The PCAOB has released its latest inspection report for Deloitte, finding that 20 percent of the audits examined were flawed enough to question whether auditors had reached defensible conclusions.
This is the first inspection report we’ve seen this year for a Big 4 firm, and also the first one issued since new leadership took over the PCAOB last year. Inspection reports always make for interesting reading anyway, since they offer hints at how the audit firms might handle your audit engagement, based on how the PCAOB is inspecting their work. In theory, if your business is similar to the flawed audits dissected in your audit firm’s inspection report, you can anticipate what your audit firm might demand for evidence and testing next time it sets up camp in your conference room.
What did the PCAOB find with Deloitte? In brief…
- The PCAOB examined 55 audits performed in 2017, on clients’ financial activity that happened in 2016. Inspectors flagged 11 of those 55 audits as so problematic that “it appeared to the inspection team that [Deloitte], at the time it issued its audit report, had not obtained sufficient appropriate audit evidence to support its opinion.”
- Of those 11 problematic audits, seven had deficiencies relating to poor testing of controls that included a management review element.
- Six of the 11 audits had deficiencies relating to revenue recognition, including recognition of deferred revenue.
None of that is surprising. Management review controls have been a sore point with CFOs and corporate accounting departments for years, especially since the SEC has not updated its guidance about management controls since 2007. Financial systems have changed enormously since then, so we’re all stuck poring over inspection reports and speeches from SEC or PCAOB officials, trying to infer what an effective management review control should look like absent any clear, modern guidance from the SEC.
Nor is it news that deferred revenue, especially if it stems from “multiple-element arrangements” such as a long-term contract for equipment and services, can drive audit and accounting teams totally bonkers. That will likely become only more true for audits done this spring, under the new revenue recognition standard the companies had to implement last year.
Testing Tricky Controls
One good example of the challenge is “Issuer A,” a financial services firm where Deloitte flubbed the audit of internal control over financial reporting. A significant chunk of the financial firm’s portfolio were so-called Level 3 investments — financial instruments that rarely trade on the open market, so companies typically estimate their value through models rather than historical pricing data.
Deloitte tested three controls related to the portfolio:
- A review of the issuer’s valuation guidelines, which set forth a range of possible assumptions to be used to value these investments;
- A review of the reasonableness of the specific assumptions used in the valuation of these investments, including an evaluation of whether the assumptions were consistent with the issuer’s valuation guidelines.
- Meetings to review and approve the conclusions resulting from the second control.
Those were all controls the financial firm implemented, to assure that its Level 3 investments were valued appropriately. Deloitte’s testing of those controls consisted of asking about those reviews and inspecting some documentation (meeting minutes, approval forms, and so forth).
Testing like that isn’t wrong per se; it just isn’t sufficient. But as more companies assign more value to financial statement items that don’t have objective, easy-to-see value — goodwill, intellectual property, thinly traded financial instruments — then weak testing like what we see with Deloitte and Issuer A will become a bigger problem.
Likewise, Issuer A also had some Level 2 assets on its books, where valuation is a mix of model estimates and market prices. The controls there were a set of four reports management reviewed that listed investments with missing, stale, or potentially unrealizable values. Deloitte tested the controls that generated those reports, but didn’t test the completeness and accuracy of three of those four reports.
Again: someone show me a future where management by data analytics will become less common. Because all I can see from here to the grave is increasing reliance on analytics, which really is just a whole wide world of management review controls. So attention to them, and the controls that govern them, will only become a bigger thing.
Which all means that the people who design and test controls for that world (both internal and external auditors alike) will need to think that much harder about what assurance and effective internal control should look like.
Deloitte Inspection in Context
As much as we all like to complain about Big 4 audit firms and their fees, we can’t use this inspection report to clobber Deloitte too much. First, the report only inspected 55 audits; that is a drop in the well of work that Deloitte does. We have no idea how many of Deloitte’s audits were deficient overall.
Second, this inspection report is simply old. The corporate financial statements under its scrutiny are nearly three years old now. Heck, the inspection report flagged six audits as problematic for a revenue recognition standard that doesn’t even exist any more.
This inspection report is simply old. More than anything else, this inspection report shows just outdated the entire PCAOB inspection process is.
So while we can pick over some specific examples like Issuer A, to show how they represent larger trends in audit and internal control that we’ll all need to confront sooner or later — more than anything else, this inspection report shows just outdated the PCAOB inspection process is.
The good news is that current PCAOB leadership knows this, and wants to change the inspection process. The bad news is that nobody knows what that better process might be, and it’s always possible said process might veer into something more favorable for audit firms than for investors. I would watch PCAOB chairman Bill Duhnke and board member Duane DesParte for clues; Duhnke because he’s the chairman with the power, DesParte because so far he seems to have said the most about possible changes.
Soon enough, inspection reports will arrive for PwC and Ernst & Young, and in all likelihood we’d be able to make exactly the same points we did with Deloitte.
The inspection report you really want to read will be KPMG’s, because that’s the firm implicated in an insider information scandal with former PCAOB staffers. The staffers leaked advanced intel to KPMG partners about audits slated for inspection, and in exchange KPMG gave the PCAOB insiders cushy jobs at the firm.
Huge scandal, disgraceful behavior, indictments, guilty pleas. That all came into public view last year, based on misconduct from prior years. So whenever KPMG’s next inspection report comes out (the last one was published November 2016), it should include audits from that contaminated period. That’ll be one document worth a close review.