This rise in costs and burdens has been driven, in part, by Public Company Accounting Oversight Board (PCAOB) inspections. Everyone agrees that modern controls are necessary to protect investors before a business raises capital. However, every additional control that doesn’t succeed in protecting investors actually harms them by unnecessarily increasing costs for businesses and reducing returns for investors.
The Chamber convened a group of chief financial officers and accounting experts to get to the bottom of the problem and address these issues. The Chamber’s Financial Reporting Working Group met with members of the PCAOB and the Securities and Exchange Commission (SEC) to educate them on this challenge facing companies and to explore solutions.
To his credit, SEC Chief Accountant Jim Schnurr took the bull by the horns. He asked the Financial Reporting Working Group to come back with real world examples of the problem. The Chamber responded and sent a 19-page letter outlining the problems and requesting a joint stakeholder meeting to develop solutions. Schnurr convened meetings with the PCAOB and brought in businesses and auditors to roll up their sleeves and dive deep into the subject. This week, Schnurr took the next step by convening a panel of experts at the American Institute of Certified Public Accountants’ Annual Conference on SEC and PCAOB Developments to have a public discussion of solutions and provide some clarifications that will help explain what businesses, auditors and investors should be doing.
While this is the start of a much longer process, it is good to see the SEC’s chief accountant taking a proactive approach. Too often market participants and agencies view each other warily and with suspicion. This is a refreshing change—having investors, auditors, businesses and regulators getting together, exploring problems and solutions in a good faith debate and dialogue. Mr. Smith may not have come to Washington, but it looks like the can-do spirit is still around if you look for it.
Source: Chamber of Commerce

This is where auditors get dinged by inspectors for not assuring controls are operating at the right level of precision. In response, auditors have placed less reliance on entity-level controls and tested controls at lower levels. The key question, said Helen Munter, director of inspections for the PCAOB, is to focus on whether the control can mitigate risk of misstatement by itself. “Is the entity-level control you selected sufficient to operate and be tested on its own and in isolation? Or does it in fact depend on the operation of another control?”

Mike Gallagher, a partner at PwC, said the firm responded to the PCAOB’s push with more training and examples for auditors, as well as new tools and templates to help guide the auditor’s thinking around documentation and evaluation. Other major firms have taken similar measures. “Having that consistency of performance, we’ve found, is a game changer, which has shown up positively in our inspection results,” said Gallagher.

Croteau said AS5 and the SEC’s interpretive guidance to management on internal controls are fully aligned on the issue of control precision. Representatives of neither the SEC nor the PCAOB suggested any change in regulatory approach is expected to address the ongoing tension.

Rather, the SEC and PCAOB are encouraging preparers who are still stumped by auditor demands to assure plenty of dialogue, as early in the process as possible, and to push back on why auditors need the evidence or documentation they request. “In all of our outreach, this is one of the most important things that has come out of the tension,” said Franzel. “It’s a lack of understanding between auditors and management. If an auditor says we have to, think about why. Does the auditor not understand your controls? Is the auditor taking the lazy way out? That’s not an acceptable response.”

Insley said she is encouraged by the dialogue she’s seen so far, though she is wary about auditor use of templates and whether some auditors may follow them blindly like checklists. Gallagher urged preparers to press auditors if their actions don’t make sense in the context of the company’s control environment. “I worry about any professional who can’t articulate the why,” he said. “If that’s the answer you’re getting from the auditor, talk to someone in the organization who can give you an answer that makes sense.”