October 20, 2015
The Public Company Accounting Oversight Board (PCAOB) has released several reports that provide direction to public accounting firms in conducting their audits and recommendations to audit committees in an effort to enhance audit quality. These reports may have an impact on the demands and expectations issuers receive from their external auditors. Accordingly, we have summarized a few high points below. Anyone interested in understanding all of the detailed points raised by the board’s reports is encouraged to read them directly.
The PCAOB’s Reports
On October 1, the PCAOB issued a Staff Inspection Brief (SIB) to assist auditors, audit committees, investors and preparers with further understanding the board’s inspection-related activities and its results.[1] This brief provides information about PCAOB staff inspections of registered audit firms and their audits during 2015 and highlights important aspects of the inspection plan, scope and objectives. Although the PCAOB’s requirements apply directly to external audit firms, issuers and preparers alike are all too aware that when the board’s inspections raise issues with the audit firms, they often translate into new and changing external auditor expectations and requests to which they must respond.
We are focusing on the SIB in this Flash Report, as it lifts the curtain on the scope of the activities driving the inspections process, which, in turn, has a pervasive effect on the audits of financial statements and internal control over financial reporting (ICFR).
Last week, the PCAOB also issued PCAOB Release 2015-007: “Inspection Observations Related to PCAOB ‘Risk Assessment’ Auditing Standards (No. 8 through 15).”[2] According to the board, these standards are intended to address the auditor’s assessment of audit risk, responses to the risks of material misstatement, and evaluation of the results of procedures performed in an audit. Because the procedures required by these standards underlie the entire audit process, the board is of the view that noncompliance with them can have serious implications for the audit of ICFR or the audit of the financial statements, and may affect whether the auditor performs enough work to support conclusions in the auditor’s opinion.
As of October 19, 2015, the PCAOB has issued 2015 inspection reports for four of the six global network audit firms and two of the four non-affiliate firms.[3] Issuers should become familiar with the most recent inspection report from their respective external audit firm and have discussions with them regarding new areas of emphasis for this year’s audits of the financial statements and ICFR.
Below we cover a few of the key points related to audits of ICFR in the above reports that will be of particular interest to issuers and preparers.
Ongoing Deficiency Areas
Due to continued gaps in a few key areas emanating from prior inspection reports, the PCAOB’s inspections staff is taking a close look at three themes of recurring audit deficiencies: auditing ICFR; assessing and responding to the risk of material misstatement; and auditing accounting estimates, including fair value measurements, and testing the data used in developing them.
These deficiencies were also highlighted in the PCAOB’s Staff Audit Practice Alert 12 in September 2014, and Alert 11 in October 2013. Although some of the issues surfaced in those alerts have seen evidence of improvements, the message to the audit firms is that more attention is needed.
Related to audits of ICFR, the 2015 inspection report deficiencies requiring attention relate to:
- Failure to sufficiently test the design and/or operating effectiveness of controls that the firm selected for testing, including management review controls and in some cases year-end update testing;
- Failure to sufficiently test controls over, or sufficiently test the accuracy and completeness of, issuer-produced data or reports (information produced by entity/IPE);
- Failure to identify and test any controls that addressed the risks related to a particular account or assertion, including responding to the risk of fraud (particularly in revenue and inventory) and management override; and
- Failure to sufficiently evaluate control deficiencies.
These matters are important because they represent insights as to areas of emphasis in conjunction with 2015 and fiscal 2016 audits of ICFR.
Evaluation of Control Deficiencies
The last of the four items above pertains to the auditor’s assessment of the severity of control deficiencies. The PCAOB has continued to express concern that management is not sufficiently vetting control deficiencies, and that there may be unidentified material weaknesses that are not getting properly scrutinized. One indicator of concern to the board is that the trend in the percentage of all companies with ICFR audit opinions that restate their financial statements is increasing and continues to exceed the trend in the percentage of companies reporting material weaknesses.
With respect to companies with financial restatements, a strong majority (more than 80 percent) of companies restating prior year financial statements received a “clean” audit opinion on ICFR in the year in which the restatement was announced – all this in spite of the fact that a restatement of prior period financial statements to correct a material misstatement is being considered an indicator of a material weakness in ICFR.[4] It is important to note that the reporting of material weaknesses is not just a concern of the PCAOB. As one official of the U.S. Securities and Exchange Commission noted, “I continue to question whether material weaknesses are being properly identified, evaluated and disclosed.”[5] With this increased attention by regulators on the assessment of the severity of control deficiencies, issuers would be well-served to focus on connecting the dots between disparate issues as they analyze deficiencies to determine whether a combination of deficiencies constitutes a significant deficiency or material weakness. In addition, they should assess whether auditor-proposed adjustments are the result of a significant deficiency or material weakness. Furthermore, issuers restating financial statements can expect stronger scrutiny of conclusions that a material weakness does not exist.
Inspection Selection Criteria
The PCAOB reports that its audit selections are risk weighted, considering risk factors from economic trends, company or industry trends, and the audit firm inspection history. The PCAOB plans to inspect 220 firms in 2015, including 10 U.S. firms that are inspected annually. The issuers selected for inspection span a wide variety of industries, including industrial and materials, consumer discretionary and staples, IT and telecommunications, financial services, energy and utilities, and healthcare. An appendix to the SIB charts the size of the issuers inspected, their industry, and the top five financial statement reporting areas selected for the annually inspected firms, which in turn are broken down between global network firms (six) and non-affiliate firms (four).
Economic developments that factored into the 2015 PCAOB inspection selections included:
- The high pace of mergers and acquisitions activity, the likes of which we have not seen for several years;
- Risk taking in the search for higher yielding investment returns due to the low interest rate environment; and
- Recent fluctuation in oil prices and its varying effects on the financial reporting risks of different industries (e.g., asset impairments, valuation adjustments, and collectability of loans and receivables).
PCAOB inspectors focus on audit areas that present unique auditing challenges and significant audit and financial reporting risks, as well as areas of recurring audit deficiencies both within and across the audit firms. For example, referred work engagements represent an area where inspectors found significant deficiencies over the past several years.
The primary focus areas in this year’s audits include:
- Characteristics of the issuer or its industry (e.g., market cap size, nature of operations, and industry risks);
- Potential audit or accounting issues likely to be encountered (e.g., complex revenue recognition issues);
- Geographic considerations of the issuer (e.g., emerging markets); and
- Considerations related to the audit firm, office and/or partner, including prior inspection results.
Financial Reporting Focus Areas
The most frequently selected financial reporting areas in 2014 were revenue and receivables, non-financial assets (assets acquired in business combinations, including goodwill and other intangible assets, and other long-lived assets), inventory, financial instruments, allowance for loan losses, income taxes, benefit-related liabilities, and equity transactions. Additional focus areas in 2015 include statements of cash flows (as they continue to be a frequent factor in restatements), additional focus on income tax accruals (particularly as they relate to foreign undistributed earnings and cash held overseas) and cybersecurity controls. The PCAOB also reviewed the implementation of Audit Standard 16, Communications with Audit Committees.
Cybersecurity in the ICFR realm is a new area that companies are being asked about by their auditors this year. When the company does not have any known incidents, management is well served by documenting:
- A general description of the relevant risks;
- People, processes and technology in place to address these risks;
- Recent internal audit projects (non-SOX) the organization has performed; and
- A statement that management is not aware of any relevant breaches this year that would warrant disclosure to investors.
In the event of a cyber-incident, the level of auditor scrutiny will increase, with a focus on the risk of material misstatement to the financials due to cyber-related losses, including contingent liabilities and claims, financial statement impact and disclosures. If management has not done so already, it may be prudent to discuss expectations with the auditor regarding cybersecurity disclosures sooner rather than later.
We believe that issuers are on the front end of understanding the external auditor’s expectations for what additional controls are required to sufficiently address the related party audit standard (AS18). We anticipate slight adjustments and refinements to existing internal controls and process documentation, given that issuers have had disclosure controls around related party transactions and significant and unusual transaction disclosures for some time. This too is a topic management should discuss with their auditor for this year’s audit.
Audit Firm Quality Control
Other areas of ongoing PCAOB inspection focus are directed to both the engagement level and the firm level. At the engagement level, the focus is on the auditor’s: implementation of automated testing tools; referred work engagements involving other firms on multinational audits; conducting engagement quality reviews in accordance with required audit standards; exercise of professional skepticism, taking into account all evidence relevant to management’s assertions and estimates, regardless of whether it confirms or contradicts management’s judgment; and implementation of Audit Standard 18 (AS18) dealing with related parties.
At the firm level, the focus is on the audit firm’s system of quality control, and independence monitoring systems to ensure that consulting and non-audit services do not impair independence.
The October 15 PCAOB Release 2015-007, which was mentioned earlier, expands on the gaps at audit firms around implementing the risk assessment audit standards and overall systems of quality control. For example:
- Firms did not perform substantive procedures, including tests of details that were specifically responsive to fraud risks and other significant risks that were identified.
- Firms did not perform sufficient testing of the design and operating effectiveness of controls to support their planned level of control reliance, including testing controls over the system-generated data and reports that were used to support important controls or substantive procedures performed in response to the assessed risks of material misstatement.
- Firms did not evaluate the accuracy and completeness of financial statement disclosures.
- Firms did not take into account relevant audit evidence that appeared to contradict certain assertions in the financial statements.
The PCAOB release points out that the internal training and tools of the firms were sometimes deficient, including:
- Hard and fast materiality percentages that missed the requirements of Audit Standard 11;
- Not requiring the separate identification of significant risks per Audit Standard 12;
- Establishing thresholds in excess of financial statement materiality for accumulating and evaluating misclassification misstatements within the same financial statement element or within the statement of cash flows in conflict with Audit Standard 14; and
- Pre-populated generic risks used in the automated work papers which led to insufficient assessment of risk in each individual situation.
Audit Committee Discussions
While the observations in the PCAOB’s reports are directed primarily to the external audit firms, audit committees are encouraged to ask their auditors whether any of these problems are showing up in their external auditor’s inspections, what the significant risks of material misstatement are for the company and how the auditor plans to address them, and how that has changed from the prior year and why.
It is clear that the audit process is being continuously refined over time. For example, subsequent to the PCAOB issuing the SIB, the Center for Audit Quality issued its Select Auditing Considerations for the 2015 Audit Cycle to provide auditors with guidance on key areas of focus for improvement.[6] As auditors refine their processes for planning, executing and communicating the audit, issuers will likely see new demands and expectations emerge – including in 2015.
[1] The Staff Inspection Brief.
[4] “Current Issues, Trends, and Open Questions in Audits of Internal Control over Financial Reporting,” Jeanette M. Franzel, PCAOB Board Member, speech to American Accounting Association Annual Meeting, August 8, 2015.
[5] “Remarks Before the 2014 AICPA National Conference on Current SEC and PCAOB Developments,” Brian Croteau, Deputy Chief Accountant, Office of the Chief Accountant, December 8, 2014.
[6] This resource is available here.