Addressing "early warning" and the public interest: auditor involvement with internal control. (includes related article on the exposure draft of the Treadway Commission's Committee of Sponsoring Organizations)by Landsittel, David L.
CURRENT PROPOSALS AND
The following recap of current developments about controls illustrates the high degree of attention being given to this topic.
* Representatives Wyden and Dingell introduced legislation in late 1990 during the waning days of the 101st Congress that would have required management of public companies to report on the effectiveness of their internal controls over finanial reporting. The bill also mandated that an independent auditor's report accompany management's report. Some believe the bill will be reintroduced in 1991.
* Representative Gonzales introduced a bill early in 1991 that proposes somewhat similar reporting on internal control effectiveness by both management and auditor, but it is applicable only to insured depository institutions.
* Attention is returning to a previously proposed SEC regulation that would require a management report on controls--without any auditor assurance, except as might be inferred from the auditor's involvement with the financial statements.
* Five professional organizations representing different financial reporting constituencies--the FEI, AICPA, NAA, IIA, and AAA--have mounted a joint effort to develop "integrated guidance" on controls in response to a recommendation in the report of the National Commission on Fraudulent Financial Reporting (Treadway Commission). The new guidance, which includes criteria that define what is needed to ensure an effective internal control structure, is in an exposure draft entitled Internal Control--Integrated Guidance, released in March 1991, with final issuance slated before the end of 1991.
* The AICPA's Auditing Standards Board is developing updated standards on auditor examination and reporting on the effectiveness of internal controls. An exposure draft is scheduled for release in 1991.
Curiously, despite this increased interest in internal controls, there is still no universally accepted definition of the term. Even within the specific discipline of financial reporting, people define internal controls in different ways. Some perceive the term narrowly--as activities of the accounting department surrounding the general ledger. Others have a broader perspective. Everyone, however, understands in general terms what is meant by being "in control" or "out of control." Hindsight has taught us that many business failures have resulted from the enterprise being out of control, and that effective controls contribute to business success. Accordingly, if the public wants early warning, then the auditor's report should provide comments on controls.
AN AUDITOR'S INVOLVEMENT
Unfortunately, current GAAS do not require the independent auditor to extensively examine controls--a point that is rarely understood. Although an auditor's underlying skills and training provide a basis for understanding the business, its processes, and the controls embodied therein, our profession is not charged with a requirement to provide assurances on the effectiveness of controls over these processes. We report on results--that is, a snapshot of an enterprise's financial position at a given moment in time and the results of its efforts for an elapsed period, but not on the processes that generated these results and the financial presentation of them. GAAS requires the auditor to obtain a "sufficient understanding" of the control structure "to plan the audit," but the standards readily accept the auditor's directly testing the reasonableness of the end-product numbers without obtaining an in-depth understanding of the processes by which those numbers got there.
For example, an auditor can observe and test the compilation of the inventory balance at year-end without performing a detailed review and evaluation of the cost and other control systems used during the year. An auditor can confirm accounts receivable balances at year-end without obtaining a detailed knowledge of the related billing and collection processes that generated such balances. More broadly, and we believe most unfortunately, an auditor could test the operating results--that is, the difference between the balance sheet accounts at the beginning and at the end of the year--without thoroughly understanding the manner in which these results translate into financial statements nor, importantly, the business strategies, objectives, risks and key success factors that underpin them.
Consistent with the limited role just described, auditors are precluded by professional standards from publicly communicating any views they may have developed about the control system or its possible weaknesses unless they are engaged to perform a study in greater depth than that required as part of an audit. While the public does not understand the auditor's role in this regard, the cold facts are that the standard auditor's report expresses an opinion on the fairness of the company's presentation of financial position and results in accordance with GAAP--without regard to, and without mention of, internal controls.
THE ULTIMATE PUBLIC
In a relative sense, too many resources are committed to a focus on the GAAP presentation of an enterprise's financial results and not enough to the underlying processes that yield these results. This is true profession-wide, where far more resources are dedicated to developing GAAP than to developing GAAS. It is also true of individual audtis conducted in accordance with GAAS. At any moment, two companies could have similar financial positions, but one could be out of control and the other in control. The GAAP financial presentation is a snapshot that gives no indication of the potential consequences of either condition. There is simply no communication about controls. Yet history has shown repeatedly that controls are critical indicators of a business's future success.
The current expectation gap reflects a public desire for more information that provides early warning signals of potential business problems and/or business failures. The public wants information on risks and uncertainties that will affect the future, not merely a focus on past results. More importantly, investors are eager to know whether the company is in control. Does the enterprise have a process that identifies its objectives or key success factors? Does that process identify the risks associated with these objectives? Does it effectively address the approach used to mitigate risks and their adverse consequences? The ultimate public interest is to build strongly competitive businesses that succeed. Being in control is fundamental to that success.
To advance this public interest, auditors should focus more on reviewing, evaluating and reporting on how management controls the business activities of the enterprise, together with evaluating the controls in place to ensure that these business activities are properly accounted for and reported.
Those who dismiss such auditor activity as only adding unnecessary costs to large segments of American business are wrong. They miss the fundamental significance of recognizing and identifying the increased business risk that exists in poorly controlled enterprises. Effective controls are as important, if not more important, to an orderly flow of capital than is the snapshot picture portrayed in GAAP financial statements. If our profession is to maintain and enhance its value and serve the public interest, we need to accept this responsibility. The expectation gap is not just about the usefulness of the financial statements; it is also about what the auditor does and reports.
THE CHALLENGE TO THE
Our role as auditors should be redirected to address the public expectation for early warning signals and the ultimate public interest. More specifically, we need to address four areas: 1) developing a better understanding of what it takes to have effective controls; 2) enhancing auditor skills relating to business processes and controls; 3) developing more effective auditing standards; and 4) enhancing auditor communications about controls to businesses and the public alike. We propose the following necessary steps:
1. Dedicate more resources to ongoing development and understanding of the attributes of the control processes that provide the assurance that effective controls are in place--both those that surround operations and business decision-making, and those that contribute to reliable financial reporting. The project to develop "integrated guidance" mentioned earlier is an important contribution, but it should be regarded as only the first step. That effort should be extended--first, to develop sharper guidance tailored specifically to individual industries. Perhaps more importantly, a multi-disciplined group should be formed to monitor and obtain ongoing feedback on the guidance in order to enrich it. The profession should dedicate more resources to the control processes that underpin successful operating results, not merely to quantifying results.
2. Further develop the auditor's skills as they relate to business processes and the controls that underpin them. An auditor already possesses effective data-gathering and analytical skills. Exposure to varied business environments enables the auditor to apply objectively what has been learned to analogous situations. However, we need to take advantage of these underlying capabilities by developing more specifically the auditor's knowledge about how the most successful businesses are controlled. The auditor's outside objectivity can be a helpful addition to management's internal perspective.
3. Develop more effective standards to define what the auditor must do to support an opinion on the effectiveness of an enterprise's control processes. The current ASB project briefly described above is a good first step, but it is intended to address only controls over financial reporting. An auditor's public communication needs to extend to include the effectiveness of business controls, but that communication would be hollow without a basis of standards that assures the opinion is well supported. Professional resources should be reallocated. A great deal of thought has gone into drafting GAAS supporting the assurance that an auditor provides on the presentation of financial results. A comparable amount of effort is now needed to define the work necessary to credibly report on the financial and business control processes that generate these results.
4. Develop a more effective means for auditors to communicate control evaluations and recommendations for improvement--both internally to management and to the public at large. Too much of the auditor's attention now goes to whether a finding should be categorized as a material weakness, a reportable condition or a matter of lesser importance. Not enough time is committed to thoughtfully presenting recommendations for improvements. For the public, it is not enough to have a standard report communicating that an organization's controls meet a minimum level of effectiveness. All control systems aren't created equal in terms of their quality. An auditor's responsibility to report publicly on controls needs to be structured to include more qualitative findings that go beyond a pass-or-fail standard of effectiveness. Perhaps standards need to be developed for a management and auditor discussion and analysis of controls, just as there now is a management discussion and analysis (MD&A) of the financial results.
THE PUBLIC EXPECTS MORE
The public wants and needs to know not only about financial results but the control processes behind them. Auditors have an opportunity to meet this need by reporting on the quality of the controls--both those surrounding the financial reporting process and those controlling the business activities that create the results. Such information would provide an early warning of out of control situations that signal a risk of future failure. It would also help identify those companies that have made a significant investment in reducing risk--an investment that should be recognized and rewarded in the marketplace.
James G. Hooton, CPA, is a Partner of Arthur Andersen & Co. and Managing Partner--Audit and Business Advisory and Specialty Consulting Services. His responsibilities include the firm's worldwide accounting and audit practice. Mr. Hooton is a member of the AICPA and the Texas Society of CPAs.
David L. Landsittel, CPA, is a Partner of Arthur Andersen & Co., and is the firm's Managing Director of Auditing Procedures. He is serving on the Advisory Council to the Committee of Sponsoring Organizations of the Treadway Commission. Mr. Landsittel is a member of the AICPA and the Illinois CPA Society and was Chairman of the AICPA Auditing Standards Board.
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.
©2009 The New York State Society of CPAs. Legal Notices
Visit the new cpajournal.com.