Risk Rating the Audit Universe
, analyzes the control deficiency disclosures made by 329 companiesin various SEC filings from November 1, 2003, to October 31, 2004. It analyzesover 950 disclosures to identify trends to help users of financial statements betterunderstand the nature of control deficiency reporting made by SEC registrants.Management and internal auditors appear to have performed poorly in detectingand reporting deficiencies. Evidence suggests that only about 28 percent of com-panies were proactively bringing reportable deficiencies to the attention of theiraudit committees or external auditors. This strongly suggests that internal audi-tors either used risk prioritization models that routinely scoped out high-risk areasfor internal control deficiencies or did not detect or report deficiencies that werefound.More recent statistics confirm this trend. A February 2007 trend alert from GlassLewis & Co, a leading investor analyst firm, reported:
2,931 U.S. companies,about 23 pecent, filed at least one restatement during the last four years; 683companies restated two or more times.
There is little to suggest that either internal or external auditors are improvingtheir track record of looking in the right places or finding problems if they exist.The February 27, 2007, Yellow Card Trend Alert produced by Glass Lewis & Cotitled,
The Errors of Their Ways,
“Companies take note: If you restated, you must have had material weaknesses.We still have a hard time figuring out how so many companies that restated alsocould have reasonably concluded that their internal controls are effective and thatthey have no material weaknesses – or that no material weaknesses even existedat the time of the errors.”
The trend in reported deficiencies is alarming. While individual companiesand their internal auditors may fail to detect or report some internal control defi-ciencies in audits they conduct, the trend in the total number of restatements andthe number of companies reporting deficiencies, and their late and sudden disclo-sure suggest a systemic problem. Material weaknesses and significant deficienciesare simply not being found and reported by management. Restatements continueat a high level.Unless internal auditors are applying completely different risk-based standards toplanning audits of internal control over financial reporting, it is reasonable to sug-gest that the method of prioritizing internal audit activity may be a problem. Isthe error rate experienced in audits of ICFR the same as the error rate in audits of other areas?
Internal auditorseither used riskprioritizationmodels thatroutinely scopedout high-riskareas for internalcontrol deficien-cies or did notdetect orreport deficienciesthat were found.