In my SOX Master Classes and elsewhere I hear that the external audit firms are saying the PCAOB has issued new and more demanding Sarbanes-Oxley guidance. They are telling companies that both management and auditors have to do more work and fees have to rise accordingly.
This is NOT TRUE! There is no "new and demanding SOX guidance." (I will let you decide why they are saying this, but I have my suspicions.)
It is true that in October, the PCAOB published Staff Audit Practice Alert No. 11: Considerations For Audits Of Internal Control Over Financial Reporting.
However, it is important to understand why this Alert was issued. In the words of the SEC:
"The Public Company Accounting Oversight Board today issued a Staff Audit Practice Alert in light of a significant number of audit deficiencies observed in the past three years related to audits of internal control over financial reporting (ICFR)."
In other words, the Alert was issued to help the audit firms understand how and why they have failed to perform, in the eyes of the PCAOB, adequate audits of internal control over financial reporting!
The Alert does NOT impose new requirements. It simply re-asserts existing guidance and what I would consider professional audit practices!
Here are some excerpts that merit praise. They re-assert what external auditors should have been practicing all along (emphasis through italics, etc. has been added by me where useful):
Auditing Standard No. 5 establishes a top-down, risk-based approach to the audit of internal control. The auditing standard is designed to focus auditors on the most important matters in the audit of internal control and avoid procedures that are unnecessary to an effective audit.
Comment: AS5 requires the external auditor to avoid performing procedures that address risks that do not represent at least a reasonable possibility of a material misstatement of the financial statements filed with the SEC.
Comment: Even though COSO had already issued its 2013 update to the Internal Control Framework at the time of the Alert, the PCAOB makes no reference to the update and its 17 Principles. In other words, the PCAOB (and the SEC) continue to expect and require that companies and their auditors follow a top-down approach. I believe a top-down, risk-based approach can be taken to assessing whether the COSO Principles are present and functioning. Please see my blog post on the topic; since then, I have updated my Management's Guide to Sarbanes-Oxley Section 404 to include detailed guidance on a top-down, risk-based approach encompassing the Principles. If your auditors are using a checklist approach to COSO 2013, they should know that is contrary to the intent of COSO (just ask them) and inconsistent with Auditing Standard No. 5!
Under PCAOB standards, a top-down approach begins at the financial statement level and with the auditor's understanding of the overall risks to internal control over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions.
This approach directs the auditor's attention to accounts, disclosures, and assertions that present a reasonable possibility of material misstatement to the financial statements and related disclosures. The auditor then verifies his or her understanding of the risks in the company's processes and selects for testing those controls that sufficiently address the assessed risk of misstatement to each relevant assertion.
One of the potential root causes for the deficiencies in audits of internal control, as cited in the general inspection report, is improper application of the top-down approach set forth in PCAOB standards.
… it appeared to the inspections staff that firms did not sufficiently understand the likely sources of potential misstatements related to significant accounts or disclosures as part of selecting controls to test.
Identifying the risks of material misstatement — including the types of potential misstatements that can occur and the likely sources of those potential misstatements — is necessary for the auditor to select appropriate controls to test and to evaluate whether those controls adequately address the risks. For example, an auditor who identifies revenue overstatement as a risk, without assessing how overstatements might occur or understanding the controls in place to address the risk, lacks the basis to make an informed selection of controls to test or to meaningfully evaluate whether the selected controls are designed and operating to prevent or detect potential misstatements.
Auditing Standard No. 12, Identifying and Assessing Risks of Material Misstatement, establishes a process for identifying and assessing risks of material misstatement in an audit, which applies to audits of internal control and audits of financial statements. The risk assessment procedures required by Auditing Standard No. 12 include, among other things, obtaining an understanding of the company and its environment and obtaining an understanding of internal control. The auditing standard also sets forth a process for assessing identified risks, which includes determining the likely sources of potential misstatement and evaluating the types of misstatements that could result from the risks; the accounts, disclosures, and assertions that could be affected; and the likelihood and magnitude of potential misstatements.
Comment: I recommend obtaining a copy of all the Auditing Standards issued by the PCAOB in October 2012 relating to internal control and risk assessment.
Auditing Standard No. 12 requires the auditor to obtain a sufficient understanding of each component of internal control to (1) identify the types of potential misstatements, (2) assess the factors that affect the risks of material misstatement, and (3) design tests of controls and substantive procedures.
… risks of material misstatement and selecting controls to test, it is important for auditors to be aware that the components of a potential significant account or disclosure might be subject to significantly different risks.
Comment: Not only may some transactions be handled in different processes with different risks, but they may not be significant enough to be a source of material misstatement.
In multi-location engagements, PCAOB standards require the auditor to assess the risks of material misstatement to the consolidated financial statements associated with the location or business unit and correlate the amount of auditing attention devoted to the location or business unit with the degree of risk. Auditing Standard No. 9 lists factors that are relevant to the assessment of the risk of material misstatement associated with a location or business unit and the determination of the necessary audit procedures. Certain of the factors listed in Auditing Standard No. 9 relate to the inherent risks of material misstatement, while others — such as the control environment, centralized processing, and monitoring activities — relate to entity-level controls. Auditing Standard No. 5 provides that, in lower risk locations, the auditor might first evaluate whether entity-level controls, including controls in place to provide assurance that appropriate controls exist throughout the organization, provide the auditor with sufficient evidence. Auditing Standard No. 5 also provides that the auditor may take into account the work of others in determining the locations or business units at which to perform tests of controls.
Comment: The point here is that the work performed at each location should be based on the consolidated and not local materiality, nor on any so-called "allocated" materiality.
To illustrate the application of these principles, assume that an auditor is performing an integrated audit of a company with business units in several locations. After assessing the risks associated with the individual locations, an auditor might design an audit strategy involving:
a. Identifying and testing controls over specific risks that present a reasonable possibility of material misstatement to the company's consolidated financial statements;
b. To the extent not covered in item a above, identifying and testing controls at locations or business units that, individually or in combination, present a reasonable possibility of material misstatement through one or more of the following:
- Testing entity-level controls that operate at a level of precision that would detect material misstatements in the locations or business units, individually or in combination.
- For locations with centralized systems and processes and homogeneous controls, performing tests of the common controls across the locations or business units.
- Using the work of others who tested controls at the locations, to the extent appropriate, as discussed later in this release.
c. No specific testing of controls for locations or business units that individually or in combination do not present a reasonable possibility of material misstatement of the consolidated financial statements.
Comment: The only way that the risk at multiple locations should be aggregated is when there is a common point of failure. In other words, a failure of a single control would affect more than a single location. Remember that when there is no common point of failure, the likelihood that two locations would have failures in the same account, at the same time, and in the same direction is the product of their individual likelihoods, which is far smaller than either likelihood on its own! The PCAOB refers to the common-point-of-failure situation using the term "homogeneous controls."
Auditing Standard No. 5 provides that the auditor should test the design effectiveness of controls by determining whether the company's controls, if they are operated as prescribed by persons possessing the necessary authority and competence, satisfy the company's control objectives and can effectively prevent or detect errors or fraud that could result in material misstatement of the financial statements.
Auditing Standard No. 5 provides that the auditor should test the operating effectiveness of a control by determining whether the control is operating as designed and whether the person performing the control has the necessary authority and competence to perform the control effectively. The auditing standard also provides that the evidence necessary to persuade the auditor that a control is effective depends upon the risk associated with the control.
Comment: Note the comment on authority and competence. When testing individual controls for these attributes, you are not only testing these controls directly but also obtaining evidence relating to the presence and functioning of some Control Environment Principles.
PCAOB standards provide direction on evaluating the competence and objectivity of others. The higher the degree of competence and objectivity, the greater use the auditor may make of the work. The impact of the work of others on the auditor's work also depends on the relationship between the risk associated with the control and the competence and objectivity of those who performed the work.
Auditing Standard No. 5 provides that the severity of a control deficiency depends on (1) whether there is a reasonable possibility that the company's controls will fail to prevent or detect a misstatement of an account balance or disclosure and (2) the magnitude of the potential misstatement resulting from the deficiency or deficiencies.
The severity of a deficiency does not depend on whether a misstatement actually has occurred but rather on whether there is a reasonable possibility that the company's controls will fail to prevent or detect a misstatement.
Comment: The assessment of internal control over financial reporting when there is a misstatement is a matter of judgment based on facts and circumstances. Internal control provides only reasonable, not perfect, assurance. Errors will occur because controls are performed by humans. The question to be addressed is whether the control that failed to prevent or detect the misstatement is broken, such that there is at least a reasonable possibility it will fail again and cause a material misstatement.
The Alert discusses other areas of deficiencies identified by the PCAOB examiners, such as in the assessment and auditing of "management review controls" (e.g., where a key control says "the Controller reviews and approves the reconciliation," or "the journal entry is reviewed and approved by the Supervisor") and the automated portion of semi-automated or hybrid controls (e.g., where a manual activity is based on information from the company's information systems, such as the review by a manager of an exception report). It discusses these in some detail. I like to see this because while it doesn't require anything other than what I would have expected from competent auditors, it does provide useful guidance that can help management testers as well as members of the external audit team.
The Alert closes, appropriately, with advice for audit committees:
Audit committees of companies for which audits of internal control are conducted might wish to discuss with their auditors the level of auditing deficiencies in this area identified in their auditors' internal inspections and PCAOB inspections, request information from their auditors about potential root causes of such findings and ask how they are addressing the matters discussed in this alert. In particular, audit committees may want to inquire about the involvement and focus by senior members of the firm on these matters.
I congratulate the PCAOB for restating some of the key principles, including the requirement that the scope of work be based on a top-down, risk-based approach. In particular, the work should be designed to provide assurance that, anywhere there is at least a reasonable possibility of a material misstatement, controls are adequately designed and operating effectively to prevent or detect such error on a timely basis. In addition, work on areas where there is not at least that reasonable possibility should not be performed. Finally, I congratulate them for not watering down the risk-based approach by following the herd with a checklist of COSO Principles.
I welcome your feedback. Are your auditors calling the content of this alert "new"? Are they asking you to use a checklist to address the COSO Principles instead of basing your work on a top-down and risk-based process?