Matching Internal Controls to Real Life Change
Division Accounting and Finance, Executive Leadership, Information Technology
June 21, 2018
Auditing Transition Adjustments
Obtaining an understanding of a company’s selection and application of accounting principles is part of the auditor’s procedures to identify and evaluate risks of material misstatement under PCAOB standards. Additionally, the auditor is required to evaluate a change in accounting principle to determine whether the method of accounting for the effect of a change in accounting principle is in conformity with generally accepted accounting principles and whether the disclosures related to the accounting change are adequate.
The new revenue standard provides two transition options for applying the new standard (full or modified retrospective application). A full retrospective application requires the recasting of prior year financial statements as if the new standard had been applied in those years. In contrast, a modified retrospective application requires disclosure of the effect on each financial statement line item in the period of application, and explanations of significant changes between the reported results under the new standard and those that would have been reported under current accounting principles. Under either option, the company recognizes the cumulative effect of adopting the new standard against opening equity of the earliest period of application.
The new revenue standard also provides optional practical expedients that may be applied during the transition. The standard requires the practical expedients to be consistently applied and disclosed in the financial statements.
It is important for auditors to identify and assess the risks of material misstatement associated with the company’s transition adjustments and design and implement audit responses that address those assessed risks. Specific considerations in assessing and responding to the risks of material misstatement of the transition adjustments include, among others, (a) internal control over financial reporting, (b) data that may not have been audited previously, (c) opportunities for committing and concealing fraud, and (d) prior-period misstatements identified in the current period’s audit.
Internal controls over the transition adjustments will generally be relevant to the audit, including in selecting controls to test in an audit of financial statements (if the auditor plans to rely on such 1.12 18 controls) or an audit of internal control over financial reporting. As described in Practice Alert No. 11, auditors are cautioned that controls must be tested directly to obtain evidence about its effectiveness; an auditor cannot merely infer that control is effective because no misstatements were detected by substantive procedures. This applies to the evaluation of evidence about the effectiveness of internal controls over the transition adjustments.
Auditing transition adjustments involves obtaining company-produced information (e.g., standalone selling prices of the distinct goods or services underlying each performance obligation). As is the case generally with company-produced information, the auditor should perform procedures to evaluate whether the information produced by the company is sufficient and appropriate for purposes of the audit.
In situations where management has asserted in the financial statements that the company’s transition adjustments are immaterial, it is important for auditors to perform procedures to test the accuracy of management’s assertions.
The transition adjustments could pose new or heightened fraud risks. For example, a company could improperly identify performance obligations or improperly allocate transaction prices to performance obligations to defer revenue in order to recognize that revenue in subsequent periods. Auditors should evaluate whether the information gathered in obtaining an understanding of the company’s transition adjustments indicates that one or more fraud risk factors are present and should be taken into account in identifying and assessing fraud risks.
When auditing the company’s transition adjustments, the auditor may identify a misstatement of revenue reported in prior-period financial statements. The auditor should perform procedures described in AS 2905, Subsequent Discovery of Facts Existing at the Date of the Auditor’s Report, to determine whether or not the financial statements and auditor’s report should be revised as a consequence of the misstatement.
Considering Internal Control over Financial Reporting
PCAOB standards require the auditor to obtain a sufficient understanding of each component of internal control over financial reporting to (a) identify the types of potential misstatements, (b) assess the factors that affect the risks of material misstatement, and (c) design further audit procedures. Changes to company processes for the implementation of the new revenue standard can affect one or more components of internal control. For 19 relating to this principle is management evaluating competence across the organization and in outsourced service providers and acting as necessary to address any shortcomings identified.
In addition, new or modified processes and systems to gather contract data, develop new estimates, and support new financial statement disclosures can affect the auditor’s risk assessment. Performing walkthroughs can help the auditor understand the flow of transactions, evaluate the design of controls relevant to the audit, and determine whether those controls have been implemented. In an audit of internal control, walkthroughs can also be an effective way to further understand the likely sources of potential misstatements and select controls to test.
Internal Control-Related Considerations
The following discussion highlights certain internal control-related considerations that may be relevant to auditing the implementation of the new revenue standard in audits of internal control over financial reporting and audits of financial statements.
– Information system and manual controls. The auditor should obtain an understanding of the information system relevant to financial reporting, including, among other things, (a) the related business processes; (b) the related accounting records and supporting information used to initiate, authorize, process, and record transactions; and (c) how the information system captures events and conditions, other than transactions, that are significant to the financial statements. As discussed in Practice Alert No. 11, how a company uses or modifies its information systems (e.g., upon implementation of the new revenue standard) can affect internal controls and, in turn, the auditor’s evaluation of those controls. The auditor should obtain an understanding of, among other things: • The extent of manual controls and automated controls related to revenue used by the company, including the information technology general controls (“ITGCs”) that are important to the effective operation of the automated controls; and • the specific risks to a company’s internal control resulting from information technology. During the transition to the new revenue standard, some companies might utilize spreadsheets and other short-term manual processes until automated processes and controls are implemented. These short-term manual processes may present different or greater risks of material misstatement than automated processes subject to effective ITGCs.
– Management review controls. Some companies may design and implement management review controls over revenue as part of their implementation of the new revenue standard. When testing management review controls, PCAOB standards require the auditor to perform procedures to obtain evidence about how those controls are designed and operate to prevent or detect misstatements. Practice Alert No. 11 described considerations for evaluating the precision of management review controls and identifies factors, such as the level of aggregation and the criteria for investigation, that can affect the level of precision of an entity-level control. 1.14 20 When selecting and testing management review controls over revenue, it is important for auditors to consider the impact of the new revenue standard on management review controls that rely on expectations based on historical operations or trends. Further, controls over the accuracy and completeness of the information used to perform the management review control can affect the control’s operating effectiveness.
– Reviews of interim financial information. The auditor’s understanding of internal control is also important when performing a review of interim financial information. The auditor should have sufficient knowledge of the company’s business and its internal control as they relate to the preparation of both annual and interim financial information to:
Identify the types of potential material misstatements in the interim financial information and consider the likelihood of their occurrence; and
Select the inquiries and analytical procedures that will provide the auditor with a basis for communicating whether he or she is aware of any material modifications that should be made to the interim financial information for it to conform with generally accepted accounting principles.
The auditor should perform procedures to update his or her knowledge of the company’s business and its internal control during the interim review to (a) aid in the determination of the inquiries to be made and the analytical procedures to be performed and (b) identify particular events, transactions, or assertions to which the inquiries may be directed or analytical procedures applied. Such procedures should include, among other things, inquiries of management about changes to the company’s business activities, and the nature and extent of changes to internal control.
Identifying and Assessing Fraud Risks
The auditor should presume that there is a fraud risk involving improper revenue recognition and evaluate which types of revenue, revenue transactions, or assertions may give rise to such risks. Auditors should perform substantive procedures, including tests of details that are specifically responsive to the assessed fraud risks. As discussed in Practice Alert No. 12, performing such procedures involves (a) considering the ways management could intentionally misstate revenue and related accounts and how they might conceal such misstatements, and (b) designing audit procedures directed toward detecting intentional misstatements. Identifying specific fraud risks arising from the implementation of the new revenue standard involves having a sufficient understanding of the standard as well as the company’s processes, systems, and controls over its implementation of the standard.
Fraud risks may exist at various levels and in different areas of a company. PCAOB standards require auditors to make certain fraud-related inquiries of management, the audit committee (or the equivalent), and others within the company.
Key engagement team members, including the engagement partner, should brainstorm about how and where they believe the company’s revenue and related accounts might be susceptible to fraud. They should also discuss how management could perpetrate and conceal fraud, including by omitting or presenting incomplete or inaccurate disclosures.
Brainstorming also includes discussing factors that might (a) create incentives or pressures for management and others to commit fraud, (b) provide the opportunity for management to perpetrate fraud, and (c) indicate a culture or environment that enables management to rationalize committing fraud.
One potential incentive for fraud arises when new accounting requirements affect a company’s reported financial performance. When combined with excessive pressure to meet expectations of third parties or targets set by the board of directors or management, this could create the motivation to misstate revenue to achieve these expectations. For example, management could establish incorrect accounting policies and practices that achieve revenue targets when the correct application of the new revenue standard would result in revenue below expectations.
Opportunities for fraud in implementing the new revenue standard may arise in the development of significant new accounting estimates or due to control deficiencies that might result from changes made to systems, processes, and controls to implement the new standard. For example, companies may be required to develop estimates for variable consideration and standalone selling prices, which might involve subjective judgments or uncertainties that are difficult to corroborate.
Certain risk factors may reflect attitudes or rationalizations by board members, management, or employees that lead them to engage in or justify fraudulent financial reporting, and may not be susceptible to observation by the auditor. Nevertheless, an auditor who becomes aware of the existence of such information should consider it in identifying the risks of material misstatement arising from fraudulent financial reporting. Examples of risk factors that might arise in connection with implementation of the new revenue standard are (a) non-financial management’s excessive participation in, or preoccupation with, the selection of accounting principles or the determination of significant estimates, and (b) attempts by management to justify marginal or inappropriate accounting on the basis of materiality.
The auditor’s identification of fraud risks should also include the risk of management override of controls. Controls over management override are important to effective internal control over financial reporting for all companies and may be particularly important at smaller companies because of the increased involvement of senior management in performing controls and in the period-end financial reporting process.
Furthermore, the auditor should emphasize to all engagement team members the need to maintain a questioning mind throughout the audit and to exercise professional skepticism in gathering and 1.16 22 evaluating evidence. Practice Alert No. 10 identifies a number of threats to professional skepticism inherent in the audit environment. Auditors should be mindful that circumstances related to the implementation of the new revenue standard may increase such threats in some audits.
Circumstances, where a company is late in implementing the new revenue standard, might create incentives and pressures on the auditor that could inhibit the exercise of professional skepticism and allow unconscious bias to prevail. Incentives and pressures may arise, for example, to avoid significant conflicts with management or provide an unqualified audit opinion prior to obtaining sufficient appropriate audit evidence. In addition, the implementation of the new revenue standard could heighten scheduling and workload demands, putting pressure on partners and other engagement team members to complete their assignments too quickly. This might lead auditors to seek audit evidence that is easy to obtain but may not be sufficient and appropriate, to obtain less evidence than is necessary, or to give undue weight to confirming evidence without adequately considering contrary evidence.
As discussed in Practice Alert No. 12, auditors who merely identify revenue as having a general risk of improper revenue recognition without attempting to assess ways in which revenue could be intentionally misstated may find it difficult to develop meaningful responses to the identified fraud risks.
Because of the nature and importance of the matters covered in this practice alert, it is particularly important for the engagement partner and senior engagement team members to focus on these areas and for engagement quality reviewers to keep these matters in mind when conducting their engagement quality reviews. Auditing firms may find this practice alert helpful in determining whether additional training of their personnel, revisions to their methodologies or implementation thereof or other steps are needed to assure that PCAOB standards are followed
Auditors and auditing firms might also find certain matters discussed in this practice alert to be relevant to their preparations for auditing the application of new accounting standards on leases and credit losses. The PCAOB will continue to monitor auditing of revenue as part of its ongoing oversight activities.