Many audit and control failures can be attributed to failures of documentation by the public company.
Much has been written about the 2014 results of the Public Company Accounting Oversight Board’s (PCAOB) inspections of audits, which showed an average audit failure rate of more than 39 percent of inspected audits for the Big Four audit firms — with two firms reaching 46 percent and 49 percent.
James Doty, the chair of the PCAOB, recently said reports to be released in 2015 will show no significant improvement.
This is a marked contrast to the early days of the PCAOB, which was created as part of the Sarbanes-Oxley Act of 2002 (SOX) to provide oversight of the auditing of public companies.
Each year since its formation, the PCAOB has inspected selected public company financial statement and internal control audits and published its findings. When inspection reports were first published, the board reported problems with about 15 percent of the audits it inspected.
Many of the PCAOB’s recent criticisms focus on a failure of the auditor to provide persuasive evidence that internal controls over financial reporting (ICFR), and especially management review controls, were operating effectively or at a level of precision that would detect or prevent material misstatements.
Audit firms have taken the PCAOB’s criticisms seriously, and are responding by changing their audit approach and scope of work. Auditors are performing more extensive, costly and time-consuming audit procedures related to internal controls, sometimes even after issuing their audit opinion.
As a result, some companies had to amend previously filed Form 10-Ks to report previously undisclosed material weaknesses. This resulted in significant increases in related audit fees. In most instances, however, these actions did not result in changes to the financial statements.
Increased SEC Scrutiny
Adding to the pressure, the Securities and Exchange Commission (SEC) has increased its focus on whether companies are in compliance with their internal control requirements. In recent public statements, the SEC staff has expressed concern that companies are not fulfilling their responsibility to evaluate their internal controls, and to identify and disclose material weaknesses without the help of their auditors.
As Brian Croteau, the SEC’s Deputy Chief Accountant for Professional Practice, remarked last December, “It is surprisingly rare to see management identify a material weakness in the absence of a material misstatement.” He suggested these results could either stem from internal control deficiencies not being identified in the first place, or not being evaluated appropriately.
The SEC staff has also made it clear the absence of misstatement in no way implies controls are present and working effectively. Even in the event of an identified misstatement, auditors and management often have difficulty identifying the deficiency that allowed the misstatement to occur.
As a result, the SEC staff now routinely includes questions about internal controls in their comment letters to companies, and has increased the number of enforcement actions due solely to deficiencies in internal controls. We also expect the PCAOB to continue its focus in this area.
It’s the Documentation
Many of the audit and control failures cited by the PCAOB and the SEC can be attributed to failures of documentation by the public company. In short, companies and their auditors were unable to collect, organize and present the necessary audit evidence because the individuals charged with key controls failed to document their internal controls accurately or to obtain the necessary evidence in the first place.
In fact, the PCAOB also found that the documentation companies do produce is often so vague that it simply fails to describe what the company’s managers and decision-makers did. That’s what the PCAOB means when it criticizes companies and their auditors for failing to demonstrate that controls were working at “a level of precision” necessary to detect deficiencies and prevent material misstatements.
We hear some company managers express frustration with the demand for increased documentation and evidence related to internal control, as well as the occasional denial of responsibility to address these demands. They ask: where is the guidance that requires management to prepare a level of documentation that complies with auditing standards?
Companies have clear and rigorous legal obligations regarding internal control. The Foreign Corrupt Practices Act of 1977 requires, among other things, that public companies “make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company” and “devise and maintain a system of internal accounting controls” to meet their obligations to report financial results accurately and safeguard assets.
SOX and the related SEC rules further require the senior officers of public companies to evaluate and report on the effectiveness of their internal controls and report any significant changes made to their internal controls.
Management also is responsible for maintaining evidential matter, including documentation, to provide reasonable support for its assessment. Further, inaccurate or incomplete documentation about the design of a company’s system of internal controls impairs both management’s and the auditor’s ability to understand the design of the company’s controls, identify deficiencies and obtain the necessary evidence to support their respective assessments.
A Brief Intermission
Soon after the first internal control audits required by SOX had been conducted, corporate managers and others expressed significant concern about the substantial costs and efforts required by the new rules.
The PCAOB responded by replacing its initial internal control auditing standard with one that emphasized the ability of auditors to exercise judgment and to tailor their audits to each client’s facts and circumstances.
The “top-down, risk based” approach provided an effective — and, importantly, more efficient — approach to performing the internal control assessment. The SEC also provided guidance to help management understand its responsibilities under the law. Much of the focus during the next couple of years was on how to implement the new SOX internal control reporting requirements efficiently.
It continues to be appropriate for both management and their auditors to use a top-down, risk-based approach to evaluate whether the company’s internal control is effective. The recent inspection findings and SEC focus suggest, however, that:
- Auditors need to continue to improve their internal control skills, and
- Management ought to increase their focus on the design of their controls and on the completeness and clarity of their supporting documentation.
Show Me the Evidence
In the public versions of the PCAOB’s inspection reports, the PCAOB stated flatly that audit firms have failed to obtain sufficient and appropriate audit evidence to support their opinions on the effectiveness of Internal Control Over Financial Reporting (ICFR).
There are two possible causes for a lack of quality evidence. First, the client could actually have sufficient evidence, but the auditors failed to collect, organize, evaluate and present that evidence in their work papers. Second, the client could actually lack the evidence needed to support its assessment or did not identify the internal control weaknesses, and the auditors failed to see that.
In hundreds of interviews with internal control and SOX teams at companies experiencing these problems, Workiva has found a common theme. Many believe they have, or could get, the necessary evidence, but it is too disorganized and scattered to use effectively.
Team members complain they suffer from inconsistent versions of key documents and templates that are difficult to track and manage. They also cite inconsistent storage and retrieval practices, as well as cumbersome, time-consuming and error-prone manual processes used to capture and document the necessary evidence of performance. Without a doubt, most companies find there are too many moving parts in their business processes.
The result is clear — even when companies have well-designed controls that are operating effectively, they often don’t have the documentary evidence to share with their auditors in a readily accessible and usable form. Therein lies the problem.
Our advice to address increased demands for more documentation is threefold. First, be aware of this increased regulatory scrutiny and take it seriously. Discuss your past and present expectations for documentation with your controller, internal auditor and external auditor. Second, ensure that your financial team understands what is required to properly document your company’s internal controls.
Finally, take advantage of new business reporting technologies that dramatically reduce the burdensome manual effort described above. Companies adopting these technologies report they have been able to eliminate version control problems, automate storage and retrieval practices, and actually reduce the time necessary to comply, even as demands on their time have increased.
Auditors have responded to the demands of the PCAOB and the SEC by turning up the pressure on their clients to improve documentation. Those prepared to satisfy auditors’ demands while minimizing the associated burdens will likely survive the heightened scrutiny that results when internal controls are placed in the crosshairs.