Documentation of Controls
Posted: February 8, 2016
In my blog last month covering the first day of the SEC conference I discussed the focus on Internal Control over Financial Reporting at both the PCAOB and the SEC. I mentioned that I thought it left a potentially huge issue untouched – that management did not adequately document their controls. While I do believe that is an issue, I am beginning to wonder if the PCAOB and AS 5 have an unreasonable expectation about management documentation, not of the controls themselves, but of how the controls are working.
Let me give an example. Indefinite lived intangible assets are not subject to amortization, but instead are subject to annual impairment testing. While there are many steps to calculating the fair value of the assets and comparing that to the book value of the assets, ultimately the results of that work are presented to an appropriate level of management for review and approval. In the past, companies could simply say the meeting took place and they might even include a representation about the review in the management representations letter, but now companies all over the U.S. are being told that is not sufficient. We have to “prove” the meeting took place and that appropriate discussions and inquiries took place during the meeting. Auditors say we can provide them detailed minutes of the meeting (who has time, or from a management perspective the need, to do that?) or we can invite the audit staff to “observe” the meeting (do you really want them charging you to watch you during meeting after meeting throughout the year to prove you were actually performing a control?).
I had the privilege of working on the COSO revision of Internal Control – Integrated Framework and we were very clear that an effective internal control process was NOT contingent on documenting every detail in writing. In fact, I challenge anyone from the PCAOB or SEC to go find that requirement in the Internal Control – Integrated Framework document that was released in 2013.
I’ve heard the statement that all the auditors are being asked to do is enforce a “trust but verify” level of skepticism. While I find the quote from Ronald Reagan interesting, it sure feels like the auditors are being pushed into a stance of presume the company is guilty of not having sufficient controls unless they can prove their innocence that they actually do. You can call me naive, but if management says they did something and the auditor looks at the information and verifies that the accounting answer was indeed correct, it seems to me the auditor did trust and did verify without making management prove their innocence, but I guess that is not enough for the PCAOB.