In a speech at the end of 2015 to the AICPA National Conference on Current SEC and PCAOB Developments, SEC Chair Mary Jo White emphasized that “it is hard to think of an area more important than ICFR [internal control over financial reporting] to our shared mission of providing high-quality financial information that investors can rely on.” For those of you who would like to gain some insight into suggested ways to improve ICFR, as well as some of the nuts and bolts involved, CFO.com has an interesting article written by a Deloitte partner about one type of internal control, “management review controls” (MRCs), that delves into some detail. According to the article, PCAOB requirements are now causing auditors “to require a level of precision and specificity for management review controls beyond prior years. Auditors are also reviewing far more documentation than they use[d] to. At the same time, there is a lack of clarity on what exactly is sufficient in management review controls and how precise they need to be.”

What is an MRC? According to the article, MRCs are an “essential aspect of effective internal control” that involve management reviews of the reasonableness of estimates and other financial information. These reviews typically involve an assessment of recorded amounts in light of the reviewers’ expectations, judgment, knowledge and experience, as well as related reports and underlying documents. MRCs are different from regular “transaction” controls: they tend to look at the forest, not the trees. First, the author observes, they aim at a higher level, focusing on aggregated results rather than individual transactions. Moreover, unlike transaction controls, which are structured as “yes/no” controls, MRCs are more complex, uncertain and subjective, requiring “knowledgeable and experienced reviewers who have an understanding of the business at a level of detail that enables them to identify issues for follow-up. What’s more, MRC reviewers often rely on data from other sources, not data they personally create or have direct control over.”

The author identifies the following as examples of MRCs:

  • Any review of analyses involving an estimate or judgment, such as a litigation reserve or the percentage of completion for long-term construction projects;
  • Reviews of financial results for components of a group;
  • Comparisons of budget to actual; and
  • Reviews of impairment analyses.

Because MRCs are subjective in nature, the author maintains that the description of the control process should be as prescriptive as possible, taking into account the specific personnel responsible for performance of the review, the level of review precision necessary to satisfy materiality criteria, the way to effectively determine if the data being used is reasonably accurate and complete, the necessary depth of knowledge of the management reviewer of the business area being reviewed and the nature of the review process, which must be well defined and documented. Risk assessments can be key in designing MRCs. For example, to the extent that the topic has a high risk of material misstatement, the MRCs should have a higher level of precision and more focus on the accuracy and completeness of the supporting data used.

The author has identified a number of problem areas common to MRCs, including inadequate definitions, questionable quality and reliability of supporting data, reviewers who do not have sufficient knowledge and experience to make informed judgment calls about the business area they are reviewing, reviews that are imprecise because they are not conducted at a level of detail sufficient to identify potential issues, and personal bias, which is inevitable to some extent but may be mitigated by having a diverse team of reviewers with different perspectives and personal motivations. For example, personal bias may be manifested by “over emphasis on confirming information and under emphasis on disconfirming information. In other words, a reviewer can tend to see what the reviewer wants to see.”

In light of the controversy over the level of supporting detail that auditors and the PCAOB inspectors may now require when evaluating MRCs, the author provides some excellent examples, in his view as an auditor, of the optimal level of documentation. To illustrate, I’ve copied two of his examples below, but there are more included in the article linked above. Each example indicates the control as described, the problems with the description and how it can be improved.

“Sample of a control overview

Typical description:

  • The CFO reviews the impairment analysis for appropriateness. Monthly, the controller prepares an undiscounted cash flow analysis, which is then reviewed and approved by the CFO. The CFO reviews the various schedules and signs off on the control package.

Problems with the typical description:

  • Insufficient control description (does not describe what the CFO does); unnecessary process description.
  • Inconsistent references to the inputs (e.g., impairment analysis, undiscounted cash flow analysis, schedules, control package).
  • Lack of cross-references to where the information used in the control has been appropriately addressed.

Improved description:

  • Inputs: Undiscounted Cash Flow Analysis (UCFA), including supporting schedules.
  • Specific monthly review activities: CFO (1) discusses the current and forecasted business environment with the CEO, the COO, and the vice president of operations; (2) reviews each of the assumptions and support within the UCFA with a particular focus on the weighting assigned to each outcome; (3) challenges any assumptions or weights that may have a significant impact on the conclusion.
  • Outputs: Any questions are sent to the controller to be addressed and resolved to the satisfaction of the CFO, at which point the CFO signs off on the UCFA.”

“Sample description of reviewer competence

Typical description:

  • The description of the competence of the reviewer addresses the reviewer’s education, certification, and tenure.

Problems with the typical description:

  • It assumes the competence of the reviewer is “implied” due to his or her position and experience within the entity.

Improved description:

  • In addition to considering the reviewer’s education, certification, and tenure, the description of the competence of the reviewer addresses the reviewer’s: (1) knowledge of the specific subject matter and the activities he or she is involved in to maintain and update that knowledge, and (2) basis for being able to develop an independent expectation (similar to substantive analytical procedures), which would then allow him or her to be able to identify an error in the financial information being reviewed.
  • Consider and document observations based on prior interactions with the reviewer with respect to the subject matter.”