The Public Company Accounting Oversight Board has issued an alert cautioning auditors about the significant number of audit deficiencies that the PCAOB staff has seen in the past three years related to audits of internal control over financial reporting.
The PCAOB noted that effective internal control over financial reporting, or ICFR, helps assure that companies produce reliable published financial statements that investors can use in making investment decisions.
“Auditors should take note of the matters discussed in this alert in planning and performing their audits, given the importance of the controls companies use to produce their financial statements,” said PCAOB chairman James R. Doty in a statement.
Staff Audit Practice Alert No. 11: Considerations for Audits of Internal Control over Financial Reporting discusses the application of certain requirements of Auditing Standard No. 5 and other PCAOB standards to specific aspects of audits of internal control.
The alert discusses subjects such as the auditor’s risk assessment and the audit of internal control; selecting controls to test; the testing of management review controls; information technology considerations, including system-generated data and reports; roll-forwards of control testing performed at an interim date; using the work of others; and evaluating identified control deficiencies.
Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, establishes requirements for performing and reporting on audits of internal control. AS5 is designed to focus auditors on the most important matters in the audit of internal control and avoid procedures that are unnecessary to an effective audit.
In December 2012, the PCAOB issued a report on observations from 2010 inspections of audits of internal control over financial reporting performed by domestic annually inspected firms. It found that in 15 percent of the 309 integrated audit engagements inspected, firms failed to obtain sufficient audit evidence to support their opinions on the effectiveness of internal control due to one or more deficiencies.
Inspections in subsequent years have continued to identify similarly high levels of deficiencies in audits of internal control at other registered firms, the PCAOB noted.
“It is particularly important for the engagement partner and senior engagement team members to focus on these areas and for engagement quality reviewers to keep these matters in mind when performing their engagement quality reviews,” said PCAOB chief auditor and director of professional standards Martin F. Baumann. “Auditing firms also should consider whether additional training of their auditing personnel is needed. Appropriate application of the top-down, risk-based approach pursuant to PCAOB standards can result in an effective audit of internal control while avoiding unnecessary work.”
The PCAOB pointed out that the audit committees of public companies for which audits of internal control are conducted may want to take note of the alert it issued Thursday. Audit committees also may want to discuss with their auditor the level of auditing deficiencies in this area identified in their auditor's internal inspections and PCAOB inspections, request information from their auditor about potential root causes, and inquire how their auditor is responding to these matters.
The PCAOB publishes staff audit practice alerts to highlight new, emerging or otherwise noteworthy circumstances that may affect how auditors conduct audits under the existing requirements of PCAOB standards and relevant laws.
The PCAOB noted that auditors should determine whether and how to respond to these circumstances based on the specific facts presented. The statements contained in the practice alerts do not establish rules of the board, the PCAOB added, and do not reflect any board determination or judgment about the conduct of any particular firm, auditor or any other individual.