As year-end approaches, tax departments can already sense the year-end process looming. With limited time to get year-end financials released while maintaining a robust tax control process, it is critical that the tax department prepares well in advance. We reached out to Jennifer Crawford, director at Baker Tilly, to gain insights into the latest trends and developments related to tax and internal control over financial reporting (ICFR) and how tax departments can prepare for year-end.
Question: Are ICFRs still relevant, and what should we expect from our audit programs?
Answer: ICFRs continue to be a focus area and a source of adverse auditor attestations. However, there are some new trends in the source of those ICFRs. According to Audit Analytics, for FY 2022, information technology, which encompasses information technology, software, and/or security issues, was the number one internal control issue for ICFR, followed by accounting and personnel resources. These trends demonstrate that ICFRs are not usually around the technical concepts; rather, it’s often the operational and nontechnical items that result in the highest risk for companies to manage.
The Public Company Accounting Oversight Board (PCAOB), whose objective is to protect investors in public companies, continues to emphasize the need to effectively select and test management review controls, so that is not going away any time soon. In a 2023 Spotlight: Staff report, the PCAOB noted the following focus areas for 2024, which include increasing the number of engagements reviewed, expanding inspection procedures, and performing quality inspections, all which will likely drive increased rigor from your external auditors. We continue to see more requests for support, added management review evidence, and more transparency. They’ve also emphasized a focus on business combinations, information technology-related matters, [and] industries with specialized accounting or subject to economic volatility.
Challenges in Internal Controls
I recently had the opportunity to present as part of a panel at TEI’s financial reporting conference in Chicago, where we discussed some key areas of concern and focus areas for auditors for the upcoming year-end. Many of the attendees have noticed an increase in evidence, inquiry, and general level of effort required as part of the audit process, which is fairly common across tax departments. We also saw an increase in the level of documentation needed to support audits, whether it was increased evidence of review, supporting the use of third-party providers and review over discrete items, complex calculations, and business transactions. The need to provide comprehensive support around how the analysis was performed, assumptions considered, and how the reviewer came to the determination that the resulting calculations were complete and accurate were some of the items receiving additional inquiry and support.
Industry Tax Trends
Tax departments often deal with tight budgets, so the goal is often to invest in the items that provide the most return on investment. Among a few trends we’re seeing is a movement to shared service centers or outsourcing of certain tax processes to free up resources. We are also seeing investment in technology across all areas of an organization, particularly financial reporting and tax, whether it is implementing a new solution or identifying ways to optimize existing software. Software needs to be continuously maintained and monitored to keep providing you the most benefit. We often forget how quickly technology changes, so look for updated functionality, new ways to organize or process information, and new modules or other improvements that may bring significant benefit to your process.
Technology and Software Impacts on Controls
As companies look to reduce costs and maximize efficiency, incorporating technology is one way to accomplish that goal. The use of tax software, robotic process automation, and other technology has provided a wealth of opportunities for better, faster, and more accurate calculations, but it doesn’t come without oversight. Technology and software come with their own sets of controls and testing requirements, so you need to ensure that the tools you use have adequate oversight (for example, SOC 1, SOC 2) and that you have controls not just at implementation, but also for ongoing maintenance including software updates, change management, access, and security.
Problem Areas in Internal Controls
The number one problem I see related to internal controls is relying on an old, outdated control framework. Controls are living documents that are meant to change as your environment changes. The tax department is constantly changing. Many other factors, among them personnel, processes, or technology, may impact the design of your controls. I also challenge tax management to take a comprehensive look at their risk and control matrices, and if they do not reflect the process, you should adjust the language, evidence, or other procedures so they align with how the control operates. The control framework was meant to be a living framework that can be continuously adjusted and improved. If you can’t remember the last time you made edits to your control documentation, it probably needs a refresh, and if you have recently experienced changes to the organization such as business combinations or implementation of software or other tools, this is your nudge to go ahead and review your documentation to ensure that your controls still accurately reflect your process.
Another common challenge I run into is when the control language is so general that it leaves too much room for interpretation. It’s natural to want to include less detail so you can accommodate change or unexpected items; however, when controls lack detail, that vagueness immediately results in follow-up questions and requests for information that may not be relevant to your process, which can take up a lot of time. There needs to be a balance between designing controls to have enough detail that the procedures are clear, address the control risk, and provide enough context so they can be reproduced, but also not so detailed that they become an administrative burden and difficult to comply with. If you often find that you are getting a lot of questions at year-end that don’t seem to be aligned with your process, I recommend having a year-end walkthrough with your audit team before the year ends. That way, you can provide an overview of how you expect the process to work and what your review process entails as well as help to guide your auditors as they develop their test plans and hopefully minimize questions during the year-end audits.
Getting Ready for the Year-End Audit Cycle
First among high-priority preparations for year-end audits is to review your control framework and ensure that the control language matches your process. If there are any disconnects, identify what they are and how they need to be addressed—are these design gaps, or are they operational effectiveness gaps? Adjust either the design (the control language) or how you are performing the controls to ensure that they are aligned.
Second, examine your control documentation to ensure it can stand alone during audit. Will the auditor know exactly what procedures were performed without asking you and your team? If not, consider updating your documentation to include more comprehensive support. Will they need to make assumptions as to what management considered when executing those review procedures? Ensure those are documented. Gone are the days where auditors relied only on inquiry to document management review. Although inquiry and walkthrough procedures may create a road map for supporting management review, clear and transparent evidence has now become the new best practice standard for supporting management review.
Last, identify what can be done in advance or contemporaneously with your process to avoid tracking down support after the close. Keep discussion notes, review support, analysis, and other evidence readily available and prepare these items as you are doing your review. If you are doing a live review in a meeting, ask a team member to take notes during the meeting and send them back to the group for approval and consensus for next steps and open items. Document discussions with third parties and ensure that assumptions and conclusions are supported.
Takeaways
Be proactive and take ownership of your controls to align with your actual process and incorporate documentation around performance of review as part of the process, rather than trying to pull it together after the fact. Additionally, I would recommend that in advance of year-end you step out of your day-to-day routine and take a fresh look at your entire tax process, paying particular attention to your tax internal controls and allowing enough time for any necessary changes or optimizations of your current controls. Finally, documenting internal controls can often feel overwhelming, but if you take the time to prepare, you can set yourself up for a successful year-end.
Jennifer Crawford is a tax director at Baker Tilly.
