By Cydney Posner
This article in WSJ, "Surprise! Audits Dig Deeper," observes that, as a result of recent PCAOB warnings, financial executives have witnessed more rigorous audits. As noted in prior emails, (12/19/13, 11/22/13, 2/12/13, and 12/10/12), the PCAOB has admonished firms for several years to improve their efforts to identify and test controls and to better scrutinize management review controls. Yet, in 2013 inspections, one of the audit deficiencies most often flagged by the PCAOB was in the area of internal control over financial reporting. The WSJ reports that in "recent years, the [PCAOB] has found nearly 1 in 3 of the audits it inspected had deficiencies in testing of internal controls."
Apparently in reaction to a PCAOB alert issued in October warning that "it had found ‘high levels of deficiencies' in audits of internal controls," this audit season, auditors are "requesting far more documents and details than usual on everything from pension assets to management reviews. As companies rush to close their books on 2013, [financial executives] say these new and unanticipated demands are adding time, cost, and confusion to the audit process." According to the article, the "PCAOB's warning has pushed audit firms to make rapid changes." James Doty, chair of the PCAOB, contends that auditors need to dig deeper to find out the substance of transactions: "As business has changed, a signed document from a manager no longer tells the whole story in an audit, he says. It ‘doesn't tell you all you need to know about whether a transaction has real financial substance or is merely designed to achieve a tax result, and whether a deal is competitive or with a related party,' Mr. Doty added." The article reports that, to "test management's oversight controls, for example, auditors in the past might have checked that managers signed off on a particular transaction. Now, auditors are asking for more documentation, going line-by-line through budgets, sitting in on meetings to observe internal controls in action, and meeting with company accountants to understand their thinking when they signed a specific document. The intensity forces companies to produce more minutes from meetings in which executives approved transactions and produce more evidence for valuation assumptions…. [According to one executive,] ‘The view is, if it's not documented it didn't happen,' she added." According to another executive, "'Any business transactions that involve a lot of judgment get audited over and over again.'" The article reports that the "average audit of a public company took almost 17,000 hours of work in 2012…." Moreover, the average cost was about $4.5 million, with costs rising between 4% and 5% a year.
Financial executives quoted in the article complain that the new auditors new requests and procedures make them feel like they are "'operating in somewhat of a black hole, with only the ability to react to the changes, as opposed to being able to proactively work with our auditors'….When companies disagree with their auditors on accounting matters, both groups have a common set of standards to call upon, but when an auditor says it is making a new request because of criticism or deficiencies cited in previous PCAOB inspections,… there isn't ‘a set of standards that we can all interpret.'" As the article notes, because full copies of the PCAOB's inspection reports are made available only to audit firms, are published years later and only in part, and do not identify which company audits were problematic, companies have difficulty predicting whether "they will be put under the microscope."
As a result, as noted in this WSJ article, "Tougher Audits May Spur Companies to Update Internal Controls," this year, companies have been "spending more time documenting procedures, meetings and management review processes," especially in light of the requirement to issue a management's report on internal controls. In addition to PCAOB warnings to auditors, the SEC has warned companies that "it is increasingly worried that companies aren't identifying material weaknesses in their internal controls unless they cause financial restatements." Consequently, some companies are finding that "it is time to update their controls altogether," even "going back to square one to see if they have an appropriate control environment across the whole company….Updating control frameworks could also give companies a chance to incorporate some of the recent changes in practices from auditors."
The demands for new information are leading companies to scramble to provide responsive information, which may require a better understanding of their controls and control frameworks. Moreover, the COSO framework will be out of date on December 15, "spurring more companies to start updating internal controls." (See my articles of 5/20/13 and 11/20/13) According to one audit firm executive, "'[o]ne area where companies may update is their so-called key controls, he said. Some firms may identify as many as 2,000 key controls today, which could potentially be drastically reduced under the new framework and make an audit more efficient…'."