PCAOB Board Member Clears the Air About SOX and the External Auditors

Norman Marks, CRMA, CPA, is an evangelist for better run business, focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. The views expressed in this blog are his personal views and may not represent those of The IIA.


Board Member Jeanette Franzel spoke on the 26th at the IIA’s GAM conference on the topic of “Effective Audits of Internal Control in the Current ‘Perfect Storm.’” The full text of her speech has been posted by the PCAOB.

She talked about a number of issues that I believe are important:

  1. Has the PCAOB released new guidance on how the external auditors should perform their assessment of internal control over financial reporting?
  2. Where the external auditors are saying they need to do more work because of new and specific requirements by the PCAOB, are they justified in that explanation?
  3. Should companies and their auditors use what I and others have called checklists (some call them templates, but that is semantics) that require all the COSO Principles to be satisfied without first considering whether there would be financial reporting risk should they not be fully satisfied?
  4. Have management and the internal auditors failed, in some cases, to adequately document, test, and assess key controls relied upon to prevent or detect a material misstatement of the financials? In other words, have the failures reported by the PCAOB in their October Staff Alert been caused, at least in part, by failures of management?

The answers are:

  1. No. She said “the PCAOB has neither changed the auditing standards nor introduced new rules for audits of internal control over financial reporting since the issuance of AS 5 in 2007.”
  2. If the external auditors had been performing their audit consistent with the requirements of AS 5, then the answer is “no”. They would have to do more work if they had previously fallen short, especially if those defects are in the areas discussed by the PCAOB in the October 2013 Staff Audit Alert*. In addition, Jeanette points out that some of the comments apparently made by certain external auditors are misleading.

“In some cases, audit firms have told issuers that the PCAOB insists on detailed procedures such as the use of "screen prints" to document certain systems-related features; or specifying the number of pages that must be involved in summarizing key controls; or that auditors must attend management meetings to observe certain controls in action. I assure you that the Board is not requiring procedures at that level of detail. AS 5 provides the guiding standard for ICFR audits.”

  3. Jeanette is very clearly opposed to the use of checklists (or templates) that do not first consider the level of financial reporting risk should there be any gap in the presence and functioning of the COSO Principles.

“... the PCAOB has heard from some issuers concerns that audit firms may take a checklist approach to the audit to map controls to the principles articulated in the 2013 COSO Framework. And we also have heard speculation that firms are taking such an approach because they are worried that PCAOB inspectors will inspect against the points in the 2013 COSO Framework.”

“I am concerned that a checklist approach to the 2013 COSO Framework would result not only in a missed opportunity to take a fresh look at management's and the auditor's approaches to evaluating and auditing internal control, but also that such an approach could increase the likelihood of missing new and evolving risks in financial reporting and the related auditing.”

“I will once again emphasize the importance of auditors following the top-down, risk-based audit approach in AS 5, along with the guidance in the Board's October 2013 audit practice alert, for conducting the audit.”

  4. Yes. As Jeanette says:

“Experienced auditors and financial statement preparers know that the ICFR audit is made more difficult if management's process is not as effective or well-documented as it should be. Effective and efficient solutions to some of the audit deficiencies found by the PCAOB may also require some improvements to both the issuer's and the auditor's process. I am concerned that, in some cases, the auditor's reaction is to "bolt on" a series of new audit steps when a more efficient and effective solution may require some tightening up of the controls on the part of management, in addition to changes to the audit procedures.”

I like the point made in the speech about the need for improved communication between management (and/or internal audit) and the external auditor. Personally, I think both sides are likely at fault: the external auditor for blaming the PCAOB (IMHO, without justification) and laying down the law to management, and management and internal audit for failing to challenge the external auditor. From what I hear, management (including the CAE and SOX program management) are not asking the external auditor to show them where the PCAOB examiner has said what is being asserted as a new requirement.

What do you think? I strongly recommend a careful read of the speech.

*BTW, I hope you saw my earlier post where I discussed the PCAOB Staff Alert.

Posted on Mar 29, 2014 by Norman Marks


  1. Norman; Thanks for drawing attention to the PCAOB remarks. It would seem to me however that, if some external auditors are deliberately misleading clients in the area of ICFR to justify higher hours or avoid alerting clients that their ICFR has been flagged as inadequate, stronger action than comments during a speech is warranted. I believe one way to correct the type of deficiencies identified in the PCAOB October 2013 guidance would be to indicate COSO ERM 2004 and ISO 31000 are "suitable" frameworks. As long as the PCAOB restricts their list of approved frameworks to "control criteria centric" frameworks, with the 17-principle COSO 2013 being the de facto model, both clients and external auditors will continue to focus on the control criteria dimension in their assessments, instead of focusing on the statistically most probable risks clients face by business sector linked to reliable financial reporting. In my opinion, as the old saying goes, the PCAOB is reaping what it sows in its requirements and guidance. The argument that AS 5 clearly calls for methods that reflect best global practice in risk management is simply patently wrong.

  1. Tim, a few comments:

    1. This was not an official PCAOB speech. It was by a member of the PCAOB Board, speaking for herself (although I would be astonished if the full Board and staff disagreed).

    2. The Examiners did not say the external auditors were "deliberately misleading clients". While I know of companies whose auditors are telling them 'untruths', the auditors involved probably believe they are true statements because of what their leadership is telling them about the Gestapo examiners.

    3. Nobody's ICFR has been flagged as "inadequate". The audit of ICFR was flagged as inadequate: insufficient evidence was obtained to support the external auditors' assessment of ICFR.

    4. It is the SEC and not the PCAOB that recognizes internal control frameworks. They are bound by the law, SOX, to recognize internal control frameworks. However much I prefer ISO 31000 to COSO ERM, neither is an internal control framework and neither has been nor should be recognized.

    5. AS5 is not intended to call for "best global practice in risk management". It is intended to direct external auditors in their risk-based assessment of ICFR - and, by the way, the top-down process in AS5 and SEC Interpretive Guidance, and repeated in the Staff Alert, is consistent with ISO 31000.

  1. Norman; I understand the points you are making. My observations are based on the fact that my firm provides SOX 404 and Canadian equivalent services to clients and I, like you, have trained tens of thousands of SOX specialists since 2004. I regularly see evidence that the most statistically probable risks are not being identified and formally evaluated. A simple example is the risk "CFO/Controller technically not current with GAAP". How many internal SOX programs or external audit firms actually evaluate the professional development program followed by the CFO and controllership staff with specific focus on the actual training taken each year? Restatement statistics regularly show this to be a significant risk to materially reliable financial statements. Another example is "CFO and CEO collude to misstate the FSs". Perhaps these are seen as too sensitive to actually assess how good the controls are for this type of risk. Another example is the frequency that I see real research using tools like Audit Analytics to identify the most statistically probable material misstatements (not often). True risk management does not rely on "brainstorming" and sitting around a room throwing out ideas. It seeks to obtain fact-based information on risks. I haven't seen any specific guidance from the PCAOB that calls for the risk identification phase to go beyond brainstorming, interviews and discussion. The focus continues to be on control documentation and testing. Recent research indicates tax provisions are still a statistically high cause of restatements. That suggests ICFR work in that area needs improvement.

  1. Tim, thank you for the comments and explanation.

    The risk where the CFO/Controller is not technically qualified is the very first potential material weakness that I reported to the audit committee after I joined Maxtor as CAE, with SOX program management in my area. The risk is specifically identified in AS12 (one of the auditing standards released in 2010 that few in management seem to be familiar with).

    Collusion is a major issue, and fraud at the top has been a concern with every external audit firm I worked with as CAE. I believe that is one of the reasons why they always do their own review of journal entries posted around the time of the close.

    Here is the link, for those who have not seen them, to the 2010 auditing standards (all released in one package as appendices to this report): http://pcaobus.org/Rules/Rulemaking/Docket%20026/Release_2010-004_Risk_Assessment.pdf


  1. Thanks for sharing these points as perspective, Norman. 

    Appreciate you reiterating that the PCAOB has not issued new guidance or standards since AS5. I think that's the key point in this discussion and in my experience, management and auditors are not yet clear on this point.

    Very well summarized.
