Persistent problems related to audits of internal control over financial reporting (ICFR) have led the PCAOB to issue a report describing the four problems.
The PCAOB will issue a Rule 4010 report to describe the results of recent inspections with regard to audits of ICFR, PCAOB Director of Registration and Inspections Helen Munter said Wednesday at the AICPA Conference on Current SEC and PCAOB Developments in Washington.
The report is expected to be released next week, according to PCAOB spokeswoman Colleen Brennan.
Rule 4010 reports are general summaries the board is allowed to publish regarding inspection findings, provided that the reports do not identify the firms involved in the quality-control criticisms. They are designed to help inform auditors about issues with regard to procedures their peers have performed.
Munter said the PCAOB’s concerns are related to the application of Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements. She said that when properly applied, the standard produces a good and reasonable audit result.
“But at times we do see practitioners struggling to meet the requirements to support their opinions on audits of internal control,” Munter said. “And sometimes that leads practitioners to also not meet the requirements for their audit on the financial statements.”
Four main problem areas will be highlighted in the report, Munter said. Here are those areas, plus Munter’s comments:
1. Identifying and sufficiently testing controls
“At times the controls that the auditor has identified don’t directly or appropriately line up with the risks that the auditor has also identified. This is an area where sometimes the issuer can have something to do here. If the issuer doesn’t have good entity-level controls in place, or if those controls are not well-described, not well-linked, it can be very difficult for the auditor to do his job, and we recognize that.
“I hope issuers will think long and hard about the controls they have in place, and that auditors will engage in good discussions with issuers about the controls that exist and whether there are tweaks that could be made to the controls that would allow the auditor to better test and better rely on those controls.”
2. Entity-level or management-review-type controls
“In this instance, the problem might be that those controls are not precise enough to ensure that a material misstatement would be detected. One of the things that we might see in this area that could cause us concern is a financial statement review control that in the last ‘x’ number of years has never resulted in any items to investigate.
“That makes it very difficult to test that control because there’s really nothing happening. There are just no items that come up that require investigation, and I think the auditor in that situation needs to think about what that might mean.”
3. Evaluation of control deficiencies
“We’ve seen firms identify audit adjustments and exceptions, whether they be on substantive testing or controls tests, and then not evaluate whether those findings were an indication of possible control deficiencies. At other times we’ve seen firms identify a significant deficiency with the issuer’s process, but not evaluate the severity of the deficiency. So we encourage you to think about that again.”
4. Compensating controls
“An auditor identifies a problem with a certain control but says, ‘Well, with this compensating control, I can test that and rely on that.’ But the compensating control really doesn’t compensate for the deficiency that has been identified.”
—Ken Tysiac (firstname.lastname@example.org) is a JofA senior editor.