Tips for Evaluating Internal Control Deficiencies

I am pleased to introduce Thomas Ray, member of the accounting faculty at Baruch College and former Chief Auditor at the PCAOB, who will be guest blogging for us this week.

In his remarks at the AICPA Conference on Current SEC and PCAOB Developments last month, Brian T. Croteau, SEC Deputy Chief Accountant, noted some encouraging signs related to public companies' evaluations of their internal control. For the second year in a row, the number of material weaknesses reported by companies in circumstances in which they had not also identified a material misstatement had increased, which suggests that companies are performing a more rigorous analysis of the effectiveness of their controls.

The encouragement came with a caution, however, as Croteau noted the frequency with which internal control issues are identified in SEC staff consultations. He then discussed the importance of properly identifying, understanding, and describing control deficiencies.

In my experience, identifying and evaluating the severity of internal control deficiencies is often difficult and has been a challenge for both companies and their auditors. Croteau's comments in this area are therefore both helpful and timely.

Here are four tips for evaluating internal control deficiencies, based on Croteau's remarks and relevant guidance included in the PCAOB's Auditing Standard No. 5 and elsewhere.

1. The misstatement is not the deficiency.                                                                                                                        Often, an internal control deficiency is identified after the discovery of a misstatement in the financial statements. Companies must look beyond the misstatement to understand how it happened and which control should have either prevented or detected the misstatement. Perhaps, there is not a control in place to deal with the type of misstatement that occurred, which also would be considered a deficiency. The internal control deficiency is not that "we did not properly account for the transactions."
2. Is it a design or operating deficiency?
   Companies should first understand the design of the control and carefully evaluate whether it would prevent or timely detect misstatements if it operates in accordance with its design. If it would not reliably prevent or detect misstatements, then there is a design deficiency.
   Sometimes, a control is well designed, but the person performing that control was not adequately trained or did not perform and document the steps required to perform the control effectively, which allowed the misstatement to end up in the financial statements. This may be considered an operating deficiency.
3. How often and how big?
   There are two components that must be evaluated to assess the severity of a control deficiency: the likelihood that the deficient control will not prevent or timely detect a misstatement, and the magnitude of the potential misstatement resulting from the deficiency.
   Companies should identify the complete population of transactions that a control is intended to address and the size and number of misstatements the deficient control would permit to assess whether the deficiency would allow a material misstatement. An omitted disclosure also can be the source of a material misstatement. Controls over the completeness and accuracy of disclosures may be different and require a different type of analysis.
4. What do we know, and what should we expect?

   Croteau emphasized the importance of the likelihood and magnitude analysis, highlighting what has been termed the "could factor."

   The evaluation of whether it is reasonably possible that a material misstatement could occur and not be prevented or detected on a timely basis requires careful analysis that contemplates both known errors, if any, as well as potential misstatements for which it is reasonably possible that the misstatements would not be prevented or detected in light of the control deficiency. This latter part of the evaluation, also referred to as analysis of the so called 'could factor,' often requires management to evaluate information that is incremental to that which would be necessary, for example, for a materiality assessment of known errors pursuant to SAB 99.

   — Brian T. Croteau, Deputy Chief Accountant, Office of the Chief Accountant, Remarks before the 2015 AICPA National Conference on Current SEC and PCAOB Developments

   Finally, Croteau pointed out that companies should give ongoing consideration to implementing or redesigning controls as necessary in connection with the application of new accounting standards and policies. In addition, companies need to remember their obligations to disclose material changes to their internal control, including in situations where such changes are made in advance of the adoption of a new standard, but also affect current period financial reporting.