Public Company Accounting Oversight Board member Jeanette Franzel described a “perfect storm” of issues that auditors are facing with the internal controls of organizations today during a speech at an auditing conference.
“We are currently in a perfect storm’ in the area of internal control over financial reporting, which demands effective action by all participants in the financial reporting and auditing chain,” she said in a speech Wednesday at the Institute of Internal Auditors’ 2014 General Audit Management Conference in Orlando, Fla.
Franzel discussed how management, internal auditors and external auditors will be navigating the updated “Internal Control - Integrated Framework” from the Committee of Sponsoring Organizations of the Treadway Commission, or COSO, at the same time that outside auditing firms are taking steps to respond to the PCAOB’s inspection findings of their audits of internal control.
“Unfortunately, over the decades, we've seen multiple cycles in which company management and internal and external auditors simply didn't get it right in the area of internal control, resulting in failures to effectively define, understand, implement and assess internal control,” Franzel said.
She hopes to encourage constructive communications between public companies and audit firms as company management considers potential changes to internal control based on the updated COSO Framework. Franzel pointed out that the PCAOB has not changed the auditing standards nor introduced new rules for audits of internal control over financial reporting since it issued AS 5 in 2007, but she acknowledged that many issuers are experiencing changes in firms' audit approaches as a result of PCAOB inspections and the recent guidance in Audit Practice Alert No. 11.
The PCAOB has also proposed a number of other changes such as in the auditor reporting model, although they have not yet been finalized.
Franzel said the PCAOB has received feedback indicating there has not been effective communication and dialogue between audit firms and public companies about issues in internal control over financial reporting, or ICFR.
“In some cases, audit firms have told issuers that the PCAOB insists on detailed procedures such as the use of screen prints’ to document certain systems-related features; or specifying the number of pages that must be involved in summarizing key controls; or that auditors must attend management meetings to observe certain controls in action,” she said. “I assure you that the board is not requiring procedures at that level of detail. AS 5 provides the guiding standard for ICFR audits.”
But she noted that these types of comments are not helpful with encouraging communication between auditors and preparers. “Unfortunately, such responses from audit firms tend to close down the dialogue with financial statement preparers about important basic issues such as identifying key controls, establishing the appropriate level of management documentation and testing, and the nature and extent of auditor testing needed to support the auditor's ICFR opinion,” she said. “Productive dialogue between the audit firm and financial statement preparers is necessary to coordinate management's responsibilities to implement effective ICFR and assess its effectiveness, and the auditor's responsibilities to audit and report on ICFR.”
Some public companies have also expressed concerns about the value of additional audit work in the ICFR area, and whether there will be significant increases in costs as a result, she acknowledged.
“Experienced auditors and financial statement preparers know that the ICFR audit is made more difficult if management's process is not as effective or well-documented as it should be,” said Franzel. “Effective and efficient solutions to some of the audit deficiencies found by the PCAOB may also require some improvements to both the issuer’s and the auditor’s process. I am concerned that, in some cases, the auditor’s reaction is to bolt on’ a series of new audit steps when a more efficient and effective solution may require some tightening up of the controls on the part of management, in addition to changes to the audit procedures.”