“Regulators Suggest it’s Time to Double Down on Internal Controls” (Headline from Compliance Week) Robert Conway Professional Practice Director CNM LLP Rconway@cnmllp.com (714) 392-2499
Discussion Overview Overview of 2015 PCAOB Inspection Results Focus on Management Review Control Findings What Does the PCAOB Expect? Examples of Typical Findings System Tension – US Watch Dog Barks! PCAOB / SEC Response – Double Down! Implications to Public Companies SEC Enforcement Actions on ICFR 2
Big Four PCAOB Inspection Findings Summary for 2015 All Big 4 Issuer Inspections 219 FSA Restatements 2 ICFR Restatements 7 Total # Deficient Audits* 76 Individual Deficiencies 370 * An audit is “deficient” if it has one or more Part 1 findings (Part 1 = insufficiently supported opinion). 3
Big Four PCAOB Inspection Findings Summary for 2015 All Big 4 Issuer Inspections 219 Number of Deficient Audits: ICFR and FSA 47 ICFR only 17 FSA only 12 Total Deficient Audits 76 4
Big Four Deficiencies by Auditing Standard All Big 4 AS 5 – ICFR 184 AS 13 – Response to Risks* 41 AU 342 – Auditing Estimates 30 AU 328 – Auditing FV Meas. 34 All Others 81 Total Individual Deficiencies 370 * See PCAOB Release No. 2015-007 (Inspection Observations re Risk Assessment Stds.) ICFR accounts for 50% of all deficiencies!!! 5
PCAOB Summary of Most Frequent Deficiencies (Frequency of Top 5 Deficiencies for All Big Four) All Failed to Test: Big 4 Control Design/Op Effect. 51 Control Addressing Risks 27 Evaluation of Control Def. 8 Report Controls/Accuracy 29 In Response to Risks 23 Assumptions in Estimates 32 All Others (combined) 200 Total 370 6
Digging Deeper into the Nature of ICFR Findings All Big 4 Issuer Inspections 219 Number of Deficient Audits 76 Audits w/ ICFR Deficiencies 64 Audits w/ Management 45 Review Control Deficiencies Mngmn’t Review Controls Are the Biggest Problem! Failure to Test Reports is Still a Problem, Too! 7
The Use of Management Review Controls Crosses a Broad Spectrum Review of a reconciliation Review of journal entries Review for triggering events or GW Step Zero Review of the work supporting an estimate Review of budget-to-actual variances (aka “the All Pro Free Safety”) 8
Examples of Common Findings “The Firm identified a fraud risk related to the timing of revenue recognition . To address the fraud risk, the Firm selected for testing a control that consisted of the review of adjustments to revenue for shipments that were in transit at the end of each period; however, the Firm’s procedures were limited to determining that the analysis used in the control had been prepared, inquiring of certain individuals involved in the process, inspecting documents with comments that indicated reviews that were part of the control had occurred, and comparing certain amounts to the general ledger. The Firm, however, failed to sufficiently test an important aspect of the control related to the specific review procedures performed by the control owner, as its procedures to test this aspect were limited to inquiry .” Possible Fix: More thorough documentation by the control owner of the procedures to be performed and actually performed. 9
Example # 2 of a Common Finding “The Firm selected two controls for [ testing POC revenue ] that consisted of monthly meetings in which issuer personnel reviewed (1) the estimated cost to complete each project and (2) the status of each POC contract; however, the Firm’s procedures to test these controls were insufficient [as] … these procedures were limited to gathering reports used in the operation of the controls, comparing information between these reports, and attending one meeting for each control. The Firm failed to test whether the controls operated at a level of precision that would prevent or detect material misstatements, as it failed to ascertain, and evaluate, the criteria used to identify items for follow-up and how those items were resolved . In addition, the Firm failed to … test controls over the completeness and accuracy of the report that the issuer used [to perform these] controls, as its procedures were limited to the comparisons described above.” Possible Fix: Define criteria/precision for follow-up, define the follow-up process, and test reports used for completeness & accuracy. 10
Example # 3 of a Common Finding “The Firm failed to sufficiently test a con trol that consisted of the calculation and review of the reserve for excess inventory . Specifically, the Firm’s procedures wer e limited to inspecting documents for signatures that indicated the review performed as part of the control had occurred, comparing certain amounts to supporting documents or the general ledger, and inquiring of management. The Firm failed to test whether the control operated at a level of precision that would prevent or detect material misstatements, as it failed to ascertain and evaluate (1) the scope of the review activities performed, (2) the criteria used to identify items for follow up, and (3) how those items were resolved. Possible Fixes : Define the precision / criteria for investigation in a manner that assures material misstatements in the aggregate would be detected. Identify action and resolution steps as part of control design. More documentation of the review activity and thinking during review. 11
Noise in the System from Auditors and Preparers (from Compliance Week, Dec. 22, 2015) “The push by the PCAOB is prompting auditors to demand more audit evidence and more documentation, especially around management review controls, in ways that has left preparers scratching their heads.” An Internal Audit Director say she’s seen a drift away from the top -down, risk-based approach to the audit of internal controls that is mandated under AS 5. “Were moving away from reliance on management review controls and wanting an inclusion of a broader set of control activities rather than relying on the management review controls that are really important to the running of the business .” Some are asserting that we have silently reverted to AS 2. 12
What Did the Watch Dogs Say on May 29, 2015? The US Chamber of Commerce Wrote to the SEC and PCAOB to Say: Auditors are telling clients they need to expand documentation of management review controls to satisfy the PCAOB expectations. No new rules; but assertion is that rules are being expanded by PCAOB inspections. Increases in audit and compliance costs are driven by the PCAOB. PCAOB accused of losing sight of the cost-benefit relationship. Public companies get no credit for their management review controls. 13
What Did the SEC and PCAOB Do in Response? The SEC, PCAOB, US Chamber, Auditors, and selected Preparers met in the Fall of 2015. Anecdotal concerns rejected. Only specific facts patterns evidencing concerns were considered. Nothing revealed until the AICPA Conference on SEC/PCAOB Matters in December 2015. SEC says that discussions are ongoing. 14
SEC / PCAOB Position – “Regulators Suggest It’s Time to Double Down on Internal Controls” There may be deficiencies in the design of management review controls. Key issues are: o Is precision of the review defined and appropriate? o Is documentation sufficient (consider AS 3)? o Some high risk areas may be ill-suited for MRCs. Re-emphasized risk-based approach when auditing ICFR. The level of documentation needs to be commensurate with the risk. Re-affirmed that SEC guidance to preparers is aligned with PCAOB guidance to auditors. Auditors should discuss documentation expectations with management and the Audit Committee in advance. Management should push back when appropriate. Permissible for management and auditor to take different approaches to testing controls; but reasons should be understood. 15
Other SEC Observations On-going concern that Material Weakness are a lagging indicator o Only reported when there is a restatement (but some improvement observed) o Are preparers and auditors properly evaluating deficiencies for significance? Are Material Weaknesses being under-reported? o Very important to consider the “ could factor .” o Could a control deficiency enable a material misstatement to occur without prevention or detection? ICFR is also important to areas such as: o Segment reporting determination o Reporting unit determination o Application of new accounting pronouncements (i.e., Rev Rec) 16
PCAOB Communications Have Been Limited No interpretive guidance from the PCAOB since the Staff Audit Practice Alert # 11 in October 2013, “ Consideration for Audits of Internal Controls Over Financial Reporting. ” The PCAOB has conducted so- called “outreach” programs that have been useful to those who have participated; however, the PCAOB has avoided publishing much needed interpretive guidance for the benefit of auditors, preparers, internal auditors, and 404 outsourcing providers. Despite the lack of interpretive guidance, ICFR continues to be a high priority at both the PCAOB and SEC. 17
Recommend
More recommend