Corporate America should take note that auditors may soon be upping their game when it comes to performing internal control audits over financial reporting, following a recent regulatory report that highlights areas where more work is needed.

The Public Company Accounting Oversight Board published a report summarizing inspectors’ observations after the first full cycle of auditing and inspection under Auditing Standard No. 5, the new-and-improved handbook for how to audit internal controls over financial reporting. AS5 replaced Auditing Standard No. 2, the PCAOB’s original standard on internal control auditing, which was heavily criticized for requiring excessive, costly audit work.

In its report, the PCAOB said auditors generally are hitting the mark in terms of planning and performing audits, but listed six specific areas where improvements can be made. The six hot spots identified by inspectors touch on the perennial issues that have been controversial since the Sarbanes-Oxley Act first put internal controls over financial reporting into the spotlight.

Most notably, the PCAOB cited weaknesses in testing controls and in evaluating entity-level controls, which address “tone at the top” and cover things such as information technology infrastructure, investigation procedures, ethics programs, and the like. Inspectors also are focusing on risk assessments, the risk of fraud, using the work of others, and evaluating and communicating deficiencies.


“The report generally says auditors are getting the idea, but they’re not doing it perfectly yet,” says Susan Lister, national director of audit policy for BDO Seidman. With respect to all six areas of focus, the report says “most of us got it right most of the time, but there are always instances where people didn’t, or where they did it particularly well.”

Jim DeLoach, managing director for Protiviti, says his read of the report is generally positive. “On balance, the report reflects the overriding message that the firms have been paying attention to the differences between AS5 and AS2 and have been incorporating those differences into their practice,” he says.

“The whole SOX compliance arena is maturing to become more predictable, but that’s not to say it’s completely predictable,” says Andrew Barfuss, a partner with East Coast regional audit firm Amper, Politziner & Mattia. “There are still a lot of rough edges to be smoothed out.”


With respect to entity-level controls, however, DeLoach is not surprised that inspectors noted some problems. “The profession continues to struggle with this and has struggled with it for a long time,” he says.

Inspectors noted “significant variance” in how effectively auditors identify and test entity-level controls and then use the results of those efforts to plan the audit. For example, the report says some auditors did not evaluate entity-level controls beyond those associated with the control environment and the period-end financial reporting process, and some auditors say they stopped there because their clients didn’t evaluate controls any further either.

WHAT WENT WRONG

The following excerpt from the PCAOB’s report on first-year AS5 implementation describes some areas under six categories where the PCAOB saw inadequacies in audit inspections:

Risk Assessment

… The inspectors … observed instances where the auditors failed to adequately assess risk in certain relevant aspects of the audit. These instances included the failure to (i) identify certain components of an account or certain locations in a multi-location environment that presented different risks of material misstatement of the financial statements than other components of the same account or other locations, respectively, (ii) evaluate both the qualitative and quantitative factors when determining whether to perform tests of controls at a location, (iii) identify all relevant assertions, and (iv) consider the effects of control deficiencies identified during the audit (including deficiencies in pervasive controls such as information technology general controls) on the risk assessment.

Risk of Fraud

… There were instances … where the nature, timing, and extent of auditors’ tests of controls were not sufficiently responsive to an identified fraud risk because auditors either failed to alter the extent of testing in areas of greater risk, or they failed to identify and test compensating controls when the controls identified and tested did not completely address the identified risk. The inspectors also observed instances where auditors either did not evaluate all the relevant processes of the company’s period-end financial reporting process or did not appropriately test the design or operating effectiveness of controls to address the risk of management override.

Using the Work of Others

… In certain instances, the auditors performed few or no procedures to assess the competence of the others relative to the task being performed, or they did not adequately assess the objectivity of the others, particularly where the work was performed by company personnel other than internal auditors. In addition, the inspectors observed numerous instances where the extent of the auditors’ retesting of the work of others was seemingly unrelated to the risks involved (e.g., a uniform approach to retesting of 20 percent of the controls tested).

Entity-Level Controls

… [T]he inspectors observed that the auditors’ work in the area could have been more effective. For example, in some instances, auditors did not evaluate entity-level controls beyond those associated with the control environment and the period-end financial reporting process. (Inspectors were told in certain cases that the auditors did not evaluate other entity-level controls because the issuer had not done so.) Some auditors identified entity-level controls that appeared to be designed to operate with a high degree of precision, but failed to obtain sufficient audit evidence of their operating effectiveness. There also were instances where the auditors identified and tested entity-level controls and found them to be designed and operating with a high degree of precision, but did not alter their tests of process-level controls in response to that assessment.

Nature, Timing, and Extent of Controls Testing

… [I]n certain cases, the auditors did not consider the assessed level of risk when selecting controls to be tested, or the controls selected were not designed to address the risk of misstatement to the relevant assertion(s). The inspectors also observed situations where auditors failed to test a relevant control appropriately or, in some cases, at all. For example, inspectors observed instances where the auditors’ testing of controls over financially significant applications was dependent on appropriate segregation of duties, but the auditors did not test to determine whether appropriate segregation of duties existed. Similarly, in some instances, the auditors tested certain controls without testing the system-generated data on which the tested controls depended; the auditors did not test controls over applications that processed financially significant transactions, including important manual spreadsheets; or the auditors observed evidence of review and approval controls (e.g. management sign-off evidencing review and approval) without testing the design or operating effectiveness of management’s controls. In some instances, the auditors did not obtain service auditors’ reports related to controls at outside service organizations, or the auditors failed to perform procedures related to the necessary user controls identified in the service auditors’ reports.

Evaluation of Deficiencies

Inspectors observed other instances, however, where auditors inappropriately based their conclusions about the severity of control deficiencies solely on the materiality of the identified errors in the financial statements. Also, some auditors failed to consider relevant risk factors when evaluating the severity of identified control deficiencies. In addition, there were instances where the auditors did not consider whether certain control deficiencies identified through using the work of others, in combination with other identified control deficiencies, constituted a material weakness in controls. In certain instances, the compensating controls that the auditors identified and tested were not sufficiently precise or did not operate effectively to mitigate the risks associated with the identified deficiencies. In addition, the inspectors observed that certain auditors’ required communications of identified control deficiencies to management or the audit committee were incomplete.

Source

PCAOB Report: First-Year AS5 Implementation (Sept. 24, 2009).

The report also notes some auditors identified entity-level controls that appeared to operate well, but didn’t document those findings or didn’t alter testing of lower-level process controls to reflect them. Conversely, some auditors relied too heavily on entity-level controls, and in some cases even when they recognized there may be problems with doing so.

“The important message here is that auditors are not taking a closer look at the potentially positive impact of effective entity-level controls and process-level monitoring on the scope and testing of automated, process-level controls,” says DeLoach. “There is still some work to be done in that particular area.”

First-Time Filers Gear Up

With respect to testing controls, inspectors noted some “opportunities for improvement,” according to the report. Inspectors say some auditors didn’t consider risk when selecting controls for testing, or tested controls that weren’t designed to address the risk being considered. The report also notes a number of ways in which auditors relied too heavily on underlying controls or information, such as segregation of duties, system-generated data, applications, or outside service organizations.

As non-accelerated filers—those with market caps below $75 million—gear up for their first-ever audit of internal control, the report provides some important insight into where regulators and, therefore, auditors are focusing their attention, says Lister. “It gives some guidance to those who are doing this for the first time to see where the most important areas are,” she says.

The Securities and Exchange Commission has granted non-accelerated filers a number of delays in meeting the internal control reporting and auditing requirements, with the most recent deferral of the audit requirement intended to allow small companies to benefit from the findings of the SEC’s just-published cost-benefit study.


Many audit experts have said smaller companies have been slow in shoring up and documenting their internal controls while watching for another delay in the audit requirements. CFOs and auditors working with non-accelerated filers likely have limited or no experience with AS5, said Barfuss, so they still have some catching up to do. “Like anything else, there’s a learning curve there,” he said.

DeLoach says the PCAOB’s report cuts to the heart of the issue that most challenges smaller public companies: a management approach that relies on observation or other types of undocumented, unobservable acts that are difficult for auditors to audit.

For many smaller companies, “the entity-level controls they have in place are, to some extent, management by walking around,” he says. “Because of that lack of formality, it will be difficult for entity-level controls to meet the test that AS5 sets for reliance on entity-level controls to the point of not having to rely on process-level controls.”

The test, says DeLoach, is that entity-level controls must operate at a sufficient level of precision that they would prevent or detect misstatements that would otherwise be caught at the process level. “That’s a high bar,” he says. “Audit firms don’t audit by chit chat. They audit by examining evidential matter.”

Lister agrees that reliance on entity-level controls will be a challenge in the ranks of non-accelerated filers. “We could use more guidance on how to conclude there’s a material weakness when there hasn’t been an error and how to test the operating effectiveness of entity-level controls when they are not formal,” she says. “It wasn’t done consistently well according to the report, and it’s not going to get any easier.”