This week marks our third week exploring five common issues associated with accounting and auditing business combinations (ASC Topic 805). Why? Because in 2015, mergers and acquisitions reached an all-time record level of activity, and that means that more companies and auditors are being exposed to business combinations than ever before. GAAP Dynamics is here to help! In the first two weeks of our blog posts, we focused on common accounting issues related to business combinations: asset purchases vs. business combinations and the identification and valuation of intangible assets. This week, we’re diving head first into the wonderful world of internal controls and turning our focus to management review controls (MRCs) and business combinations.

So, what’s the big deal with management review controls?

First off, let’s point out that internal controls, especially MRCs, have been a hot topic and a consistent PCAOB inspection finding. Not only was Staff Audit Practice Alert No. 11 (SAPA No. 11), Audits of Internal Control Over Financial Reporting, issued in 2013, but Helen A. Munter, PCAOB Director of Division and Registration Inspections, gave a speech in 2015 that stressed the importance of audits of internal controls. Included in both SAPA No. 11 and Helen A. Munter’s speech, are specific references to issues surrounding the testing of management review controls.

MRCs are selected and tested by auditors because they are a common type of control and an important control that most companies have in place. As Helen A. Munter stated in her speech, “management review controls serve as a detective control – meaning it is intended to help management identify errors, inaccuracies, or fraud.” So, if MRCs are so common and so important, why are there so many issues associated with testing the controls?

Management review controls are special controls, because not only must the auditor perform procedures to understand the control and how it is designed, but the auditor must also perform procedures to ensure that the control is operating at a level precise enough to prevent or detect material misstatements on a timely basis. In other words, simply verifying that a review was signed off provides little or no evidence at all about the control’s effectiveness.

Whoa! So, what does “a level precise enough” mean?! Well, there are certain factors that an auditor must consider and document when determining the level of precision and whether that level of precision is appropriate to prevent or detect material misstatements. We’ll get to these factors in a bit!

Now we know that testing MRCs is a hot topic, but what does it have to do with business combinations?

One may argue that for some companies, a business combination is a non-routine transaction and therefore, the company doesn’t need to establish specific controls over the business combination. Guess Again! Even though a business combination may be a non-routine transaction, companies must still design and implement controls over business combination activities, especially if they are material to the financial statements!

As we pointed out in our first two blog posts, there is a considerable amount of management judgment involved when accounting for business combinations, so most companies engage a third-party valuation specialist to assist in accounting for the business combination. Between the judgment involved and the use of a valuation specialist, companies must implement controls to ensure that the business combination is accounted for appropriately! Some of the most important controls that companies have in place surrounding business combinations are management review controls. For example: Is management reviewing the purchase agreement? Is management reviewing the acquired company’s prior year’s balance sheets and income statements? Is management reviewing the third-party valuation report? These are only a few management review controls that a company may have in place!

Not only should companies have controls in place surrounding business combinations, but auditors are required to test controls surrounding business combinations, which means that auditors will more than likely be testing some MRCs! SAPA No. 11 states that, “Internal control is not limited to frequent processes and normal recurring transactions. It also applies to…nonrecurring transactions outside the normal course of business, such as a material business combination. When a company has infrequent processes or enters into nonrecurring transactions that present a reasonable possibility of material misstatement of the financial statements, the auditor should test the controls over those processes or transactions.”

It looks like we’ll probably be testing MRCs surrounding business combinations. But how exactly do we test MRCs?

Good question! Like testing any other control, procedures must be performed to ensure that the control is designed appropriately and operating effectively. The difference when testing MRCs is evaluating the precision of management review controls, as well as identifying the steps involved in identifying, investigating, and resolving differences that are outside management’s criteria for investigation.

Assessing the level of precision isn’t as hard as it sounds. The main concern? Whether or not the control is precise enough to detect or prevent a material misstatement on a timely basis. SAPA No. 11 outlines various factors that can affect the level of precision. The factors are as follows:

• Objective of the Review – Is the review put in place to prevent or detect misstatements? If so, the control is probably more precise than not.
• Level of aggregation – Is the control being performed at an aggregated or disaggregated level? If the control is being performed at a disaggregated level, it is probably more precise than not.
• Consistency of performance – Is the control being performed routinely and consistently? If the control is being performed routinely and consistently, it is probably more precise than not.
• Correlation to relevant assertions – Is the control specifically related to relevant assertions? If the control is linked to relevant assertions (for example, the valuation of the business combination), it is probably more precise than not.
• Predictability of expectations – Is the control designed to detect misstatements by using key performance indicators? If so, than the control is probably more precise than not.
• Criteria for investigation – What is the threshold for investigating differences from expectations? If the threshold is near materiality, it probably isn’t very precise when compared to a threshold that is at a lower level.

When evaluating whether the MRC is designed and operating effectively, the above factors must be considered. Based on the information gathered surrounding the MRC, including considering the factors above, is the control actually precise enough to detect or prevent a material misstatement? Additionally, when determining whether the MRC is designed and operating effectively, the steps that management goes through to identify, investigate, and resolve any differences that meet the criteria for investigation, must be understood and taken into account when concluding if the MRC is designed and operating effectively! Even if a conclusion is reached that the control is precise enough, if management is not identifying, investigating, and resolving differences that are outside that level, the control is not designed and operating effectively!

And the conclusion is…

Remember, even though a business combination may not be a recurring transaction, companies must still develop and implement controls over the transaction (many of which are MRCs) and auditors must still test the controls! Last but not least, document, document, document! When documenting your MRCs, do not forget to document the factors that may affect the level of precision, what the level of precision is, and the steps that management goes through to identify, investigate, and resolve differences that are outside the level of precision!