Tag Archive: audit

Updating the Auditor’s Report: Opportunities and Challenges

Published by

Scott Zimmerman, Phillip Austin, Marty Baumann, Dan Sunderland, and the author discuss “Challenges Facing the Audit Profession” at the AAA’s 2018 Auditing Section Midyear Meeting.

“The new audit report is a great opportunity for the profession.” So spoke Marty Baumann, chief auditor and director of professional standards at the US Public Company Accounting Oversight Board (PCAOB), at a panel during the American Accounting Association (AAA) Auditing Section’s midyear meeting this past January.

I agree wholeheartedly with Marty.

Updating the auditor’s reporting model in the United States represents an extraordinary opportunity, as it has in the United Kingdom and elsewhere. Yet as we discussed on that January panel, with opportunities come challenges—and I have put together some strategies for addressing those challenges.

The Standard

To understand the opportunities and challenges associated with updating the auditor’s report, it helps to start with the basic elements of the new PCAOB auditing standard.

The standard features a phased implementation approach. The first phase—which affects PCAOB audits of companies with fiscal years ending on or after December 15, 2017—includes disclosing auditor tenure and other changes to the form and content of the auditor’s report.

The second phase of implementation requires communication of critical audit matters (CAMs). The standard defines a CAM as any matter arising from the audit of the financial statements that meets all the following criteria:

  • was communicated or required to be communicated to the audit committee;
  • relates to accounts or disclosures that are material to the financial statements; and
  • involved especially challenging, subjective, or complex auditor judgment.

The effective dates for CAMs to be included in the auditor’s report are (1) fiscal years ending on or after June 30, 2019 for audits of large accelerated filers and (2) fiscal years ending on or after December 15, 2020 for audits of all other companies to which the requirements apply.

Opportunities

What opportunities will these changes bring? Conversation at the AAA panel covered a range of possibilities.

  1. Possible insights for investors. Scott Zimmerman, a partner at EY and its Americas Assurance Innovation division said that each audit should result in “some type of meaningful insight.” Baumann suggested that such insights can “add to the total mix of information that investor use in making decisions,” and offered his view that the audit report could, for some investors, even become “the first place to go in a very big 10-K with a complex set of financial information.”
  2. Differentiation via technology. As a digital expert, EY’s Zimmerman knows how technology can be a competitive differentiator for audit firms, particularly as use of data analytics and artificial intelligence grows. He noted that EY, like many firms across the profession, is examining how technology can be leveraged in the context of the CAMs that will be communicated in an expanded auditor’s report.
  3. Future academic research. As each audit generates insights, academics can sift through the data to track broader patterns in financial reporting. Baumann noted that researchers might investigate possible correlations between CAMs and stock prices, for example, or financial disclosures.

Challenges

While acknowledging the excitement around these and other opportunities, panelists also recognized challenges.

  1. Boilerplate potential. In December 2017, US Securities and Exchange Commision Chair Jay Clayton quipped that it would be a “bummer” if CAMs devolved into boilerplate language of little or no use to investors. At the AAA meeting, panelist Dan Sunderland, chief auditor and national leader for Audit and Assurance Services at Deloitte & Touche LLP, noted that the nature of the disclosure in CAMs would be the “keys to the kingdom”—and that auditors are well aware of the importance of avoiding boilerplate.
  2. Interference with audit committee communication. Panelist Phillip Austin, the national managing partner of Auditing at BDO USA, noted that, with the new disclosure of CAMs, some company executives might be tempted to “manage” communication between the auditors and the audit committee.
  3. Disclosure tension. In the discussion, panelists contemplated scenarios where auditors may disclose in CAMs information that management is not obliged to disclose. “That’s going to be tricky,” said Austin. Baumann indicated this would be an area that the PCAOB would track carefully.

Strategies for Success

To make the most of the opportunities presented by the new report, panelists discussed strategies to address the challenges of implementing the new reporting models. Audit committee members should become familiar with the following strategies for success.

  • Maintain open dialogue between auditors and audit committees. As with many items related to the financial reporting process, strong and ongoing communication will be critical around the new auditor’s report. Baumann cited the importance of dialogue around challenging issues, such as revenue recognition or significant and unusual transactions that a company might have, that could be critical audit matters. To foster this dialogue, the Center for Audit Quality (CAQ) has produced a tool for audit committees regarding changes to the auditor’s report.
  • Pilot-testing. For auditors, “the critical thing is to try to pilot things in the short run,” said Sunderland. This pilot-testing should involve auditors talking through the process with the audit committee, he added.
  • Pay close attention to the post-implementation review. For regulators, it will be vital to monitor implementation of the standard, particularly given risks such as creeping boilerplate. Marty Baumann voiced the PCAOB’s strong commitment to robust post-implementation review, starting with the implementation of CAMs.

What challenges, opportunities, and necessities do you see regarding updating the auditor’s report? I welcome your thoughts in the comments. And be sure to visit the CAQ’s resource page on auditor reporting for more information.

Cindy Fornelli is a securities lawyer and has served as the Executive Director of the Center for Audit Quality since its establishment in 2007.

The Auditor’s Report: Reading Between New Lines

Published by

Alexandra R. Lajoux

Now that the U.S. Securities and Exchange Commission (SEC) has released an order approving the Public Company Accounting Oversight Board’s (PCAOB) new rules on the auditor’s report, what items should the audit committee and shareholders look for there?

The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion and Related Amendments to PCAOB Standards, released by the PCAOB June 1 and approved by the SEC October 23, contains five main changes, including one that requires careful reading between the lines.

As NACD summarized in a recent brief to its members, the new PCAOB standard will require auditors to:

  • Standardize the format of the auditor’s report, placing the auditor’s opinion in the first section of the auditor’s report, followed by the basis for the opinion. This change makes the auditor’s opinion easier to find in the auditor’s report.
  • Disclose the auditor’s tenure, stating when the audit firm began its current service to the company. This new requirement comes in lieu of limiting audit firm tenure through mandatory audit firm rotation, a concept NACD and others have rejected in the past.
  • State that the auditor is required to be “independent.” This requirement is intended to strengthen shareholder confidence in the auditor’s report, possibly as an offset to the tenure disclosure, if it reveals that the auditor has been serving the client for more than a quarter century, for example.
  • State that the financial statements are free from material misstatements “whether due to error or fraud.” This change aligns with other recent or pending regulations on error vs. fraud, such as the proposed executive pay clawbacks rule still pending under Dodd-Frank, which mandated disgorgement of performance-based pay after financial restatements even if restatements were due to error rather than to fraud.

Report on critical audit matters (CAMs), defined as “matters communicated or required to be communicated to the audit committee and that: (1) relate to accounts or disclosures that are material to the financial statements; and (2) involved especially challenging, subjective, or complex auditor judgment.” A number of commenters said that the CAMs mandate is “redundant” with existing reports, which already reveal the required information. See for example NACD’s comment to the PCAOB or State Street’s comment.

The key letter in CAM is M, for material. For those who may wonder what may be “material” to the financial statements, join the club. The SEC has still never defined this term, leaving this job to the courts as they interpret federal securities laws.

The going definition of “material” is more than 40 years old. The SEC release cites TSC Industries v. Northway, Inc., 426 U.S. 438, 449 (1976), in which the U.S. Supreme Court states that a fact is material if there is “a substantial likelihood that the . . . fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.” In that same case, the Supreme Court said that determining materiality requires “delicate assessments of the inferences a ‘reasonable shareholder’ would draw from a given set of facts and the significance of those inferences to him . . .”

Such wisdom is not lost on the PCAOB and SEC. In its June 1 release, the PCAOB cites as CAMs the auditor’s evaluation of the company’s “goodwill impairment assessment” and, more broadly, the auditor’s assessment of the company’s “ability to continue as a going concern.” These two examples are material to financial statements. By contrast, the following two examples are not material to the financial statement: a loss contingency already discussed with the audit committee and “determined to be remote;” and a “potential illegal act.”

Audit committees need to ensure that their auditors are in a position to recognize critical audit matters, and to learn from those matters.  But this does not mean looking for problems where there are none.

Significantly, SEC Chair Jay Clayton had this to say about the new standard:

“I would be disappointed if the new audit reporting standard, which has the potential to provide investors with meaningful incremental information, instead resulted in frivolous litigation costs, defensive, lawyer-driven auditor communications, or antagonistic auditor-audit committee relationships — with Main Street investors ending up in a worse position than they were before.

I therefore urge all involved in the implementation of the revised auditing standards, including the Commission and the PCAOB, to pay close attention to these issues going forward, including carefully reading the guidance provided in the approval order and the PCAOB’s adopting release.”

To Chairman Clayton’s point, the SEC makes this point in its approval order:

“As the [PCAOB] notes, in order to succeed, any claim based on these new statements would have to establish all of the elements of the relevant cause of action (e.g., when applicable, scienter, loss causation, and reliance). Moreover, as discussed above, CAMs could be used to defend as well as initiate litigation. …However, because of these risks and other concerns expressed by commenters, we expect the Board to monitor the Proposed Rules after implementation for any unintended consequences.“  (SEC approval order , pp. 32–33)

Shareholders and others should read between the lines of auditor’s report (appreciating the regulations behind it), but they should not expect auditors to “look under rocks” to find problems. That is the job of management, internal control, and the audit committee. The auditor’s job is to focus on the audit of the financial statements to ensure that they conform to generally accepted accounting principles (GAAP). Given the complexity of GAAP, that is a big enough job as it is.

The CAM standard can’t be mastered overnight and won’t be required any time soon. Auditors of large accelerated filers will not be required to adopt CAM changes until audits of fiscal years ending on or after June 30, 2019—with audits of all remaining filers to adopt CAM changes for fiscal years ending on or after December 15, 2020.

By contrast, all the other changes will apply to audits of fiscal years ending on or after December 15, 2017.  That mean, essentially that auditors must work on this immediately, since most companies they are working with right now have fiscal years ending December 31, 2017. (According to Audit Analytics, 71 percent of public companies have a fiscal year ending December 31.)

So now is the time to prepare for the changes! In its above-cited report on the new rule, NACD prepared questions for directors to ask, along with related resources.

Questions for Boards

  • For which fiscal year will our auditor first be required to report on CAMs?
  • What areas during the audit do we anticipate our auditor will find challenging, subjective, or complex—and how can we preemptively address those concerns?
  • How will the auditor’s insights in the newly expanded report affect our ongoing work as we prepare the audit committee report for the proxy and review risk disclosures in the annual report on Form 10-K?
  • How will it shape our meeting with auditors, who themselves have extensive standards for their communications with audit committees?
  • How might our company need to adjust our year-end reporting calendar in order to file the 10-K on time?

NACD Resources: See NACD’s commentary on this topic to the PCAOB in the Corporate Governance Standards Resource Center, and visit NACD’s Audit Committee Resource Center for a repository of content related to leading practices for the audit committee. Register for the KPMG webinar “What You Need to Know About the New Auditor Reporting Model” on Thursday, November 9, and review the Center for Audit Quality’s recent alert “The Auditor’s Report—New Requirements for 2017.”

Is Internal Audit Meeting the Board’s Expectations?

Published by
Jim DeLoach

Jim DeLoach

Recently, the world’s largest ongoing study of the internal audit profession—the Global Internal Audit Common Body of Knowledge (CBOK)—was completed by the Institute of Internal Auditors (IIA) and Protiviti to ascertain expectations from key stakeholders regarding internal audit performance at organizations of varying operational models and sizes. The study sought input from members of audit committees all over the world about their expectations of the internal auditor’s role in the organization. We think all directors will find the results of the study applicable to their work in the coming year and beyond.

Below are six imperatives for internal auditors from the CBOK study based on feedback from audit committee members.

1. Focus more on strategic risks. According to the CBOK study, two out of three board members believe internal audit should have a more active role in evaluating the organization’s strategic risks. Study respondents indicated that internal audit should focus on strategic risks (as well as operational, financial and compliance risks) during audit projects (86 percent) and periodically evaluate and communicate key risks to the board and executive management (76 percent). Accordingly, chief audit executives (CAE) must focus their function sufficiently on the bigger picture to think more strategically when evaluating risks, proposing risk-based audit plans, and formulating audit findings. By understanding the organization’s business objectives and strategy, and identifying risks that create barriers to the organization achieving its objectives and executing its strategy successfully, the CAE increases internal audit’s value proposition.

2. Think beyond the scope. The call for internal auditors to think strategically leads to another challenge: thinking beyond the scope of the audit plan. Thinking beyond scope means, for example, that the auditor should:

  • “Connect the dots” when considering enterprisewide implications of the findings of multiple audits, particularly findings with significant business model underpinnings;
  • Broaden the focus on operations, compliance, and nonfinancial reporting issues; and
  • Watch for patterns or signs indicating a deteriorating risk culture.

By focusing more broadly on the implications of audit findings, and thinking beyond the expressed or implied boundaries set by the audit plan, internal audit is better positioned to deliver stronger, more practical, and harder-hitting recommendations aligned with what directors are seeking.

3. Add more value through consulting. In today’s era of slower economic growth, a high premium is placed on operational effectiveness and efficiency. The CBOK study respondents picked up on this point, as 73 percent of respondents recommended that internal audit advise on business process improvements. For example, consulting activities by internal audit can result in: strengthening of the lines of defense that make risk management work; more effective collaboration with other independent functions focused on managing risk and compliance; improvements in the control structure, including greater use of automated controls; and suggestions for improving and streamlining compliance. These study findings underscore the benefit of investing in consulting services that will strengthen business processes.

4. Facilitate effective, high-quality communication. Board members generally rate internal audit’s communication at a high level of confidence. For example, a large majority of directors give high scores for the quality (83 percent) and frequency (81 percent) of internal audit’s communication. That’s good news and a great foundation on which to build the board’s satisfaction with the internal auditor’s role.

5. Elevate stature and perspective. Intentionally positioning the CAE and internal audit within the organization is vitally important to their ability to meet elevated expectations. Access and perspective have always been keys to positioning. Access has typically been attained through direct reporting to the audit committee, as well as to the C-suite. But beyond these reporting lines, the study reports that two out of three board members rank the CAE’s participation in board settings beyond the traditional audit committee meetings as an effective strategy for broadening the CAE’s perspective. The board settings that are relevant in this context must be defined by directors to fit the organization’s specific needs. However the goal is defined, increased access to and more frequent interaction with the board broadens the CAE’s perspective of the organization and elevates the stature and visibility of the internal audit function within it. It also enables the CAE to establish relationships with directors, understand their views on addressing competing audit priorities, and earn the right to be viewed as a valued source of insight for the board.

6. Align with stakeholder expectations. In most organizations, not all stakeholders see eye to eye or want the same value from internal audit. This reality creates a significant challenge for CAEs tasked with building consensus among stakeholders. While directors may not expect their company’s CAE to address all of the above imperatives, they should initially and periodically assess whether internal audit is doing what matters based on previously-established imperatives. The CAE bears the brunt of the responsibility for addressing this challenge by articulating the value that a top-down, risk-based audit plan contributes to each facet of the organization, and by providing an assurance and advisory perspective that the board, executive management, and other stakeholders can understand.

Following are some suggested questions that directors may consider based on the risks inherent in the entity’s operations.

  • Does the board periodically evaluate the scope of internal audit’s activities and discuss whether modifications are needed in view of changes in company operations and the business environment? Is the board getting the insights it needs?
  • Does internal audit provide adequate attention to strategic risk issues, including barriers to the organization’s execution of the strategy?
  • Does internal audit have an appropriate mix of consulting and assurance activities?
  • Does internal audit have the stature and access necessary to maximize its effectiveness?

Jim DeLoach is managing director with Protiviti, a global consulting firm.