Acceding to fierce criticism of Sarbanes-Oxley and the internal control provisions of Section 404, regulators are promising to tone down the auditors’ role—possibly even eliminating the audit for smaller companies, at least temporarily—while giving companies new guidance and ultimately new leverage over financial reporting.
Last week the Securities and Exchange Commission and the Public Company Accounting Oversight Board outlined steps they will take in coming months to ease the burden of Section 404. The two biggest measures: new guidance for corporations on how to assess internal control over financial reporting, and revisions to the much-maligned Auditing Standard No. 2, which auditors use to govern their own audits of clients’ internal controls.
“The guidance is likely to cover how to conduct a risk assessment and how to identify, document and test controls from management’s perspective.”
—John Nester, SEC spokesman
The SEC promised a concept release covering a variety of issues the agency might address in the management guidance, including “possible alternatives” to the role of outside auditors. “The concept release will ask management what kinds of guidance would be useful to management, and we will see what we hear,” SEC spokesman John Nester said in an interview. “The guidance is likely to cover how to conduct a risk assessment and how to identify, document and test controls from management’s perspective.”
That guidance will address the outcry the SEC has heard in recent months—especially at its May 10 roundtable on "Year Two" of SOX compliance—that so far financial reporting has been driven by AS2 and other audit rules, giving external auditors an upper hand in determining what companies must do to comply with Section 404.
Members of Congress are trying to address the outcry as well, especially on behalf of smaller public companies. Lawmakers last week introduced legislation to exempt smaller companies from Section 404, as recommended last month by the SEC Advisory Committee on Smaller Public Companies; the bill would also establish a process of random audits for larger companies that have already complied with Sarbanes-Oxley since 2004.
The SEC has balked at an outright rollback for smaller companies, vowing instead to establish a scaled-down system that works for companies of all sizes. In its quest for management guidance, the SEC is likely to address issues such as “how to follow a top-down, risk-based approach, how to rely on day-to-day monitoring controls versus period-end procedures, advice on assessing information technology controls, how to evaluate control deficiencies that are discovered, and advice on the levels of documentation that are appropriate,” Nester said.
Changes In Filing Requirements
It’s too early to say what alternatives regulators might devise for the auditor’s role in the opinion they issue over financial reporting, according to Nester, but the PCAOB says it plans to “revisit and clarify the auditor’s role, if any, with respect to evaluation of the process that a company uses to reach its own conclusion about the effectiveness of company controls.”
PCAOB spokeswoman Christi Harlan says regulators might consider dropping certain auditor requirements, but such a move would require a change in SEC filing rules before the PCAOB could act.
“They may be looking at a way that, at least for smaller companies, they would start with requiring management assessment and maybe not the auditor’s attestation of management’s assessment,” Harlan says. “It’s an issue because right now we have rules for how an auditor looks at internal control, but the filing requirement of the auditor’s report is a rule for the company. To the extent SEC wants to say we’re going to require company XYZ to file this but not that, that’s going to be entirely up to them. We’ll just stand by and provide whatever auditing guidance or standards are needed to match with what they are asking be filed.”
The SEC may decide to release smaller companies from the internal control audit process entirely, at least for their first year of reporting, according to Nester.
FOUR POINT PLAN
Below are excerpts of the PCAOB's four-point plan to revise Auditing Standard No. 2, as stated in "Board Announces Four-Point Plan to Improve Implementation of Internal Control Reporting Requirements," published May 17, 2006:
In a continuation of its efforts to assist with the implementation of Auditing Standard No. 2, the Board will undertake four initiatives:
Amend Auditing Standard No. 2. While preserving the principles of Auditing Standard No. 2, the Board plans to consider amendments that would ensure that auditors’ primary focus during an integrated audit is on areas that pose higher risk of fraud or material error. The amendments to be proposed would reinforce the Board's expectation that the integrated audit be conducted in the most efficient manner, while achieving the objectives of the standard, by incorporating key concepts contained in the guidance issued by the PCAOB on May 16, 2005. The Board also plans to revisit and clarify the auditor's role, if any, with respect to evaluation of the process that a company uses to reach its own conclusion about the effectiveness of company controls.
Additional amendments to Auditing Standard No. 2 being considered by the Board include:
Clarifying the definitions of significant deficiency and material weakness in internal control;
Reconsidering the “strong indicators of a material weakness” to allow for more judgment in determining whether a deficiency exists;
Guiding auditors to increase their use of the work of others where appropriate;
Clarifying materiality and scoping decisions;
Emphasizing the integration of the audit of internal control with the audit of the financial statements; and
Allowing for and promoting auditors’ use of experience gained in previous years’ audits to focus and make most efficient the work in subsequent years.
Reinforce auditor efficiency through PCAOB inspections. As the Board described in a statement issued May 1, 2006, the Board’s 2006 inspections of registered public accounting firms will focus on the firms’ efficiency in conducting internal control audits, as emphasized in the Board’s May 2005 Policy Statement. The Board welcomes the SEC’s announced intention to inspect its inspectors’ implementation of the Board’s May 2006 statement.
Guidance and Education for Auditors of Small Companies. The Board plans to develop or facilitate development of implementation guidance for auditors of smaller public companies. In addition, the Board plans to explore various means of facilitating opportunities for auditors of smaller public companies to obtain effective training on auditing internal control over financial reporting.
Continue PCAOB Forums on Auditing in the Small Business Environment. As previously announced, the Board will hold a total of eight forums during 2006 for the auditors, directors and financial officers of smaller public companies. In addition to providing general education about PCAOB issues, the Board will use these forums to monitor real-time reaction to the various internal control-related implementation changes that are announced throughout the year.
Source
Board Announces Four-Point Plan to Improve Implementation of Internal Control Reporting Requirements (PCAOB, May 17, 2006)
The SEC also said it plans to issue a “short postponement” of the effective date of internal control reporting requirements for non-accelerated filers—principally small public companies yet to experience the pain of Section 404—to allow those companies to benefit from the developing shift in Section 404 requirements. But the agency still intends for those companies to complete their first management assessment within the existing timeframe.
In its release, the SEC said it anticipates that any postponement “would nonetheless require all filers to comply with the management assessment … for fiscal years beginning on or after Dec. 16, 2006.” Until now the effective date for companies to comply had been for fiscal years ending on or after July 15, 2007.
Nester said the shift in language from fiscal year-end to fiscal year-start is largely harmless, since it will affect only companies whose fiscal years begin between July 15 and Dec. 15, which comprise only 10 to 15 percent of all affected filers. The main point, he said, is that “initially, meaning 2007, only a management assessment and not an audit will be required. But ultimately full compliance will be required.”
Tackling AS2 And More
As for its plans to amend AS2, the PCAOB says it will focus on ensuring auditors primarily target areas that pose high risk of fraud or material misstatement. It will incorporate language from its May 2005 guidance, where the Board called for a more efficient audit process following a top-down, risk-based approach, plus guidance from earlier this year calling for the integration of audit processes to avoid unnecessary redundancy between the audit over financial statements and the audit over internal controls.
The PCAOB decided to amend AS2 because feedback suggests auditors aren’t fully responding to the guidance that has already been issued, Harlan says. “Primarily, it was issuers who were asking that it be codified,” she explains. “It would give issuers something to point to.”
The Board will consider language to clarify the difference between a significant deficiency and a material weakness—a move much-desired by corporate executives—to allow more judgment in determining whether a deficiency exists. It will also try to give external auditors more room to rely on the work of internal auditors and experience gained in earlier years’ audits, and to clarify how auditors should make decisions about materiality and setting the scope of audits.
Beyond amending AS2, the PCAOB also plans to develop guidance and training opportunities for auditors of smaller public companies, and to continue its informational forums for auditors, directors and financial officers of smaller public companies.
Another vital element of the SEC’s future plans is the guidance under development by the Committee of Sponsoring Organizations. COSO’s 1992 framework for assessing internal controls is widely touted as a standard for large public companies, and the SEC assigned COSO early in 2005 to scale down its framework to make it more applicable to smaller companies. Ultimately, regulators hope all companies will use the COSO framework to audit their internal controls for financial reporting, rather than be bossed around by external auditors insisting on the far more exacting standards of AS2.
COSO issued a draft of its smaller company guidance last August, collected comments, and is now revising its original proposal. COSO Chairman Larry Rittenberg says the commission plans to have the guidance available “no later than June 30.”
Popular Support
Lipman
Frederick Lipman, president of the Association of Audit Committee Members, says he is encouraged by regulators’ direction, but most pleased with the PCAOB statement in early May that it intended to hold auditors accountable to efficiency during its 2006 inspections.
Lipman says he welcomed that announcement because it gives audit committees more immediate leverage over audit costs. “A lot of firms are still coming up with fairly large budgets for second-year audits,” he says. “The May 1 announcement gives audit committees more leverage over cost right away.”
Dennis
Leroy Dennis, executive partner for McGladrey & Pullen and a member of the SEC’s advisory committee that recommended exempting the smallest companies from Section 404, says the SEC is still trying to achieve what the committee recommended, but in a different way. “The SEC is saying it’s deferring the requirements but expects to have a standard in place that will work for these companies,” Dennis says. “When you boil it down it’s the same things said a little differently.”
Tim Leech, principal consultant at Paisley Consulting, says he likes the SEC’s idea of changing the auditor’s role in the management assessment of internal control. He supports requiring an auditor opinion on the state of controls, but not necessarily on management’s process of assessing controls. “Britain and Canada both concluded that the idea of the auditor separately deciding whether they like what management thinks about good controls is not in the best interest of anybody,” he says.
Extensive details on the SEC’s and PCAOB’s announcements—as well as related coverage and guidance—can be found in the box above, right.
Websites
We are not responsible for the content of external siteshttp://sec.gov/news/press/2006/2006-75.htm
http://pcaob.com/News_and_Events/News/2006/05-17.aspx
http://sessions.house.gov/News/DocumentSingle.aspx?DocumentID=43926
http://sec.gov/info/smallbus/acspc/acspc-finalreport.pdf
http://pcaob.com/Standards/Standards_and_Related_Rules/Auditing_Standard_No.2.aspx
http://pcaob.com/News_and_Events/News/2006/05-01a.aspx
http://sec.gov/info/accountants/stafficreporting.htm
http://pcaob.com/Rules/Docket_008/2005-05-16_Release_2005-009.pdf
http://pcaob.com/Rules/Docket_014/2005-11-30_Release_2005-023.pdf
No comments yet