Indeed, some auditors, regulators, and CFOs expect the external corporate audit — long a mainstay of corporate financial reporting — to be altered and deepened over the next few years. Some say they're seeing changes already. Below, we look at five of the most striking shifts on the audit horizon.
1. Closer Scrutiny of Internal Controls
The first shoe dropped last August 29, when CEOs and CFOs at selected public companies certified that their financial statements were adequate. Since then, senior executives have been signing off on internal controls on a quarterly basis.
Now auditors will join their clients at a signing party involving annual reports. Under Section 404, auditors must OK management's yearly controls assessments. In a rule proposed last October by the Securities and Exchange Commission, the annual signoff would have started to apply to companies whose fiscal years end on or after September 15. But when the commission got around to issuing its final rules, many senior managers got a breather: The internal-controls signoffs will actually start at companies with fiscal years ending on or after June 15, 2004.
Still, while some of the pressure's been relieved, there's a whole lot of work to do at companies both large and small in what amounts to a little over a year. Managers at pharmaceuticals giant Eli Lilly, for instance, are toiling to make sure that checks and balances are in place and well documented at all the company's subsidiaries, says Arnie Hanish, Lilly's chief accounting officer.
Similarly, executives at Exponential Inc., a small company that owns 26 pawn shops, are struggling to find ways to restructure tasks among employees, says Bob Schleizer, a Tatum Partners consultant who's Exponential's acting CFO. It's a challenge to keep duties separate, since Exponential has just ten home-office employees among whom to divvy up the tasks.
What's more, some finance executives and auditors are befuddled about how to test internal controls — and are likely to be befuddled for quite a few months more. That's because the PCAOB hasn't yet issued a rule on the matter or set a timetable for doing so.
Still, the committee's audit chief knows the general direction he'd like the rule to take. Carmichael wants "greater specificity" in the controls guidance, he says, "but not as much as in other cases, because what AICPA has done is relatively thorough." (In March, the accounting institute, which already had a standard in place, issued an exposure draft of a new standard on internal-control reporting.)
In hatching the new guidance, Carmichael says he will focus on "major policy issues." He expects to retain much of the nuts and bolts of the AICPA's work, such as details about how to choose which locations to visit for internal-controls checks.
Absent PCAOB guidance, however, accounting firms have been auditing at least partly in the dark. "We're in a time warp, with people waiting for the rules," says Ellen Masterson, global leader of audit methodology at PricewaterhouseCoopers. "And we're stating, 'you can't be waiting for the rules.' "
Nevertheless, it's clear that Section 404 has spawned a real change in audit priorities. With the buildup in accounting complexity over the last two decades, auditors have been spending much more time on corporate compliance with generally accepted accounting principles, according to Masterson. "I'm not saying we're going to reduce that amount of time," she says. "But if we had to shave time out, sometimes it was the time [involved] with understanding the controls within the company."
Not anymore. Now, auditors are demanding densely detailed flow charts and narratives describing control activities. Even executives at companies with decent controls are finding it a pain to document them. The result? A pile of mostly unexpected work to be done in a New York minute. "You're talking culture shock for a lot of them," Rosen, the partner in charge of auditing and accounting at Eisner LLP, says of his clients. "I don't think they grasp the amount of work that needs to be done for Section 404."
Take a relatively simple example: making sure that employees who true up company bank accounts don't have access to cash records. Such a procedure can help make sure that a worker "can't steal cash and then cover it up," Rosen notes.
But that's only the beginning. Once the control is set up, management must check that it works, document it, and see that a high-level executive monitors it regularly. "Multiply that by every aspect of business: purchasing, sales, payroll, inventory," and you get an idea what needs to be done at many companies, Rosen notes.
On top of all that, management's got to amass internal-controls data so that auditors can see and understand it. At Eaton Corp., a diversified manufacturer, internal controls have long been handled locally, and "without visibility on the part of the corporate office or the engagement partner's line of sight," says Billie Rawot, the company's controller.
Now Eaton executives plan to assemble a massive controls database that Ernst & Young, the company's external auditor, can tap into. Eaton has hired another accounting firm to piece together a "formal, centralized, systematic repository of internal control information," Rawot says.

