FP&A – the Brave New World of Internal Control

This article offers a brief explanation of why and how the treasury and FP&A functions are now being pulled deeper into the audit, why it matters, what could go wrong, and what teams need to do to prepare.

Rising Audit Failures

The US Sarbanes-Oxley Act of 2002 (SOX) created the Public Company Accounting Oversight Board (PCAOB) to provide oversight of the auditing of public companies. Each year since its formation, the PCAOB has inspected selected audit work papers of audit firms and published its findings in public reports.

In the early days of SOX, the PCAOB found problems with about 15% of the audits it inspected. In 2014, the PCAOB’s inspection reports showed an average failure rate for the Big Four audit firms of more than 39%, with two firms reaching 46% and 49% respectively. A substantial number of the PCAOB’s criticisms centred on failure to provide persuasive evidence that internal controls were operating effectively or at a level of precision that would detect or prevent material misstatements. The chair of the PCAOB, James Doty, recently said that reports to be released in 2015 would show no significant improvement.

Audit firms have taken the PCAOB’s criticisms seriously and responded by changing both their audit approach and scope of work. Auditors are performing more extensive, costly, and time-consuming audit procedures related to internal controls, sometimes even after issuing their audit opinion. Some companies had to amend previously filed Form 10-Ks, the annual reports required by the US Securities and Exchange Commission (SEC), to report previously undisclosed material weaknesses, and also faced significant increases in related audit fees. In most instances, these actions did not result in changes to the financial statements.

Members of the SEC Professionals Group, a private, members-only association of accounting professionals who actively prepare and file financial reports with the SEC, confirm that these changes are significant and widespread. In early December 2014, they reported that, compared with prior years, audit firms are now asking more aggressive questions, especially about the basis of management projections and decisions, and demanding substantially more evidence that internal controls are well designed and operating effectively.

How and Why this Affects the Treasury and FP&A Functions

In a substantial number of cases, the audit failures cited by the PCAOB were principally failures of documentation by the audit client. In short, auditors were unable to collect, organise and present the necessary evidence because the individuals preparing projections, or performing key controls, failed to create the necessary evidence in the first place.

For example, when considering financial projections used to support the carrying value of intangible and hard-to-value items such as goodwill and certain investments, the PCAOB found that one firm failed to provide evidence that key assumptions underlying the projections were reasonable. In another case, the PCAOB cited a firm for failure to provide evidence that projections themselves were reasonable, given the client’s past track record with projections. In each case, it’s likely that the auditor could not provide the necessary evidence because the audit client didn’t have it.

The PCAOB also found that the documentation companies produce is often so vague that it simply fails to describe what the company’s managers and decision makers did. Basically, that’s what the PCAOB means when it criticises companies and their auditors for failing to demonstrate that controls were working at “a level of precision” necessary to detect and prevent material misstatements.

Consider what happens when an executive signs a document to signify that he/she reviewed and approved it. What exactly does that signature mean? Companies often provide little or no evidence for the auditor to tell whether the signer thoroughly reviewed all of the underlying calculations, confirmed all of the supporting documents and concluded on consistency with accounting principles and overall reasonableness, or whether it was only a “robo-signing” exercise.

Auditors will also be scrutinising the statement of cash flows. As the information service Compliance Week reported in December, the SEC “is calling on companies to tighten accounting procedures and controls pertaining to statement of cash flows, amid a steady rise in restatements associated with that rather nettlesome financial document.”

One PCAOB director noted that inspectors will also be looking more intently for evidence that companies (and their auditors) are taking steps to appropriately identify and address all significant transactions which might have a meaningful impact on the statement of cash flows.

The message for treasury and FP&A teams is that to survive in this new audit environment, you need to beef up your company’s documentation in ways you haven’t had to do in the past.

The Documentation Nightmare

In light of today’s enhanced audit scrutiny, it’s probably a safe bet that the demand for more complete and detailed documentation will create an unwelcome burden on many treasury and FP&A teams. It’s also likely that this demand will get bigger before it gets better.

Satisfying that demand is easier said than done.

In hundreds of interviews – with teams at companies struggling with these issues – Workiva has found a common theme. Most believe they have, or could produce, the necessary documentary evidence, but the component parts are too disorganised and scattered to use effectively. Team members complain they suffer from inconsistent versions of key documents and templates that are difficult to track and manage. They also cite inconsistent storage and retrieval practices, as well as cumbersome, time-consuming and error-prone manual processes for capturing and documenting the necessary evidence. Without a doubt, most companies find that there are too many moving parts in their business processes.

The result is obvious – even when companies have well-designed controls (including detailed and thoughtful projections) operating effectively, they often don’t have the documentary evidence to give their auditors in a readily accessible and usable form. Therein lies the problem.

Companies that lack adequate documentation have recently faced expensive and time-consuming audit problems. Some have had to amend their 10-Ks to report previously undisclosed material weaknesses. Adding to the pressure, the SEC recently sent comment letters to companies questioning their internal controls and increased the number of enforcement actions due solely to deficiencies in internal controls.

In one recent example, the SEC filed charges against the chief executive officer (CEO) and former chief financial officer (CFO) of a technology services company over internal controls violations. The law firm Morgan Lewis noted this enforcement action was important because it didn’t “involve any allegations of misstatements in financial statements, deliberate or otherwise,” nor did it contain “any allegations of other wrongdoing, such as bribery or corruption.”

This was the first time the SEC filed charges exclusively for an internal controls violation since SOX was enacted. Some SEC watchers believe this case foreshadows even greater scrutiny of internal controls by the SEC’s Division of Enforcement in the future.

What You Need To Do To Prepare

Our advice for preparing for and dealing with increased demands for more documentation is threefold. First, be aware of these increased audit demands and take them seriously. Discuss your past and new expectations for documentation with your controller, internal auditor and possibly your external auditor.

Second, ensure that your treasury and FP&A teams understand what is required to:

  • Document key assumptions in projections and also why those assumptions are reasonable.
  • Assess historical accuracy of past projections and document the reasons why current projections are credible.
  • Document all significant transactions that might have a meaningful impact on the statement of cash flows.

Finally, seek out and take advantage of new business reporting technologies that dramatically reduce the burdensome manual effort described above. Companies adopting these technologies report that they have been able to eliminate version control problems, automate storage and retrieval practices, and actually reduce the time necessary to comply, even as demands on their time have increased.

Auditors have responded to the demands of the SEC and PCAOB by turning up the pressure on their clients to improve documentation. Much of that pressure will fall on treasury and FP&A teams. Those prepared to satisfy auditors’ increased demands while minimising the associated burdens will likely survive and prosper in the brave new world of internal control.

