PCAOB Clarifies SOX Compliance Rules

Yesterday the Public Company Accounting Oversight Board (PCAOB) issued its response to concerns that Sarbanes-Oxley Section 404 requirements were onerous, unwieldy, and just too expensive. The PCAOB published a policy statement that affirmed the goals and requirements in the regulations implementing Section 404, which requires that public companies have effective internal controls over financial reporting and requires that an independent auditor provide an opinion regarding the effectiveness of these controls. No surprise there.

What was more interesting and important was that the PCAOB did acknowledge that many first year audit efforts were inefficient and too expensive. The important parts of the statement called for a top-down, rather than bottom-up, approach to internal control assessment. The PCAOB also made important clarifications about the kinds of interactions between auditors and the companies that they audit that are permissible and useful.

Understanding this business about "top-down" and "bottom-up" is easier if you put it in the context of how auditing practice has developed over time. Without that big picture perspective, Section 404 and the PCAOB statements sound like a lot of accounting jargon. But, given the perspective, it is easier to see that we are talking about some fundamental changes--and about expense and confusion emerging from not getting the changes right during this past year.

A long time ago, back in the 1930s, audits consisted of checking the numbers. You looked at individual transactions to make sure that the numbers were right and you looked at how transactions added up to the balances presented in the financial statements. "Yep, it adds up -- so it looks good to me." This is "bottom-up" auditing, and it failed spectacularly in the case of fraud at McKesson-Robbins, uncovered in December, 1938.

The impact of the McKesson-Robbins scandal on the way that companies report financial position--and on the way that auditors check on those reports--was larger than the present day impact of Enron and WorldCom. It resulted in two big changes to auditing. The first was that the accounting profession began to regulate itself more closely. In particular, auditors had to begin to adhere to professional standards--set by the profession as a whole--in conducting an audit. The accountant's professional judgment, standing alone, was no longer good enough. That professional judgment and the processes used to reach it were, after 1939, constrained by professional standards. Yesterday's PCAOB statements are direct descendants of this work that began in 1939.

The second big change, which was expressed within the professional standards, was that accountants had to approach an audit by looking first at the big picture and the big questions--What is material here? Where are things most likely to go wrong?--and to use that "big picture" context to guide decisions about which details to examine. This is "top-down" auditing.

You should notice that there is substantial tension between these two outcomes. On the one hand, the auditor's judgment is being constrained by standards set by others. On the other hand, the focus on use of professional judgment, rather than just adding up the numbers, is strengthened by the emphasis on a top-down approach. There is constraint on the range of judgment at the same time that there is increased demand for exercise of judgment. This tension is still central to auditing today, and is, in fact, what much of the PCAOB statement is all about. But ... I am getting ahead of myself.

After the Second World War, the concern with auditing from the top-down led to greater interest in internal controls. Top-down auditing starts with the question of where the risks are. If an organization has good systems in place to control the recording and processing of transactions, then an auditor can reasonably assume that the risk of misstatement is reduced to the extent that these are, in fact, well designed systems that are used as intended. What this meant was that internal controls emerged as a way to reduce the cost of an audit. Testing internal controls was often quicker and cheaper than testing the details of transactions and balances, and so was a way to save time and money.

That is how auditing worked for the last fifty years or so--up until Sarbanes-Oxley Section 404. The goal of the audit was to render an opinion about the likelihood of misstatement within an organization's financial reports. If the auditor saw an opportunity to get to this goal more quickly and less expensively by relying on tests of internal controls, he or she was free to use those tests in place of digging into the details of transactions. On the other hand, if the auditor decided that the internal controls were weak--or that they would be difficult or expensive to test--then the auditor could just ignore the internal controls and dive right into the tests of details of transactions and balances. The testing of internal controls was a means to an end, and not an end in itself.

Sarbanes-Oxley changed that. The logic behind the new law went something like this: "Hey, internal controls are not just a good thing for audits. That view obscures their real purpose, which is to help companies prevent and detect internal problems long before they become external problems. Internal controls are really valuable in their own right, not just as a way to save time and money in an audit."

Well, yes, of course. And, so, the old days of testing internal controls--if at all--only to the extent necessary to support the auditor's opinion about the financial statements came to an end. Now, in addition to providing an opinion about the financial statements, the independent auditor also had to produce an opinion of the effectiveness of internal controls. The PCAOB's idea was that this could be done as an "integrated audit." Rather than doing an old-style audit on financial statements and then doing an entirely separate attestation on the effectiveness of controls, the auditor could combine the two activities.  After all, auditors were already looking at some of the internal controls to render an opinion on the financials, and the quality of the financials, in turn, could tell you something about controls.  This should be win-win ... right?

Apparently not. Yesterday's policy statement from the PCAOB is, in part, an effort to address the fact that integrated audits have not worked out as planned. It addresses three problems that have gotten in the way of the win-win scenario.

The first has to do with the question of integration. The PCAOB statement says that accounting firms admit that they have not fully integrated the internal control audit with the financial statement audit. They have been duplicating, not reducing, the amount of work. The PCAOB cites a study by accounting firms estimating that costs will be reduced by an average 46% next year due to better integration.

The second problem takes us back sixty years to the basic question in an audit: "What do we look at?" After McKesson-Robbins, the answer has been that you work top-down, assessing risk so that you look at only what you need to look at to formulate an opinion on the financials. But, with the new focus on testing internal controls as an end, not just as a means, the question has reemerged: "What do we look at, if we are looking at controls themselves, rather than just as support for the financial statement opinion?" Apparently, some firms have decided that the answer to this question must be "Everything," and have fallen right back into bottom-up testing of all controls, at all levels of detail.

Well ... no wonder these audits have been so expensive. Companies have complained of auditors appearing on site with one-size-fits-all checklists of controls, and an audit process that has apparently consisted of checking off the boxes. This is classic bottom-up auditing. It is not only expensive, but will, as with the case of McKesson-Robbins back in the 1930s, consistently miss the forest for the trees.

"No, no, no!" is the PCAOB's response to this.  If you look at the "Staff Questions and Answers" issued yesterday along with the policy statement, you will find that the first question and answer provides a painstakingly detailed description of just what "top-down approach" means. It is strange, in a way, that the PCAOB ends up having to explain such a basic, elementary auditing concept in a Staff Q&A. My own view is that the fact of the explanation is as important as what it says: The PCAOB is trying to make a point and wants no one to be able to claim that they missed it.

This is an important step. What the PCAOB is saying is that the audit of internal controls, just like the audit of financial statements, must be driven by professional judgment about where the risks are. It is not an investigation of every system, of all levels of significance, within an organization. It is, instead, an opinion that provides reasonable assurance that the systems are effective.  It will be interesting to see how this works out in practice--but this is a strong step.

The third problem addressed in the PCAOB statement is that auditors have apparently interpreted the new auditing standard as meaning that they had to do all the system testing themselves, and could not rely on testing already performed by a company's internal auditors. This is obviously redundant and expensive, and the PCAOB has now said that it is not necessary.

So ... yesterday's paper is an interesting, important policy statement. Here are a couple of my own observations and thoughts--not expressed in the PCAOB document, but emerging as I read it:

  • It appears that much of this unreasonable, unnecessary activity that we have witnessed over the past year could be just due to caution on the part of the accounting firms. There is no question that the liabilities related to potential shareholder lawsuits are substantial. Perhaps the accounting firms have just been playing it safe.  If that is the case, and really is an important source of the problem, the new PCAOB guidance should be a large step in the direction of correcting the problem.
  • These kinds of problems are not surprising in a first-year program. My bet would be that the evolution of audit practice will be rapid over the next few years, and that much of this expense and difficulty will go away.
  • This top-down vs. bottom-up business seems related to the "see the forest AND see the trees" concerns that I have been writing about both in postings on compliance and with regard to the potential use of XBRL.  There could be an opportunity for XBRL vendors to jump in here.

In any case ... take a look at the PCAOB policy statement. It is quite readable ... as well as being important for companies struggling with compliance issues and for vendors supporting compliance work.

2 Comments

This is a good post. I disagree, however, that it is strange that "the PCAOB ends up having to explain such a basic, elementary auditing concept" as top-down auditing.

It is not strange at all when one considers some of the 404 implementation issues that have been reported. In one report, for example, the same auditor that insisted on "rotated user passwords" for all employee computers also simultaneously accepted un-approved, non-segregated, unlimited-account direct journal entries at various satellite locations, provided they were not beyond a specific threshold ($5000) - because managers did not wish to be inconvenienced! Well obviously such an auditor has no idea whatsoever which of these two business activities presents the greater risk to the financial statements.

The fact of the matter is that auditors, as a group, are petrified of challenging management in areas where the risk (to the auditor) of actually discovering some malfeasance might be high - so they are spending their time at the margins.

By re-focusing on material risk as it relates to financial statements, the PCAOB is taking a first step toward obtaining the needed improvement in auditing.

Again, it is not that this has not been the generally accepted approach in auditing literature, it is just that the profession has not been doing it.

Thanks for your comments, Tom. Perhaps I should have used the word "ironic" rather than "strange."

Your story is a great example of how someone can miss the forest by paying too much attention to the trees -- in this instance, maybe not even seeing trees, either.

-- Bill
