At a time when public company preparers and audit committees are sorely in need of more guidance regarding how the Public Company Accounting Oversight Board interprets its Auditing Standard No. 5, Internal Controls over Financial Reporting (“ICFR”), the only guidance the PCAOB has to offer corporate America is, “talk to your auditors.” This is hardly a satisfactory response, given the tension that exists between auditors and their clients over what is required by the PCAOB to be ICFR-compliant. The PCAOB’s approach has made it difficult for the audit firms to get management buy-in to the PCAOB’s rigorous expectations for ICFR, mainly because management has not heard the PCAOB’s expectations directly from the PCAOB.
There are also significant dollars at stake here. A November 2016 report by Audit Analytics identified 2,169 accelerated filers who have reported audit fees in their proxy statements without interruption since 2002 (out of a total population of 4,003 accelerated filers at June 30, 2016). Audit Analytics reported that audit fees for these 2,169 companies grew from $3.7 billion in 2002 to $9.2 billion in 2015! ICFR most certainly accounts for the lion’s share of this increase. Compliance Week also reported earlier this summer on a Protiviti survey showing that a majority of companies had experienced a greater than 10% increase in hours devoted to Sarbanes-Oxley compliance. The rising compliance costs are driving some companies to leave the Big Four to reduce their compliance costs or exit the public markets to avoid the ICFR burden altogether.
Just over a year ago, the Center for Capital Market Competitiveness (part of the U.S. Chamber of Commerce), speaking on behalf of preparers all over America, wrote to the PCAOB and the Securities and Exchange Commission to express concerns that the PCAOB’s demanding expectations for ICFR had lost sight of the cost-benefit relationship and were driving unnecessary increases in audit fees. The SEC and the PCAOB diligently listened to preparers; but ultimately stood their ground on the PCAOB’s expectations. Compliance Week reported this development in a December 2015 article titled, “Regulators Suggest Its Time to Double Down on Internal Controls.”
“You should talk to your auditors.”
Helen Munter, Director of Inspections, PCAOB to USC Conference on SEC Reporting audience
I support AS 5. But with the uproar about ICFR and management review controls, I expected that further guidance from the PCAOB would be forthcoming. Not so.
The Big Four are well versed in the PCAOB’s expectations from their experiences with the PCAOB inspection process (about 50+ inspections per year). The next-tier firms have 14 to 36 inspections to draw upon. The headline here is that preparers and audit committees hear next to nothing directly from the PCAOB. Educating preparers and audit committees about the PCAOB’s expectations has instead fallen on the shoulders of the auditors—and it has been an arduous uphill battle for the auditors to convince their clients as to the PCAOB’s expectations.
The last interpretive guidance from the PCAOB on ICFR was issued in October 2013, long before the uproar (Staff Audit Practice Alert No. 11, “Considerations for Audits of Internal Control Over Financial Reporting,”). With the attention drawn to ICFR in 2015 (courtesy of the U.S. Chamber of Commerce), I anticipated that useful interpretive guidance from the PCAOB would be forthcoming. Rather than providing clarity as to the PCAOB expectations, the PCAOB’s director of inspections, Helen Munter, told the audience at the recent USC Conference on SEC Reporting, “You should talk to your auditors.”
PLANNING THE AUDIT
Below, the PCAOB discusses how to plan an audit of internal control over financial reporting.
The auditor should properly plan the audit of internal control over financial reporting and properly supervise the engagement team members. When planning an integrated audit, the auditor should evaluate whether the following matters are important to the company's financial statements and internal control over financial reporting and, if so, how they will affect the auditor's procedures -
Knowledge of the company's internal control over financial reporting obtained during other engagements performed by the auditor;
Matters affecting the industry in which the company operates, such as financial reporting practices, economic conditions, laws and regulations, and technological changes;
Matters relating to the company's business, including its organization, operating characteristics, and capital structure;
The extent of recent changes, if any, in the company, its operations, or its internal control over financial reporting;
The auditor's preliminary judgments about materiality, risk, and other factors relating to the determination of material weaknesses;
Control deficiencies previously communicated to the audit committee or management;
Legal or regulatory matters of which the company is aware;
The type and extent of available evidence related to the effectiveness of the company's internal control over financial reporting;
Preliminary judgments about the effectiveness of internal control over financial reporting;
Public information about the company relevant to the evaluation of the likelihood of material financial statement misstatements and the effectiveness of the company's internal control over financial reporting;
Knowledge about risks related to the company evaluated as part of the auditor's client acceptance and retention evaluation; and
The relative complexity of the company's operations.
The PCAOB may argue that preparers and audit committees are beyond their purview. Yes, the SEC has jurisdiction over preparers and audit committees. But this is where citizens get frustrated. Can’t these two organizations get together to offer something better than “You should talk to your auditors”? FASB provides all kinds of interpretive guidance (such as the Revenue Recognition Transition Resource Group). Why can’t the PCAOB and the SEC do the same?
This issue is part of a broader fundamental problem when it comes to procuring audit services. Audits come in black boxes. The buyers of audit services have limited knowledge about what they are procuring beyond audit team expertise. The lack of transparency about the internal control requirements only compounds the buyer’s reservations about the value inside each black box and contributes further to the commodity pricing of audits.
We need less in the black box, not more. The PCAOB’s goal of protecting investors is an admirable goal. To achieve that goal, preparers and audit committees deserve to hear more from the PCAOB beyond trite, pat answers.
Bob Conway is a retired KPMG audit partner and is currently the Professional Practice Director at CNM LLP. Before joining CNM, Bob was at the PCAOB for nine years where he was a Regional Associate Director with leadership responsibilities for the PCAOB’s Orange County and Los Angeles offices.