Essential audit skepticism for management
I am pleased to introduce Thomas Ray, member of the accounting faculty at Baruch College and former Chief Auditor at the PCAOB, who will be guest blogging for us this week.
Company managers, not their independent auditors, are required to establish and maintain adequate internal controls over their financial reporting processes. CEOs and CFOs each sign statements that confirm their personal responsibilities for those controls.
Independent auditors are required to exercise and maintain an attitude of professional skepticism throughout their audits of financial statements and internal control over financial reporting.
I believe that this concept of professional skepticism can also play an important role in companies, to provide senior management with more confidence that the many tasks delegated throughout the organization are performed diligently and with due care. In our paper, How to Thrive in the New Era of Professional Skepticism, Joe Howell and I suggest that company management take a cue from their auditor counterparts and exercise skepticism.
As I discussed extensively in my article in the January 2015 issue of The CPA Journal, auditors of public companies recently have been criticized by the Public Company Accounting Oversight Board (PCAOB) for not being sufficiently skeptical, with the PCAOB suggesting that this might be one of the root causes of audit deficiencies identified by its inspectors.
Consequences of this criticism, in combination with numerous audit deficiencies related to internal control auditing, include requests by auditors for additional documentation and information about both the design and the operation of their clients’ internal controls. This also includes an expansion of the number of controls the auditors test, including additional process-level controls, because of concerns related to management review and other entity-level controls.
The idea behind professional skepticism is that auditors need to maintain a questioning mind and critically assess audit evidence, and thus ask themselves questions such as: Does this make sense? What does the audit evidence indicate? Have I obtained sufficient evidence to conclude?
As practice by auditors and companies under SOX continues to mature, especially under the increased scrutiny by both the PCAOB and the SEC, it may be a good time for management to consider whether its attitude and expectations about its employees’ operation of controls are resulting in the gathering of sufficient evidence, including:
- Evidence about whether the control actually operated
- What was done by the control operator
- Whether the control operator obtained, evaluated, and retained the evidence necessary to support the effective operation of that control
For automated process-level controls, this should be programmed and automatically captured by the system. Higher-level controls that require the exercise of judgment might require different types of system functionality to help the control operator perform the control consistently and appropriately, and to make a record of the evidence obtained and evaluated.
To the extent this support can be automated, evidence that the specific tasks associated with the control were performed, and the documents and other evidence considered by the control operator, can be captured by the system concurrent with the operation of the control. This would, ideally, make the control easier to perform consistently and allow management to more easily make the information available to auditors and others.
Thomas Ray, Distinguished Lecturer at Baruch College, teaches auditing. Prior to joining the Baruch faculty, Tom was the head of the Audit Group in KPMG LLP’s Department of Professional Practice and was Chief Auditor and Director of Professional Standards at the Public Company Accounting Oversight Board (PCAOB). At the PCAOB, he advised board members on the establishment and application of auditing, quality control, ethical, and independence standards for audits of U.S. public companies. Tom is a licensed CPA and provides consulting services on the application of professional practice standards by CPAs. He also was a member of the COSO Advisory Council in connection with the 2013 update to Internal Control: Integrated Framework.