Yesterday the Public Company Accounting Oversight Board (PCAOB) issued its
response to concerns that Sarbanes Oxley Section 404 requirements were onerous,
unwieldy, and just too expensive. The PCAOB published a policy
statement that affirmed the goals and requirements in the regulations
implementing Section 404, which requires that public companies have effective
internal controls over financial reporting and requires that an independent
auditor provides an opinion regarding the effectiveness of these controls. No
surprise there.
What was more interesting and important was that the PCAOB did acknowledge
that many first year audit efforts were inefficient and too expensive. The
important parts of the statement called for a top-down, rather than bottom-up,
approach to internal control assessment. The PCAOB also made important
clarifications about the kinds of interactions between auditors and the
companies that they audit that are permissible and useful.
Understanding this business about "top-down" and
"bottom-up" is easier if you put it in the context of how auditing
practice has developed over time. Without that big picture perspective, Section
404 and the PCAOB statements sound like a lot of accounting jargon. But, given
the perspective, it is easier to see that we are talking about some fundamental
changes–and about expense and confusion emerging from not getting the changes
right during this past year.
A long time ago, back in the 1930s, audits consisted of checking the numbers.
You looked at individual transactions to make sure that the numbers were right
and you looked at how transactions added up to the balances presented in the
financial statements. "Yep, it adds up — so it looks good to me."
This is "bottom-up" auditing, and it failed spectacularly in the case
of fraud at McKesson-Robbins, uncovered in December, 1938.
The impact of the McKesson-Robbins scandal on the way that companies report
financial position–and on the way that auditors check on those reports–was
larger than the present day impact of Enron and WorldCom. It resulted in two big
changes to auditing. The first was that the accounting profession began to
regulate itself more closely. In particular, auditors had to begin to adhere to
professional standards–set by the profession as a whole–in conducting an
audit. The accountant’s professional judgment, standing alone, was no longer
good enough. That professional judgment and the processes used to reach it were,
after 1939, constrained by professional standards. Yesterday’s PCAOB statements
are direct descendents of this work that began in 1939.
The second big change, which was expressed within the professional standards,
was that accountants had to approach an audit by looking first at the big
picture and the big questions–What is material here? Where are things most
likely to go wrong?–and to use that "big picture" context to guide
decisions about which details to examine. This is "top-down" auditing.
You should notice that there is substantial tension between these two
outcomes. On the one hand, the auditor’s judgment is being constrained by
standards set by others. On the other hand, the focus on use of professional
judgment, rather than just adding up the numbers, is strengthened by the
emphasis on a top-down approach. There is constraint on the range of judgment at
the same time that there is increased demand for exercise of judgment. This
tension is still central to auditing today, and is, in fact, what much of the
PCAOB statement is all about. But … I am getting ahead of myself.
After the Second World War, the concern with auditing from the top-down led
to greater interest in internal controls. Top-down auditing starts with the
question of where the risks are. If an organization has good systems in place to
control the recording and processing of transactions, then an auditor can
reasonably assume that the risk of misstatement is reduced to the extent that
these are, in fact, well designed systems that are used as intended. What this
meant was that internal controls emerged as a way to reduce the cost of an
audit. Testing internal controls was often quicker and cheaper than testing the
details of transactions and balances, and so was a way to save time and money.
That is how auditing worked for the last fifty years or so–up until
Sarbanes-Oxley Section 404. The goal of the audit was to render an opinion about
the likelihood of misstatement within an organization’s financial reports. If
the auditor saw an opportunity to get to this goal more quickly and less
expensively by relying on tests of internal controls, he or she was free to use
those tests in place of digging into the details of transactions. On the other
hand, if the auditor decided that the internal controls were weak–or that they
would be difficult or expensive to test–then the auditor could just ignore the
internal controls and dive right into the tests of details of transactions and
balances. The testing of internal controls was a means to an end, and not an end
in itself.
Sarbanes-Oxley changed that. The logic behind the new law went something like
this: "Hey, internal controls are not just a good thing for audits. That
view obscures their real purpose, which is to help companies prevent and detect
internal problems long before they become external problems. Internal controls
are really valuable in their own right, not just as a way to save time and money
in an audit."
Well, yes, of course. And, so, the old days of testing internal controls–if
at all–only to the extent necessary to support the auditor’s opinion about the
financial statements came to an end. Now, in addition to providing an opinion
about the financial statements, the independent auditor also had to produce an
opinion of the effectiveness of internal controls. The PCAOB’s idea was that
this could be done as an "integrated audit." Rather than doing an
old-style audit on financial statements and then doing an entirely separate
attestation on the effectiveness of controls, the auditor could combine the two
activities. After all, auditors were already looking at some of the
internal controls to render an opinion on the financials, and the quality of the
financials, in turn, could tell you something about controls. This should
be win-win … right?
Apparently not. Yesterday’s policy statement from the PCAOB is, in part, an
effort to address the fact that integrated audits have not worked out as
planned. It addresses three problems that have gotten the the way of the win-win
scenario.
The first has to do with the question of integration. The PCAOB statement
says that accounting firms admit that they have not fully integrated the
internal control audit with the financial statement audit. They have been
duplicating, not reducing, the amount of work. The PCAOB cites a study by
accounting firms estimating that costs will be reduced by an average 46% next
year due to better integration.
The second problem takes us back sixty years to the basic question in an
audit: "What do we look at?" After McKesson-Robbins, the answer has
been that you work top-down, assessing risk so that you look at only what you
need to look at to formulate an opinion on the financials. But, with the new
focus on testing internal controls as an end, not just as a means, the question
has reemerged: "What do we look at, if we are looking at controls
themselves, rather than just as support for the financial statement
opinion?" Apparently, some firms have decided that the answer to this
question must be "Everything," and have fallen right back into
bottom-up testing of all controls, at all levels of detail.
Well … no wonder these audits have been so expensive. Companies have
complained of auditors appearing on site with one-size-fits-all checklists of
controls, and an audit process that has apparently consisted of checking off the
boxes. This is classic bottom-up auditing. It is not only expensive, but will,
as with the case of McKesson-Robbins back in the 1930s, consistently miss the
forest for the trees.
"No, no, no!" is the PCAOB’s response to this. If you look at
the "Staff
Questions and Answers" issued yesterday along with the policy
statement, you will find that the first question and answer provides a
painstakingly detailed description of just what "top-down approach"
means. It is strange, in a way, that the PCAOB ends up having to explain such a
basic, elementary auditing concept in a Staff Q&A. My own view is that the
fact of the explanation is as important as what it says: The PCAOB is trying to
make a point and wants no one to be able to claim that they missed it.
This is an important step. What the PCAOB is saying is that the audit of
internal controls, just like the audit of financial statements, must be driven
by professional judgment about where the risks are. It is not an investigation
of every system, of all levels of significance, within an organization. It is,
instead, an opinion that provides reasonable assurance that the systems are
effective. It will be interesting to see how this works out in
practice–but this is a strong step.
The third problem addressed in the PCAOB statement is that auditors have
apparently interpreted the new auditing standard as meaning that they had to do
all the system testing themselves, and could not rely on testing already
performed by a company’s internal auditors. This is obviously redundant and
expensive, and the PCAOB has now said that it is not necessary.
So … yesterday’s paper is an interesting, important policy
statement. Here are a couple of my own observations and thoughts–not
expressed in the PCAOB document, but emerging as I read it:
- It appears that much of this unreasonable, unnecessary activity that we
have witnessed over the past year could be just due to caution on the part
of the accounting firms. There is no question that the liabilities related
to potential shareholder lawsuits are substantial. Perhaps the accounting
firms have just been playing it safe. If that is the case, and really
is an important source of the problem, the new PCAOB guidance should be a
large step in the direction of correcting the problem. - These kinds of problems are not surprising in a first-year program. My bet
would be that the evolution of audit practice will be rapid over the next
few years, and that much of this expense and difficulty will go away. - This top-down vs. bottom-up business seems related to the "see the
forest AND see the trees" concerns that I have been writing about both
in postings
on compliance and with regard to the potential
use of XBRL. There could be an opportunity for XBRL vendors to
jump in here.
In any case … take a look at the PCAOB policy
statement. It is quite readable … as well as being important for companies
struggling with compliance issues and for vendors supporting compliance work.
This is a good post. I disagree, however, that it is strange that “the PCAOB ends up having to explain such a basic, elementary auditing concept” as top-down auditing.
It is not strange at all when one considers some of the 404 implementation issues that have been reported. In one report, for example, the same auditor that insisted on “rotated user passwords” for all employee computers also simultaneously accepted un-approved, non-segregated, unlimited-account direct journal entries at various satellite locations, provided they were not beyond a specific threshold ($5000) – because managers did not wish to be inconvenienced! Well obviously such an auditor has no idea whatsoever which of these two business activities presents the greater risk to the financial statements.
The fact of the matter is that auditors, as a group, are petrified of challenging management in areas where the risk (to the auditor) of actually discovering some malfeasance might be high – so they are spending their time at the margins.
By re-focusing on material risk as it relates to financial statements, the PCAOB is taking a first step toward obtaining the needed improvement in auditing.
Again, it is not that this has not been the generally accepted approach in auditing literature, it is just that the profession has not been doing it.
Thanks for your comments, Tom. Perhaps I should have used the word “ironic” rather than “strange.”
Your story is a great example of how someone can miss the forest by paying too much attention to the trees — in this instance, maybe not even seeing trees, either.
— Bill