
How Much Is ‘Enough’? SEC-PCAOB Panelists Discuss Internal Control

“The PCAOB (or, National Office) made me do it!” will no longer fly as the sole justification behind auditors’ calls for more documentation from preparers, or more prescriptive testing of lower level controls relating to internal control over financial reporting (ICFR), a panel of regulators and practitioners told an AICPA conference last week. Instead, representatives from the U.S. Securities and Exchange Commission and Public Company Accounting Oversight Board said that companies should engage their auditors in a dialogue around why certain documentation is being requested, or certain procedures are being performed.

At the same time, preparers were reminded that the Commission’s rules require company management to reasonably support their assessment of ICFR, a critical area relied upon by investors, as noted by SEC Chair Mary Jo White.

Dialogue prompted by U.S. Chamber
“This is a very important issue, you can tell from Chair White’s remarks, myself and others, this is on everybody’s mind,” said Chief Accountant James Schnurr, opening the ICFR panel. “There’s been a lot of noise in the system, including a letter the PCAOB Chairman and I received from the U.S. Chamber of Commerce,” said Schnurr.

The U.S. Chamber’s letter, including input from a broader Financial Reporting Working Group of trade associations and businesses, called for a direct dialogue between the business community and the PCAOB, thereby triggering a series of discussions including auditors and preparers with both the PCAOB and SEC. The ICFR panel at the AICPA conference brought some of the key dialogue points out in front of a broader public audience.

Perceived move away from top-down approach
Panelists representing corporate management described their concerns, particularly as they relate to auditor requests for documentation, and related testing, in connection with the SEC's 2007 management guidance and the PCAOB's Auditing Standard No. 5.

Kevin McBride, Global Accounting and Financial Services Controller at Intel Corporation, said, “We can’t wake up one day and find everything’s different,” with respect to auditors’ expectations relating to ICFR. “Controls are embedded, executed as events occur,” he added.

“Preparers are on the backend, there are conversations between the (audit) firm and the PCAOB, and internal conversations within the firm; this stands in sharp contrast to the accounting standard-setting process,” noted McBride.  He added, “There is a lack of clarity on what exactly is sufficient on management review controls and precision.” He noted that dialogue between preparers, auditors and regulators this year has brought about progress, and should continue.

Susan Insley, VP Internal Audit at VMware, said, “We’ve observed a drift away from AS5’s top down, risk based approach, and moving away from reliance on management review controls, (with auditors) including a broader set of control activities (for testing and documenting), rather than relying on management review controls important to the running of the business.”

SEC Deputy Chief Accountant Brian Croteau responded, “In assessing ICFR, management needs to identify specific controls,” and to have an understanding of the management review controls, because, “not all management review controls are created equally,” and may or may not be designed to reduce financial reporting risk.

PCAOB Board Member Jeanette Franzel replied, “I echo what Brian said; it is also important for auditors to understand how controls fit into the flow of transactions, to apply the top down approach from AS5.”

Root cause analysis conducted by the PCAOB has identified auditors’ lack of understanding of management’s controls. Because the auditor’s understanding of controls prompts their selection of controls to test, “If the auditor doesn’t have a proper understanding, they may not be getting sufficient evidence to support the internal control opinion,” said Franzel. “Auditors sometimes compound their problems by relying on (certain controls) as if effective; that can result in deficiencies,” she added.

Auditors, preparers differ on use of checklists, templates
Mike Gallagher, Managing Partner, Assurance at PwC, said that the issues auditors are focusing on with clients now, including understanding the design and ‘precision’ of controls, mirror what happened, “a few years ago, when (PCAOB) inspection findings spiked, those issues were the most common.”

“What we’ve done to remediate,” said Gallagher, is, “a lot of training, tools and templates to help guide the thinking.” Using these tools, he continued, leads to, “having consistency in performance,” of the ICFR audit, which he referred to as “a game-changer.”

Similar sentiments were expressed by Josh Jones, a Partner in EY’s Professional Practice Department, who said, “In terms of remedial actions,” his firm developed, “tools and templates to help guide our teams to understand factors, types of things the reviewer (should be) concerned about, what is he or she using to perform the control, how (are deficiencies) followed up.”

The preparers on the panel, however, expressed reservations about the increased use of checklists and templates by auditors.

Insley said that although she’s seen auditors asking better questions, the use of templates is among “a couple key risk areas we want to keep an eye out on.” Referring to templates as “a great tool for providing consistency,” she added, “there may be things on the template that don’t apply; you may not be able to define the level of precision across (all things); and the other qualitative factors we’ve discussed; your comments about documenting the thought process, we completely agree with, but want to make sure it suits the risk level, not to document every single judgment / decision to the same level of specificity.”

Schnurr said, “We have heard of auditors mandating checklists, templates; some have suggested this seems to contradict a top-down, risk-based approach.”

Gallagher replied, “It is important that templates and checklists are used effectively, not one size fits all.” He added that a review control template was a good example; noting, “we require use of review control templates at PwC, not on every engagement, but where placing reliance on that control; it is important that all things to be considered are considered, not to say that the template needs to be used on all review controls, but on the ones that matter, the ones that drive the audit. The key point is, audit strategy needs to be scaled, needs to be top down, according to the weight of the entire audit.”

Helen Munter, Director of Registration and Inspections at the PCAOB, noted, “We have found proper use of templates have been very effective for auditors, and has helped move the bar,” calling templates “a great tool for auditors to have in appropriate situations.”

Franzel observed, “I would caution that if use of tools and templates start substituting for auditors’ understanding of the flow of transactions, we’ll be right back where we started.”

McBride once again expressed unvarnished concerns of preparers, stating, “There can’t be a one-size-fits-all approach; we need to reestablish a common understanding of what’s expected and sufficient in terms of internal control audit evidence.” He added, “it’s not practical to expect all possible scenarios and response protocols can be captured in control design.”

Referencing McBride’s comments, Gallagher added, “Kevin hit the point around communication, I couldn’t agree more, having a great dialogue cannot be overstressed; we are learning from each other.”

Lower level controls vs. management review controls
“It is important to think about controls without regard to labels,” cautioned Croteau. “To the extent there is a difference in view between management and auditors on the population of controls being considered, that is where early communication is important,” he said.

“In some circumstances,” explained Croteau, “management or auditors’ looking at lower level controls may be based on a conclusion that higher level controls may provide some comfort, but not sufficient.” (emphasis added). He added that it is important to walk through the three types of entity-level controls that are addressed in the SEC’s guidance for management and PCAOB’s AS5 for auditors. He noted that, “higher-level controls, affecting other controls, may be necessary overall, but it is unlikely those alone would be adequate to prevent and detect financial misstatements.”

PCAOB's Munter added, “The auditor wants to consider everything Brian summarized: is the entity level control sufficient to operate and be tested on its own, in isolation? Does it operate at an appropriate level of precision, or does it depend on the operation of other controls?”

She continued, “The auditor also has to consider whether sufficient evidence is available to support the conclusion on ICFR; if not, there needs to be a discussion: what can be done to close that gap in time for the auditor to adjust the scope of work.”  If there is a failure of a ‘meeting of the minds’ between management and the auditor on a timely basis, that failure can drive auditors to test lower level controls, indicated Munter.

Reliance on internal audit
Gallagher said, “There is a huge missed opportunity if the auditor doesn’t look at management’s testing; that’s a great dialogue between management and auditor; maybe as auditor you are right or you are wrong, you may be pointing something out to management they haven’t focused on, that’s great, you’ve added value.”

“We love root causes these days,” continued Gallagher, adding, “missed communication is a root cause in these type issues.”

Schnurr noted that questions have also been raised on the ‘precision’ of controls. Croteau explained, “This is an important area; in understanding precision, I’d encourage management to look at the framework you are using – COSO in most cases.”

For higher level judgments, he continued, “you’d expect process level controls to be important in combination with higher level controls.” As an example, he said, “think about the number of judgments, inputs, and assumptions that go into a loan loss reserve; it’s not surprising that looking at higher level controls alone would be insufficient.”

Munter said that the concept of precision “absolutely goes beyond quantitative thresholds.” She pointed out that PCAOB’s Staff Audit Practice Alert No. 11 details this concept, including the objective of the review, level of aggregation, consistency of performance of the control, and predictability of expectations.

Gallagher added, “It’s a matter of judgment, it's not always very objective in terms of how precise a control is, it’s important to have a good thought process, and document that thought process.”

EY’s Josh Jones added, “Not all review controls are created equally, a review that insures a reconciliation is done is different from a review of qualitative adjustments of the loan loss or discount rate of an investment; to the extent teams recognize those differences and modulate accordingly is important; make sure they have the tools.”

Croteau said, “Consistent with discussions we have when we engage in this area with management, it is important to step back and examine the nature of the control and what it actually does; then think about how precise it is against the financial reporting risk it is intended to address.”

In thinking about controls, it’s important to consider “flows of transactions, how risks present themselves, changes over time, very specific facts and circumstances-based discussions,” said Croteau.

Management must maintain reasonable support
Schnurr reminded the group that, “SEC rules require management to maintain reasonable support for its assessment of ICFR; that’s why documentation is important… [providing] a level of evidence necessary to support” management’s conclusion on the effectiveness of ICFR.

Croteau added, “(The SEC’s) management guidance makes clear management’s responsibility for having evidence, including for the population of controls on which management relies to support its (financial reporting); the form (of such evidence) can take the form of process manuals, flow charts, job descriptions, a whole host of things; if management doesn’t have documentation for its own (use), it’s hard to see how management would know if (the controls are) operating effectively.”

“One thing I like to look at is the diagram in (the SEC’s) management guidance: the higher the risk of control failure, the more evidence one would expect; the amount of evidence is dependent on the amount of risk,” said Croteau. He added, “COSO also speaks to the importance of documentation necessary to maintain controls, separate and apart from SEC (compliance) purposes.”

‘Inquiry alone is never enough’: PCAOB

Further on the question of ‘how much (evidence; documentation) is enough,’ Munter said, “PCAOB standards speak to this: AS5 does not prescribe a one-size-fits-all approach to audit, the approach should be top-down risk based, where the risk associated with a particular control needs to drive the documentation needed to support the effectiveness of the control.”

“Inquiry alone is never enough,” said Munter, “but it is important for auditors to understand some controls may have no documentation.” Speaking to a particular pain point – whether auditors must attend meetings to have adequate proof they took place – Munter said, “instead of attending and observing meetings where certain controls occur is not required; auditors can review a summary of the meeting, consider items followed up from a meeting; it’s never enough just to observe that a meeting occurred.” Significantly, she acknowledged, “I understand management sometimes want to hold a closed meeting; but there does need to be a record of the meeting so the auditor can understand what the control is and how it operated, to determine if it is effective.”

Croteau commented, “Management and auditors have gone back thinking together about alternate forms of evidence; to the extent evidence is created through operation of a control, that is the most simple evidence to gather; we are hearing more discussions occur earlier in the process, as management and auditors think about next year.”

Insley suggested, “Mak(e) sure that walkthrough process at the beginning - during the design review with the auditors - is effective, and we understand mutually what the expectations are in terms of level of evidence that needs to be produced, and trying to avoid surprises where we are in the substantive testing period towards year end.”

Also important, she said, is that, “In that conversation, making sure we are all aligned on the value of documentation, so we are not documenting for the sake of documentation; make sure the level of effort to produce evidence is appropriate for the activity and risk level.”

Intel's McBride emphasized the importance of, “ongoing dialogue with our auditors, (including) the topic of supporting evidentiary matter, facts and circumstances, the need to apply judgment, and sharing that information with others in our control community.”

He added that, in advance of a “large, pending acquisition,” his company has “spent the better part of this year redesigning our control framework, looking at what we typically do for smaller transactions, in collaboration with those on the business side as well as the auditors, so when we execute controls contemporaneous with events, that the design is effective and that documentation coming out of it will be sufficient for us and the auditors.”

No more ‘the PCAOB (or National Office) made me do it’
SEC Chief Accountant James Schnurr stated, “Between management and auditors, we sometimes hear from preparers that auditors have been changing their approach, generally to perform additional procedures; however, they aren’t always able to explain the reasons, and sometimes imply the procedures are from the national office or PCAOB.” (emphasis added).

PCAOB Board Member Jeanette Franzel said, “In all of our outreach, this is one of the most important things that has come out in terms of a point of tension.” She continued, “I want to reiterate, if auditors say, we have to do this because of the PCAOB, or a national office publication, you have to understand why… (and consider) is the auditor going down a bad path? That is not an acceptable response; that also takes openness on management’s side, sometimes management demands an overwhelming case for the auditor to do something different vs. last year - well, sometimes things change/you learn things,” explained Franzel (emphasis added).

Rather than just leaving it at ‘the PCAOB (or national office) made me do it,’ she outlined issues that need to be discussed between auditors and management, including, “is there agreement between management and the auditor on risk assessments, you want to talk about that early on and figure out why; does management and the auditor agree on the population of key controls?”

Franzel had a lot more to say. “Some conversations that haven’t been happening need to deal with management controls that need to be improved, taking a harder look at it, management could and should make improvements, not only to facilitate controls but also the audit process.” She continued, “Given what we’ve seen with management review controls, those controls warrant a special conversation to make sure the auditor has a full understanding, management has a full understanding; in some cases, those controls may not have been designed to address the risk the auditor is (looking at).”

McBride commented, “This idea when the auditor says, ‘The PCAOB says, the national office says,’ reminds me of… you’ve got to understand, there is great learning in the dialogue, it can be an enriching conversation, not only about the purpose and design of the control; there can be a blow back to folks that designed the controls; if you aren’t getting an answer (you understand), escalate it as you would any accounting issue.”

PwC’s Gallagher weighed in on this point, “When Jeanette [Franzel] and I were out at (the audit committee conference held earlier this year at) USC, we heard that, as a way of shutting down conversation, auditors would say, ‘I have to do it because the national office or PCAOB tells me to do it.’ That is an incredibly weak response; I worry about any professional that can’t articulate the ‘why’ of what you are doing. My advice to preparers, audit committees, management, if that is the answer you are getting from your auditor, you ought to talk to someone in the organization who can give you an answer that makes sense, not ‘I had to,’ but how it contributes to the quality of the audit; particularly with respect to controls. My advice is: get the answer; by all means, push back, if you can’t get the answer from (the engagement) team, ask for somebody in the firm to get (you) the answer.” (emphasis added)

Asked to comment on the role of the audit committee, Croteau said, “The audit committee certainly has a role in the context of ICFR: using risk assessment, the population of controls, the nature of management review controls, perhaps the nature and extent of evidence, the way templates are being used, are areas in which the audit committee could be engaged.” He continued, “I understand the audit committee is not nearly as involved as management and auditors in the ICFR assessment,” but, “I think there are areas, you are hearing about on the panel today, that are appropriate (for you to get involved in).”

Schnurr closed the session by thanking the panelists, and addressing the audience, said, “If you haven’t heard the message, communication, dialogue, and push back - if someone tells you that you have to do something you don’t understand, you have to push back and get an explanation.” He added, “I would fully expect we will get the parties back together after year end, hopefully you have all found this valuable.”

Regulators still hold the rulemaking card
During a separate Q&A with the SEC Chief Accountant and Deputy Chief Accountants at the AICPA conference, Croteau took on a question about whether the SEC and PCAOB should issue further guidance to address any perceived ‘gap’ between management’s and/or auditors’ current practice and the intent of the SEC’s and PCAOB’s 2007 guidance on ICFR.

Based on Croteau’s response, although the SEC and PCAOB clearly hold the rulemaking card, it appears they want to allow a more open dialogue to play out to hopefully narrow any perceived gaps in understanding between management (preparers), audit committees and auditors, before launching into another rulemaking process.  Specifically, Croteau said, “This is why we are engaged in the dialogue, we’d like to better understand; ... dialogue grounded in existing standards is a good place to start.” He continued, “I am glad dialogue is occurring in this space, I encourage folks to be in touch with us,” if they have concerns or questions.

Further, he said, “Whether something more to bridge the gap between (the SEC’s) management guidance and AS5 - to everyone who has raised that to me so far, we are getting to a place where whatever gap is perceived is a lot smaller than was originally thought; to anyone who perceives a gap, we are happy to have a dialogue.”

Stepping back: What does this mean for management?
In my view, based on remarks by several layers of SEC leaders in speeches preceding the ICFR panel as well as their remarks during the panel, a foundational point before questioning whether ‘overauditing’ is taking place in the ICFR realm, is for management to determine if both the design and operation of its system of internal control – particularly management review controls and entity level controls - remain effective.

Said another way, management cannot ‘presume’ the design and operating effectiveness of process level controls or management review controls remain effective, particularly in the face of changing business practices and a changing business environment.

It is true that the SEC’s management guidance – cited in the letter sent by the U.S. Chamber of Commerce to the SEC and PCAOB in May, 2015 – states: “if management determines that a risk of a material misstatement is adequately addressed by an entity-level control, no further evaluation of other controls is required.” (emphasis added).

However, if there is faulty logic in the design of management review controls or entity level controls, or those controls are no longer operating effectively given changes in the control environment or changes in the business, the premise of relying on testing those controls and not other controls is washed away.

As much as the ICFR panel may have appeared to some to be an exercise aimed at auditors, key remarks in speeches by the SEC Chair, Chief Accountant and Deputy Chief Accountant preceding the panel appeared aimed at reminding management that the responsibility to maintain effective internal controls over financial reporting, and to properly assess the effectiveness of those controls, rests with management.

SEC Chair Mary Jo White: “Preparers must recognize that management’s ability to fulfill its financial reporting responsibilities significantly depends on the design and effectiveness of internal control over financial reporting (ICFR)… It is hard to think of an area more important than ICFR to our shared mission of providing high-quality financial information that investors can rely on…. We need to be frank about any challenges in the operation and assessments of ICFR and address them to the extent appropriate.” (emphasis added) 

SEC Chief Accountant James Schnurr: “[T]he ICFR issues identified by the PCAOB may not be just a problem of audit execution. Rather, they may, at least in part, be indicative of deficiencies in management’s controls and assessments. Therefore, both auditors and management as well as audit committees need to focus on the ongoing maintenance and assessment of ICFR. I encourage the three parties to engage in robust dialogue regarding ICFR design and assessment in the context of existing guidance from the SEC and the PCAOB.” (emphasis added)


During the final Q&A with the senior staff of the SEC’s Office of the Chief Accountant, Croteau responded to a question regarding whether the Commission would object to any filers’ continued use of the 1992 COSO internal control – integrated framework, vs. COSO’s 2013 framework. 

Croteau replied, “The short answer is no, but as I’ve said, questions will come from us and investors why a company would continue to use a framework that is no longer supported” (i.e., COSO announced that effective December, 2014, it would no longer support the ’92 framework, in light of issuance of the updated framework in 2013). He added that in the case of any companies continuing to use the ’92 framework, “there is increased interest, but not an ‘objection.’”

Another COSO-related question from a conference participant, said Croteau, was around whether organizations could rely on a SOC 1 report based on the ’92 framework. “That is an interesting point,” said Croteau, adding, “again, since we wouldn’t object necessarily to using the ’92 framework, the question is whether a company should make some kind of disclosure, if otherwise disclosing it has done its evaluation (of ICFR) in accordance with the 2013 framework, and may have a question to the service provider why (they are) not using the 2013 framework as well.” He indicated it is worth giving “some thought to whether disclosure is appropriate” if the SOC 1 report is based on the ’92 framework, for a company that is otherwise reporting under the 2013 COSO framework.

The 'Could' Factor

When it comes to ICFR, the question of “how much is ‘enough’” does not just apply to how much documentation or testing is enough to demonstrate that internal control is ‘effective,’ but how much internal control is enough to prevent a ‘reasonably possible’ misstatement that ‘could’ happen.

In his speech which preceded the ICFR panel, Croteau discussed at length the expectation of the SEC staff that companies consider whether material misstatements ‘could’ have occurred, based on material weaknesses found in the system of internal control – and disclose that fact – whether or not any actual material misstatement of the financials in fact occurred.

This point – let’s call it, as Croteau did, the ‘could’ factor – may still not be widely recognized by management. Since companies can be liable and face enforcement action over a failure to properly disclose material weaknesses in internal control relating to the ‘could’ factor, the relevant portion of Croteau’s remarks on this point is excerpted below. The essence of this point relates to investors’ calls for ICFR reporting to be more of an ‘early warning,’ or leading indicator, of potential material misstatements, rather than a lagging indicator, which is still largely the case when a material weakness in internal control is found and disclosed only after a material restatement is made.


From Croteau’s speech:


“[O]nce ready to assess the severity of a deficiency, it’s important to remember that there are two components to the definition of a material weakness - likelihood and magnitude. The evaluation of whether it is reasonably possible that a material misstatement could occur and not be prevented or detected on a timely basis requires careful analysis that contemplates both known errors, if any, as well as potential misstatements for which it is reasonably possible that the misstatements would not be prevented or detected in light of the control deficiency. This latter part of the evaluation, also referred to as analysis of the so called “could factor,” often requires management to evaluate information that is incremental to that which would be necessary, for example, for a materiality assessment of known errors pursuant to SAB 99. The final conclusions on severity of deficiencies frequently rest on this “could factor” portion of the deficiency evaluation; however, too often this part of the evaluation appears to be an afterthought in a company’s analysis. Yet consideration of the “could factor” is very important.


It’s also important that the information used in evaluating the severity of control deficiencies is reliable, including the use of reasonable assumptions about the risks of misstatements that flow from the deficiency being evaluated. If the evaluation leads to an effort to obscure the severity of a control deficiency, investors are less likely to receive the disclosures they expect. Likewise, limitations on management’s own internal understanding about the nature and severity of a deficiency can result in a lower likelihood that the remediation is comprehensive and sufficient.” (emphasis added)

During the ICFR panel, Croteau provided an example pertaining to impairment of fixed assets or intangibles, that, “management might have a flawed methodology, or math error; they may reach a conclusion… [but] by being lucky, getting to the right GAAP answer isn’t sufficient in having effective controls.”

Read more about the AICPA’s SEC-PCAOB Conference

Here are links to additional news articles and audit firm summaries of remarks made by the FASB, SEC, PCAOB and IASB at the AICPA’s national conference on current SEC and PCAOB developments, December 9-11, 2015:
