Each year, the Public Company Accounting Oversight Board (PCAOB) issues a series of reports and inspection briefs on its findings from that year’s inspections of registered public accounting firms’ compliance with the Sarbanes-Oxley Act, the rules of the PCAOB, the requirements of the Securities and Exchange Commission, and professional standards as they conduct their audits. These findings provide valuable insights to the public accounting industry on methods for improving audit quality every year, and 2015 was no different. The following sections take a quick look at the PCAOB’s key findings and how they apply to internal audit functions in all industries.
1. Information Provided by the Entity (IPE)
The PCAOB found that there was often insufficient evidence that reports provided to auditors were complete and accurate. This requires external auditors to request additional support or schedule more meetings with process owners. To avoid this extra work during an already busy time of the year:
- Include screenshots in your files of parameters used to generate reports.
- Restrict who has access to create or modify reports.
- Whenever possible, require all report changes to follow IT’s change management process.
2. Management Review Controls (MRC)
In 2015, external auditors noted that MRC documentation frequently lacked support indicating that controls were operating at a level of precision that addressed the risk of material misstatement. Auditors must ensure that in-scope items have been identified and sufficiently noted so their threshold can be appropriately based on the assessed risk. To ensure you are providing the right level of detail:
- Clearly identify the fields, data, and thresholds included in your review.
- Identify any exceptions and what was done as a result of the deviations.
- Document that you are confident that the reports used in your review are complete and accurate.
3. Insufficient Sampling
This year it was commonly noted that internal audit functions were not consistently following external auditors’ sampling guidelines. When this occurs, external auditors typically require audit functions to conduct additional testing. To make sure your department is meeting external auditors’ requirements:
- Communicate with auditors about sampling requirements before beginning testing procedures.
- Make sure your sampling guidelines meet their sampling methodology.
4. Insufficient Testing Support
External auditors ran into a number of instances where they were not provided supporting documentation for the procedures performed by the company. Without this documentation, external auditors cannot rely on the work performed by internal audit. To provide your auditors with all the support they’ll need:
- Maintain supporting schedules and workpapers.
- Include adequate documentation on workpapers.
- Use tickmarks to explain the work performed.