As part of its oversight mission, the PCAOB has sought to improve the quality of U.S. public company audits. A major part of its focus has centered on auditors’ assessments of companies’ internal controls over financial reporting (ICFR), as required under the Sarbanes-Oxley Act of 2002. This article assesses whether audit quality has improved by looking at PCAOB inspection reports containing ICFR-related audit deficiencies over the past decade and determining whether auditors responded to PCAOB criticism and remediated the deficiencies found. This review can provide independent auditors, management, internal auditors, and audit committees with insight into the PCAOB’s evaluation of problem areas in internal control audits. In addition, auditors can avoid becoming targets of inspection reports with ICFR-related audit deficiencies by paying closer attention to such areas.
The Sarbanes-Oxley Act of 2002 (SOX) created the PCAOB to oversee public company audits in the United States by establishing auditing standards and registering and inspecting public company auditors. By the end of 2012, the PCAOB had registered 2,363 audit firms—1,452 U.S. firms and 911 foreign firms. In addition, the board conducts annual inspections of accounting firms that provide audit reports for more than 100 public issuers, and at least one inspection every three years of those that provide audit reports for 100 or fewer public issuers (SOX section 104 and PCAOB Rule 4003). In 2012, the PCAOB inspected nine annual firms (all U.S. auditors) and 244 triennial firms (167 U.S. audit firms and 77 foreign audit firms). These inspections evaluated the quality of audit work performed on selected audit engagements and the accounting firms’ quality control system. The PCAOB publishes an inspection report for each inspection it conducts.
SOX section 404(a) requires management of public companies to assess and report on the effectiveness of its internal control over financial reporting (ICFR). In addition, SOX section 404(b) requires auditors to provide an independent opinion of clients’ ICFR. Auditing Standard (AS) 5, An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements, effective since November 2007, requires auditors to integrate audits of internal control and financial statements, and provide opinions on the effectiveness of a company’s ICFR. It also requires auditors to adopt a top-down risk-based approach that emphasizes such vital areas as entity-level controls and high-risk items.
The PCAOB has continued to monitor the implementation of AS 5 and pays close attention to the quality of internal control audits (PCAOB Staff Audit Practice Alert 11, http://bit.ly/1T1Mrft). Against this backdrop, the PCAOB publishes its findings during the inspection process and provides guidance and alerts for auditors regarding internal control audits (PCAOB 2012 Annual Report, “Report on 2007–2010 Inspections of Domestic Firms that Audit 100 or Fewer Public Companies,” http://bit.ly/1S2cHWe). Furthermore, 58% of the accounting-related federal class action lawsuits filed in 2014 cited internal controls—the most frequently mentioned problem in such cases—as an issue (Coming into Focus: 2014 Litigation Study, PricewaterhouseCoopers, http://pwc.to/1Wrv4Vt). By contrast, 38% of the cases mentioned revenue recognition (the second most frequently cited item).
A Study of Inspection Reports
This article investigates audit deficiencies related to ICFR, as documented in 131 PCAOB inspection reports published from August 2004 to November 2013 for inspection years 2002 through 2012. Using the Audit Analytics database, the authors analyzed 2,047 completed PCAOB inspection reports submitted by the end of 2013. Of the 1,025 inspection reports with audit deficiencies (about 50%) during this period, the authors identified 131 ICFR-related deficiencies, composed of 89 U.S. inspection reports (40 U.S. auditors) and 42 foreign inspection reports (31 foreign auditors).
The PCAOB found audit deficiencies among a wide array of auditors. Big Four auditors as a group, which audit the vast majority of listed U.S. companies, dominated the count with 35 inspection reports (26.7%) that contained ICFR-related audit deficiencies. Other annually inspected U.S. auditors followed (23 inspection reports, 17.6%), including such firms as BDO, Crowe Horwath, Grant Thornton, MaloneBailey, and McGladrey. The remaining 73 inspection reports disclosed ICFR-related audit deficiencies for triennially inspected U.S. auditors (23.6%) and auditors from 16 different foreign countries (32.1%). Of those foreign inspection reports, Canada had the highest number (9.1%) with ICFR-related deficiencies, followed by India (4.6%) and Mexico (3.0%). The results seem to suggest that, in the PCAOB’s judgment, ICFR-related audit deficiencies are prevalent, regardless of auditor type.
Deficiencies in the Inspection Reports
The authors used Audit Analytics to categorize each report into five types of ICFR-related audit deficiencies, then hand-collected detailed descriptions from the inspection reports (http://pcaobus.org/Inspections/Reports/Pages/default.aspx). In some cases, the authors observed multiple types of audit deficiencies in a single inspection report. Deficiencies in testing of design of controls or operating effectiveness of controls (94) were the most frequently cited, followed by deficiencies in the application of the top-down risk-based approach to the audit of internal control (53); information technology (IT) consideration (40); the use of the work of others (28); and evaluating identified control deficiencies (21). Exhibit 1 provides disclosure examples of such deficiencies from the inspection reports to highlight the nature of the issues observed by the PCAOB; however, detailed descriptions about specific problematic audit procedures and related remediation processes are not available in the inspection reports. Exhibit 1 also summarizes the PCAOB’s suggestions to address each audit deficiency area (PCAOB Staff Audit Practice Alert 11). The sections below briefly discuss each major ICFR deficiency area.
Audit Deficiencies Related to ICFR and PCAOB Guidance
Testing of design or operating effectiveness of controls.
The PCAOB inspection reports document numerous deficiencies in the testing of design of controls or operating effectiveness of controls of various accounts. AS 5 and AS 12, Identifying and Assessing Risks of Material Misstatement, require auditors to first obtain an understanding of internal controls designed to prevent and detect material misstatements, which should then help them select relevant controls to test for the identified risk. AS 5 cautions that auditors cannot infer effectiveness because no misstatements were detected by substantive procedures; instead, they should obtain direct evidence about a control’s operating effectiveness. The PCAOB identified several cases where auditors did not perform important assessments. Furthermore, the PCAOB has indicated that auditors sometimes fail to test all the relevant assertions of significant accounts and disclosures (PCAOB Staff Audit Practice Alert 11).
Management review controls.
In some cases, the inspection reports have disclosed audit deficiencies related to design or operating effectiveness of management review controls. Management reviews are usually performed to compare actual results with forecasted or budgeted revenues and expenses and to investigate significant differences from expectation. Auditors often test management review controls in internal control audits to obtain evidence about the controls’ design and implementation to prevent or detect misstatements. The PCAOB points out that CPA firms have placed undue emphasis on testing management review control in some instances without considering whether these controls adequately addressed the risks of material misstatements (PCAOB Staff Audit Practice Alert 11).
Roll-forward procedure of controls.
In other cases, the PCAOB has disclosed audit deficiencies related to roll-forward of controls tested at an interim date. The board noted instances where firms did not perform any testing or used inquiry alone for assessing the effectiveness of roll-forward procedures, despite high inherent or fraud risks associated with these controls. AS 5 requires auditors to perform roll-forward procedures to update the results of interim testing to year end. It also notes that inquiry might be a sufficient roll-forward procedure for low-risk situations but is unlikely to be sufficient when the evaluation of the above-mentioned factors suggests otherwise. This is particularly true when—
- the control is related to items that are high risk, complex, subjective, or not tested extensively at the interim date;
- exceptions were identified in the interim testing;
- the roll-forward period is long; or
- significant changes occurred during the roll-forward period.
The findings suggest that auditors should perform more thorough evaluations of the design and operating effectiveness of management review controls. In particular, such evaluations should assess and draw inferences about procedures involved in resolving significant differences from expectations, the competence and authority of the person who performs related test controls, and the conclusions reached by the reviewer. Furthermore, auditors need to assess the risk associated with roll-forward procedures and use evaluation approaches that go well beyond mere management inquiries when an auditor considers risk to be high. Such closer attention to high-risk rollovers is consistent with AS 5, which requires auditors to use more persuasive evidence as risk increases.
Top-down risk-based approach.
AS 5 requires the use of a top-down risk-based approach for the internal control audit. This approach, which is important for performing effective internal control audits, refers to the sequential thought process that auditors should employ in identifying risks. A top-down risk-based approach begins at the financial statement level and focuses on entity-level controls, then on significant account–level controls, and account-level controls. Examples of entity-level controls include controls of the control environment, risk-management process, monitoring control, and period-end financial reporting processes (AS 5).
PCAOB inspection reports have identified many audit deficiencies in the auditors’ use of a top-down risk-based approach. Disclosure examples show that auditors failed to test entity-level controls and period-end financial reporting processes. In addition, several auditors failed to properly assess the risk of misstatements in various accounts.
Risk assessment is a key element of the audit of internal control: identifying the risks of material misstatement is essential for the auditor in planning and selecting relevant controls to test and in appropriately evaluating those controls (PCAOB Staff Audit Practice Alert 11). The risk assessment process includes understanding the company, its business processes, and related internal control and assessing the likely sources, the types, the likelihood, and magnitude of potential misstatements based on the identified risks (AS 12; PCAOB Staff Audit Practice Alert 11). Employing a top-down mindset is challenging because an auditor frequently performs an audit in distinct steps built around financial statement components and might not develop the mindset to think sequentially about risk, starting at the highest level and working down to specific assertions that might point to the likelihood of material misstatements.
Many companies rely on IT, such as enterprise resource planning (ERP) systems, to process accounting data—and the role of IT is even more important in internal control audits. Auditors should identify IT risks and assess general and application IT controls as an integral part of the top-down risk-based approach used in the financial statement audit. The PCAOB expects auditors to understand how IT affects a company’s flow of transactions and “obtain an understanding of specific risks to a company’s internal control over financial reporting resulting from IT” (AS 15, Audit Evidence, para B4).
Inspection reports have identified several audit deficiencies related to the IT consideration. According to the PCAOB in Staff Audit Practice Alert 11, some audit firms failed to 1) “test information technology general controls (ITGC) that are important to the effective operation of the applications that generated the data or reports,” 2) “test the logic of the queries (or parameters) used to extract the data or reports,” or 3) “address control deficiencies that were identified with respect to the ITGCs over either the applications that process the data used in the reports or the applications that generated the reports.”
The use of work of others.
Auditors can more extensively use the work of competent and objective third parties in low-risk areas because as the risk decreases, the necessary level of competence and objectivity decreases (AS 5). On the other hand, auditors should perform more extensive testing of the work done by third parties in high-risk areas involving significant judgment and fraud risk, particularly when the competency of those third parties is judged to be low.
The PCAOB disclosed several audit deficiencies related to the use of the work of others (e.g., internal auditor and service auditor). These auditors relied on tests of controls performed by third parties without a sufficient basis for using these works. The PCAOB commented, in some instances, “the extent to which firms used the work of internal audit in higher risk areas involving significant judgment, such as aspects of revenue and the valuation of complex, hard-to-value investment securities, was inappropriate” (PCAOB Staff Audit Practice Alert 11). The board also noted that some auditors did not redo any of the tests of controls performed by the clients’ internal auditor and did not have documentation of the nature, timing, and extent of that control testing. In addition, the PCAOB reports disclosed that some auditors did not perform sufficient tests of controls of service organizations when relying on the service auditor’s report and did not assess an interaction between a service organization’s control and a company’s control.
Evaluating identified control deficiencies.
Auditors should perform sufficient evaluations to determine whether audit findings related to the substantive procedures in the financial statement audits are indicators of the existence of control deficiencies. They should also evaluate the severity of identified control deficiencies to the existence of material weaknesses of internal controls and the related magnitude of material misstatements.
PCAOB inspections indicate that auditors fail to evaluate the severity of identified control deficiencies. The PCAOB provided examples of failure in evaluating identified control deficiencies, including that auditors did not 1) “sufficiently evaluate whether audit adjustments and exceptions identified from substantive procedures were indicators of the existence of control deficiencies”; 2) “consider all of the relevant risk factors that should have affected the determination of whether there was a reasonable possibility that a deficiency, or a combination of deficiencies, could result in a material misstatement”; 3) “consider all of the relevant factors that should have affected the determination of the magnitude of potential misstatements”; or 4) “sufficiently evaluate compensating controls, including identifying and testing those controls and determining whether they operated at a level of precision that would prevent or detect a misstatement that could be material” (Staff Audit Practice Alert 11).
Deficiencies by Auditor Type
Exhibits 2 and 3 present ICFR-related audit deficiencies by auditor type. Big Four auditors were relatively more frequently cited for deficiencies related to the evaluation of identified control deficiencies and assessment of IT issues. Surprisingly, no triennially inspected U.S. auditors were cited for shortcomings in evaluating identified internal control deficiencies. Another interesting observation is that foreign auditors were cited relatively more frequently for deficiencies in testing of design of controls or operating effectiveness of controls.
Types of Audit Deficiencies Related to ICFR and Auditor Type
Deficiencies by Year and Period
Exhibit 4 presents the various types of ICFR-related audit deficiencies by year and period (defined as before and after AS 5). The PCAOB generally inspects audit engagements one year after completion of the audit; thus, clients’ financial statements in the year before inspections were used for classification by year and period. Audit deficiencies related to ICFR of all types occurred more frequently in the period following AS 5 (2007–2012) than in the period before (2004–2006). This might be attributed to auditors applying the salient features in AS 5 (top-down risk-based approach, using work of others, and testing of design of controls or operating effectiveness of controls) improperly (Observations from 2010 Inspections of Domestic Annually Inspected Firms Regarding Deficiencies in Audits of Internal Control over Financial Reporting, http://bit.ly/1U9UNA4). In an alternative interpretation, the PCAOB might have strengthened its processes for inspections of internal control audits and identified more audit deficiencies related to ICFR after AS 5.
Audit Deficiencies Related to ICFR by Year
Remediation of Deficient Audits
In general, it appears that auditors were not responsive to the PCAOB’s feedback on their audits of ICFR and did not remediate observed deficiencies by the next inspection. Of the 131 inspection reports containing deficient audits related to ICFR, 16 auditors—8 annually inspected U.S. auditors and 8 foreign auditors, representing 75 inspection reports—had multiple inspection reports containing ICFR-related audit deficiencies. In comparison, 10 inspection reports with ICFR-related audit deficiencies were remediated by the next PCAOB inspections. Of the 10 subsequent reports, 6 were clean reports without any audit deficiencies and 4 contained other audit deficiencies that are not related to ICFR. No information about the outcomes of subsequent inspections was available for the remaining 46 deficient ICFR audits as of the end of the period examined (December 31, 2013). Based on the available information, it seems that auditors do not adequately address the ICFR-related audit deficiencies pointed out by the PCAOB inspections and improve the quality of subsequent audits of ICFR.
Audit deficiencies related to ICFR seem to be prevalent among all auditor types, including both U.S. and foreign auditors. The data indicate that deficiencies in testing design or operating effectiveness of controls (94) are the most frequently cited deficiency, followed by deficiencies in applications of the top-down risk-based approach (53), IT considerations (40), the use of work of others (28), and evaluating identified control deficiencies (21). In general, auditors were not responsive to the PCAOB’s feedback on their ICFR audits, and many did not remediate identified ICFR-related deficiencies by the subsequent inspections. The reasons for the inadequate response by auditors are outside the scope of this article. Nonetheless, this issue merits further research—both the PCAOB and the profession would benefit a great deal from understanding the dynamics that lead this aspect of the regulatory process to fail.
This review and discussion of the audit deficiencies identified in the inspection reports should benefit external auditors as they plan the audit and test ICFR properly to avoid receiving inspection reports with ICFR-related audit deficiencies in the future. Management, audit committees, and internal auditors can benefit as they plan, execute, monitor, and assess ICFR systems. AS 16, Communications with Audit Committees, emphasizes the importance of two-way communications between the auditor and the audit committee in order to enhance the relevance and effectiveness of those communications. Audit committees can consider discussing problem areas related to internal control audits with the external auditor and use the PCAOB’s guidelines as a framework for assessing how problems are being addressed. The agenda for conversations between the auditor and the audit committee could, among other things, highlight 1) assessment of the design or operating effectiveness of controls; 2) the methods used to assess controls, including a top-down risk-based approach; 3) IT considerations; 4) use of and reliance on the work of others; and 5) the auditor’s assessment of the nature and significance of identified control deficiencies.
PCAOB inspection reports do not disclose a detailed remediation process of ICFR-related deficiencies, though auditors, internal auditors, and management would likely benefit from such disclosures. At the very least, disclosures could assist with identifying the issues and minimizing the risk of repeating deficiencies. In the authors’ opinion, it would be helpful to the profession as well as registrants if the PCAOB disclosed detailed remediation processes for ICFR-related deficiencies.
Recently, many companies have experienced changes in auditors’ approaches to internal control audits as a result of PCAOB inspections; in some cases, auditors have performed additional procedures related to previously issued audit opinions on ICFR (Jeanette M. Franzel, “Effective Audits of Internal Control in the Current ‘Perfect Storm,’” http://bit.ly/23cSwu2). Such changes of audit methodologies and additional audit staff training could increase audit fees. On the other hand, the PCAOB’s continuous efforts on identifying problems of internal control audits and encouraging remediation of ICFR-related audit deficiencies could improve the quality of internal control audits and financial statements. Further investigation is needed as to whether PCAOB inspections of internal control audits affect audits of internal control as well as the fees associated with the audit. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a new internal control framework in 2013, with the original 1992 COSO framework being superseded on December 15, 2014. It will be interesting to see whether any meaningful changes in the quality of auditors’ evaluations of internal control systems result from the new COSO framework—as well as how it might affect the PCAOB’s approach to inspections.