Importance of Audits of Internal Controls
Good afternoon. It is a pleasure to be here – I want to thank Steve Harris for inviting me to speak with you. I think we as a group share the same interests – protecting the investor by improving audit quality – and I am looking forward to today's discussion. Before I begin, I must say that the views I express are my own and should not be attributed to the PCAOB as a whole or any Board members or staff.
Internal control over financial reporting ("ICFR") attracts much attention. And it should. When ICFR is effective, it helps companies make sure that they produce reliable financial statements that investors can use to make investment decisions. When it is not, it can damage the integrity of financial reporting that is the very foundation of the capital markets.
Deficiencies in audits of internal control also can affect the audit of the financial statements. In integrated audits, auditors often rely on controls to reduce their substantive testing of financial statement accounts and disclosures. Thus, deficiencies in testing and evaluating internal control can lead to inadequate testing of accounts and disclosures in the financial statement audit. This means that investors may not have the same level of assurance that an audit should provide about the financial statements upon which they are relying.
At the PCAOB, our focus remains clear. We are here to protect the interests of investors. Our inspectors – who are very seasoned and experienced professionals with an average of 17 years of audit experience — perform risk-based inspections of audit firms.
Our collective goal is to ensure that the audits of public companies are performed in accordance with PCAOB auditing standards and that firms have designed and implemented systems of quality control that would result in the performance of high quality audits. Our inspections are designed to identify and address weaknesses and deficiencies related to how a firm conducts audits. To achieve that goal, our inspections evaluate a firm's performance in selected audit engagements, as well as the design and operating effectiveness of a firm's own quality control policies and procedures.
Today, I would like to provide a perspective on the state of the audit work we see through inspections.
The Big Picture
Over the last few years, the audit of internal control has topped the list of deficiencies in the audit work we have reviewed. In 2013, approximately 36 percent of the integrated audits inspected had some deficiency related to internal control. While not all of the 2014 reports are out yet, we saw some improvement at certain firms, but deficiencies were still high.
Of course, I am disappointed to see this. Auditing Standard No. 5,An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements ("AS No. 5") has been out since 2007. It has not changed. Nor have our expectations about the audit work changed. But there continue to be challenges.
No doubt firms have taken significant actions in an effort to perform an effective ICFR audit. Many engagement teams, in fact, do perform an effective ICFR audit. We have, however, observed some engagements teams that do not. There could be many reasons that firms and engagement teams are struggling with ICFR audits and they range from not fully understanding the requirements of AS No. 5, the firm's methodology, and/or the audit client's business, to not having the necessary experience to perform the work or appropriate supervision by more senior members of the team.
A deeper and more holistic understanding of what causes some to get it right and others to miss the mark is necessary.
Where are the challenges? As we have looked at audit work, we have seen that some auditors do not properly apply the top-down risk-based approach that is required by the auditing standard. In some cases, we have seen some apply a mechanical approach that is not appropriately tailored to the risks and that of course can lead to an ineffective audit.
There are three areas where we most commonly see problems.
The first area is in understanding a company's flow of transactions. This is a critical first step in planning an effective audit. Without this understanding, engagement teams may not identify all of the risks that exist and select the appropriate controls to test. Further, the controls that are selected for testing may not be responsive to the risk of material misstatement (including fraud risk) that the engagement team has identified. We've observed this scenario commonly when auditors were testing revenue.
The second area is the testing of management review controls. Management review controls serve as a form of detective control – meaning it is intended to help management identify errors, inaccuracies, or fraud. In order to rely on management review controls, the auditor needs to understand the control and test it to see if it is operating or operating at a precise enough level to detect material misstatements.
So what does this mean? Let's say that the auditor selects management's monthly review of budget-to-actual financial results to test. If the auditor only looks to see that management performed the review and does not understand what management looked for in the review, what matters were investigated, and how they were resolved, the auditor has failed to obtain evidence that the review could in fact prevent or detect a material misstatement. We have seen this sort of ineffective testing by some engagement teams that placed significant reliance on certain management review controls.
One explanation some auditors provided for the deficiencies we observed in this area is the lack of documentation to support the operation of the controls at the audit client. This is not to say that management is not maintaining sufficient documentation for their purposes, but the documentation may not support the testing that the engagement teams are required to perform. As a result, engagement teams may not be able to place the level of reliance that they would like on these controls, and may have to identify and test other controls to support their audit approach.
The third area is the testing of system-generated data or reports. If a control selected for testing uses system-generated data or reports, the effectiveness of the control depends in part on the controls over the accuracy and completeness of the system-generated data or reports. For example, if the control relies on sales prices coming from a price list, the auditor needs to understand where the price list is coming from and identify and test the controls over the accuracy and completeness of the price list.
What could be the cause of such deficiencies? In some instances, firms' methodology and guidance needed to be revised in this area. When that happened, Inspections staff saw that this contributed to fewer related audit deficiencies.
In other instances, decreases in audit staffing and turnover, particularly in the periods from 2007 - 2010, have contributed to the audit deficiencies seen at firms. This can create a situation where less experienced audit staff, who may not have a good understanding of the auditing standard, are performing the work without proper supervision by more experienced staff.
We have also heard from auditors that the quality of an issuer's processes and controls also can affect the audit. When an issuer has well documented processes and controls, audit quality tends to be higher. This is particularly true when auditing internal control.
Firms have taken varying actions to address the problems. We have seen firms issue new templates and tools to guide their staff through the audit of internal control. We have seen some require enhanced documentation; others have added additional layers of review and most have enhanced their training. Of course, some staff may follow the steps prescribed by their firms through these tools and training and still not tailor the work to the audit being performed.
The Way Forward
The answer to everything is not more work – it is "smart work" and by this I mean a balance of efficiency and effectiveness. Sure, when procedures were not performed in the first place, more work will be entailed. But auditors that are thoughtful in applying the top-down, risk-based approach may find that they don't necessarily need to do more work.
Smart work involves taking the time and effort for careful planning in advance. This involves having a good understanding of the audit client's business and flow of transactions to identify the risks, making a thoughtful selection of controls that address those risks, and calibrating the testing of controls along with obtaining sufficient audit evidence based on the associated risks.
Applying a mechanical approach to the audit, for example, just checking that management performed a review, without proper planning can lead to ineffective testing of controls and other problems.
If the auditor does not understand the risks in the company's processes, he or she might not select the right controls to test, which can lead to ineffective auditing. As the audit gets closer to completion date, there are fewer options – no one wants to pivot back.
If the auditor does not properly design the control testing, it can lead to unsupported opinions on internal control and on the financial statements. It is just like planning a trip. It is important to be smart about the plan and the procedures before hitting the road. And, of course, be ready to respond to bumps encountered along the way. Sometimes, the plan doesn't go as expected and the auditors need to be ready to respond or make appropriate changes to the plan as necessary throughout the audit.
We have a significant root cause initiative underway to better understand these challenges. We are looking at what makes one engagement team do a great job when other engagement teams at the same firm are not necessarily doing a great job. We have seen that some things – as simple as good project management skills – contribute to a better quality audit. That has real implications for the amount of effort that is necessary in an audit, especially around the testing of internal control.
The Continued Dialogue
We have seen a lot of ups and downs in the inspected work. I am encouraged by what we saw in 2014 and the early signs of 2015 are that the gains made by some firms have been retained, but others still have challenges. Not all firms are equal in their progress.
Our inspectors engage in a lot of dialogue with audit firms – not only as issues in audit work are identified but, most importantly, as they take steps to understand the underlying cause and implement remedial action.
So again, just like planning a trip, thoughtful, planned work is a key step in any audit to help protect the integrity of financial reporting and the capital markets.
I look forward to hearing your thoughts and input as we all continue to work to protect the interests of investors.
 See Staff Audit Practice Alert No. 11, Considerations for Audits of Internal Control Over Financial Reporting (October 24, 2013).
 See paragraphs 34 to 41 of AS No. 5.
 See paragraphs 42 to 61 of AS No. 5. Examples of management review controls include (1) monthly comparisons of budget and actual results to forecasts for revenues and expenses; (2) comparisons of other metrics, such as profit margins and certain expenses as a percentage of sales; and (3) quarterly balance sheet reviews.
 See paragraph 39 of AS No. 5.
 See PCAOB general report, Observations from 2010 Inspections of Domestic Annually Inspected Firms Regarding Deficiencies in Audits of Internal Control Over Financial Reporting (December 10, 2012).