October 29, 2013
PCAOB Issues New Guidance on Sarbanes-Oxley
The headlines may have caught the fact that the PCAOB, in an October 24th
Staff Practice Alert: Considerations for Audits of Internal Control over Financial Reporting (ICFR) (PDF), reported a significant number of deficiencies in the work performed by the external auditors. (One of the better reviews is by
AccountingWeb.) Although the reference to the number (15%) of engagements with key deficiencies is from a December 2012 report, the implication is that the issue remains today so the PCAOB has issued additional guidance to the firms.
The persistent theme, the recurring criticism, is that the external auditors did not document why they made certain decisions and judgments. This creates a lack of evidence to support their eventual conclusion on the effectiveness of ICFR. I hear that the firms are asking clients for more money to upgrade their work in response. My comment is that they are paid for quality work and that their clients should not have to pay more to correct the firms' failures. In fact, in many cases the failure is in the documentation rather than the actual work performed. For example, the audit working papers do not sufficiently explain why they decided that a certain area or control was low or high risk. The Staff Alert is a good read for practitioners charged with SOX compliance for their organization as well as mandatory reading for external auditors. The Staff Alert covers a lot of ground and clarifies a number of key points. For example (in the order in which they appear in the Alert):
- Everybody should be familiar not only with Auditing Standard Number 5 (AS5), but also with AS12:
Identifying and Assessing Risks of Material Misstatement. You may know I teach a Master Class in SOX and I am always surprised how few people are aware of all the Auditing Standards relevant to SOX. The Staff Alert says AS12 "establishes a process for identifying and assessing risks of material misstatement in an audit, which applies to audits of internal control and audits of financial statements. The risk assessment procedures required by Auditing Standard No. 12 include, among other things, obtaining an understanding of the company and its environment and obtaining an understanding of internal control. The auditing standard also sets forth a process for assessing identified risks, which includes determining the likely sources of potential misstatement and evaluating the types of misstatements that could result from the risks; the accounts, disclosures, and assertions that could be affected; and the likelihood and magnitude of potential misstatements."
- Although not referenced in the Alert, practitioners should also be familiar with
Auditing Standard No. 11 Consideration of Materiality in Planning and Performing an Audit.
- "In assessing risks of material misstatement and selecting controls to test, it is important for auditors to be aware that the components of a potential significant account or disclosure might be subject to significantly different risks." In my class, I point to the fact that the revenue account includes not only sales but returns. Returns are, for many organizations, not a potential source of error that would be material to the financial statements; as a result, there may not be a need to identify key controls over returns. The Staff Alert includes other examples.
- PCAOB staff have problems with the decisions made on how much work to do at different locations. The Alert provides enhanced guidance that supplements AS5. In my course, I talk about the need to address each location and significant account in isolation unless there is a common source of error: a person or process where an error could affect multiple locations. The Staff Alert says that is may be possible to have "No specific testing of controls for locations or business units that individually or in combination do not present a reasonable possibility of material misstatement of the consolidated financial statements."
- The staff also point to problems when the company has infrequent processes or transactions. Controls are needed where these activities might be the source of a material error, even if the activity only occurs once every year or so.
- Another point that is included in AS5 but not always addressed is whether the individual performing a key control has both the competence and authority to do so effectively.
- The discussion in the Alert on selecting and testing key controls is a useful reminder of the necessary discipline required for both.
- The Staff Alert places a degree of emphasis on the need to obtain assurance on controls where there is a reliance on a report or screen that is "system-generated."
- An important reminder is the section on "Roll-forward of Controls Tested at an Interim Date." Some of the people in my classes have not, in my opinion, thought through as much as they should whether the work they have done is sufficient to provide evidence that the controls are adequately designed and functioning effectively at year-end.
- While the PCAOB found fault with reliance on internal audit work where there is a high level of judgment, they did not state that reliance cannot be placed on internal audit for tests of controls considered high risk. Instead, they used words that indicate it is unlikely but not impossible — and would have to be carefully explained: "In higher risk areas, such as testing complex controls, controls that address specific fraud risks, or controls that require significant judgment to operate or evaluate, use of the work of others would be limited, if at all."
- At the same time, the external auditors should be taken to task if they fail to place reliance on internal audit work in lower risk areas: "Conversely, the work of competent and objective persons could be used more extensively in lower risk areas."
- One perpetual issue is whether there is a deficiency (of any magnitude) just because a mistake has been made. I remind people that COSO states that internal control only provides reasonable assurance and the auditing standards mirror that view. The PCAOB Alert states: "The severity of a deficiency does not depend on whether a misstatement actually has occurred but rather on whether there is a reasonable possibility that the company's controls will fail to prevent or detect a misstatement."
I have been writing about the
need for the audit committee and its members to step up their oversight of the external auditor. The Staff Alert closes with advice for them:
"Audit committees of companies for which audits of internal control are conducted might wish to discuss with their auditors the level of auditing deficiencies in this area identified in their auditors' internal inspections and PCAOB inspections, request information from their auditors about potential root causes of such findings and ask how they are addressing the matters discussed in this alert. In particular, audit committees may want to inquire about the involvement and focus by senior members of the firm on these matters."
I commend the PCAOB for taking the time to provide this level of guidance. I am interested in hearing whether any part of this is new or challenging to you.