We have yet another report today depicting the tensions companies face when building internal control over financial reporting, including the enduring suspicion that many audit firms raise questions about internal controls simply to look good to the Public Company Accounting Oversight Board.
The report, released Tuesday by Financial Executives International, interviewed 145 financial reporting executives at large corporations over the course of 2020. It touches on where businesses get guidance to develop their internal control over financial reporting (ICFR), which internal controls are most difficult to implement, and how companies navigate disagreements with their auditors about control deficiencies. (The report is free to FEI members; for everyone else it costs $200.)
The part about the PCAOB is interesting because (a) that has real implications for internal auditors and controllers, driven crazy by audit firms demanding extensive documentation of internal controls; and (b) this complaint about audit firms and the PCAOB has been around pretty much since the PCAOB was established in 2003. We still can’t get past this? Really?
Apparently not, because the FEI report interviewed numerous financial reporting executives who said (anonymously, of course) that when they push back forcefully enough against auditors demanding controls documentation, almost inevitably the auditors admit they’re only asking for the documentation to cover their own behinds with PCAOB audit inspectors.
One FEI respondent’s quote captured the state of affairs nicely: “There are times for sure, where we’re doing things … purely to help the auditors get a level of documentation they need. They’re like, ‘Yeah, I hear you. I agree with you. But I need more to be able to document this [for the PCAOB].’”
The fundamental tension here is that audit firms do have a tangible set of standards from their regulator, the PCAOB, telling the audit firms what is or isn’t acceptable for ICFR. Audit firms can then point to those standards and tell clients, “Thou shalt take this step for ICFR, or else!” (This has become only more true since the pandemic, and the many challenges it poses to ICFR and financial audits.)
The only comparable guidance corporations have is a relic the Securities and Exchange Commission issued in 2007, to help management prepare its required report on ICFR. It’s nothing sophisticated enough that companies could use it to fire back to their auditors, “Thou shalt buzz off! One’s ICFR is satisfactory for one’s own operations.”
Where ICFR Comes From
So where do financial reporting executives seek guidance on ICFR, since the SEC material isn’t helpful? A solid majority of FEI survey respondents said they rely on the COSO internal control framework, last updated in 2013; fully half the respondents said they use the COSO framework “very much.”
That shouldn’t be a surprise, since SEC rules do cite the COSO framework as an example of how companies could build effective internal control. Everyone just took that recommendation as gospel, and COSO has been a primary source of ICFR advice ever since.
After the COSO framework, the next most common sources of guidance for ICFR were a company’s own internal audit team (cited by 49 percent of respondents) and its external auditors (cited by 38 percent). Respondents also stressed, however, that they brought their external auditors into those ICFR conversations early, to avoid awkward conversations later. From the FEI report:
Getting external auditor input early on kept executives from expending time and resources just to have the external auditor disapprove of the changes. One executive explained this dynamic saying, “Internal auditors [come up] with a proposal on … what controls [need] to be in place [and executives] generally form [their] own preliminary conclusion.”
Again, this shouldn’t be news to ICFR teams. If you’re not looping external auditors into your conversations from the start, you’re doing it wrong.
That said, these conversations aren’t a cure-all. First, external auditors can always dodge a tough question by citing the need to preserve their independence — which is a fair point, but that doesn’t help you to resolve murky ICFR questions. Moreover, you’re still mired in the deeper question of whether guidance from your external auditor truly helps to build the best ICFR system for your business, or just the best ICFR system to help the auditor placate pesky PCAOB inspectors. Those aren’t the same thing.
Where Companies Want More Help
The FEI report also asked ICFR teams about which issues are most problematic, where more guidance would be helpful. Figure 1, below, shows the top eight.
Once more, with feeling: this should not be a surprise to anyone who’s been paying attention. Most of these issues drive at giving companies more ability to push back against auditors, who might be claiming that an internal control is deficient, or designed poorly, or not remediated to the proper extent, or whatever. The dilemma for companies is that they don’t have a sufficiently strong body of guidance, independent from the audit firm, that companies could use to justify their own conclusions.
We also have Figure 2, below, showing which specific issues prove most challenging for internal control.
In an ideal world, we could hope that the SEC under new Biden Administration leadership will update that 2007 guidance on ICFR. In our real world I’m not sure that will happen, given that SEC chairman-designate Gary Gensler has a busy agenda already with vigorous enforcement, new disclosures for climate change risks, rules for fintech, and lord knows what else.
(Don’t hold your breath for new guidance from COSO, either. These days it’s more interested in highly focused guidance on subjects like blockchain, compliance, or artificial intelligence.)
Where does that leave ICFR teams? Still a bit lost, and still at the mercy of external auditors pushing you around for more testing, documentation, and remediation.
Hmmm. Maybe I shouldn’t be surprised that people have been complaining about this state of affairs since 2004 after all.