by Cydney Posner
It’s getting to be that time of year when visions of sugarplums may dance in your head — alongside more mundane thoughts and concerns about financial statements, audits, audit committees and year-end reporting that just might disturb your otherwise pleasant holiday season. With that in mind, this column in Compliance Week offers two tips that may help the audit committee prepare for the year-end onslaught.
The first is a reminder about the 2013 COSO internal control framework. As you know, Exchange Act Rule 13a-15 requires that management evaluate annually the effectiveness of the company’s internal control over financial reporting based on a “suitable, recognized control framework.” As previously discussed in PubCo here and here, the original 1992 COSO internal control framework was deemed by COSO to be “superseded” as of December 15, 2014. However, because COSO has no regulatory enforcement authority, there has been some question about how rigid that timeframe really is, and the SEC has not clearly addressed the question of whether a framework that is past its sell-by date is still considered “suitable” and “recognized” for 10-K purposes. However, the longer companies have delayed adoption — and apparently some companies have still not adopted the new framework — the more likely they are to receive SEC staff comments. The column indicates that the SEC’s chief accountant has recently been dropping hints about the new framework and that the SEC may be getting more serious about the need to shift gears: the “scuttlebutt in Washington is that starting in 2016, any public company disclosure that has not updated and continues to use the previous 1992-era COSO guidelines will have a higher chance of drawing scrutiny, and possibly some questions, from the SEC Division of Corporate Finance.” The columnists advice: “Do the work to embed risk and ICFR disclosure in the COSO 2013 guideline framework, or prepare for questions about why you haven’t.”
The second organizing tool that might be of use to audit committees is the PCAOB’s initiative on audit quality indicators (AQIs) proposed in a PCAOB concept release that seeks “comment on the content and possible uses of audit quality indicators, measures that may provide new insights into audit quality.” (See the sidebar in this PubCo post.) Here are the press release and the related fact sheet for the AQIs. The AQIs address topics such as the availability, competence and focus of audit professionals; the audit firm’s tone at the top and leadership, incentives, independence, infrastructure and record; and audit results for the financial statements (e.g., frequency of financial restatements), internal control, going- concern reporting, communications between auditors and audit committees and enforcement and litigation. The column suggests that the AQIs, while not mandatory, may be instructive in planning the audit and selecting an audit firm or engagement team. Alternatives to the PCAOB’s AQIs could be the Center for Audit Quality’s approach to AQIs or the Audit Committee Collaboration’s new tools, the External Auditor Assessment Tool: A Reference for Audit Committees Worldwide and an updated U.S. version of the External Auditor Assessment Tool (see this PubCo post ).
In addition to providing tools for the audit committee to actually oversee the audit process and assess the auditors, the columnists contend that AQIs may be useful for another purpose: they will also help the audit committee explain how it fulfills its obligations. While there is no current requirement to do so, the SEC has floated this concept release seeking public comment on possible new reporting requirements focused on the audit committee’s responsibilities with respect to its oversight of the independent auditor. (See this PubCo post.) Among the types of disclosures being considered are disclosures addressing the actions the audit committee has taken during the most recently completed fiscal year to oversee the auditor and the audit and the steps involved in the process to assess the independence and objectivity of the auditor and the quality of the audit. Employing some of the AQIs could help the audit committee respond to some of those disclosure issues if they are ultimately mandated. And given the positive results in the UK (which has already mandated expanded audit and audit committee reports), as reflected in this study showing that enhanced reports have led to better audits (see this PubCo post ), it seems fairly likely that some type of expanded disclosure will be imposed.
But even if additional disclosures are not mandated by the SEC, the columnists note that institutional investors expect to increase their focus on audit committees (after having temporarily strayed, in connection with say on pay, to focus on the compensation committee). For example, they cite a CalSTRS comment letter on the SEC concept release “reveal[ing] that it has contacted a number of companies in its portfolio that have used the same audit firm for more than 100 years and asked for an explanation.” According to the columnists’ forecast, “scrutiny [of audit committees] is about to increase,” and use of these tools may help audit committee members manage their increased burdens.