control, and governance
Extended Update Q&A
A Perfect Storm
PCAOB Board Member Jeanette Franzel shares her personal views on internal audit’s role in financial reporting and implementation of COSO 2013.
Does the updated COSO Internal Control–Integrated Framework present an opportunity to improve internal and external audit’s assessments of internal control over financial reporting (ICFR)?
I have recently referred to this opportunity as the “perfect storm” in internal controls. Management and internal auditors are navigating COSO 2013 at the same time that audit firms are responding to Public Company Accounting Oversight Board (PCAOB) inspection findings in their audits of ICFR. I have heard a number of participants in the financial reporting and auditing chain admit that they have “dropped the ball” on internal controls over the past few years. It is time to take a fresh look to ensure that the internal control regime is providing the intended value and benefits while safeguarding against threats.
Are there certain deficiencies commonly found in ICFR audits that internal audit should give more focus?
In October 2013, the PCAOB issued Staff Audit Practice Alert No. 11, Considerations for Audits of Internal Control Over Financial Reporting, which lists some of the commonly found deficiencies in audits of ICFR. Many of the deficiencies occur when the auditor does not obtain the understanding of the company’s system of internal control that is needed to identify and sufficiently test controls that are intended to address the risks of material misstatement. Internal audit, meanwhile, is a logical, high-value resource to help address this problem. Internal auditors are resident experts in their companies’ operations and financial processes and are aware of changing conditions and risks that impact their companies. This puts internal audit in a unique position to provide comprehensive and dynamic input to the external auditor’s process of identifying and testing controls.
What are the dangers associated with taking a checklist approach to map controls to the COSO principles?
Professional and expert judgment is needed in using a top-down, risk-based approach to assessing the effectiveness of internal control over financial reporting (ICFR). Such an approach needs to be tailored to each company’s circumstances when evaluating whether the system of internal control provides reasonable assurance that material misstatements will be prevented or detected. When used properly by competent personnel, checklists can enhance decision-making by adding structure and providing a mechanism for thorough consideration of criteria and risks. However, there is a downside with checklists. Of concern is staff without the appropriate experience relying too much on checklists and even viewing them as the end product.
How can internal audit support management in its implementation and assessment of internal controls?
The role and actions of internal audit can help ensure that management’s process and assessment are credible and complete. Specifically, internal auditors can add value by providing expertise and assistance in identifying financial reporting risks, determining the significant accounts and key controls for testing, and assessing and reporting on ICFR. This puts internal audit in a good position to help resolve any gaps or differences between management’s process and the approach taken by the external auditor. This should help make the internal and external processes more efficient and effective and help prevent unanticipated problems during the external audit. This approach also uniquely positions internal audit as a key resource to the audit committee in its oversight of ICFR.
How does your knowledge of the internal audit profession in general, and The IIA specifically, better inform you in your role as a PCAOB board member?
Internal auditors play a key role in an organization’s governance and control systems by providing objective assurance and evaluation with the goal of ongoing improvement. While at the U.S. Government Accountability Office (GAO), I had the opportunity to coordinate with numerous internal audit organizations as well as most of the federal Inspectors General. I have seen the important work done by internal audit organizations, and have relied on that work during the course of GAO audits. As a PCAOB board member, I clearly see the value that internal audit can provide in strengthening companies’ ICFR processes and external audits. In this respect, we have complimentary roles in protecting investors and the public interest.
The views expressed by Franzel are her own and should not be attributed to the PCAOB as a whole or other Board members or staff.