A significant number of deficiencies occurred over the past three years in audits of internal controls, which can lead to inadequate disclosures in the financial statement audit, according to a practice alert issued last week by the Public Company Accounting Oversight Board (PCAOB).
The alert, which builds on a PCAOB general-inspection report released in December 2012 that found problems with audits of internal controls, said deficiencies exist throughout the audit process. Some of the defects are concentrated in identifying and sufficiently testing controls intended to address the risks of material misstatement and testing the design and operating effectiveness of management-review controls.
Other deficient areas include obtaining enough evidence to update the results of testing of controls from an interim date to a company’s year-end, and testing controls over a firm’s system-generated data and reports that support important controls.
Internal-control auditing, the board maintains, should be integrated with the audit of the financials. But often auditors “rely on controls to reduce their substantive testing of financial statement accounts and disclosures,” the alert said. PCAOB’s December report also flagged audit firm failures in mustering “sufficient appropriate evidence to support its opinion on the financial statements.”
While PCAOB’s December report used information from the annual inspections of eight publicly registered firms, the audit overseer found similar problems with audits of internal controls at other registered firms.
Defects in a firm’s information-technology system is also a possible cause of problem audits. “A company’s use of IT can significantly affect a company’s internal control,” it said, noting that automated controls can help prevent misstatements. But if a control selected for testing uses system-generated data or reports, the effectiveness of the control depends in part on the controls over the accuracy and completeness of the data or report.
It’s important to note, however, that “an IT control might not be intended to prevent or detect misstatements by itself, but it might impair the effectiveness of important IT-dependent controls if it were deficient,” the alert said.
Audit engagement partners and senior engagement team members should pay attention to the deficiencies in audits of internal control, according to the PCAOB. The board recommended that audit teams consider whether added training of their auditing personnel is needed to help them keep abreast of what’s going on currently in internal controls.
Audit committees were also flagged as needing to take a more active approach to audits of internal controls. In addition to requesting information from their auditors about potential root causes of internal-controls defects, “audit committees may want to inquire about the involvement and focus by senior members of the firm on these matters,” the alert noted.