The next round of audit inspection reports will show leading audit firms have made progress in their audit of internal controls over financial reporting, but often are still missing the final step in assuring controls are effective, according to Jay Hanson, a member of the Public Company Accounting Oversight Board.

Speaking at Compliance Week 2014, Hanson said 2013 inspection reports, which the board will begin publishing soon, will show audit firms in some cases are not closing the loop in their assessment and testing of controls to assure the controls are actually effective in preventing or detecting material misstatements in financial statements. “The new phrase that concludes the new failure deficiency is the firm did not assess whether the control operated at a level of precision that would detect a material misstatement,” he said. “Effectively, the question is ‘does the control work?' That's a tough question to answer.”

Auditing Standard No. 5 requires auditors to audit internal controls over financial reporting and attest to their effectiveness as part of their financial statement audit. The PCAOB has called out many cases over the past few years where auditors failed to properly assess or test controls to determine their effectiveness. Now, said Hanson, there's plenty of evidence the firms have dug in to take a closer look at assessing and testing controls, but ultimately aren't always successful in determining effectiveness. “The firms are putting a lot of effort and attention into upping their game relative to the testing of controls,” he said. “They've all made good progress in identifying the problem.” However, “that closing the loop on it is something many firms are struggling with.”

Inspection reports in prior years commonly indicated auditors failed to properly identify controls over a particular group of transactions or test them for effectiveness, said Hanson. “You could describe that in about a sentence,” he said. The 2013 reports, by comparison, will show auditors did a great deal of work to assess and test controls, but failed to determine definitively that a given control was effective. “Now the description of the finding says the firm did a proper risk assessment of the financial reporting risk, properly identified controls, properly selected controls to test,” he said. “It takes a page to describe ‘here are all the things that have been done,' but that closing the loop didn't happen.”

While auditing standards have not changed with respect to internal controls since the board approved AS5, Hanson said the inspection and board focus on AS5 implementation has evolved. Early on, inspections were focused on assuring audit firms changed their approach from the bottom-up focus of the original rule, Auditing Standard No. 2, to the more top-down, risk-based approach of AS5, he said. Then a few years ago, the board changed its focus, he said. “It was just full on, are they complying with AS5?” he said. “We found some slippage on the testing of internal controls.”

Jeanette Franzel, also speaking at Compliance Week 2014, referred to the “perfect storm” over auditing, where the board is focused on internal control improvements just as companies also are implementing the new 2013 framework for internal control, COSO's Internal Control -- Integrated Framework. The PCAOB's staff practice alert, issued in October 2013, was meant to highlight some audit areas where the board was looking for improvements, she said. “The alert was issued to help audit firms to understand how and why audits have failed and to point out areas that need to be focused on,” she said. “The alert emphasizes existing guidance.”

Topics