Top 10 Financial Reporting Deficiencies from Regulators and External Auditors

A shorter version of this article was published in the December 2015 edition of WIB Directors Digest.

Most companies would rather avoid an audit deficiency, which is, at a minimum, a distraction for both management and the auditor. A deficiency can also be symptomatic of an ineffective internal control environment and raise concerns about a company’s ability to process, record, and report transactions in its financial statements.

The worst case scenario: Deficiencies can bring the audit or compliance process to a standstill and create tension among management, the audit committee, and external stakeholders. Fortunately, many of the most common deficiencies can be avoided.

Top 10 Deficiencies in Audit Findings

Our top-10 list is based on our review of the Public Company Accounting Oversight Board’s (PCAOB) recent audit firm inspection reports, PCAOB Staff Audit Practice Alerts, information from the Center for Audit Quality on restatement trends, and recent comment letters and public statements from the Securities and Exchange Commission (SEC) staff as well as our experience in working with community banks.

Allowance for Loan Losses

This is the number one issue that requires the most time from auditors and management, which should come as no surprise. Part of the issue is that loan and qualitative data often isn’t accurate or complete. Directional consistency is also a common issue we see when banks continue to maintain elevated levels in the allowance for loan losses when there’s improvement in credit quality. This is often a challenge for both auditors and bankers alike, since regulators may be supportive of higher reserves. Typical audit findings relate to ineffective controls over:

  • Changes in loan grades
  • Lack of support for cash flow estimates or recent appraisals on impaired loans
  • Internal controls over identifying and reporting troubled debt restructuring

Revenue

Accounting firms have been criticized for not focusing on revenue. The auditing standards require external auditors to consider the risk of fraud over revenue on every engagement. In fact, revenue is selected on virtually every audit engagement subject to the PCAOB’s  inspection process, during which it generally focuses on accuracy and whether revenue is recognized in the correct period.

Fair Value

We often see that fair value information for mortgage servicing rights—prepayment speeds, for example—isn’t well supported, especially when it’s derived by an in-house model. There’s also a lack of support for:

  • Market-to-market adjustments
  • Fair value on hedging activities
  • Third-party pricing data for available-for-sale securities (isn’t independently corroborated)
  • Fair value of impaired loans or troubled debt restructuring (unsupported by current appraisals or discounted cash flows)

Accounting for Income Taxes

Accounting for income taxes is an often-overlooked area and may not get a detailed review in some cases, either internally or externally. We often find there’s either a lack of sufficient support for the income tax provision or it doesn’t reconcile with underlying data or a general ledger. This can be attributed to a lack of internal controls over the preparation of the income tax provision. This can be remedied by having appropriately trained personnel or a review at a level that can identify misstatements.

Statement of Cash Flows

This may come as a surprise, but the statement of cash flows is an area where we see frequent deficiencies. This was also cited by the SEC at its 2014 conference as an area that generated a high level of restatements and SEC comment letters. Most deficiencies aren’t necessarily in complex areas but rather in more routine areas—such as property and equipment, other real estate owned, and available-for-sale securities. It isn’t uncommon to have findings related to the classification between operating and investing, such as when an entity sells loans. Overall, consider the adequacy of internal controls and whether the management review controls are operating at the right level of precision to prevent and detect misstatements.

Business Combinations

There are often findings here due to the complex accounting and one-time nature of these transactions. The most common relates to the failure to apply acquisition accounting properly, including identifying all considerations transferred, assets acquired, and liabilities assumed. Management also needs to be aware of the various disclosure requirements and to ensure the recognition and measurement guidance is properly applied. This is especially true where the business combination guidance differs from the typical accounting guidance—with contingencies, for example.

Internal Control over Financial Reporting

Internal control audit deficiencies continued to dominate inspection findings, based on public PCAOB statements. PCAOB staff often reminds auditors, preparers, and audit committees to focus on a few specific questions, such as:

  • Do you understand the flow of transactions and the points within that flow where a misstatement could occur?
  • How are internal controls designed to address those risks?
  • Are the controls designed and operating at a level that can effectively detect a material misstatement?
  • Are there controls designed to identify the risks of material misstatement?
  • Will those controls be effective? 

Financial Instruments

Audit and accounting issues around the treatment of financial instruments as either liabilities or equity tend to be more common in nonbank financial service companies. We see accounting deficiencies under Topic 480, especially as it relates to mandatory redemption features. We also see deficiencies in the determination of liability versus equity treatment for stock awards with repurchase features.

Initial and Secondary Offerings

Since many companies today are raising capital for either growth, acquisitions, or some combination thereof, it’s helpful to highlight a few problem areas here as well. Similar to business combinations, these nonrecurring accounting events present challenges for preparers and auditors alike. Due diligence and changes in audit scope can uncover deficiencies such as:

  • Failing to properly recognize and measure existing contingencies
  • Recognizing revenue in the wrong period
  • Changes in the classification and presentation on the balance sheet and income statement

Independence

Auditor independence standards are heightened for public companies and those preparing to go public. Consulting and other nonaudit services may impair the independence of the audit firm, depending on the nature of the service. In fact, the SEC sanctioned eight firms in 2014 for violating auditor independence rules when the firms prepared the financial statements of broker-dealers that were their audit clients, which is prohibited for SEC issuers and broker-dealers. Private banks subject to the Federal Deposit Insurance Corporation Improvement Act are also subject to these interpretations, as discussed in CAQ Alert #2014-11–SEC/PCAOB Independence Rules for Non-Issuer Audit and Attestation Engagements, which stated audit firms couldn’t provide word processing assistance since it created independence violations.

Implementing Key Controls

Take the time to look at your key controls and make some enhancements. Here are some examples of other actions you can take to help alleviate some of the issues:

  • Expand testing for underlying data in allowance for loan losses models, particularly when it comes to controls over access and changes to inputs
  • Test using larger sample sizes and more subjectivity in controls when looking at design and operating effectiveness
  • Identify the correct controls to be tested and focus on the level of precision
  • Put greater emphasis on IT general controls

The internal audit department can be an invaluable resource in implementing these steps. Management may also want to consider repurposing other finance personnel during peak reporting or control testing periods. This can be an effective cost-management strategy where possible.

Best Practices

Best practices hinge on effective communication. Some things to keep in mind:

  • Communicate frequently with external stakeholders (auditor and regulators)
  • Encourage active involvement of those charged with governance (audit committee)
  • Evaluate alternative treatment for complex and subjective accounting areas and communicate the potential for changes
  • Utilize financial statement disclosure checklists so footnotes are complete and accurate
  • Deploy internal audit resources to supplant corroboration of model inputs for allowance for loan and lease losses
  • Automate system reports when possible

For private and public companies alike, striking the right balance between audit quality, disclosure transparency, and cost effectiveness can be difficult for banks as pressure continues to improve audit quality. Preparers of financial statements should look to invest the appropriate resources in management, the audit committee, and the internal control environment to ensure annual reporting and compliance objectives are achieved in an efficient and cost-effective manner. Only in this fashion can potential audit deficiencies be managed to an acceptable level for all stakeholders involved.