Protecting Investors through a Coordinated System of Audit and Audit Oversight

Date: March 9, 2015

Speaker: Jeanette M. Franzel, Board Member

Event: Institute of Internal Auditors 2015 General Audit Management Conference

Location: Las Vegas, NV

I am honored to be here today to discuss how stakeholders view the internal audit function. We, at the PCAOB, have many aligned and common interests with internal auditors at public companies.

Those common interests include promoting reliable financial reporting, strong internal controls, and high quality financial audits — all necessary to promote confidence and integrity in the securities markets while protecting investors and the public interest.

We also have common stakeholders, including investors, audit committees, CFOs and other business leaders, and external auditors, although the nature of our relationships with them are different.

Before I go further, let me say that the views I express today are my own and do not necessarily reflect those of the Board, other Board Members, or the staff of the PCAOB.

* * *

Internal auditors and the PCAOB are part of the larger ecosystem of key actors who have roles and responsibilities in assuring effective and efficient capital markets. To best achieve these objectives, we each need to do our part.

Today I'd like to provide my perspective on the relationships among some of these key actors, or stakeholders, and the contributions that internal auditors make to the assurance process. I will also touch on PCAOB inspection results involving the external auditor's use of the work of internal audit.

My key message to you today is that internal audit is vital to the overall assurance framework, including the external audit process, and I encourage internal and external auditors to continue to engage effectively throughout the process.

IIA's "Three Lines of Defense" and the PCAOB

In its "Three Lines of Defense" model,^[1] the IIA presents a compelling case for the importance of effective and efficient coordination among the components of a company's risk management and control structure.

It describes a "systemic approach" made up of three lines of defense within a company to "coordinate essential risk management duties:" (1) management control, (2) management's risk and compliance oversight functions, and (3) internal audit. The model defines senior management and governing bodies (including audit committees) as the primary stakeholders for these three lines of defense.

Source: The Institute of Internal Auditors, IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control, January 2013, page 2. Used with permission.

As the IIA acknowledges in its paper, external auditors, regulators, and other external bodies have an important influence in a company's governance and control structure, and "when coordinated effectively [they] can be considered as additional lines of defense."^[2]

The PCAOB is one such regulator, overseeing the external auditors of public companies trading in U.S. markets. The diagram below depicts the relationship of PCAOB regulation and the external audit to the three-lines-of-defense model.

PCAOB and External Audit Relationships to the Third Line of Defense

Source: PCAOB Board Member Jeanette M. Franzel. Adapted, with permission, from the Institute of Internal Auditors.

The connections, aligned interests, and common stakeholders of the PCAOB and internal audit are evident. A fairly direct connection exists through internal audit's involvement in and coordination with the external financial audit, which is subject to PCAOB inspection.

Another connection is through the company's audit committee, which oversees both internal and external audit functions. The audit committee is a shared stakeholder.

In 2012, the PCAOB began an initiative under its strategic plan to enhance its outreach to and interaction with audit committees. The goal was and is to constructively engage to further our common interests, including audit quality and auditor independence. The Board continues to focus on this initiative as a high priority.

Needless to say, internal audit plays an important role in this system of assurance and oversight.

PCAOB Inspections and Internal Audit

We all know — and IIA survey results and other data bear this out -- that internal auditors frequently provide needed support to the external audit, and external auditors use that work as evidence to support their own audit work and conclusions.

This is consistent with what we see in our inspections. As a result, PCAOB inspection procedures often involve looking at whether a firm appropriately used the work of internal auditors. For example, if PCAOB inspectors select revenue as a focus area in an inspection, and the audit engagement team used the work of internal auditors (or others) to support its own work, the PCAOB would inspect the totality of the work performed in auditing revenue, including how the external auditor used the internal auditor's work as part of the overall audit procedures for that audit area.

In addition to looking at the totality of the audit work for a given audit area, such as revenue, inspectors specifically consider how the external audit team met the requirements set forth in PCAOB standards for using the work of internal auditors.^[3]

In those situations, our inspectors ask the following questions, based on the standards:

• Did the external audit team evaluate the objectivity and competence of the individuals performing the work?
• Did the external audit team consider materiality, the risks of material misstatement, and the degree of subjectivity involved when assessing the extent to which it used the work of internal auditors?
• Did the external audit team evaluate the quality and effectiveness of the work performed by internal audit?

With that background, I will say that, overall, our inspection results regarding the external auditor's use of internal auditors' work are relatively positive.

For the U.S.-based member audit firms of the six largest global networks,^[4] the number of audit deficiencies involving the external auditors' use of internal auditors' work is low overall; and it is low on a relative basis as well, when compared to other frequently cited deficiencies and to the total number of deficiencies identified through our inspections.

The table below summarizes the deficiencies related to the external auditor's use of the internal auditor's work in relation to overall inspection results.

a — Generally, inspection reports for these firms were issued in the calendar year following the inspection year. In general, audits inspected during the inspection year were audits for fiscal years that ended during the prior calendar year.

b -- These deficiencies relate to the external auditor's use of the internal auditor's work under AS No. 5, paragraphs 16-19, and AU sec. 322.

Common findings involving the use of internal audit work generally fall under the following themes:

• The auditor did not obtain an understanding of the nature, timing, and extent of the procedures performed by internal audit and failed to test internal audit's work.
• The auditor failed to appropriately respond to the nature of the evidence and the specific audit findings provided by internal audit.
• The auditor used the work of internal audit but did not perform any work or performed only very limited work in cases where additional work should have been done by the external auditor.
• The extent of the auditor's use of internal audit's work was inappropriate, given the significance and risk associated with that audit area and the fact that the auditor conducted little or no testing of the area.

Here is a list of the inspection reports and the corresponding audits that included the deficiencies involving the use of internal audit work noted above. These are all on our website if you'd like to read more details on these issues.

In addition to the above deficiencies related to the external auditor's use of the work of internal audit under AS No. 5, paragraphs 16-19, and AU sec. 322, there were also several deficiencies in which the external auditor did not properly respond to internal control deficiencies detected by internal auditors. (See AS No. 5, paragraphs 62-70.)

Even though internal audit-related deficiencies do not appear in PCAOB inspection reports as frequently as other types of audit deficiencies, the issue is serious when the external auditors' use of internal audit work does not meet PCAOB standards and results in insufficient evidence to support the external audit opinion.

Such scenarios may indicate a lack of effective coordination and should be of great concern to an audit committee in its oversight of both the internal and external audit functions.

If your company's audit has been cited for a deficiency in the use of internal audit's work, you can take the lead by working with the external auditor and the audit committee to help ensure that the external audit team has what it needs from you on a timely basis. Although compliance with PCAOB standards is the responsibility of the external auditor, both internal audit and the audit committee have an interest in making sure that the auditors properly use and evaluate the work of internal auditors.

Internal auditors are in a position to have a significant positive impact on the external audit by making sure that the communication and coordination with the outside auditor and the audit committee run smoothly and swiftly.

Because of the seriousness of this issue, the topic, "Using the Work of Others," was discussed in a PCAOB Staff Audit Practice Alert No. 11, Considerations for Audits of Internal Control over Financial Reporting, issued a year and a half ago (October 2013), and audit firms have been taking steps to help ensure that they are following PCAOB standards in this area.

I want to stress the importance of getting this right. I am disappointed to hear anecdotal accounts of external auditors choosing to reduce or avoid reliance on the work of internal audit, regardless of risk, in an attempt to avoid a potential PCAOB finding in this area. Such an approach removes professional judgment from the process, potentially causes gaps in the system of assurance over financial reporting, and can put even more stress on an already stressed external audit team.

Letting the pendulum swing too far is not a solution audit firms should be using to respond to PCAOB findings in this area. Essential value will be lost if external auditors simply avoid the use of internal auditors' work or turn this process into a massive duplication effort and check-the-box documentation exercise.

Effective use of internal audit work to support the external audit enhances assurance not only through the external audit process, but also enhances internal audit's knowledge and experience that can be applied across its assurance functions as the "third line of defense."

I am pleased to see that the IIA's 2015 Pulse of Internal Audit report deals with this issue in some depth.^[5] The "Strategic Considerations for Internal Audit" included in the report^[6] include a great set of questions for internal auditors to use as a starting point when collaborating with external auditors and audit committees.

I urge external auditors, internal auditors, and audit committees to continue to seek ways to use internal audit effectively in order to maximize the benefits of an integrated system of assurance, including the value added by internal audit to the external audit function.

Ultimately, all of these functions must work effectively, and work effectively together, to protect investors.

PCAOB Outreach to Audit Committees is Relevant to Internal Audit

The PCAOB also reaches out directly to audit committees to pursue our common interest in achieving high quality audits. The Board's engagement with audit committees involves two fundamental components: listening to audit committees to understand their priorities, needs, and concerns; and exercising the Board's oversight activities to make sure that auditors are communicating effectively with audit committees about the audit. These activities cascade across PCAOB's programs and operations.

Because you, as internal auditors, support the audit committee and often interact with outside auditors, you are sitting in a seat of tremendous opportunity to be proactive and add significant value to the process. I have been privileged to be invited by some audit committees to visit with them and see firsthand this valuable coordination, as well as the overall heavy workload and concerns of audit committee members. I have also had the privilege to interact with many of you and gain an appreciation for the contributions that you make to this system.

In addition, we, at the PCAOB, benefit from the insight and perspectives of audit committee members through a variety of venues, including:

• Formal meetings of the Board's Standing Advisory Group, on which many members of audit committees serve, to discuss matters related to the Board's professional standards as well as other PCAOB-related issues;^[7]
• Roundtables and other public meetings to discuss standard-setting topics, such as the auditor's reporting model and auditor independence, at which members of audit committees and governance bodies participate;
• Rulemaking, consultation papers and other activities through which we ask questions and solicit data related to the needs and interests of audit committees;
• Discussions with audit committee members about potential enhancements to our inspection reports and on the potential use of audit quality indicators;
• Conferences and events at which we participate to engage with the corporate governance community about PCAOB's programs and activities; and
• Global dialogue with foreign regulators and audit committee members about audit quality, at events such as those hosted by the International Forum of Independent Audit Regulators.

Through this outreach, I have heard a number of consistent themes from audit committees and their members that center around the increasing levels of stress in the system, involving audit committees' increased workloads and the increased risk and complexity of the many issues that companies are currently facing. These issues include cybersecurity risks, geopolitical conflicts and uncertainty, economic volatility, increasing regulatory scrutiny and new initiatives, and operational risks.

At the same time, audit committees tell us that they are dedicating significant time and effort to maintaining a focus on the core functions of overseeing financial reporting, internal controls, and the audit functions. To that end, many audit committee members have asked the PCAOB for more timely and targeted information about our oversight results, as well as analysis that provides useful insights that audit committees can immediately apply in their day-to-day activities.

The PCAOB is taking steps to respond to such calls. Stay tuned.

There is also an opportunity here for internal auditors. A recent global audit committee survey indicates that audit committees are generally satisfied with the value that internal audit delivers to their companies, with some room for improvement. In fact, audit committees are looking to internal audit for greater value.^[8]

I believe it is well worth the time and effort for internal audit functions to formally assess their own performance on a regular basis, including getting the perspectives of the audit committee.

In my view, internal auditors are uniquely positioned to make significant contributions to audit committees as they face the challenges of the current business environment and its related risks. The opportunity is enormous, given internal audit's responsibilities across a company for performing risk assessments, developing risk-based audit plans that cover a full range of operational and financial risks, conducting those audits, and performing work to support the external audit.

In addition, internal audit can use the knowledge and insights gained from their work to further analyze and address other issues related to strategic and business risks and corporate governance.

So you see I have a high regard for internal auditors and their role in the financial ecosystem.

Update on the "Perfect Storm" in ICFR

Lastly, I want to update you on my theme from last year's conference, at which I discussed the "perfect storm" developing in internal control over financial reporting. That storm was brewing as management, internal auditors, and external auditors were implementing the 2013 COSO Internal Control Framework^[9] at the same time that external audit firms were taking steps to respond to PCAOB inspection findings on their audits of internal control. External auditors were responding to PCAOB inspections that detected a high level of deficiencies in internal control audit work.

A year later, I think it is fair to conclude that we are weathering the storm well. During the past year, auditors have focused on improving the quality of their audits of internal control over financial reporting while companies have focused on adopting the updated COSO framework

Preliminary results of the 2014 inspections indicate that some improvements have been seen in the area of auditing internal control. That is positive news, especially given the significant changes that were occurring for both management and the auditors.

Recently, the head of inspections at the PCAOB, Helen Munter, reported that 2014 inspections have shown some promising overall improvements in the audit work performed at many firms. We are starting to see a downward trend in the number of findings and the nature (severity) of findings in some firms, and this includes findings in the area of auditing internal control over financial reporting.

We've seen some improvements in the assessments of the risks of material misstatement and identification of the appropriate controls to address those risks. But we continue to find persistent deficiencies in the testing of those controls, particularly controls that have a review element associated with them.

I will caution you, though; more strides still need to be made by audit firms here, as auditing internal control is still the most frequent area of inspection findings.

Internal control over financial reporting is an area for which is it very important to achieve the right balance and "get it right" through the entire financial reporting and auditing chain. To the extent that external audit deficiencies persist in this area, investors are not provided with sufficient assurance or information about the effectiveness of a company's internal control over financial reporting.

A strong set of internal controls, the "First Line of Defense" in the IIA's model, is key to providing assurance over the integrity and fairness of financial reporting. External audits under Auditing Standard No. 5 are designed to provide investors and other stakeholders with an opinion on the effectiveness of the company's internal control over financial reporting, and information about whether material weaknesses in internal control exist as of the date of management's assessment.

Although we are seeing positive indications in the audit of internal control over financial reporting, this is an area where all parties need to remain vigilant and continue to strive for improvements.

Concluding Thoughts

Internal audit is frequently a key part of an effective external audit, and I again encourage internal auditors and external auditors to continue to collaborate effectively throughout this process.

So, here we are: internal auditors, audit committee members, regulators, and external auditors in this audience — protecting investors, company shareholders and employees, and the integrity of our financial system, one audit at a time.

This conference presents a fantastic opportunity to advance the dialogue on these important topics. I look forward to continued progress as we work toward our common goals of assurance and integrity throughout the financial reporting and auditing chain.