How the Audit Firms Are Implementing AS5

The regulatory mandate that audits of internal controls focus sharply on the risks of fraud or material misstatement has been heard loud and clear. Still, companies can expect some bumps along the road to achieving consistent implementation of that new attitude spelled out under Auditing Standard No. 5.

Exactly how AS5 will be implemented by audit firms is a matter of much speculation by Corporate America. Companies are still months away from closing the books for 2007, the first year they will obey new (and relaxed) rules from the Securities and Exchange Commission and the Public Company Accounting Oversight Board regarding how to assess and audit internal controls. Audit firms, meanwhile, are training staff intensively on how to conduct an internal control audit under AS5.

Beier

“AS5 certainly codifies the need for a risk-based approach,” says Raymond Beier, head of national technical services at PricewaterhouseCoopers. “A risk-based approach is critical in terms of how auditors will eliminate some of the work that many have viewed as excessive.”

Regardless, some uncertainties will persist as the market digests this major change in reporting and audit rules—which includes not only AS5, but also the SEC’s guidance to management on how to assess and report on internal controls themselves.

“Philosophically, people are on the same page,” Beier says. “There is a common understanding as to what we’re trying to accomplish with AS5, and the auditing profession has made a tremendous effort to get transition itself to the AS5 model, but there will be challenges in the execution … I think it should be expected that there may be an element of unevenness that may take a couple of years to work out.”

Most notably, audit experts say, AS5 has prompted considerable thought about how much auditors can take advantage of the standard’s new freedom to rely on the work of others—principally a company’s internal auditors or similar consultants. Other popular topics of discussion are where auditors can reduce the number of walkthroughs they have to perform and the number of visits they must make to various company locations to test controls.

While observers generally agree approaches are fairly consistent across the audit profession so far, several areas of disagreement remain.

DeLoach

Jim DeLoach, managing director at consulting firm Protiviti, says he sees differences in how auditors are scoping the audit to include or exclude various company locations. Under Auditing Standard No. 2 (the far more exacting, now defunct predecessor to AS5), auditors had to meet a coverage threshold, testing controls at some percentage of locations to achieve a minimum level of coverage of a company’s multiple sites. Under AS5, auditors have more flexibility to make their own risk assessment of given locations to determine whether it should be included in the scope of the audit.

DeLoach says some auditors don’t expect to change their approach to assessing multiple locations as a result of AS5's new focus. “There’s no question that AS5 says you use the same level of materiality in both the audit of internal control and the audit of financial statements,” he says. “Some auditors are taking that premise and extending it to also mean if you select a unit or location into scope for one audit, you have to do it for the other as well.”

Newton

Keith Newton, partner in charge of audit methodologies for Grant Thornton, says that as auditors master the art of the integrated audit—performing both audits in tandem instead of separately—it’s hard to conceive how a location could be included in the scope of one audit but not the other. “My view is that in almost all cases they should line up, and if they don’t line up, the audit team should understand clearly why they don’t,” he says.

Richard Ueltschy, head of Crowe Chizek’s financial services audit practice, believes the change around multilocation testing will result in less work. “I believe most auditors will find they can audit multilocation companies in a more efficient way without losing much in audit quality,” he says. “The feeling was AS2 might have driven you to do work in areas where there was not a lot of risk, but under the coverage criteria you felt like you had to touch it.”

The New Walkthrough

Walkthroughs are another unanswered question about AS5. While AS2 required auditors to perform their own walkthroughs of key controls and processes, AS5 gives the auditor flexibility to achieve the objectives of a walkthrough in other ways or to use a client’s internal staff or other outside resources under the auditor’s supervision to perform the walkthrough.

STANDARD LANGUAGE

Below is an excerpt of Auditing Standard No. 5, outlining how walkthroughs should be conducted.

Performing walkthroughs will frequently be the most effective way of achieving the objectives in paragraph 34. In performing a walkthrough, the auditor follows a transaction from origination through the company’s processes, including information systems, until it is reflected in the company’s financial records, using the same documents and information technology that company personnel use. Walkthrough procedures usually include a combination of inquiry, observation, inspection of relevant documentation, and re-performance of controls.

In performing a walkthrough, at the points at which important processing procedures occur, the auditor questions the company’s personnel about their understanding of what is required by the company’s prescribed procedures and controls. These probing questions, combined with the other walkthrough procedures, allow the auditor to gain a sufficient understanding of the process and to be able to identify important points at which a necessary control is missing or not designed effectively. Additionally, probing questions that go beyond a narrow focus on the single transaction used as the basis for the walkthrough allow the auditor to gain an understanding of the different types of significant transactions handled by the process.

Source

PCAOB (June 12, 2007)

Audrey Gramling, a professor at Kennesaw State University who studies auditing and auditor behavior, says she expects firms to reduce the number of walkthroughs they perform. “My guess is the number of walkthroughs they’re going to do will be cut back,” she says. “There may be more efficient ways to achieve the benefits of a walkthrough.”

Newton is less sanguine about the prospect of fewer walkthroughs. “For now the walkthrough is still going to be important,” he says. “The walkthrough is probably still the most efficient way, and the standard doesn’t provide any examples of how to get there any other way. I haven’t heard of any other way to achieve the objectives of a walkthrough.”

Time will tell whether companies will choose to allocate their own staff to the auditor’s supervision to free the auditor from performing the walkthrough directly, Newton says. “It’s a trade-off management has to make in terms of deciding how to use their resources.”

Schrock

Kathy Schrock, a partner and Sarbanes-Oxley specialist with consulting firm Tatum, says she sees auditors showing an increased willingness to use outside resources to get comfortable with internal control assessments, even on walkthroughs. “We have a couple of client situations where we’re performing walkthroughs together with the auditor so we don’t have to go through it twice, or they’re relying on the work we perform,” she says. “We’re definitely seeing movement on that.”

A Smoother Standard

Newton believes audit firms are working hard to iron out such differences as AS5 is implemented. “This process began even before AS5 became final,” he says.

Fornelli

Beier at PwC says his firm is preparing its staff with revised internal guidance and training both in the classroom and via Webcast. Cindy Fornelli, executive director of the Center for Audit Quality, adds that audit professionals are now being asked to give presentations at industry conferences regarding new audit processes.

Daly

Amy Daly, managing director with CFO services firm SolomonEdwardsGroup, says auditors are focusing on risk and fraud more than ever before. “There is a constant reminder and a constant checking in on ‘What is the risk?’” she says. “We’re clearly seeing audit firms assuring that fraud risk has been addressed. Under AS2, that was never in the forefront of the discussion or methodology. It was more of an afterthought a few years ago. Now, they’re saying ‘Let’s start the discussion with risk and fraud risk.’”

Lipman

Frederick Lipman, a partner with Blank Rome and president of the Association of Audit Committee Members, still has some doubts about whether AS5 can effectively mitigate the risk of fraud. In comments during the SEC and the PCAOB’s rule proposal process, he pointed out that the kinds of frauds and accounting failures that led to Sarbanes-Oxley and internal control reporting are still possible under new rules, because management can override controls. “The regulators are to be congratulated, however, for at least attempting to mitigate some of these costs by adopting Auditing Standard No. 5.”