Management review controls (MRCs) are the top deficiency, followed by failure to test reports. (You can see the full 2016 PCAOB Big Four Inspection summary below - click to enlarge). As a result of these findings, external auditors are pushing the rigor of PCAOB findings to their clients, especially around MRCs. What may have been an adequate review control in prior years is no longer sufficient for external auditors in the current audit period, and companies are being left to figure out how to address the increased requirements and scrutiny for MRCs.
Management review controls are any key reviews performed by a company’s management over financial information such as estimates or reconciliations for reasonableness and accuracy. In most cases, a manager will review the specific financial document (e.g., bad debt reserve, etc.) prepared by a financial analyst, review the document in detail and work with the analyst to reconcile any discrepancies, and sign-off on the financial document.
Management Review Controls are important because they are critical to an effective control environment. The financial documents reviewed as part of MRCs cover a wide spectrum - some examples include:
Ultimately, these controls are usually the last line of defense in identifying any discrepancies or errors before these financially-relevant documents are considered finalized. As such, they are often a critical detective control in a company’s SOX and internal controls environment.
While the MRC process seems straightforward upon first glance, there are several other factors that must be considered from an audit perspective. For one, the subjective nature of management review controls makes them more difficult to audit than other types of controls. They require heavy analysis that can only be performed by individuals with extensive experience and knowledge. As a result, auditors are being forced to push for more documentation around the review process. A simple signature on a bank reconciliation is no longer sufficient, and auditors typically need to have enough documentation to be able to prove what a reviewer did as part of their procedures and how they were able to resolve any issues.
Additionally, each situation requires a unique set of procedures as part of the review process and level of precision. There are no universally defined procedures for all of the different review documents in most companies’ environments, and it is ultimately up to the company to develop procedures that meet the appropriate level of precision required by both internal and external auditors. While management may be concerned with allocating too much time / resources to a specific review, auditors are requiring that there be sufficient procedures to identify any material differences (e.g., precision) rather than just a blanket approval.
In some cases, there might be some high-risk areas that are not suited for management review and are better purposed for automation through systematic check & balances in a software or ERP system.
To summarize, some of the key issues PCAOB and SEC focused on when auditing management review controls include:
When it comes to building effective management review controls, CNM’s biggest tip is to focus on preventative measures. Rather than relying on the review (e.g., detective control), it can be more productive and efficient to build the required elements into the original process, rather than bolting them onto the reviewer control. This could involve building out more automated processes, where an application is set-up to identify and flag any outliers for management review/resolution, or more precise procedures in place to lay out specific steps taken in the event of an outlier.
By addressing the fundamental requirements of a MRC and placing additional effort at an earlier stage in the process, the supporting documentation will be higher quality and better facilitate the reviewer’s review. At this point,
By pushing the effort to the preparer, reviewers can free up time to focus on truly critical issues and less on creating a paper trail.