Accounting experts aren’t rushing to judgment that Auditing Standard No. 5 will result in an overnight reversal of excessive auditing—primarily because the new rule has no influence over escalating auditor liability concerns—but they are optimistic that it will steer auditors in a new direction.
The Public Company Accounting Oversight Board approved AS5 late last month to replace Auditing Standard No. 2, which governed the audit of internal control over financial reporting and was a linchpin for Sarbanes-Oxley compliance. The new standard directs auditors to take a top-down, risk-based approach to the audit and eliminates many of the prescriptive requirements in AS2 that drove overzealous auditing.
Trent Gazzaway, managing partner of corporate governance for Grant Thornton, says AS5 makes a number of changes that will help auditors focus more on substance over form: increasing the ability of the auditor to rely on the work of others; eliminating the requirement for auditors to obtain their own evidence; allowing prior years’ audits to influence planning for a current audit; eliminating walkthrough requirements; and giving auditors more room to decide how many locations to visit in a multi-location audit.
Livingston
Phil Livingston, vice chairman of software company Approva and a former president of Financial Executives International, says he sees the new standard leading to fewer checklists and more work in identifying where a company’s risks of financial misstatement are greatest.
For example, he says, auditors are no longer required to plan their audit around a risk that a collection of significant deficiencies could add up to a material weakness. “That should bring costs down and bring people up out of the weeds of the work so they can focus more on where problems can really happen,” he says.
The added emphasis on targeting fraud risks will also drive auditors away from checklists, Livingston says. The new rule directs auditors to look more carefully at transactions that often can be tied to fraud, such as late or unusual journal entries. “The kinds of things they address in the fraud part of the text are the problems we’ve been trying to get at with Section 404 for four years now,” he says.
Gazzaway points out, however, that prescriptive requirements haven’t simply been dropped, but replaced with an expectation that auditors will exercise some professional judgment over those areas. “If you put yourself in the shoes of the average auditor in the field, you have to make decisions about what to do, when to do it, and how much to do it,” he explains.
Gazzaway cites the new language around walkthroughs as an example. Previously, auditors were required to perform a walkthrough for each significant transaction class. AS5 eliminates the requirement to perform a walkthrough, but says auditors must still achieve the objectives of a walkthrough. Indeed, when the PCAOB adopted AS5, Deputy Chief Auditor Laura Phillips said that in many cases auditors might still conclude that the best way to achieve the objectives of a walkthrough is to do one.
“So now the auditor has to decide when a walkthrough is the best course of action and when another approach is an acceptable action,” Gazzaway says. “It’s going to be very hard to determine in those gray areas when to do a walkthrough and when not.”
Gazzaway admits that auditors’ concerns about litigation and the potential for PCAOB inspectors to second-guess field decisions are both sure to cast a shadow over auditor judgment. “There’s a justifiable fear that one of two things will happen,” he says. “Either the inspectors will come by and say you should have done a walkthrough, or later, if something goes wrong in that area [litigators will] find there was no walkthrough. Auditors in the field need something to hang their gut feel on.”
Gearing Up For Second-Guessing
Judgment around walkthroughs and a host of other issues is sure to be a significant focus of every audit firm’s internal training around AS5 in the coming months, Gazzaway says. Guidance still in development by the Committee of Sponsoring Organizations that focuses on how companies can better monitor their internal controls will also help improve AS5 implementation, he says.
THE STANDARD
Below is a portion of the newly approved Auditing Standard No. 5.
Role of Risk Assessment
Risk assessment underlies the entire audit process described by this standard, including the determination of significant accounts and disclosures and relevant assertions, the selection of controls to test, and the determination of the evidence necessary for a given control.
A direct relationship exists between the degree of risk that a material weakness could exist in a particular area of the company's internal control over financial reporting and the amount of audit attention that should be devoted to that area. In addition, the risk that a company's internal control over financial reporting will fail to prevent or detect misstatement caused by fraud usually is higher than the risk of failure to prevent or detect error. The auditor should focus more of his or her attention on the areas of highest risk. On the other hand, it is not necessary to test controls that, even if deficient, would not present a reasonable possibility of material misstatement to the financial statements.
The complexity of the organization, business unit, or process, will play an important role in the auditor's risk assessment and the determination of the necessary procedures.
Scaling the Audit
The size and complexity of the company, its business processes, and business units, may affect the way in which the company achieves many of its control objectives. The size and complexity of the company also might affect the risks of misstatement and the controls necessary to address those risks. Scaling is most effective as a natural extension of the risk-based approach and applicable to the audits of all companies. Accordingly, a smaller, less complex company, or even a larger, less complex company might achieve its control objectives differently than a more complex company.
Addressing the Risk of Fraud
When planning and performing the audit of internal control over financial reporting, the auditor should take into account the results of his or her fraud risk assessment. As part of identifying and testing entity-level controls, as discussed beginning at paragraph 22, and selecting other controls to test, as discussed beginning at paragraph 39, the auditor should evaluate whether the company's controls sufficiently address identified risks of material misstatement due to fraud and controls intended to address the risk of management override of other controls. Controls that might address these risks include:
Controls over significant, unusual transactions, particularly those that result in late or unusual journal entries;
Controls over journal entries and adjustments made in the period-end financial reporting process;
Controls over related party transactions;
Controls related to significant management estimates; and
Controls that mitigate incentives for, and pressures on, management to falsify or inappropriately manage financial results.
If the auditor identifies deficiencies in controls designed to prevent or detect fraud during the audit of internal control over financial reporting, the auditor should take into account those deficiencies when developing his or her response to risks of material misstatement during the financial statement audit, as provided in AU sec. 316.44 and .45.
Source
PCAOB (May 24, 2007)
Many in corporate finance roles still worry that auditors will hold the upper hand in the assessment and reporting process, Livingston says. “Companies are saying that auditors still have their opinion, and if their process doesn’t jive with what we did, we’ll still have to bend to their will,” he says. “People are still worried about being second-guessed.”
From Livingston’s perspective, new audit rules—coupled with guidance from the Securities and Exchange Commission directing management on how to conduct its own assessment of internal controls—should enable companies to straighten their spines. “The SEC has empowered companies, so companies need to get assertive and get auditors comfortable with their own positions,” he says.
In addition to ongoing concerns about second-guessing, AS5 provides auditors with a new threshold for how to identify a material weakness in internal controls: the “reasonable possibility” of misstatement rather than the older standard of a “more than remote” likelihood. But Gazzaway points out that the supposed change is actually the same language the PCAOB used in its November 2005 guidance.
“We and the large firms all followed that guidance and trained our people that `more than remote’ means `reasonably possible,’” he says. “So unless someone didn’t follow that guidance, you would have expected firms would have already implemented that definition into their training.”
Orr
Terry Orr, senior managing director of FTI Consulting, says some of the efficiencies that AS5 is intended to create may already have been realized for just that reason. “Many of the accounting firms started adjusting their audit approach after the April 2005 PCAOB roundtable discussions in preparation for AS5,” he says. “Therefore, some of the savings from AS5 have already been taken.”
Orr suspects companies may be resistant to changing their internal control documentation and testing because they’ve invested considerable time and effort into the process. “It will take them time to adjust their approach for the new SEC guidance and to coordinate their efforts with the auditors,” he says. As a result, auditors aren’t likely to embrace a significant reduction in procedures in the near term, Orr believes. “Immediate reductions in audit fees from the implementation of AS5 are unlikely.”
Kathy Schrock, a Sarbanes-Oxley specialist for consulting firm Tatum, says companies and auditors alike need to get comfortable with the new emphasis on risk. “We’ve seen improvement” in how companies assess risk, she says. “There are certainly those who are light years ahead of others. Some are just comfortable with their process because it works, so they’re reluctant to make changes.”
Schrock
Schrock is more optimistic that new terminology for identifying material weaknesses will help drive the risk focus. “We think this will provide a little more leeway in auditor judgment and will also provide management more leverage in the determination,” she says. “It’s hard to argue that something has less than a remote chance of occurring and still be conservative, but it seems easier to establish that something has less than a ‘reasonable possibility’ of occurring.”
Orr isn’t so confident. “It is not expected this will have much of an impact on the auditor’s approach or in the reduction of audit fees,” he says. “The new guidance places more emphasis on auditor judgment. In a litigious environment, judgment is easy to question.” Orr expects the fear of second-guessing will not necessarily drive auditors down the path of AS2-like extremes, but it will cut into the potential for audit fee savings under AS5.
How deep will that cut be? That’s hard to estimate, Gazzaway says. AS5 will eliminate testing that auditors didn’t think was necessary before, he says, “but in the litigation environment we have today, it does increase the work an auditor is going to do to minimize the risk of being second-guessed. When you’re signing the firm’s name on that opinion, one of the thoughts that crosses your mind is ‘I don’t know what I don’t know, and how bad could that come back to hurt me?’”
No comments yet