Board Member Jeanette Franzel spoke on the 26th at the IIA's GAM conference on the topic of "Effective Audits of Internal Control in the Current 'Perfect Storm.'" The full text of her speech has been posted by the PCAOB.
She talked about a number of issues that I believe are important:
- Has the PCAOB released new guidance on how the external auditors should perform their assessment of internal control over financial reporting?
- Where the external auditors are saying they need to do more work because of new and specific requirements by the PCAOB, are they justified in that explanation?
- Should companies and their auditors use what I and others have called checklists (some call them templates, but that is semantics) that require all the COSO Principles to be satisfied without first considering whether there would be financial reporting risk should they not be fully satisfied?
- Have management and the internal auditors failed, in some cases, to adequately document, test, and assess key controls relied upon to prevent or detect a material misstatement of the financials? In other words, have the failures reported by the PCAOB in their October Staff Alert been caused, at least in part, by failures of management?
The answers are:
- No. She said "the PCAOB has neither changed the auditing standards nor introduced new rules for audits of internal control over financial reporting since the issuance of AS 5 in 2007."
- If the external auditors had been performing their audit consistent with the requirements of AS 5, then the answer is "no". They would have to do more work if they had previously fallen short, especially if those defects are in the areas discussed by the PCAOB in the October 2013 Staff Audit Alert.* In addition, Jeanette points out that some of the comments apparently made by certain external auditors are misleading.
"In some cases, audit firms have told issuers that the PCAOB insists on detailed procedures such as the use of "screen prints" to document certain systems-related features; or specifying the number of pages that must be involved in summarizing key controls; or that auditors must attend management meetings to observe certain controls in action. I assure you that the Board is not requiring procedures at that level of detail. AS 5 provides the guiding standard for ICFR audits."
- Jeanette is very clearly opposed to the use of checklists (or templates) that do not first consider the level of financial reporting risk should there be any gap in the presence and functioning of the COSO Principles.
"... the PCAOB has heard from some issuers concerns that audit firms may take a checklist approach to the audit to map controls to the principles articulated in the 2013 COSO Framework. And we also have heard speculation that firms are taking such an approach because they are worried that PCAOB inspectors will inspect against the points in the 2013 COSO Framework."
"I am concerned that a checklist approach to the 2013 COSO Framework would result not only in a missed opportunity to take a fresh look at management's and the auditor's approaches to evaluating and auditing internal control, but also that such an approach could increase the likelihood of missing new and evolving risks in financial reporting and the related auditing."
"I will once again emphasize the importance of auditors following the top-down, risk-based audit approach in AS 5, along with the guidance in the Board's October 2013 audit practice alert, for conducting the audit."
- Yes. As Jeanette says:
"Experienced auditors and financial statement preparers know that the ICFR audit is made more difficult if management's process is not as effective or well-documented as it should be. Effective and efficient solutions to some of the audit deficiencies found by the PCAOB may also require some improvements to both the issuer's and the auditor's process. I am concerned that, in some cases, the auditor's reaction is to "bolt on" a series of new audit steps when a more efficient and effective solution may require some tightening up of the controls on the part of management, in addition to changes to the audit procedures."
I like the point made in the speech about the need for improved communication between management (and/or internal audit) and the external auditor. Personally, I think both sides are likely at fault: the external auditor for blaming the PCAOB (IMHO, without justification) and laying down the law to management, and management and internal audit for failing to challenge the external auditor. From what I hear, management (including the CAE and SOX program management) are not asking the external auditor to show them where the PCAOB examiner has said what is being asserted as a new requirement.
What do you think? I strongly recommend a careful read of the speech.
*BTW, I hope you saw my earlier post where I discussed the PCAOB Staff Alert.