ICFR: Sunlight through the Clouds

From a high level, we can easily make two observations regarding the complex issue of internal control over financial reporting (ICFR). First, effective ICFR is a keystone of investor confidence. Investors depend on reliable financial information, and ICFR helps reduce the risk that financial statements will contain material errors or misstatements. The high degree of confidence that U.S. investors consistently express in financial markets and audited financial statements is testimony to the U.S. approach to ICFR.

Second, ICFR is challenging. The design, implementation, and oversight of effective controls demand attention and effort from senior management, boards, auditors, regulators, and others. What's more, given the dynamic and evolving nature of our financial markets, these challenges are both shifting and persistent.

The good news? In the face of these challenges, stakeholders from across the financial reporting supply chain have elevated the debate and dialogue around ICFR to new heights. Through this interaction, they are taking control of internal control—identifying ways to enhance our approach to this critical safeguard for investors.

Policy Context

Before discussing any efforts towards enhancements, however, it helps to get situated in the policy landscape surrounding ICFR.

Since 1977, federal law has required public companies to establish and maintain a system of internal control that provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with generally accepted accounting principles. In the wake of Enron and other turn-of-the-century accounting scandals, the Sarbanes-Oxley Act of 2002 (SOX) added a requirement, SOX 404 (a), that management at most public companies annually assess the effectiveness of the company’s ICFR and report the results to the public. SOX 404(b) requires most large public companies to engage their independent auditor to audit the effectiveness of the company’s ICFR.

Another key milestone: Following the implementation of SOX 404 internal control reporting, the Public Company Accounting Oversight Board (PCAOB) in May 2007 adopted its Auditing Standard No. 5 (AS 5). This standard required that public company auditors take a top-down, risk-based approach to their assessment of management’s report on ICFR. AS 5 was designed to be scalable to the size and complexity of businesses. The following month, the SEC issued management guidance that instructed companies on their ICFR responsibilities.

ICFR's "Perfect Storm"

Despite the adoption of AS 5 and the SEC’s management guidance, concerns have simmered around ICFR. "We are currently in a 'perfect storm' in the area of internal control over financial reporting," declared PCAOB Board Member Jeannette Franzel in March 2014.

Indeed, for several years, the PCAOB repeatedly has expressed concerns about the number and significance of deficiencies identified in firms' ICFR audits. Many of the PCAOB’s recent inspection findings focus on a failure of the auditor to provide persuasive evidence that ICFR is operating effectively. For its part, the SEC also has drawn attention to management's role in effective execution of ICFR.

Meanwhile, ICFR concerns and frustrations also have simmered at companies. Frustrations reached a peak in May 2015, when the U.S. Chamber of Commerce sent a letter on behalf of the preparer community to PCAOB Chairman James Doty and the SEC Chief Accountant James Schnurr. The 19-page letter raised issues about the extent of testing being performed and level of documentation being requested by the auditor, specifically with respect to management review controls. In addition, the letter highlighted the preparer community’s view that audits of ICFR are being conducted with a checklist mentality, resulting in management and auditors spending time testing non-key controls and performing and documenting unnecessary procedures.

Another concern voiced by the preparer community is a lack of clarity on what is sufficient in terms of management review controls, their precision, and documentation, as well as a disconnect between SEC guidance for management for ICFR and the requirements of the auditor under AS 5.

Rays of Sunlight: Recognition that Communication is Essential

Yet in this perfect storm, we've seen shafts of sunlight breaking through the clouds recently. One has been a renewed commitment to improving the communication that is essential—and achievable—in tackling ICFR challenges. Following the U.S. Chamber's letter, all parties came together with regulators to voice concerns, share ideas, and reignite robust conversation around ICFR.

A key point: auditors must be able to articulate the "why" of what they are doing. The auditing profession is dedicated to making sure their professionals are prepared to communicate with management and provide answers about their testing methodology that makes sense, is not overly technical, and describes how it contributes to the quality of the audit.

In turn, this communication can facilitate a beneficial conversation between management and the auditor—one in which both sides can learn something. What is a particular control trying to accomplish? What evidence is the auditor trying to obtain with respect to testing the control?

Audit committees can facilitate this dialogue, as can chief audit executives (CAEs) or internal audit executives. With their unique appreciation for both the processes and controls of the company as well as their own testing approach for them, CAEs can serve as a useful third-party contributor in these conversations—whether by helping the external auditor explain something to management (e.g., why there is a need to test lower-level controls, why the documentation management has for a specific control may be insufficient for audit purposes), or by helping the auditor understand management’s processes and control environment.

Rays of Sunlight: Recognition of the Proper Use of Checklists

About those checklists: As noted, some preparers have criticized auditors for overreliance on checklists and applying the same level of procedures and requiring the same amount of evidence for all controls in a company’s ICFR environment, regardless of the risk of material misstatement that the control is designed to prevent or detect—or without consideration of other controls that are designed to address the same risk.

However, it's important to note that in developing a standardized approach for auditing internal controls, auditors have found checklists and templates to be a helpful tool for engagement teams. Likewise, PCAOB inspectors have confirmed that the use of checklists and templates has contributed to improvements in recurring areas of audit deficiencies.

The takeaway? Templates and checklists can be very effective to understand management’s process—when used appropriately. However, they are not a substitute for applying judgment on the persuasiveness of audit evidence to suit the level of risk. Audit strategy with respect to ICFR—and generally speaking—should be scaled, top-down, and risk-based. This approach can be supplemented by templates and checklists, which can help drive good audit practices when used based on the weight of an individual area and its importance to the entire audit.

Rays of Sunlight: Leveraging the Audit Committee

The financial reporting process is one characterized by intersecting roles among key parties. Given their role of overseeing the financial reporting process, audit committees can act as useful intermediaries in managing expectations and facilitating communication. On several topics—including differing views on risk assessment, population of controls, the nature and extent of documentation for management review controls—the audit committees may want to engage in the conversation. This dialogue will be especially necessary and helpful when differences arise between the views of auditors and management.

Simple Ways to Address a Complex Issue

We can end where we began: with the simple observations that ICFR is (1) critical for investors and (2) challenging. Equally simple are strategies that can help all of us weather ICFR storms, perfect or otherwise: communicating robustly, prioritizing judgment over one-size-all approaches, and leveraging key players (like audit committees and chief audit executives) in the financial reporting process. All of these are steps towards effective ICFR and the maintenance of healthy companies and capital markets.

A securities lawyer, Cindy Fornelli has served as the Executive Director of the Center for Audit Quality since its establishment in 2007.

This post originally appeared in the second quarter 2016 edition of Ethisphere magazine.