When SOX was first invented, we all struggled to figure out what companies were supposed to be doing, and what auditors were expecting to see. All this happened while the auditors were trying to follow new audit rules just as their new regulator (the PCAOB) came into existence. We were all stumbling around together.
AS2 came out with principles-based guidance—and was the shortest auditing standard in history. It threw everything into the auditors’ scope regardless of materiality, and created a lot of work for dubious value. And a lot of expense.
Along came AS5 to replace that standard, with an attempt to focus auditors on items that could reasonably give rise to a material misstatement. Use professional judgment was the message. That helped settle things down for a while … until the PCAOB started failing audit firms in the inspection process, citing deficiencies in its reviews of internal control over financial reporting.
The audit firms pushed back, and the PCAOB pushed harder. All the pushback was occurring behind the curtain. Companies were often left in the dark about priorities and expectations. And disagreements over what should be in scope of the audit have persisted.
Interpretations in flux
Over a decade after SOX’s passage, a mismatch in expectations continues. The interpretation of the rules keeps evolving. The new directives aren’t always official but are instead happening piecemeal, audit firm by audit firm, and sometimes even engagement team by engagement team. Companies have often been caught unaware by new changes, not realizing that the bar had been raised.
Most of this direction has stemmed from inspection findings. Audit firms are in the unenviable position of delivering the news to their clients about what the PCAOB inspectors find, and companies understandably cry foul that it’s not helpful to have them change their ways “after the fact.” When it comes to audits, no one likes surprises.
The upsides of SOX
Years of SOX compliance have resulted in positive progress. The way companies design controls is far different today than the early days—and how they evidence the execution of controls has matured as well. We see that companies have integrated SOX into their operations—it is not some “thing” off to the side, separate and apart from ongoing operations. And real, tangible benefits are being derived from it. Financial statements are more reliable. There are more checks and balances in place. We see a better defined “tone at the top”—there’s clear integrity and transparency in how SOX-compliant companies do business.
We’ve also seen companies becoming more mature in their operations and documentation of accounting entries. In the past, we were more likely to see journal entries with no supporting documentation. Or we’d find that reconciliations were performed but nobody reviewed them. Now, the level of documentation produced and retained is more robust, and there is more scrutiny of the underlying data itself.
What do they want?
Still, it’s not always clear whether companies are living up to their auditors’ (and the PCAOB’s) expectations. In 2013, some light shone through when the PCAOB released an audit alert following three years’ worth of serious deficiencies in internal-control audits. The general public finally got to hear what the inspectors were seeing beyond their vague inspection reports. The PCAOB expected to see more proof that the auditors were doing what they are supposed to be doing while reviewing internal controls, and those demands have trickled down to the auditors’ clients.
Here’s one example of how it plays out now: When auditors want to look over management review controls (controls that help management identify errors), they need to understand them and then test to see if they are operating at a precise enough level to detect a material misstatement. The potential snafu here is that management documented their review in accordance with their own needs, not the auditors’. The auditor will want sufficient evidence to prove what management looked at, what was investigated and how it was resolved.
Management does not need a stack of paperwork to perform a meaningful budget-to-actual analysis and be comfortable that there are no material misstatements. But auditors want to know for sure that the analysis was done and thoroughly reviewed or else they are hard-pressed to place reliance on that control. Ten years ago, a simple signature on a page was often sufficient evidence. Not so today.
At times it seems audit requests are coming from a “one size fits all” approach rather than a tailored approach based on specific facts and circumstances. Companies end up feeling a need to pile on the documentation to make future audits easier, but in areas that have little connection to the possibility of a material misstatement.
How the PCAOB goes about its inspections could change. In May, the PCAOB revealed that it may go about the selection of audits to review differently, shifting from a risk-based focus to taking some audits at random (as it is now, the PCAOB tends to review the riskiest/most complex clients in an audit firm’s portfolio).
That change may not address the issue of mismatched expectations, but it will certainly get the conversation going, which isn’t a bad thing. As usual, the devil is still in the details. What matters to the regulator—and the firms it inspects—will continue to evolve as precedents get set and the bar gets raised. Some areas, such as cybersecurity risks, could attract more focus.
Here’s the bottom line: The evolution could all be for the better, as long as we can use judgment about what adds value and what is merely checking off boxes.
Pat Voll is a vice president at RoseRyan, where she mentors and supports the dream team, and heads up client experience, ensuring all our clients are on the road to happiness. She was recently asked by ComplianceWeek for her take on the “new normal for internal controls.” Pat previously held senior finance level positions at public companies and worked as an auditor with a Big 4 firm.