Panel: Don’t Audit Low-level Risks

Roundtable participants debated the need for an external audit on controls that pose little risk to financial statements.
Marie Leone, May 10, 2006

See our special report on “The 404 Debate.”

“Don’t sweat the low-risk accounts” was the message from companies to regulators during a roundtable on the second-year experiences of Section 404 implementation. Panel participants said they would like to see more qualitative factors considered during 404 internal-controls audits, especially when accounts are classified as “low risk” from an internal-controls perspective.

Case in point: Emerson Electric Co.’s accrued vacation account. Lisa Flavin, the company’s vice president of audit, explained that external auditors agreed with her department’s assessment that the accrued vacation entry was not a “significant” account. In most cases, that means external auditors can rely on management’s assessment of the controls rather than retest the processes themselves.

In this case, however, the account total exceeded the quantitative threshold mandated by the firm, and retesting was required. “The auditors did a very good job of varying the nature, timing, and extent of the audit,” so the testing was appropriate to the level of risk. What the auditors did not consider, said Flavin, was that retesting the account requires, at a minimum, 500 extra man-hours, with very little value in return. In some cases, “qualitative factors should override quantitative thresholds,” she added.

Flavin made note of 404 inefficiencies during Wednesday’s roundtable sponsored by the Securities and Exchange Commission and the Public Company Accounting Oversight Board. Also on hand to comment was Frank Brod, chief accounting officer of Microsoft. Expanding on Flavin’s comments, Brod noted that pushing controls testing down to low levels of transaction detail runs counter to the SEC’s call to look at 404 from a broader, risk-based perspective.

Furthermore, he took exception to the concept put forth by the PCAOB that 404 should be considered in a silo, year-by-year scenario, instead of as a continuum. Without considering the knowledge gained along the way, asserted Brod, it would be difficult to develop 404 best practices that incorporated benchmarks and risk analysis based on experience.

Some auditors had a slightly different take on the subject. For example, Garrett Stauffer, senior partner at PricewaterhouseCoopers, wasn’t quick to endorse the idea that low-risk accounts should gain an automatic pass regarding auditor controls testing. In fact, he pointed out that while fixed-assets accounts are usually dubbed low risk, many of WorldCom’s scandal problems originated from a lack of controls over capitalization of fixed assets.