WHITE PAPER

Internal Controls in the Crosshairs: What the PCAOB’s Inspection Results Mean for Your Company

By Joseph Howell, Workiva, and Thomas Ray, Baruch College

This article originally appeared in FEI Daily.

Much has been written about the recent results of the Public Company Accounting Oversight Board (PCAOB) inspections of audits. The board was created as part of the Sarbanes-Oxley Act of 2002 (SOX) to provide oversight of the auditing of public companies. Each year since its formation, the PCAOB has inspected selected public company financial statement and internal control audits and published its findings.

In the early days, the PCAOB reported problems with about 15% of the audits it inspected. In 2014, the PCAOB’s inspection reports showed an average audit failure rate of more than 39% of inspected audits for the Big Four audit firms, with two firms reaching 46% and 49%. James Doty, the chair of the PCAOB, recently said that reports to be released in 2015 will show no significant improvement. [1][2][3]

Many of the PCAOB’s more recent criticisms focus on a failure of the auditor to provide persuasive evidence that internal controls over financial reporting (ICFR), and especially management review controls, were operating effectively or at a level of precision that would detect or prevent material misstatements. Audit firms have taken the PCAOB’s criticisms seriously and responded by changing both their audit approach and scope of work. Auditors are performing more extensive, costly, and time-consuming audit procedures related to internal controls, sometimes even after issuing their audit opinion. Some companies had to amend the previously filed Form 10-Ks required annually by the Securities and Exchange Commission (SEC) to report previously undisclosed material weaknesses. This resulted in significant increases in related audit fees. In most instances, however, these actions did not result in changes to the financial statements.

Increased SEC scrutiny

Adding to the pressure, the SEC has increased its focus on whether companies are in compliance with their internal control requirements. In recent public statements, the SEC staff expressed concern that companies were not fulfilling their responsibilities to evaluate their internal controls and identify and disclose material weaknesses without the help of their auditors. As Brian Croteau, the SEC’s Deputy Chief Accountant for Professional Practice, remarked last December, “It is surprisingly rare to see management identify a material weakness in the absence of a material misstatement.” He suggested these results could either stem from internal control deficiencies not being identified in the first place or not being evaluated appropriately. [4]

The SEC staff has also made it clear that the absence of misstatement in no way implies that controls are present and working effectively. Even in the event of an identified misstatement, auditors and management often have difficulty identifying the deficiency that allowed the misstatement to occur. As a result, the SEC staff now routinely includes questions about internal controls in their comment letters to companies and has increased the number of enforcement actions due solely to deficiencies in internal controls. We also expect the PCAOB to continue its focus in this area.

It’s the documentation

Many of the audit and control failures cited by both the PCAOB and the SEC can be attributed to failures of documentation by the public company. In short, companies and their auditors were unable to collect, organize, and present the necessary audit evidence because the individuals charged with key controls failed to accurately document their internal controls and/or obtain the necessary evidence in the first place. [5]

In fact, the PCAOB also found that the documentation companies do produce is often so vague that it simply fails to describe what the company’s managers and decision makers did. That’s what the PCAOB means when it criticizes companies and their auditors for failing to demonstrate that controls were working at “a level of precision” necessary to detect and prevent material misstatements.

We hear some company managers express frustration with the demand for increased documentation and evidence related to internal control, and even the occasional denial of responsibility to address these demands. They ask, where is the guidance that requires management to prepare a level of documentation that complies with auditing standards?

Companies have clear and rigorous legal obligations regarding internal control. The Foreign Corrupt Practices Act of 1977 requires, among other things, that public companies “make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company” and to “devise and maintain a system of internal accounting controls” to meet their obligations to accurately report financial results and safeguard assets. SOX and the related SEC rules further require the senior officers of public companies to evaluate and report on the effectiveness of their internal controls and report any significant changes made to their internal controls. [6]

Management also is responsible for maintaining evidential matter, including documentation, to provide reasonable support for its assessment. Further, inaccurate or incomplete documentation about the design of a company’s system of internal controls impairs both management’s and their auditor’s ability to understand the design of the company’s controls, identify deficiencies, and obtain the necessary evidence to support their respective assessments.

A brief intermission

Soon after the first internal control audits required by SOX had been conducted, corporate managers and others expressed significant concern about the substantial costs and efforts required by the new rules. The PCAOB responded by replacing its initial internal control auditing standard with one that emphasized the ability of auditors to exercise judgment and to tailor their audits to each client’s facts and circumstances. The “top-down, risk based” approach provided an effective—and, importantly, more efficient—approach to performing the internal control assessment. The SEC also provided guidance to help management understand its responsibilities under the law. Much of the focus during the next couple of years was on how to efficiently implement the new SOX internal control reporting requirements.

It continues to be appropriate for both management and its auditors to use a top-down, risk-based approach to evaluate whether the company’s internal control is effective. The recent inspection findings and SEC focus suggest, however, that auditors need to continue to improve their internal control skills, and management ought to increase its focus on the design of its controls and completeness and clarity of its supporting documentation.

Show me the evidence

In the public versions of the PCAOB’s inspection reports, the PCAOB stated flatly that audit firms have failed to obtain sufficient and appropriate audit evidence to support their opinions on the effectiveness of ICFR. There are two possible causes for a lack of quality evidence. First, the client could actually have sufficient evidence, but the auditors failed to collect, organize, evaluate, and present that evidence in their work papers. Second, the client could actually lack the evidence needed to support its assessment or did not identify the internal control weaknesses, and the auditors failed to see that.

In hundreds of interviews with internal control and SOX teams at companies experiencing these problems, Workiva has found a common theme. Many believe they have, or could get, the necessary evidence, but it is too disorganized and scattered to use effectively. Team members complain that they suffer from inconsistent versions of key documents and templates that are difficult to track and manage. They also cite inconsistent storage and retrieval practices, as well as cumbersome, time-consuming and error-prone manual processes used to capture and document the necessary evidence of performance.

Without a doubt, most companies find that there are too many moving parts in their business processes. The result is clear—even when companies have well-designed controls that are operating effectively, they often don’t have the documentary evidence to give their auditors in a readily accessible and usable form. Therein lies the problem.

Prepare yourself

Our advice to prepare and deal with the increased demands for more documentation is threefold. First, be aware of this increased regulatory scrutiny, and take it seriously. Discuss your past and present expectations for documentation with your controller, internal auditor, and external auditor. Second, ensure that your financial team understands what is required to properly document your company’s internal controls. Finally, seek out and take advantage of new business reporting technologies that dramatically reduce the burdensome manual effort described above. Companies adopting these technologies report that they have been able to eliminate version control problems, automate storage and retrieval practices, and actually reduce the time necessary to comply, even as demands on their time have increased.

Auditors have responded to the demands of the PCAOB and the SEC by turning up the pressure on their clients to improve documentation.
Those prepared to satisfy auditors’ demands while minimizing the associated burdens will likely survive the heightened scrutiny that results when internal controls are placed in the crosshairs.

About the authors

Joseph Howell is a co-founder and Executive Vice President for Strategic Initiatives of Workiva. Joe has over 25 years of experience in senior financial management and SEC reporting and has served as a chief financial officer for several public companies, including EMusic.com, Merix, and Borland, and several private companies, including Eid Passport and Webridge. Joe also served as managing director at Financial Intelligence LLC, a company that provides accounting and SEC disclosure advisory services. A certified public accountant (inactive), he earned a bachelor’s degree from the University of Michigan and a master’s degree in accounting from Eastern Michigan University.

Thomas Ray is a Distinguished Lecturer in the Stan Ross Department of Accountancy at Baruch College, City University of New York. Previously, Tom served as the Chief Auditor and Director of Professional Standards at the Public Company Accounting Oversight Board (PCAOB), where he oversaw the development of Auditing Standard No. 5 and numerous other PCAOB standards and rules. Tom was also previously Director, Audit and Attest Standards at the American Institute of Certified Public Accountants, partner and Audit Group Head in the Department of Professional Practice with KPMG LLP, and a member of the Advisory Council of the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. He is a certified public accountant, received a BBA in accounting from the University of Wisconsin–Madison, and started his career with Grant Thornton LLP.

The information contained herein is proprietary to Workiva and cannot be copied, published, or distributed without the express prior written consent of Workiva © 2015.

Resources

[1] “Observations From the 2010 Inspections of Domestic Annually Inspected Firms Regarding Deficiencies in Audits of Internal Control Over Financial Reporting.” (2010). Public Company Accounting Oversight Board. Retrieved from http://pcaobus.org/Inspections/Documents/12102012_Release_2012_06.pdf

[2] Knox, N. “Corporate Audits to Get Wider Review.” (2014). Wall Street Journal. Retrieved from http://blogs.wsj.com/cfo/2014/12/16/corporate-audits-to-get-wider-review/

[3] Whitehouse, T. “PCAOB Finds No Big Improvement in 2014 Inspections.” (2014). Compliance Week. Retrieved from http://www.complianceweek.com/blogs/accountingauditing-update/pcaob-finds-no-big-improvement-in-2014-inspections#.VM_BfWTF87N

[4] Croteau, B. “Remarks Before the 2013 AICPA National Conference on Current SEC and PCAOB Developments—Audit Policy and Current Auditing and Internal Control Matters.” (2013). U.S. Securities and Exchange Commission. Retrieved from http://www.sec.gov/News/Speech/Detail/Speech/1370540472057

[5] “Report on 2013 Inspection of Deloitte & Touche LLP.” (2013). Public Company Accounting Oversight Board. Retrieved from http://pcaobus.org/Inspections/Reports/Documents/2014_Deloitte_Touche.pdf

[6] “Recordkeeping and Internal Controls Provisions Section 13(b) of the Securities Exchange Act of 1934.” (2003). U.S. Securities and Exchange Commission. Retrieved from https://www.sec.gov/spotlight/fcpa/fcpa-recordkeeping.pdf