Meeting PCAOB Expectations for Management Review Controls
Understand the key attributes of effective Management Review Controls to align your internal control processes with PCAOB inspection criteria.
A Management Review Control (MRC) is an internal control where management reviews financial information to identify potential material misstatements in financial statements. These controls are subjective and depend on the reviewer’s judgment. They include activities like comparing financial results to budgets, analyzing trends in performance indicators, or reviewing complex accounting estimates. The Public Company Accounting Oversight Board (PCAOB) places emphasis on MRCs during inspections to ensure companies and their auditors design, implement, and test these controls with sufficient rigor.
A primary concern in PCAOB inspection reports is the lack of precision in the design of MRCs. This means the control is not structured to detect a misstatement that could be material. For example, a control might involve a monthly review of expenses against a budget, but the threshold for investigating variances is set so high that a material error could go unnoticed. The PCAOB finds that investigation criteria are often not clearly defined or are set at a level insensitive to the specific financial statement account and its risks.
Another recurring criticism involves the competency and objectivity of the person performing the review. The PCAOB expects the reviewer to possess the knowledge and authority to perform the control. The reviewer must understand the business, accounting principles, and potential misstatements. Objectivity is also questioned when the reviewer can override or ignore control findings without independent oversight.
Inspection reports also frequently highlight deficiencies in the documentation of the control’s performance. The PCAOB expects to see clear evidence of the review, including which items were investigated, the follow-up procedures, and the conclusions reached. Without this contemporaneous documentation, auditors have no evidence that the control operated as designed.
A strong MRC begins with a clearly defined objective that links directly to a specific financial statement assertion and risk of material misstatement. For instance, instead of a vague objective like “review accounts receivable,” a precise objective would be “to ensure the valuation of the allowance for doubtful accounts is reasonable and covers potential credit losses.”
With a clear objective, the next step is to establish precision in the control’s design by setting specific, quantitative thresholds for review. For a budget-to-actual variance analysis, this means defining the exact percentage or dollar amount that triggers a mandatory investigation. The level of aggregation is also important, as reviewing data at a consolidated level may not be precise enough to detect issues at a divisional or regional level.
The control’s procedures must be formally outlined, detailing the steps the reviewer must take, the reports and data to be used, the frequency of the review, and the required follow-up actions. The documentation should also define the level of expertise and authority required to perform the control, ensuring the individual has the competence to understand the information and the power to enact change if an error is found.
Comprehensive documentation provides the evidence that the control was performed as designed. This goes beyond a simple signature and date. Documentation should include the report reviewed, evidence of the investigation into items that met the threshold criteria, a clear explanation for the resolution of those items, and a conclusion about whether the underlying account balance is appropriate.
The integrity of the information a control relies upon, often referred to as Information Used in the Control (IUC) or Information Produced by the Entity (IPE), is fundamental. Before an MRC can be considered effective, management and auditors must have confidence in the completeness and accuracy of this underlying data.
To gain assurance over IUC, specific validation procedures are necessary. Reconciling the report or data extract back to the company’s general ledger or sub-ledger provides evidence that the information is complete and ties to official accounting records. For example, the total of an aged accounts receivable report used in a review should be agreed to the accounts receivable balance in the general ledger.
When the IUC is generated by an IT system, its reliability depends on the effectiveness of IT general controls (ITGCs) over system access, program changes, and computer operations. To validate a system-generated report, it may be necessary to test the parameters or logic used in its creation. This could involve inspecting the report’s source code or running a parallel simulation to verify the system is correctly calculating the data.
The documentation for the evaluation of IUC is as important as the documentation for the MRC itself. This should include evidence of the reconciliation procedures, the testing of report parameters, or any other steps taken to validate the data. Validating the completeness and accuracy of IUC is a preparatory step that must be completed before the MRC itself can be assessed.
Auditors first test an MRC’s design effectiveness to evaluate if the control, as designed, can prevent or detect a material misstatement. The auditor performs this by making inquiries of company personnel, inspecting the documented control procedures, and assessing the defined objective and precision thresholds. The auditor evaluates if the thresholds are sufficiently low to catch relevant errors and if the person performing the control has the necessary competence and authority.
If the design is effective, the auditor tests the control’s operating effectiveness over a period of time to determine if it operates consistently. The auditor employs several procedures to accomplish this.
During the inspection of documentation, the auditor examines the evidence of the control’s performance. The auditor will select a sample of instances where the control was performed and review supporting evidence to confirm the reviewer investigated items that exceeded the defined threshold. The auditor will scrutinize the explanations for variances and assess whether the conclusions reached were reasonable and well-supported.
As a final step, an auditor may re-perform the control. For example, the auditor might take the same financial data that the manager reviewed and perform the analysis themselves. This allows the auditor to independently identify variances and then compare their findings to the evidence of what the company’s control owner investigated.