Management review controls—are they providing the assurance you need?

I am pleased to introduce Thomas Ray, member of the accounting faculty at Baruch College and former Chief Auditor at the PCAOB, who will be guest blogging for us this week.

Public company auditors—and their clients—continue to feel pressure from the Public Company Accounting Oversight Board's (PCAOB) recent audit inspections. The intense focus over the past several years on compliance with the Board's Auditing Standard No. 5 and on the effectiveness of internal control audits, has auditors and their clients scrambling to orient themselves to seemingly new requirements and expectations.

One of the themes in the May 2015 letter from the U.S. Chamber of Commerce's Center for Capital Markets Competitiveness (CMCC) to the PCAOB and Securities and Exchange Commission (SEC)—which is critical of the PCAOB's inspections approach—is the importance some companies place on certain high-level controls. This includes management review controls for addressing the risk of material misstatement in the financial statements.

Are you getting the protection and assurance you need? The PCAOB's inspections findings and comments from senior SEC staff suggest that may not always be the case.

As I discuss in my white paper, Partner With Your Auditor on Controls, the PCAOB's inspections findings may help a company's management identify important internal control weaknesses. I discuss five of the most frequent internal control auditing deficiencies identified by the PCAOB and provide thoughts on ways in which management can help auditors address those findings and improve controls at the same time. If you place a high degree of reliance on such controls, it may be worthwhile to reconsider whether they are operating at a level that delivers the expected assurance.

When evaluating whether the design and operation of your management review controls are effective, there are several things you should consider.

1. Is the control sufficiently precise?

   Precision refers to the size of misstatement the control would prevent or detect if it operated in accordance with its design. If this is the one control you are relying on, then it needs to prevent or detect misstatements that, when added up, would cause the financial statements to be materially misstated.

2. Is the design of the control accurately captured in a design document?

   This is necessary both for company personnel to be able to perform the control effectively and consistently over time and for the auditor to understand how the control is designed.

   The design document should include:

   • Objective of the control
   • Nature and sources of information subjected to the control
   • Nature and sources of other information used by the control to identify misstatements
   • Steps involved in performing the control
   • Guidance on how the control operator should exercise judgment
   • Level of competence and authority the control operator needs to perform the control effectively
3. Is documentation prepared each time the control operates?

   The audit firm will need evidence that the control actually operated if the control is important to the conclusion on the effectiveness of the company's internal control. Good documentation also enhances the rigor of the control and provides management with assurance that the control operated effectively.


   For a management review control, this documentation should include:

   • Evidence that the control operated
   • Steps the control operator took in performing the control
   • Information and evidence the control operator obtained and considered
   • Significant judgments made by the control operator
   • Matters identified for follow-up, conclusions, actions taken to resolve discrepancies, who performed the control, and the date of its performance

This may seem like a lot—but hopefully not when you consider the high level of assurance that you expect to derive from the operation of these important controls.

To learn more, read the full white paper, here.