The labor-saving evidence the PCAOB forgot to mention

As I write, the SEC's website is inviting comments on the PCAOB's rules for auditing the effectiveness of internal controls over financial reporting. Take this document as a guide to auditing internal controls effectiveness and you will be following an inefficient approach that will cost you far more than it should.

Why? The PCAOB's rules focus on evidence from the design of the internal control system and from tests of individual controls to confirm that they have operated as designed. There are other sources of evidence at least as persuasive, and by creaming off the most cost effective evidence in all areas you can design a much more efficient audit.

What might have been holding many companies back from doing this is the worry that using other forms of evidence might not be understood or accepted by internal or external auditors. Now, an online survey conducted during April 2004 with the help of the AuditNet® community gives clear evidence that this strategy should be understood by nearly all auditors, internal and external.

New research

Respondents were presented with 20 pieces of information and asked which, in their personal opinion, were relevant as evidence of effectiveness of internal controls over financial reporting. There were 46 respondents, about half from the USA, mainly internal auditors.

Not surprisingly virtually all respondents thought that information about tested internal controls was relevant or somewhat relevant as evidence, though they placed less weight on 'tone at the top' information. They also discarded statements with no relevance, such as that the CFO had brown eyes.

The interesting findings were that:

• Everyone recognized that process health measures, such as level of customer complaints about billing, were relevant as evidence, even though they do not relate to the operation of any individual control but are more an indicator of the overall results of applying controls.

• Nearly everyone recognized information about inherent risks to be relevant as evidence. (Just 2 people - both mainly or exclusively internal auditors - out of 46 respondents thought that inherent risk was irrelevant.)

Application to SOX reviews

Designing a more efficient SOX audit using more evidence types involves:

• identifying process health measures that are or could be collected easily and including them as evidence;

• including the most relevant inherent risk information as part of the evidence pack (rather than using it only to decide on scope); and

• reducing the level of detail and extent of testing for individual controls.

Process health measures, such as error rates and statistics on processing backlogs, were the most persuasive evidence in the survey and in actual audit practice tend to be highly cost effective as they usually provide indirect evidence of the operation of individual controls as well as overall effectiveness, are easy to collect, and cover the whole period.

More information on this approach is given in my previous article on SOX 404 compliance and can be found on the AuditNet® S-OX page.

Compliance with the rules

Nothing in the PCAOB's audit rules says that audit evidence must be limited to evaluating design of the control system and testing individual controls, even though the focus of its technical advice goes no further. Paragraph 127 lists what evidence to consider and the wording is quite clear:

"127. When forming an opinion on internal control over financial reporting, the auditor should evaluate all evidence obtained from all sources, including:

• The adequacy of the assessment performed by management and the results of the auditor's evaluation of the design and tests of operating effectiveness of controls;

• The negative results of substantive procedures performed during the financial statement audit (for example, recorded and unrecorded adjustments identified as a result of the performance of the auditing procedures); and

• Any identified control deficiencies."

In other words, the evidence most discussed in the rules is not the only type that could be used and the external auditor has no choice but to consider any evidence provided. The research described above shows that auditors, when presented with other evidence types, see the relevance.

Finally, could it be that the two survey respondents who made a point of saying that inherent risk information was not relevant are the only ones who understand what the SOX requirements really mean? Perhaps there is a lawyer somewhere who can clear this up, but to me it is obvious that the originally intention of SOX 404 was that accounts should be reliable, and that implies that the controls should rise to the challenge of the risk factors. Could it really be an adequate excuse to say, for example, "The controls were effective, but with such complex contracts and a culture of dishonesty in the company something was bound to slip through."

More information

For more information, try the AuditNet® special collection on "Sarbanes-Oxley Corporate Governance and Internal Audit", compiled by Jim Kaplan.

For more details on the audit strategy and research described in this article visit:

• Efficient compliance with s302 and s404 of the Sarbanes-Oxley Act

• Evidence for an efficient approach to evaluating controls effectiveness

  ---

Matthew Leitch
www.internalcontrolsdesign.co.uk
matthew@internalcontrolsdesign.co.uk