Home > Risk > The PCAOB’s continuing concern about audits and internal control over financial reporting

The PCAOB’s continuing concern about audits and internal control over financial reporting

September 18, 2015 Leave a comment Go to comments

In August, Jeanette Franzel, a member of the PCAOB Board (i.e., not a staff member) made an interesting presentation to the Annual Meeting of the American Accounting Association.

You can read the text of her speech on the PCAOB web site.

From my reading (and while she states for the record that it is her personal opinion, I would be shocked if PCAOB staff were not aligned), here are the two main concerns:

  1. The rate of deficiencies identified by the PCAOB Examiners in the audits of the financial statements and internal control over financial reporting (ICFR) continues at about the same high level as in prior years, although some improvements have been noted. The Examiners found deficiencies in the documentation by the auditors of how they determined, for example, the level of precision in management review controls, or why they believed that they had identified the ‘right’ key controls.
  2. The level of restatements outpaces the level of disclosed material weaknesses. Ms. Franzel believes this merits study. This is also an area of concern to the SEC.

Ms. Franzel also talked about whether PCAOB inspections are leading the audit firms to increase fees. She acknowledged that she is hearing (including from me) that some audit teams are performing work that is not necessary if a top-down and risk-based approach is taken. She said:

At the same time, I’ve heard anecdotal accounts about auditors adding work that is potentially not value-added, while driving up audit fees, in response to PCAOB inspection findings. We’ve also heard that constructive and productive communication is sometimes lacking between auditors and audit clients, with the engagement teams simply telling an audit client that certain work must be done in a particular way “because of PCAOB inspections.”

I believe that there probably are some cases out there where auditors are doing too much work or not the right kind of work in an attempt to respond to or avoid a PCAOB inspection finding, and that communication between the auditors and clients on these matters has not been productive.

To the extent that this is happening, “we” collectively, including the firms, audit teams, issuers, and the PCAOB, need to get a handle on this, so that valuable audit resources are not being diverted from areas that are high risk.

My comment on this is that these audit teams who are not communicating are often unable or unwilling to show the registrant exactly what the PCAOB Examiners have said that is driving the need to perform the work. Frankly, as Ms. Franzel has acknowledge in other remarks, the audit firm has said told management that the Examiners required specific actions when the Examiners don’t provide that kind of detail in their guidance.

Coming back to the issue of why the level of disclosed material weaknesses is less than the level of restatements.

Ms. Franzel comes close to at least a part of the answer in a footnote:

Depending on the timing of the discovery of a misstatement in the financial statements or the announcement of a restatement, in some cases the issuer may be able to effectively remediate any related material weaknesses that could result in a clean audit opinion on ICFR in the year of the announced restatement.

Here are some things for all of us, including the PCAOB and SEC, to consider:

  1. The assessment of the effectiveness of ICFR is as of the end of the year. However, not only may the deficiency that led to the misstatement driving the restatement have occurred earlier in the year and been corrected, but it may have occurred in a prior year! At Maxtor, where I was CAE and also ran the SOX program, our financial reporting manager (Wai Lim) identified an error in tax-related accounting from a prior year. While we needed to restate, the ICFR issue was in that prior year. Our current ICFR was excellent: it identified a prior period error that had escaped the external audit firm in both prior and current years.
  2. Internal control does not provide perfect assurance, only reasonable assurance. Errors will occur because controls are performed by humans. When these errors are infrequent, if it is possible to say that the material misstatement was due to a rare mistake and that there is less than a reasonable possibility of a recurrence; it is possible to assess ICFR as effective. AS5 may correctly indicate that a material error is an indicator of a material weakness, but it does not say that it is automatically a material weakness – which would be incorrect.
  3. Registrants rarely disclose material weaknesses in ICFR or disclosure controls in their quarterly filings with the SEC (although required by §302 of SOX) – even though they have identified deficiencies that, if not remediated, may represent material weaknesses at the end of the year. I believe this is a problem meriting significant attention by the SEC and PCAOB. (The PCAOB because even though the external audit firm does not audit the quarterly financials, they are aware of controls that have failed during the year and have an obligation to comment when the filing contains misstatements.)

By the way, I recommend Francine McKenna’s post, where she focuses on external auditor performance.

I welcome your comments.

  1. September 22, 2015 at 12:21 PM

    Norman,

    Thanks for bringing this speech to our attention. As always, your analysis is interesting and informative. I have two concerns with a couple of points you have made above:

    1) You write: “Our current ICFR was excellent: it identified a prior period error that had escaped the external audit firm in both prior and current years.” I cannot say whether your current ICFR was excellent or not, but I would not accept as proof of that excellence the fact that your team found this prior year error – if controls are only effective at identifying prior year errors, and not at preventing or detecting errors in the current period, they are simply not effective at all.

    I agree that an error in a prior year is the result of a control deficiency in that year, and that your current controls might well be effective, but proof of that effectiveness must rest on evidence that such an error is not reasonably possible given controls as they are now. Presumably, there would need to be evidence that the controls had been significantly improved in the interim as well.

    2) When you say that controls must provide “only” reasonable assurance, I think you suggest a very different meaning of reasonable assurance than is intended by regulators. I understand reasonable assurance to mean that controls are strong enough that a material error is not considered to be a reasonable possibility.

    Best regards,

  2. Norman Marks
    September 22, 2015 at 12:55 PM

    Thank you for your comment, Neil. There was ample proof of excellence, not only in the testing of controls but in the demonstrated competence of Wai Lim in finding the error. My interpretation of reasonable assurance is exactly the same as the regulators and how you have expressed it: as less than a reasonable possibility of a material error or omission.

  1. November 2, 2015 at 11:27 PM
  2. December 3, 2015 at 10:52 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: