As the calendar year comes to a close, auditors are gearing up for their first audits of internal control over financial reporting under a new rulebook. Regulators will be watching closely to assure their instructions are heeded.
Mark Olson, chairman of the Public Company Accounting Oversight Board, last week told a packed house at the American Institute of Certified Public Accountants conference that the PCAOB staff has visited with the national offices of the largest audit firms. The goal: to assure successful implementation of the new Auditing Standard No. 5, which governs how audits of internal controls are conducted.
The PCAOB approved the standard earlier this year to replace the original rule, Auditing Standard No. 2, and it takes effect for audits of 2007 calendar-year financial statements.
“The firms have made good progress in both re-challenging their audit methodologies and embracing the changes of the standard,” Olson said. “As we all know, however, the execution in the field is a crucial aspect of the implementation of any standard, and this one is no exception … It is important that all of you re-challenge the way you have conducted these audits in the past, to ensure that you have made the necessary adjustment to your audits for this year.”
Ray
PCAOB Chief Auditor Tom Ray said he hasn’t received much direct feedback on AS5 implementation yet, but he finds the audit community is generally supportive of the changes. “I hadn’t heard of auditors complaining about the things we’ve taken out of the standard, for example,” he said.
The PCAOB trimmed the volume of the original rule by about two-thirds, cutting the text from 180 pages to 60. The new rule provides fewer bright lines and a more principled approach, instructing auditors to take a more risk-based approach to the audit of internal control over financial reporting.
Olson said that type of audit will inherently require auditors to exercise a new level of judgment in the audit process. But that’s a touchy subject for auditors, who worry that judgments won’t be respected in the inspection process, where PCAOB inspectors study audits looking for deficiencies in audit quality.
Olson acknowledged the inspection process hasn’t reflected the PCAOB’s desire for increased use of professional judgment and said the Board will train its inspectors to be more open-minded. “The PCAOB understands the critical role that our inspectors play in the successful implementation of this new standard,” he said. “We are focusing inspection training on this area to ensure that inspectors fully understand the numerous critical decisions that went into the development of the new standard.”
The training program includes a focus on evaluating auditor judgment, to assure an appropriate level of skepticism but also fairness, Olson said, to provide an environment that encourages auditor judgment. “There’s a range of possible answers as you look at the basis on which you establish judgment, and it still depends on the use of auditing standards,” he said. “If you can demonstrate to us you’ve utilized standards as the basis for your judgments, we’re a long way toward agreement.”
Palmrose
Zoe-Vonna Palmrose, the Securities and Exchange Commission’s deputy chief accountant for professional practice, said that as part of the SEC’s oversight of the PCAOB, SEC staff this year conducted a review of the PCAOB’s inspection program. The findings, however, are shared only with the PCAOB and not made public.
SUMMARY
Below is an excerpt from a speech delivered by PCAOB Chief Auditor Tom Ray to the AICPA conference:
Now let's go back to those areas that are the most important. What are they? AS 5 directs the auditor's attention to some of these areas, and I will describe three of them: the control environment, the period-end financial reporting process, and anti-fraud controls.
Internal Control: Integrated Framework, developed and published by the Committee of Sponsoring Organizations of the Treadway Commission, describes the control environment as the foundation for all other components of internal control, providing discipline and structure. AS 5 specifically directs the auditor to assess –
Whether management's philosophy and operating style promote effective internal control over financial reporting,
Whether sound integrity and ethical values, particularly of top management, are developed and understood, and
Whether the Board or audit committee understands and exercises oversight responsibility over financial reporting and internal control.
Other aspects of the control environment also are important to the effective functioning of a system of internal control. The tone set by top management and appropriate oversight by the Board or audit committee, however, are key factors to implementing and sustaining effective controls, which is why they received special attention in AS 5.
The period-end financial reporting process is a high-risk area. As compared to other parts of the accounting and financial reporting systems, in many companies there is a higher likelihood that errors will be made in the period-end financial reporting process. It also presents opportunities to intentionally misstate the financial results. Accordingly, it is an area in need of the auditor's focused attention. AS 5 defines the period-end financial reporting process and directs the auditor's attention there.
The risk of financial reporting fraud also is one of those most important matters. AS 5 requires the auditor to take into account the results of his or her fraud risk assessment when planning and performing the internal control audit. The auditor should evaluate whether the company's controls sufficiently address identified risks of material misstatement due to fraud. The auditor also should evaluate controls intended to address the risk of management override of other controls.
Specific matters in need of the auditor's attention include whether there are controls over journal entries, period-end adjustments, significant or unusual transactions, related party transactions, and significant management estimates, and controls that mitigate incentives for, and pressures on, management to falsify or inappropriately manage financial results.
Source
PCAOB (Dec. 10, 2007)
“As part of this ‘inspection of inspections,’ the Commission is focusing on the PCAOB’s compliance with the relevant provisions of [Sarbanes-Oxley] and the PCAOB’s own rules and procedures, as well as considering the overall efficacy of the inspection process in carrying out the PCAOB’s mission,” Palmrose said.
A Stronger SOX Framework
Pozen
Robert Pozen, chairman of the SEC Advisory Committee on Improvements to Financial Reporting, told the AICPA conference he’d like to see the development of a regulatory framework that describes how the PCAOB and SEC will assess judgment. He’d recommend it require three steps to establish the parameters for acceptable exercise of judgment: that preparers and auditors describe the options they considered in adopting a particular accounting treatment; explain why they chose as they did; and document it upfront, not after the fact.
A second pillar of the reforming SOX compliance has been the SEC’s new guidance to management on how to assess internal control over financial reporting. Josh Jones, professional accounting fellow for the SEC, said while the management guidance was intended partly to improve efficiency of the reporting process, effectiveness was another important goal.
Four aspects of the guidance are specifically aimed at making the evaluation of internal control more effective, Jones said. They are evaluation of the design of internal control, the focus on risk, evaluation of deficiencies, and disclosure of material weaknesses.
Jones said a review of material weakness disclosures showed that a majority were the direct result of management or auditors noting material or numerous adjustments in preparing year-end financial statements. That raises questions, he said, about whether the weakness is new or should have been flagged earlier and whether the weakness existed at year-end, but didn’t get reported because it didn’t result in a material judgment.
Those questions highlight the importance of getting to the root cause of weaknesses, he said. It also serves as a reminder that “it does not take an error in the financial statements to have a material weakness,” he added.
Jones said the new guidance around material weakness disclosures is intended to address concerns that disclosures were difficult for investors to understand. The guidance suggests management consider a number of new items to help investors grasp the significance of a given disclosure.
“Said differently: Is the material weakness disclosed representative of the issue resident in the company’s control system? Or is there another, more pervasive material weakness that should have been identified and disclosed?” Jones said. “While the discovery of multiple material weaknesses does not automatically indicate deficiencies in these areas of entity-level control, such deficiencies may be important to investors given their pervasive impact on [internal controls over financial reporting], and management should be mindful of this when evaluating and communicating the results of its assessment.”
No comments yet