Compliance

Auditable Management Review Controls Lower Cost of Compliance


by FEI Daily Staff

Many companies believe they don’t have the time or bandwidth for the manual effort required to increase the auditability of their MRC documentation.

©annatodica/ISTOCK/THINKSTOCK

From the beginning of modern financial reporting, management judgment and review have been essential ingredients for ensuring that financial statements fairly present financial position and results of operations in accordance with GAAP. So, why have internal controls based principally on management judgment and review proven to be such a point of contention for the PCAOB and external auditors?

Repeatedly, PCAOB inspection reports have criticized auditors for failing to test whether management review controls (MRCs) “operate at a level of precision that would prevent or detect material misstatements” and because auditors “failed to ascertain and evaluate the nature of the review procedures performed, the criteria used to identify items for follow-up, and how those items were resolved.” In short, the PCAOB has found many instances where auditors either did not understand or could not evaluate exactly what the person performing the management review did, and why and how well he or she did it.

Who is to blame? 

Did these audit failures result solely from auditor carelessness or poor training, or are audit clients also culpable in some way?

The answer may be found in common company complaints about how their auditors make unreasonable demands for documentation of MRCs. For example, companies often complain that auditors demand to know what was going on in the mind of the person performing the review. When companies push back on their auditors for what they believe are unrealistic demands, they report that auditors respond, “The PCAOB made me do it.”

Asserting that the auditors are making unreasonable demands may suggest that the company has designed or documented its management review controls in ways that make it difficult for auditors to audit. Typically, that means the company defined the objective of an MRC in vague language that was not tied to the specific risk it was designed to mitigate. It may also mean that MRC instructions are vague or open to misinterpretation about exactly how the control operator is supposed to:

  • Select items for review. It is difficult to know what size error could slip through unnoticed.
  • Perform the review. It is crucial to know whether the control is sufficient to prevent or detect an error, regardless of size.
  • Identify and resolve exceptions. Errors or exceptions can indicate fraud or contribute to financial misstatements.
  • Document the performance of the review and maintain it as evidence for management and auditors to review. Without documentation, it can be extremely difficult to prove that controls exist at all.
In short, it may mean that the audit client was unable to provide the auditor with auditable documentation about the MRC. No matter how well-designed and operated your controls might be, without auditable documentation, neither management nor the auditor is able to form an educated opinion about the effectiveness of those controls.

The cost and impact of MRCs
 

The persistence of PCAOB criticism about the audit of MRCs suggests that the cost and impact of MRC problems are high. Improperly designed and documented MRCs lead to inefficiencies that increase the cost of compliance for both management and auditors. It is not unusual for management and auditors to spend more time finding alternative ways to confirm that a control was performed—or going through the time, effort, and trouble of re-performing the control—than it would have been to document the control in the first place. The potential of a failed audit inspection by the PCAOB only adds to this cost and risk.

Companies have tried a number of strategies to address this problem and reduce the cost of auditing MRCs. Often, companies try to re-engineer controls to replace management review with some sort of process-level control. For example, some have sought to standardize language in sales contracts to make it clear how to categorize or treat an item without additional human intervention.

Such efforts may ease the problem for some MRCs, but because so many financial statement elements are estimates, companies will continue to face many situations where human judgment is simply indispensable. Examples can be found in practically all public company financial statements and include calculations of reserves and deferral, allocation, capitalization, and impairment of intangible items.

The new revenue recognition standard will likely exacerbate the problem. As Greg Wilson, a former Deputy Director in the Division of Registrations and Inspections at the PCAOB observed, “The new standard requires companies to recognize revenue based on management’s estimates and judgments, not bright-line rules. Companies are obligated to establish clear internal controls over these management estimates and judgments, and maintain auditable records of how the controls are designed and operating.”

Wilson also noted that James Schnurr, the Chief Accountant at the SEC, believes the “implementation of the new revenue standard provides an opportunity to be proactive and improve the design and operation of management review controls that may exist within a company’s revenue recognition process, including with reference to the various estimates and judgments that the new revenue standard may require. Therefore, as you evaluate your contracts with customers, it would be appropriate to take a fresh look not only at your historical accounting policies and how they may need to change but also at the design of the related controls … maintaining appropriate documentation of the effective operation of these controls will be key to their assessment by auditors.”

What’s the solution? 

Many companies believe they don’t have the time or bandwidth for the manual effort required to increase the auditability of their MRC documentation. Still, there is no way around it—only management can improve the clarity and quality of MRC documentation.

While there’s not much technology can do to help companies improve the clarity of their MRC descriptions or instructions, technology can help minimize painful manual effort and make the entire documentation process easier and substantially more efficient.

For example, some cloud technologies allow companies to link their MRC documentation directly to their assessment of the risk the MRC was designed to mitigate. These technologies make it fast and easy for those performing MRCs to certify exactly what they included—and excluded—in their review, what they did when performing the review, what exceptions they identified, and how they resolved them. They also make attaching supporting documentation as evidence simple.

An effectively designed and documented MRC can be an extremely powerful tool to assess the effectiveness of internal controls for both management and their auditors. Management judgment and internal control over financial reporting are both essential to financial reporting—new accounting and auditing standards only serve to increase their importance. Companies that navigate these increasing demands successfully are most likely to benefit from lower costs of compliance and reduce their financial and operating risks.

 

Joseph Howell is Cofounder and Executive Vice President of Workiva Inc.