Effective Audits of Internal Control in the Current “Perfect Storm”

I am honored to be here today to discuss topics of mutual interest to chief audit executives, audit committee and board members, financial and executive management, and the Public Company Accounting Oversight Board (PCAOB) in our complementary roles of achieving reliable financial reporting and audits to promote confidence and integrity in the securities markets. I believe that effective dialogue and interaction among all stakeholders in the financial reporting chain contribute to furthering the interests of investors.

Before I get started, I must tell you that the views I express today are my own and do not necessarily reflect the views of the Board, any other Board member, or the staff of the PCAOB.

We are currently in a "perfect storm" in the area of internal control over financial reporting, which demands effective action by all participants in the financial reporting and auditing chain. Management, internal auditors, and external auditors will be navigating the updated Committee of Sponsoring Organizations of the Treadway Commission (COSO) "Internal Control — Integrated Framework" at the same time that external audit firms are taking steps to respond to PCAOB inspection findings associated with their audits of internal control.[1]

Unfortunately, over the decades, we've seen multiple cycles in which company management and internal and external auditors simply didn't get it right in the area of internal control, resulting in failures to effectively define, understand, implement, and assess internal control.

Currently, after more than a decade of implementation of the internal control requirements of the Sarbanes-Oxley Act, we are faced with an opportunity to take a fresh look at internal control over financial reporting to prevent and detect material misstatements, and protect investors. This fresh look necessarily will involve management, internal auditors, external auditors, audit committees, and the PCAOB working together constructively to fulfill our respective responsibilities in the system of assurance over financial reporting.

Today I'd like to discuss significant trends and emerging issues in audits of internal control over financial reporting and related PCAOB inspections issues. I hope to dispel some mythology regarding PCAOB actions; provide some possible approaches for effectively navigating these issues; and encourage constructive communications between public companies and their audit firm as management considers potential changes to internal control based on the updated COSO Framework.

Trends in Audits of Internal Control Over Financial Reporting

Before we dive into the PCAOB's recent actions related to audits of internal control over financial reporting, here is a quick quiz on PCAOB standards, recent guidance, and inspection findings related to ICFR audits. 

Question Number 1:

Which of the following statements is true?

  1. PCAOB recently has changed the standards for auditing internal control;
  2. PCAOB recently has promulgated new rules for audits of internal control; or
  3. PCAOB has not changed the standards or the rules in this area in recent years.

The correct answer is "c." 

Question Number 2:

Is the following statement true or false?

  1. PCAOB's inspections approach related to internal control over financial reporting has changed over the years.

The correct answer is "true."  

Question Number 3:

In which year(s) did PCAOB's inspections approach change related to internal control over financial reporting?

  1. 2006
  2. 2008
  3. 2010
  4. 2012

The correct answers are a, b, and c.  

 

It is important to understand both the evolution of major changes in PCAOB auditing standards for internal control audits from 2004 to 2007, as well as changes in the PCAOB's inspections approach, so stakeholders can be in the best position to "get it right" on internal controls.

PCAOB inspection results have provided evidence and insights into areas where external auditors need to strengthen audits of internal control to comply with existing standards. Appropriately, audit firms are taking actions to strengthen ICFR audits. I believe that we are currently well-positioned in terms of achieving strengthened audits over internal control based on the evolution of changes in PCAOB standards and inspection activity since the initial standards were issued in 2004.[2]

Here is a brief chronology of PCAOB standards and inspection activities related to internal control over financial reporting.

  • 2004 - The Board adopted Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements (AS 2), to govern the newly required audit of internal controls.[3]
  • 2006 - On May 1, the Board issued a statement announcing it would focus on how efficiently the firms performed audits according to AS 2.[4] At that time, PCAOB inspections were focused on efficiency, including (1) the degree of integration between the audit of ICFR and the financial statements; (2) the auditor's use of a top-down approach; (3) the proper assessment of and response to identified risks; and (4) using the work of others.[5] Through inspections and other monitoring, PCAOB determined that, although the audit of internal control over financial reporting produced benefits, those benefits came at a significant cost.[6]
  • 2007 - On June 12, the Board adopted Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements (AS 5), to improve implementation of ICFR audits. AS 5 became effective for audits for fiscal years ended on or after Nov. 15, 2007, and emphasizes a top-down, risk-based audit approach that focuses on the most important audit matters.[7] It also eliminated unnecessary audit procedures, and was designed to be scalable to the size and complexity of the business.[8]
  • 2008 - The PCAOB's 2008 inspections of ICFR audits focused on whether auditors were effectively transitioning to AS 5. During inspections fieldwork, inspections teams communicated specific observations to the audit teams and discussed overall observations for each firm with the firm's leadership. Inspection findings related to ICFR were not reported in individual firm inspection reports, but were summarized in a general report issued by the Board.[9]
  • 2009-2010 - The Board continued to monitor the execution of AS 5 and its inspections focused on whether firms had obtained sufficient audit evidence to support audit opinions on the effectiveness of ICFR. Beginning primarily in the 2010 inspections cycle, when inspections staff found deficiencies in the auditor's testing of the design and/or the operating effectiveness of internal controls, those deficiencies were communicated to the audit firms primarily through comment forms and then reported, as appropriate, in the firms' inspection reports.

Recent Board Reports and Guidance Regarding ICFR Audits

Due to the Board's concerns about the number and significance of deficiencies in firms' audits of ICFR in the 2010 and 2011 inspections, in December 2012, the Board issued a report, Observations from 2010 Inspections of Domestic Annually Inspected Firms regarding Deficiencies in Audits of Internal Control over Financial Reporting.[10]

The report provides information about the nature and frequency of deficiencies in firms' audits of internal control detected during the PCAOB's 2010 inspections of eight domestic registered firms that have been inspected every year since the PCAOB's inspection program began.[11] The report's findings include:

  • In 46 of the 309 integrated audit engagements, or 15 percent, that were inspected in 2010, inspections staff found that the firm, at the time it issued its audit report, had not obtained sufficient audit evidence to support its audit opinion on the effectiveness of internal control due to one or more deficiencies identified by the inspections staff.
  • In 39 of those 46 engagements, or 85 percent, where the firm did not have sufficient evidence to support the internal control opinion, the firm also did not obtain sufficient audit evidence to support the financial statement audit opinion. These engagements represent 13 percent of the 309 integrated audit engagements that were inspected.
  • These deficiencies also revealed weaknesses in some firms' systems of quality control of such significance that, in the Board's view, they required remediation.

The Board's inspections staff continued to observe high levels of deficiencies in the audits of internal control during the 2011 inspections of these eight firms (generally covering fiscal year 2010 audits).

On Oct. 24, 2013, the PCAOB issued Staff Audit Practice Alert No. 11, Considerations for Audits of Internal Control Over Financial Reporting, in light of significant ICFR auditing practice issues observed by the inspections staff over the past three years.[12]

The practice alert discusses the application of certain requirements of AS 5 and other PCAOB standards to specific aspects of the audit of internal control. Significant auditing deficiencies in audits of internal control that have been cited frequently in PCAOB inspection reports include deficiencies where the audit firm did not:

  • Identify and sufficiently test controls that are intended to address the risks of material misstatement;
  • Sufficiently test the design and operating effectiveness of management review controls that are used to monitor the results of operations;
  • Obtain sufficient evidence to update the results of testing of controls from an interim date to the company's year-end (i.e., the roll-forward period);
  • Sufficiently test controls over the system-generated data and reports that support important controls;
  • Sufficiently perform procedures regarding the use of the work of others;
  • Sufficiently evaluate identified control deficiencies.

The practice alert also discusses potential root causes of the deficiencies, and provides guidance for auditors in areas including:

  • risk assessment and the audit of internal control;
  • selecting controls to test;
  • testing management review controls;
  • information technology considerations, including system-generated data and reports;
  • roll-forward of controls tested at an interim date;
  • using the work of others;
  • evaluating identified control deficiencies.

In many of the audit deficiencies that inspections staff detected, firms were not appropriately following their own methodologies for audits of internal control over financial reporting.

Emerging Issues in Audits of Internal Control Over Financial Reporting

So although the PCAOB has neither changed the auditing standards nor introduced new rules for audits of internal control over financial reporting since the issuance of AS 5 in 2007, many issuers are experiencing changes in firms' audit approaches as a result of PCAOB inspections and the recent guidance in Audit Practice Alert No. 11. In some cases, auditors are performing additional procedures related to previously issued audit opinions on ICFR.

In some cases, the following situations are occurring, in which auditors are adding or changing ICFR audit procedures:

  • The auditor changes the ICFR audit approach for audits that were not inspected or for audits that were inspected, but did not have ICFR-related deficiencies reported in Part I of the firm's PCAOB inspection report.

Firms may be making changes to their audit approaches as part of the remediation of a quality control deficiency noted in Part II of the inspection report.[13] Such changes could involve additional staff training to achieve compliance with the firms' existing audit methodology for auditing ICFR; the implementation of new audit tools or updates to the audit methodology; or mandating the use of certain audit procedures in cases where those procedures had been optional.

In addition, firms may be implementing changes in their audits of ICFR in reaction to the PCAOB's December 2012 report that summarized deficiencies in firms' ICFR audits, as well as the additional guidance provided in Audit Practice Alert No. 11.[14] The PCAOB issued both of these documents because of a high number of ICFR findings across many inspected firms. The report and the practice alert should have caused firms to reassess their ICFR approach and make any necessary changes to improve quality and make sure their audits are consistent with the requirements of AS 5.

  • The auditor performs additional procedures for a previously completed audit after a PCAOB inspection.

A firm might also be performing additional procedures specifically because a deficiency was identified and included in Part I of the firm's inspection report,[15] and the firm seeks to determine whether, following performance of the necessary procedures, it can still support its previously expressed opinion on ICFR.[16]

The PCAOB has heard that in response to some of the above changes, some issuers have expressed concerns about the value of additional audit work in the ICFR area, and whether there will be significant increases in costs as a result.

We also have received feedback that would indicate there has not been effective communication and dialogue between audit firms and issuers about ICFR issues. In some cases, audit firms have told issuers that the PCAOB insists on detailed procedures such as the use of "screen prints" to document certain systems-related features; or specifying the number of pages that must be involved in summarizing key controls; or that auditors must attend management meetings to observe certain controls in action. I assure you that the Board is not requiring procedures at that level of detail. AS 5 provides the guiding standard for ICFR audits.

Unfortunately, such responses from audit firms tend to close down the dialogue with financial statement preparers about important basic issues such as identifying key controls, establishing the appropriate level of management documentation and testing, and the nature and extent of auditor testing needed to support the auditor's ICFR opinion.

Productive dialogue between the audit firm and financial statement preparers is necessary to coordinate management's responsibilities to implement effective ICFR and assess its effectiveness, and the auditor's responsibilities to audit and report on ICFR.

Experienced auditors and financial statement preparers know that the ICFR audit is made more difficult if management's process is not as effective or well-documented as it should be. Effective and efficient solutions to some of the audit deficiencies found by the PCAOB may also require some improvements to both the issuer's and the auditor's process. I am concerned that, in some cases, the auditor's reaction is to "bolt on" a series of new audit steps when a more efficient and effective solution may require some tightening up of the controls on the part of management, in addition to changes to the audit procedures.

The Securities and Exchange Commission's Deputy Chief Accountant recently expressed concern that some of the PCAOB's inspection findings related to the audits of internal control over financial reporting are likely indicators of similar problems with management's evaluations of ICFR, and thus potentially also indicative of risk for unidentified material weaknesses. He further stated that he has heard suggestions that auditors and the PCAOB have higher expectations than management when considering the adequacy of entity-level controls or the severity of control deficiencies.[17]

Meanwhile, the PCAOB has heard from some issuers concerns that audit firms may take a checklist approach to the audit to map controls to the principles articulated in the 2013 COSO Framework. And we also have heard speculation that firms are taking such an approach because they are worried that PCAOB inspectors will inspect against the points in the 2013 COSO Framework.

I am concerned that a checklist approach to the 2013 COSO Framework would result not only in a missed opportunity to take a fresh look at management's and the auditor's approaches to evaluating and auditing internal control, but also that such an approach could increase the likelihood of missing new and evolving risks in financial reporting and the related auditing.

I will once again emphasize the importance of auditors following the top-down, risk-based audit approach in AS 5, along with the guidance in the Board's October 2013 audit practice alert, for conducting the audit. In addition, I believe it is necessary and productive to take a fresh look at management's process in light of the 2013 COSO Framework, so that the entire system functions effectively. And, of course, auditors and issuers need to have a productive dialogue about these issues.

Concluding Thoughts

The current "perfect storm" swirling around internal control over financial reporting demands the appropriate attention of all participants in the financial reporting and auditing chain. To achieve the assurance over ICFR that investors and the market rely on, all participants must do their part to fulfill their responsibilities for implementing, evaluating, and auditing internal control.

PCAOB inspection results have provided evidence and insights into areas where external auditors need to strengthen audits of internal control to comply with existing standards. Further, audit firms must continue strengthening their ICFR audits.

Meanwhile, management will be considering the 2013 COSO Framework in its implementation and assessment of internal control. Also, internal auditors can play a very important role in these efforts by taking a fresh look at internal control through the COSO Framework, and supporting management's efforts and the external audit process.

I look forward to working constructively with audit committees, issuers, and the audit firms to achieve the assurance needed from audits of internal control over financial reporting.

[1] On May 14, 2013, the COSO released an updated version of its "Internal Control - Integrated Framework," which was published originally in 1992.

[2] The auditor attestation requirement applies to companies that qualify as "large accelerated filers" or "accelerated filers," other than "emerging growth companies." For a discussion of the evolution of requirements for certain public companies to undergo an audit of ICFR under Section 404(b) of the Sarbanes-Oxley Act of 2002, see Office of the Chief Accountant, Securities and Exchange Commission, "Study and Recommendations on Section 404(b) of the Sarbanes-Oxley Act of 2002 For Issuers With Public Float Between $75 and $250 Million" (April 2011).

[3] PCAOB Release No. 2004-001, "Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements" (March 9, 2004).

[4] PCAOB Release No. 104-2006-105, "Statement Regarding the Public Company Accounting Oversight Board's Approach to Inspections of Internal Control Audits in the 2006 Inspection Cycle" (May, 1, 2006), 1. An audit that achieves the objectives described in the Board's standards is "effective." "Efficiency" refers to the auditor achieving those objectives with the least expenditure of effort and resources.

[5] PCAOB Release No. 104-2006-105 (May 1, 2006), 3.

[6] PCAOB Release No. 2006-007, "Proposed Auditing Standard — An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit Of Financial Statements and Related Other Proposals" (Dec. 19, 2006), 2-3.

[7] PCAOB Release No. 2007-005A, "Auditing Standard No. 5 — An Audit Of Internal Control Over Financial Reporting That Is Integrated with An Audit Of Financial Statements and Related Independence Rule and Conforming Amendments" (June 21, 2007). The Board adopted AS 5 on May 24, 2007, and then issued a technical correction release on June 21, 2007.

[8] Ibid., 3-4. The Board's approach was coordinated closely with the SEC, which issued concurrent guidance to company management on a similar approach to evaluating internal control under management's responsibilities under Section 404(a) of the Sarbanes-Oxley Act (SEC Exchange Act Release No. 33-8810 (June 20, 2007)).

[9] PCAOB Release No. 2009-006, "Report on the First-Year Implementation of Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting that is Integrated with an Audit of Financial Statements" (Sept. 24, 2009).

[10] PCAOB Release 2012-006, "Observations from 2010 Inspections of Domestic Annually Inspected Firms Regarding Deficiencies in Audits Of Internal Control Over Financial Reporting" (Dec. 10, 2012).

[11] Those inspections generally involved reviews of integrated audits for issuers' fiscal years ending in 2009.

[12] PCAOB Staff Audit Practice Alert No. 11, "Considerations for Audits of Internal Control Over Financial Reporting" (Oct. 24, 2013).

[13] Findings in Part II of PCAOB inspection reports, if any, describe deficiencies in the firm's overall system of quality control such that the Board has doubts that the system provides reasonable assurance that professional standards were met. The Board is prohibited by law from publicly releasing Part II findings unless the firm fails to remediate them to the Board's satisfaction within 12 months of issuance of the inspection report.

[14] PCAOB Release No. 2012-006 (Dec. 10, 2012).

[15] Inspection findings related to audits of ICFR that are reported in Part I of PCAOB inspection reports reflect PCAOB staff's view that the auditor failed to obtain reasonable assurance about whether effective ICFR was maintained in all material respects. See PCAOB Release No. 2012-003, "Information for Audit Committees about the PCAOB Inspection Process" (Aug. 1, 2012), 3.

[16] In the event the firm determines it cannot support its previously expressed opinion, AS 5, paragraph 98, imposes certain obligations on the firm (incorporating certain provisions of AU 561, Subsequent Discovery of Facts Existing at the Date of the Auditor's Report). Cf. AU 390, Consideration of Omitted Procedures After the Report Date.

[17] Brian Croteau, "Audit Policy and Current Auditing and Internal Control Matters" (remarks Before the 2013 AICPA National Conference on Current SEC and PCAOB Developments, Washington, DC, Dec. 9, 2013) http://www.sec.gov/News/Speech/Detail/Speech/1370540472057.