The Public Company Accounting Oversight Board (PCAOB) identifies a significant number of deficiencies in the independent audits of internal controls at public companies. Because of auditors’ reliance on these inadequate internal controls, the companies’ financial statements may not be reliable. The PCAOB, in its Staff Audit Practice Alert, has recommendations for auditors about planning the scope of an integrated audit of internal controls and financial statements. The report has implications for audit committees’ inquiry of both senior management and auditors.

Management is responsible for providing a fair account of the company’s financial statements. Because internal controls are relied on in the accounting process to generate accurate financial information, federal laws have required public companies to maintain rigorous internal accounting controls since the 1970s. For large public companies, auditors must now assess and provide their opinion of the effectiveness of the company’s internal controls following PCAOB-adopted auditing standards. The PCAOB audit practice alert is based on the inspection of audits and the observation of noncompliance with Auditing Standard No. 5, “An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements.”

Inadequacies in the audits of internal controls were found in these areas:

• Assessment of controls that address risks of material misstatement,
• Tests of the design and effectiveness of management review controls, 
• Roll-forward procedures and follow-up tests when controls were examined at an interim date (i.e., not the year-end), 
• Evaluation of information technology general controls, 
• Reliance on the work of others, such as in high-risk areas involving significant judgment, evaluation, and tests of the design of the internal audit procedures and documentation of the internal audit control testing, and 
• Appraisal of identified internal control deficiencies and the magnitude of potential misstatements—for example, when audit adjustments and exceptions were found in the financial statement audit.

Auditors must exercise professional skepticism, carefully assess the combined risks of the various control deficiencies, perform sufficient tests of the internal control systems to gain assurance that they will prevent or detect a material misstatement in the accounts, and document evidence.

The PCAOB warns auditors against performing a cursory review or following a checklist without considering relevant risk and other factors.

The Sarbanes–Oxley Act of 2002 required the independent oversight of auditors of US public companies. The PCAOB periodically inspects registered public accounting firms to assess whether the audits are in compliance with the Sarbanes–Oxley Act and professional auditing standards.

In its 2010 inspection of domestic firm audits of internal controls, the PCAOB reported deficiencies in 15% of the audit engagements. Of those, 85% did not obtain sufficient evidence to support the audit opinion on the financial statements.

Audit quality affects the reliability of the financial statements used by investors. Management and auditors rely on internal controls in the accounting systems to ensure the completeness and accuracy of the information.

Due care and skeptical analysis in the audit of internal controls—including information systems, management control reviews, and reliance on work done by others—are important for gaining investors’ trust in the audit opinion and in the financial statements. The PCAOB standards advocate a top-down, risk-based audit approach to evaluate internal controls and an integration of the audit of internal controls with the audit of financial statements.

The PCAOB reports deficiencies found in its inspection of internal control audits over the past three years. It emphasizes that the PCAOB-adopted auditing standards should be diligently followed in a thorough assessment of internal controls.