PCAOB Inspections: Entity-level versus Application-level Control Deficiencies

• In Event: Internal Controls

Abstract

The Public Company Accounting Oversight Board (PCAOB) inspects registered firms who audit more than 100 issuers annually and firms who regularly audit 100 or fewer issuers at least triennially. While prior research has identified the nature and severity of audit deficiencies, its content generally focuses on transaction-level errors by account type (e.g. revenue recognition issues affecting sales and accounts receivable). This study expands this research by providing a detailed analysis of internal control deficiencies. Our work is motivated by two PCAOB reporting trends. First, since entity-level controls govern the internal control environment, deficiencies in these controls increase the risk of material misstatement. Second, the PCOAB is concerned with whether audit firms are performing appropriate procedures to identify entity-level internal control deficiencies.
Our review examines deficiencies by internal control type (i.e., entity-level or application-level). Results suggest that the PCAOB inspection reports identify significantly more application-level than entity-level control deficiencies. The most common application-level deficiencies involve revenue and accounts receivable accounts whereas the most common entity-level deficiencies involve failure to test business combinations and acquisitions. The number of entity-level internal control deficiencies identified for Big 4 firms increased between 2011 and 2014. However, the number of application-level deficiencies for Big 4 firms and both entity-level and application-level internal control deficiencies for non-Big 4 firms decreased or held steady during this time period. Our findings should be of interest to practicing accountants, regulators, and users of PCAOB inspection reports.

Authors

• Diane J Janvrin, Iowa State University

• Maureen Francis Mascha, Purdue University Calumet

• Melvin Arnaldo Lamboy Ruiz, Iowa State University