PCAOB to Auditors: Focus on the CFO

A new guidance by the audit oversight board shows how finance chiefs can either buttress or make a hash out of a small company's internal controls.
David KatzJanuary 23, 2009

A sharp and experienced CFO with broad knowledge of a small company’s operation can make for a much easier and cheaper audit of the company’s internal controls over financial reporting. An unruly finance chief, however, can wreak havoc on the controls of a tiny firm.

Through pithy scenarios, a Public Company Accounting Oversight Board staff guidance issued today reveals such down-home wisdom about the crucial role of the CFO in the audit process.

Aimed at helping independent auditors adapt their controls audits to the size and complexity of the company, the PCAOB guidance is an instruction manual designed to accompany Auditing Standard No. 5, “An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements.”

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

In 2007, that amply titled standard replaced AS 2, the controversial stricture issued in tandem the Sarbanes-Oxley Act’s Section 404, which governs corporate internal controls. Both the auditing and accounting measures were roundly criticized as being overly costly and burdensome to smaller public companies.

In an attempt to correct what many saw as a bias against small companies, the PCAOB sought, in AS5, to direct auditors to make their audits of internal controls “scalable” to the size and shape of the company. Today’s guidance makes clear that many smaller companies should be treated differently than larger companies because of the clear differences between them.

Because smaller companies tend to have simpler business processes and financial reporting systems, fewer business lines, and more centralized accounting functions, they demand different treatment from the auditor, according to today’s guidance. And in citing two other differences — more intense involvement by senior management in day-to-day business activities and fewer management levels, “each with a wide span of control” — the PCAOB’s staff suggests that auditors should focus more on the CFO when checking out a small company’s controls.

In one hypothetical case geared to show auditors how to check out a small firm’s controls over bank reconciliations, for instance, the oversight board zeroes in on the finance chief of“a small public video game developer [that] conducts business in the United States and other countries, requiring the company to maintain a multitude of bank accounts.”

If the auditor finds the CFO an effective monitor of checkbook-balancing, the company could save on audit fees. According to the example, the finance chief of the fictional company, a seasoned accountant, reviews the bank reconciliations prepared by a staff accountant to find out if they’re timely and accurate. “If the auditor concludes that the CFO’s review is effective, she could reduce the direct testing of the reconciliation controls, absent other indications of risk,” according to the guidance.

Sometimes the controls that small-company CFOs can supply on their own link up with other needed controls, such as information technology. In one such scenario, used to instruct auditors how to assess payroll-processing controls, an alternative-fuels manufacturer has a diverse group of employees, including union workers, supervisors, managers, and executives, and runs two shifts that work six days a week.

The company has a simple reporting structure and a finance chief who has been with the company for a decade and has a close familiarity with the company’s workflows and budget and reporting processes. Because of those factors, the CFO can quickly catch “any sign of improprieties with payroll and their underlying cause,” according to the PCAOB guidance. Based on that assessment, the auditor can sign off on the company’s ability to detect payroll-processing misstatements.

But the auditor also learns that that particular internal control also depends on reports produced by the company’s IT system, “so the CFO’s review can be effective only if controls over the completeness and accuracy of those reports are effective,” according to the PCAOB. “After performing the tests of the relevant computer controls, the auditor concludes that the review performed by the CFO, when coupled with relevant controls over the reports, meets the control objectives,” the oversight board’s staffers report.

But woe to a startup with a flawed CFO. Another of the PCAOB’s scenarios involves “a development stage company” with no sales as yet. The firm, engaged only in research and development, has a tiny finance department consisting of just a finance chief and an accounting clerk. “Its accounting records consist of a checkbook and payroll records, and the company has no documentation of policies and procedures,” according to the PCAOB. “Most of its controls are undocumented supervisory checks by the CFO.”

Then, after a dispute with management, the CFO leaves, and the clerk is fired. How’s an auditor to sort through such a mess? Impossible, is the short answer. “The auditor’s report on internal control over financial reporting contains a disclaimer of opinion and disclosure of the substantive reasons for the disclaimer,” the PCAOB’s staff posits. Lacking a stable finance chief, the startup’s prospect seem dim.