Earlier today, the PCAOB released a '4010' report
summarizing observations from its inspections of audits performed by the 8 largest public accounting firms of their clients' internal control over financial reporting (ICFR) in 2010. (Note: 'ICFR' is also sometimes referred to - e.g. in COSO's Exposure Drafts
- as Internal Control over External Financial Reporting, or 'ICEFR') The PCAOB's '4010' reports summarize inspection findings at a high level and do not identify particular firms, companies or audits. Of particular concern, noted one board member, was the increase in the rate of inspection deficiencies found between 2010 (the year of the report, covering 2009 audits) and 2011 inspections (not yet finalized).
Report released today
As noted in the first paragraph of the PCAOB's '4010 'report released today, the largest eight firms whose summarized PCAOB inspection findings re: audits of ICFR include: BDO Seidman, LLP
, Crowe Horwath LLP, Deloitte & Touch LLP
, Ernst & Young LLP
, Grant Thornton LLP, KPMG LLP
, McGladrey LLP
and PricewaterhouseCoopers LLP
. The PCAOB's '4010' reports summarize findings at a high level and do not identify particular firms, companies or audits. The report summarizes the types of deficiencies in audit procedures found, and potential root causes.
The PCAOB's report, formally entitled Observations from 2010 Inspections of Domestic Annually Inspected Firms Regarding Deficiencies in Audits of Internal Control Over Financial Reporting
, "is based on PCAOB inspections that examined portions of approximately 300 such audits[*]
... describes the most pervasive deficiencies identified in those audits
....[and] includes information on the potential root causes
of the deficiencies," as noted in a related PCAOB press release
] [* note: the exact # was 309.]
The 4010 report examined the audit firms' implementation of Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That is Integrated With an Audit of the Financial Statements (AS5
Linkage Between Audit of Internal Control and Audit of Financial Statements
During a press conference announcing release of the report, PCAOB Board Member Jay Hanson explained that the idea of internal control requirements for companies has been around since the Securities Acts and FCPA, as well as the Sarbanes-Oxley Act. With respect to the interrelationship between the (or what is referred to as the integrated audit of) the audit of the financial statements and the audit of internal control over financial reporting (ICFR), he explained,
The idea of internal controls are fundamental to the business... and testing internal controls are integral to the audit.
If a company's internal controls are inadequate, an auditor cannot issue a 'clean' opinion of the company's system of internal controls and may need to do more work on individual accounts and balances. And if a firm's audit of ICFR was found to be inadequate, then it must do more work to determine if its opinions can still be relied upon....
The work our [inspections] staff does is [similar to the approach] under the AS5 standard, a top down approach, rather than a bottom up approach."
Concern over Increase in Rate of Deficiencies in Audits of ICFR Between 2010 and 2011, and More Discussion of Linkage to Support of Financial Statement Audit
PCAOB Board Member Jeanette Franzel discussed some of the findings in the report, noting:
This is our first inspection of audits done under AS5, approximately 3 years after implementation of AS5 [adding] ... The report contains good news and bad news.
Starting with the 'bad news,' Franzel said:
The bad news is that the number of audits in which firms failed to obtain sufficient audit evidence to support their audit opinions on internal control over financial reporting is too high, and getting higher.
In fact, Franzel noted, citing from the report, that:
Our reports for 2011 inspections are not yet completed, but inspections staff have found that the percentage of ICFR audits with insufficient audit evidence to support the ICFR opinion rose from 15 percent [representing 46 out of 309 audit engagements examined in total] to 22 percent in 2011.
Another statistic in the report, cited by Franzel, is that:
In 39 of those 46 engagements [i.e. the 46 engagements found to have insufficient evidence to support their opinion on ICFR]- or 85 percent -- the firms also failed to obtain sufficient audit evidence to support their financial statement audit opinions. This is 13 percent of the 309 engagements inspected.
The Good News
But the good news is that, on the flip-side of the 15% of audits of ICFR found to have insufficient audit evidence to support their ICFR opinion - 85% of the 309 audit engagements inspected had sufficient audit evidence to support their ICFR opinion.
As stated by PCAOB Board Member Jeanette Franzel:
The good news is that, in many of the audits inspected, our inspections staff did not find such deficiencies. Many engagement teams can and do properly implement PCAOB’s Auditing Standard No. 5.
Most Pervasive Deficiencies Found in Audits of ICFR
The report issued by the PCAOB today summarizes six of the 'most pervasive deficiencies" that account for 70% of the deficiencies found in audits of ICFR examined in 2010 as being audit firms' failures to:
Potential Root Causes
- Identify and sufficiently test controls that address the risk of material misstatement;
- Sufficiently test the design and operating effectiveness of management review controls; such as: monthly comparisons of budget and actual results to forecasts for revenues and expenses; comparisons of other metrics, such as profit margins and certain expenses as a percentage of sales; and quarterly balance sheet reviews;
- Obtain sufficient evidence to test controls from an interim date to the company’s year-end (the roll-forward period);
- Sufficiently test system-generated data and reports that support important controls;
- Sufficiently perform procedures regarding the use of the work of others; and
- Sufficiently evaluate identified control deficiencies and consider their effect on both the financial statement audit and on the audit of internal control.
As noted in the report, the PCAOB Inspections staff found four general types of potential 'root causes' or 'factors' that may explain what may have helped cause or contribute to the deficiencies in firms' performance of the audit of ICFR:
How Does Deficiency in Audit of ICFR Relate to a Company's ICFR Itself, and to Reliability of the Co's Financial Statements? Does PCAOB Make Referrals to SEC?
- Improper application of the top-down approach to the audit of internal control as required by AS5,
- Decreases in audit firm staffing through attrition or other reductions, and related workload pressures,
- Insufficient firm training and guidance, including examples of how to apply PCAOB standards and the firm's methodology;
- Ineffective communication with firm's information specialists on the engagement team.
During the press conference announcing release of the report, in response to a question from Compliance Week's Tammy Whitehouse, as to the relationship between the audit of ICFR and the (quality) of the company's ICFR itself, and whether the PCAOB ever refers significant issues to the SEC, two PCAOB board members replied:
Franzel: this report is on the audit of ICFR; that said, whenever we find significant concerns with the controls, we do share [concerns] with the SEC
Hanson: the findings [in our report] reflect when we see noncompliance [with the audit of ICFR], it doesn’t mean the financial statements were noncompliant.
Audit Committees, as Well as Auditors, Issuers, Investors Urged to Review Report
Audit Committee Members, as well as auditors, issuers and investors are urged to review this report. As noted in the report itself:
Audit committees may find this report useful in fulfilling their responsibilities with respect to independent auditors. Audit committees may consider inquiring of the issuer's auditor how the controls to be tested will address the assessed risks of material misstatement for relevant assertions of significant accounts and disclosures. Also, audit committees may consider discussing with the auditor his or her assessment of risks, evaluation of control deficiencies, and whether the auditor has adjusted as necessary the nature, timing and extent of his or her control testing and substantive audit procedures in response to risks related to identified control deficiencies.