Update │ April 2014
As noted in the January, 2014 and November/December, 2013 Updates, recent PCAOB inspection reports have focused heavily on the audit of internal control over financial reporting, and the SEC staff has also expressed concerns about management ICFR oversight. In a speech on March 26 to the Institute of Internal Auditors, PCAOB Member Jeanette Franzel analyzed the current focus on internal control in PCAOB inspection reports and SEC staff comments. Her conclusion is that “[w]e are currently in a ‘perfect storm’ in the area of internal control over financial reporting, which demands effective action by all participants in the financial reporting and auditing chain.”
Some of the key points in Ms. Franzel’s remarks include:
The PCAOB’s inspections program has observed high levels of deficiencies in ICFR audits. In October, 2013 the PCAOB issued Staff Audit Practice Alert No. 11 discussing these deficiencies. In many cases, “firms were not appropriately following their own methodologies for audits of internal control over financial reporting.”
The PCAOB has not changed the auditing standards applicable to ICFR audits since the issuance of Auditing Standard No. 5 in 2007. However, in response to PCAOB inspection findings and Audit Practice Alert No. 11, auditors are changing their audit approach and performing additional procedures.
Some auditors are incorrectly telling clients that the PCAOB requires them to perform specific ICFR audit procedures: “In some cases, audit firms have told issuers that the PCAOB insists on detailed procedures such as the use of ‘screen prints’ to document certain systems-related features; or specifying the number of pages that must be involved in summarizing key controls; or that auditors must attend management meetings to observe certain controls in action. I assure you that the Board is not requiring procedures at that level of detail.”
Ms. Franzel also referred to the new COSO internal control framework (see May 2013 Update) and expressed concern about how it would be implemented. “[T]he PCAOB has heard from some issuers concerns that audit firms may take a checklist approach to the audit to map controls to the principles articulated in the 2013 COSO Framework. And we also have heard speculation that firms are taking such an approach because they are worried that PCAOB inspectors will inspect against the points in the 2013 COSO Framework. I am concerned that a checklist approach to the 2013 COSO Framework would result not only in a missed opportunity to take a fresh look at management's and the auditor's approaches to evaluating and auditing internal control, but also that such an approach could increase the likelihood of missing new and evolving risks in financial reporting and the related auditing.”
Comment: While she stops short of saying so expressly, Ms. Franzel seems to be telling companies and their audit committees that they should not blame the PCAOB for the increased time and effort that auditors are devoting to ICFR. The PCAOB’s inspection program has merely brought to light that audit firms have not (in the PCAOB’s view) been fully complying with the Board’s longstanding ICFR auditing standard. She also seems to be warning that the Board expects auditors to focus broadly on how companies implement the revised COSO framework and that audit effort in the ICFR area is not likely to decline.