The latest PCAOB firm inspections reveal troubling findings around the inadequacy of management review controls. Out of 211 issuer inspections, the PCAOB identified 40 audits (nearly 1 in 5) with management review control deficiencies.
Management review controls (MRCs) are the top deficiency, followed by failure to test reports. (You can see the full 2016 PCAOB Big Four Inspection summary below.) As a result of these findings, external auditors are pushing the rigor of PCAOB findings to their clients, especially around MRCs. What may have been an adequate review control in prior years is no longer sufficient for external auditors in the current audit period, and companies are being left to figure out how to address the increased requirements and scrutiny for MRCs.
What are Management Review Controls and why are they so important?
Management review controls are any key reviews performed by a company’s management over financial information, such as estimates or reconciliations, for reasonableness and accuracy. In most cases, a manager will take a specific financial document (e.g., a bad debt reserve) prepared by a financial analyst, review it in detail, work with the analyst to reconcile any discrepancies, and sign off on the document.
The financial documents reviewed as part of MRCs cover a wide spectrum - some examples include:
- Review of a reconciliation
- Review of journal entries
- Review for triggering events
- Review of the work supporting an estimate
- Review of budget-to-actual variances
Ultimately, these controls are usually the last line of defense in identifying any discrepancies or errors before these financially-relevant documents are considered finalized. As such, they are often a critical detective control in a company’s SOX and internal controls environment.
The Problem with MRCs
While the MRC process seems straightforward at first glance, there are several other factors that must be considered from an audit perspective. For one, the subjective nature of management review controls makes them more difficult to audit than other types of controls. They require heavy analysis that can only be performed by individuals with extensive experience and knowledge. As a result, auditors are being forced to push for more documentation around the review process. A simple signature on a bank reconciliation is no longer sufficient, and auditors typically need enough documentation to prove what a reviewer did as part of their procedures and how they resolved any issues.
Additionally, each situation requires a unique set of procedures as part of the review process and level of precision. There are no universally defined procedures for all of the different review documents in most companies’ environments, and it is ultimately up to the company to develop procedures that meet the appropriate level of precision required by both internal and external auditors. While management may be concerned with allocating too much time / resources to a specific review, auditors are requiring that there be sufficient procedures to identify any material differences (e.g., precision) rather than just a blanket approval.
In some cases, there may be high-risk areas that are not suited for management review and are better suited to automation through systematic checks and balances in a software or ERP system.
To summarize, some of the key issues the PCAOB and SEC focused on when auditing management review controls include:
- Is precision of the review defined and appropriate?
- Clarity required on exactly “What did the reviewer do?” How were outliers identified? What was the follow-up / resolution?
- Is documentation sufficient (consider AS 3)?
- Some high-risk areas may be ill-suited for MRCs.
Building Effective MRCs
When it comes to building effective management review controls, CNM’s biggest tip is to focus on preventative measures. Instead of relying on the review (e.g., detective control), it can be more productive and efficient to build the required elements into the original process than to bolt them onto the reviewer control. This could involve building out more automated processes, where an application is set up to identify and flag any outliers for management review/resolution, or putting more precise procedures in place that lay out the specific steps to take in the event of an outlier.
By addressing the fundamental requirements of an MRC and placing additional effort at an earlier stage in the process, the supporting documentation will be higher quality and better facilitate the reviewer’s review. At this point:
- Precision/action items and conclusions will already be identified
- Contradictory evidence will already be considered
- Differences in assumptions between the future and past will already be vetted
- Sensitivity analysis, if warranted, will already be completed
- Credentials and prior knowledge of the preparer will already be documented
By pushing the effort to the preparer, reviewers can free up time to focus on truly critical issues and less on creating a paper trail.