Requirements for adequate internal controls are not new. For the past 27 years, the SEC has demanded that public companies meet certain standards of control. As long ago as 1992, the Committee of Sponsoring Organizations of the Treadway Commission created a framework for evaluating them
Just maintaining internal controls, however, is no longer good enough. Sarbox requires companies to analyze and document their internal-control processes, which means they must in effect create elaborate procedural manuals and update them whenever a process changes. And before controls can be certified, both the company and its auditors must test them for their “design and operating effectiveness,” says Stephen Poss, senior partner and chair of the securities litigation and SEC enforcement practice area at law firm Goodwin Procter LLP.
To do that, the final PCAOB standard — known as “Auditing Standard No. 2: An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements” — requires auditors to examine the controls themselves and even conduct “walk-throughs” of important stages. There are limits on how much an auditor can rely on the work of others, even though internal finance staffs may have already tested the same processes. And because the audit covers the entire year, there are also extensive interim testing requirements.
Moreover, because the auditors are required to test anything materially significant to a company’s financial statements, they must look for weaknesses in everything from how entries are consolidated and adjusted to what security controls are in place for accessing corporate technology.
What’s still uncertain is just how far auditors will go in applying the new PCAOB standards. Their tests will vary “company to company and auditor to CFO,” notes George P. Herrmann, vice president and CFO of Jefferson Wells International, a Brookfield, Wisconsin-based consultancy that specializes in internal controls. But factors such as the nature of the control, its complexity, and its frequency of use will all determine the extent of the testing, says Steve Wagner, a partner with Deloitte & Touche LLP and co-chair of its Sarbanes-Oxley steering committee.
Whatever is tested, the process promises to be extensive. According to the FEI survey, in fact, plan to document processes at 80 percent of their locations, and expect their auditors to test approximately 57 percent of those documented controls.
One thing is certain: the standards have greatly strengthened “the position and power of accounting firms,” says Harold B. Finn III, founding partner of law firm Finn Dixon & Herling LLP. Because controls audits are uncharted territory, he explains, the auditors can extend the scope of their work as they go along. And because the work will be subject to review by the PCAOB, auditors have an interest in being as thorough as possible.
Public disclosure only heightens that interest. Previously, “material weaknesses received attention only at the board level and were not disclosed publicly,” says Herrmann. But now, says Poss, “we live in a kind of binary world, where internal controls are either effective or not.” Consequently, if an auditor does uncover a material weakness that isn’t fixed, it must issue an unclean opinion.