Still battling over internal control? Focus on risk assessments, communication

Those on the front lines of the ongoing battle over internal control reporting and auditing are telling companies to press on and arm themselves with better risk assessments and more timely, targeted communication.

Jay Hanson, a member of the Public Company Accounting Oversight Board, which wrote the controversial standard that is fueling the continued tension, said the board has continued to meet with constituents in 2016 after intensive meetings throughout 2015 to try to iron out differences. The board is hearing from preparers that its interpretation of Auditing Standard No. 5, which governs the audit of internal control over financial reporting, is prompting auditors to go too far.

Interactions have been positive and productive, Hanson said during a panel discussion at the recent national conference of the American Institute of Certified Public Accountants. Results have been mixed, however, on whether the discussions have been helpful. “There is strong interest in the preparer community to have an ongoing dialogue with the PCAOB on this,” he said.

Helen Munter, director of inspections at the PCAOB, has signaled that inspections of 2015 financial statements suggest audit findings are still high, so the focus on internal controls will continue into 2017. She said the board will focus heavily on a disconnect inspectors see in how auditors respond to their own risk assessments.

Kevin Stout, senior associate chief accountant at the Securities and Exchange Commission, said he continues to believe that the steps outlined by regulators roughly a year ago are still applicable. The SEC and the PCAOB indicated then through conference speeches and panel discussions that companies should engage in more detailed dialogue with auditors and push back where they believed auditors were making seemingly pointless or excessive demands. “Those steps have not yet yielded the full benefits of what we and the PCAOB expected,” he said.

Stout says he still sees evidence of a lack of adequate communication among preparers, audit committees, and auditors over internal control issues. “Open, timely communication is critical,” he said. He’s suggesting companies pay special attention to their risk assessments and compare them to auditors’ assessments to target issues early in the audit process.

“While it’s expected you might have different perspectives on certain matters, active dialogue is critical to bridging those differences,” said Stout. “It’s important for these discussions among auditors, management, and audit committees to occur timely and at a detailed level of specificity for them to be meaningful and have impact.”

“We are seeing more active engagement. That’s not to say every communication is perfect. It could be improved. But we’re also seeing more active engagement from audit committees on that process.”

Josh Jones, Partner, EY

Josh Jones, a partner at EY, said his firm has put a big emphasis with audit teams on having “timely, proactive, thoughtful” discussions with companies to talk through risk assessments, control design, and selection of controls for testing—“making sure everyone is on the same page as to the nature of the evidence that exists.” The firm has provided assistance to audit teams on how to have those communications, articulating changes they are making to the audit process that correlates to auditing standards and management’s assessment process, he said.

“We are seeing more active engagement,” said Jones. “That’s not to say every communication is perfect. It could be improved. But we’re also seeing more active engagement from audit committees on that process.”

From the corporate perspective, David Cornish, senior vice president and deputy controller at American Express, said he has seen a “marked improvement” when it comes to changes in the audit process to more closely align it with auditing standards. Timely communication, however, is still a challenge. He says too often auditors make changes to their audit process very late in the cycle.

“Sometimes late in the game or toward the end of the audit something could come from the national office that you have to change a process or change something you’re doing,” he said. “But if you’ve evaluated this with a risk assessment, to add steps at the end is disruptive just to get documentation.”

ICFR BEST PRACTICES

Below, the CAQ discusses a proper review of internal controls and where internal controls may be lacking.
Management Reporting on the Effectiveness of ICFR 
Section 404 of the Sarbanes-Oxley Act requires (with certain exceptions) all public companies to annually assess the effectiveness of ICFR and report the results. Management also has responsibility to disclose any significant changes to its ICFR system in its quarterly reports. The discipline of performing an ICFR assessment, coupled with the requirement to report the results in a public filing, affords investors increased confidence in the reliability of financial statements. 
In performing its assessment, management must determine whether it has implemented controls that adequately address the risk that a material misstatement in the company’s financial statements would not be prevented or detected on a timely basis and whether those controls are operating effectively. The SEC has recommended that management’s assessment of ICFR take a top-down, risk-based approach. Under that approach, management first focuses on entity-level controls and then on significant accounts and significant processes and, finally, on control activities. While management’s assessment must cover the company’s ICFR as a whole, it should devote the greatest attention to the areas that pose the highest risk to reliable financial reporting. 
ICFR Deficiencies
A deficiency in ICFR exists if the design or operation of a control does not allow management or employees, in the normal course of performing their assigned duties, to prevent or detect misstatements on a timely basis. When deficiencies in the design or operation of a control are found, management needs to assess how serious the impact may be on the integrity of the company’s financial reporting processes. More serious deficiencies are classified as either significant deficiencies or as material weaknesses. 
For purposes of SEC reporting, if a single material weakness in ICFR exists, then ICFR is not effective, regardless of the effectiveness of the rest of the controls. A material weakness means that there is a reasonable possibility that the company’s controls will not prevent or detect a material misstatement of the company’s financial statements on a timely basis. 
It is important to understand that a material weakness in ICFR does not necessarily mean that the company’s financial statements are misstated; rather, it means that there is a reasonable possibility that the company’s controls would not have prevented or detected a material misstatement on a timely basis.
Source: Center for Audit Quality

Those changes midstream could arise due to any number of possible interactions over prior-year audit results, Hanson said. The regulatory process over a given audit year takes months or even years to play out—with inspection field work, inspection reporting, remedial quality control activities, disciplinary measures, and other steps—any of which could affect how audit firms interact with their clients in subsequent audit cycles. “Things are discovered that didn’t work, so that leads to adjustments, sometimes late in the year,” he said.

That speaks to the need for ongoing, intensive dialogue throughout the year, experts agreed. Teri List-Stoll, a board member at Microsoft and Danaher, said audit committees have become much more engaged around internal controls as the situation has gradually escalated over the past several years. She has viewed it as perhaps an opportunity to improve the overall process of managing, reporting on, and auditing controls.

“At every audit committee meeting, we have a conversation about where management stands with execution of the plan, then with the auditors, so there are no surprises,” said List-Stoll. “At every audit committee meeting, there’s time allotted to understand where we stand in that process.”

Cornish says he meets with his audit engagement partner weekly for up to an hour to get and provide real-time updates that facilitate real-time changes, both at the company and with the audit. That minimizes the likelihood of issues falling through the cracks, only to be discovered or discussed months later. It minimizes the filing deadline pressures associated with last-minute changes, he said.

Given the continued consternation over internal control audits, Hanson says he believes the PCAOB should soon make AS5 the focus of a post-implementation review. The PCAOB launched such a review process earlier in 2016 when it began reviewing the implementation of a newer auditing standard around engagement quality reviews. The board has not scheduled a review of AS5 but, Hanson said, it should soon get to the top of the priority list. “We should engage in some kind of look-back at what’s working and what’s not working,” he said.

Preparers likely would agree, if comments on the review of the engagement quality review standard are any indication. The U.S. Chamber of Commerce submitted a letter to the PCAOB to offer its views on the EQR standard, but also to plug for a review of AS5. “Considering the current national dialogue over issues with respect to auditor attestations of internal control over financial reporting, AS5 would seem a more logical and beneficial choice for the PCAOB’s initial PIR,” the Chamber wrote.