5 tips for managers to survive the new era of auditor skepticism
Yes, it's true. The quality of internal control over financial reporting (ICFR) audits show evidence of improvement.
PCAOB member Jeanette Franzel, recently stated in a speech,"We are weathering the storm well, as auditors have focused on improving the quality of their audits of ICFR while companies have focused on adopting the 2013 COSO framework."
Of course, this comes with a grain of salt—professional skepticism is still lacking. Regulators and inspectors have taken note and are placing increased pressure on auditors and their clients to be skeptical, obtain sufficient evidence, and to improve their internal control assessment.
To get ahead of forthcoming demands for more compelling evidence of control and compliance, managers need to find and implement solutions and processes that enable evidence collection in a cost-effective, timely, and thorough manner.
In a recent white paper, How to Survive in the New Era of Professional Skepticism, Joe Howell, Co-Founder and Executive Vice President of Workiva, and Thomas Ray, Distinguished Lecturer at Baruch College and former Chief Auditor of the PCAOB, identified five tips to surviving the new era of auditor skepticism:
- Establish a single source of the truth for critical information
Problem: Information stored on a shared network drive or across multiple locations creates issues for many companies, especially when the information is processed in different files and applications. For SOX and internal control teams, it's a nightmare to make sure risk assessment and control process data is identical across narratives, flowcharts, and spreadsheets—and if they aren't, figure out which version is correct.
Solution: Managers should leverage solutions that enable their companies to design and implement a single environment as the source of truth. These should allows users to collaborate in a single place, leveraging information seamlessly across all documents.
- Ensure that supporting documentation is consistent—linking it to the single source of truth
Problem: To maintain consistency across documentation for the same control process information, companies get by with human memory and typing skills. Inevitably, discrepancies and mistakes will happen with this method as team members work with tens, hundreds, or thousands of references.
Solution: Don't leave decisions susceptible to human error. Improve your data and decision-making by implementing a solution that links all information between narratives, flowcharts, and spreadsheets. When an update is made to the source information, that change can be propagated across all references.
- Help control owners remember to follow critical control procedures
Problem: When a management review control is performed incompletely or inaccurately, the SOX and internal controls team is left struggling. Companies rely on professional training and memories of control owners to perform complex and critical steps for management review controls—leaving the door open for human error.
Solution: Make sure that the design of all controls is documented well, and provide a control owner with a checklist related to the operation of the control. This checklist will assist managers in remembering and documenting critical steps required to consider the control reliable, such as:
- Reviewing supporting information for completeness and reliability
- Evaluating whether evidence is sufficient and whether it supports significant assumptions and inputs
- Checking calculations for accuracy and consistency with policy and GAAP
- Assessing and resolving outliers or exceptions
- Concluding on the overall result
- Capture evidence of compliance concurrent with performance
Problem: It's been a few weeks since an event or transaction has occurred and signatures have been collected as evidence of key management review controls, but other evidence has not been collected. Due to the amount of time that has passed, it can be difficult to collect necessary evidence, leaving gaps.
Solution: Design processes to capture essential information about how a control operates, concurrent with its performance. This builds on the last recommendation of a checklist to outline complex and critical processes.
- Consider the design of the underlying accounting process
Problem: The line between the accounting process itself and the operation of the control over the process is sometimes difficult to see. This is especially true with usual and infrequent transactions.
Solution: Design a process that includes simultaneously obtaining and documenting matters to help assure management that it has all the necessary information to make a decision. This will also help the auditors. Matters that should be documented include, but are not limited to:
- Significant assumptions made and the evidence obtained regarding the appropriateness of the assumptions
- Information from outside the organization that can be provided to the auditor and should be considered
- Information about the transaction or event that was shared with the board of directors, when such the discussion occurred, and what decision was made
It's clear that regulators and inspectors will continue to apply pressure to companies and auditors to improve the quality of their evidence and audit. It's up to management to select the right tools and processes to meet those expectations.
Read the full white paper, How to Survive in the New Era of Professional Skepticism.