More Hints Emerge On AS2 Changes

The Public Company Accounting Oversight Board shared more thoughts last week on how it might amend Auditing Standard No. 2 at a much-touted meeting of its advisory board—where, not surprisingly, opinions differed on the wisdom of revisiting the much-maligned standard.

The PCAOB revealed seven possible steps it is considering, mostly to clarify questions such as how much auditors should rely on management statements or what a “strong indicator” of material weakness actually is. The Board made its presentation at a two-day meeting of its Standing Advisory Group, even as many SAG members still questioned the need to reopen AS2 and repeatedly called for caution in doing so.

Revising AS2 is a cornerstone of regulators’ efforts to make the Sarbanes-Oxley Act more palatable for corporations, particularly small companies that must start complying with the law next year. At issue is Section 404 of the law, which requires companies and their external auditors to test the effectiveness of internal controls over financial reporting. Both the PCAOB and the Securities and Exchange Commission have come under fierce criticism from corporate executives, who say the exacting standards of AS2 have led to the nightmarish costs of 404 compliance.

Board members say their planned amendments to AS2 would help keep auditors’ primary focus on areas that pose a higher risk of fraud or material error. One proposed change would incorporate into AS2 the key concepts of the PCAOB’s widely discussed May 2005 guidance, which first urged auditors and companies to employ a top-down, risk-based approach to audits of controls. PCAOB Chief Auditor Thomas Ray said that move is based on feedback from issuers and others who have told the Board that “to see the full benefits from the [May 2005] guidance, it needs to be reflected in rule text itself.”

Ray

“We’ve tried to highlight the flexibility in AS2 to permit auditors to do less, but we concluded that to really provide auditors comfort to exercise judgment, we need to get the words into the standards,” Ray said at the SAG meeting. As reported previously by Compliance Week, Ray believes most auditors aren’t taking full advantage of the flexibility in the existing standard. In an oft-cited speech earlier this month, he urged auditors to heed earlier guidance, use more judgment, and lighten up on excessive testing and audit procedures.

Other amendments discussed last week include:

Clarifying the definitions of “significant deficiency” and “material weakness” in internal control by incorporating portions of a November 2005 report on the Board’s inspections, which clarified that the definition of material weakness meant “at least reasonably possible,” and eliminated the term “significant deficiency” from the definition of material weakness.

Reconsidering the “strong indicators of a material weakness” to allow for more judgment in determining whether a deficiency exists. Ray said the Board would retain its list of indicators but modify it to permit more judgment of whether a significant deficiency or material weakness exists.

Guiding auditors to increase their use of the work of others. For example, Deputy Chief Auditor Laura Phillips noted that one possible change would allow auditors to use the work of others for some aspects of the control environment, which currently isn’t allowed.

Clarifying materiality and scoping decisions to say materiality should be based on annual, rather than quarterly, financial statement materiality.

Emphasizing the integration of the audit of internal control with the audit of the financial statements to incorporate key concepts of the May 2005 guidance.

Adding a section on subsequent-year audits to allow auditors to use experience gained in previous years to help determine the nature, timing and extent of their work. Phillips explained that, “We’re not saying they could do nothing” on a control or risk. “What we’re talking about is areas where they would do much less based on previous positive experience,” such as a walk-through instead of full testing.

Warning, Changes Ahead

When one SAG member asked for an explanation of why changes to AS2 are needed, Ray said the move “clearly has to do with efficiency.” (Or as Phillips put it: “My answer to that question is to keep 404 from collapsing under its own weight.”) But several SAG members cautioned the board to be careful of focusing too much on efficiency at the risk of compromising audit quality.

Kueppers

“As painful as it’s been to implement and as volatile as some of the debates around it have been, the underpinnings of the standard are fine,” said Bob Kueppers, deputy CEO of Deloitte & Touche. “If we do any renovation on structure my concern is that we do not start moving load-bearing walls. My own experience has been that when there’s pressure to gets fees down, there’s tendency for some to interpret the word ‘efficiency’ to mean ‘do less work.’ ”

Former SEC Chief Accountant Lynn Turner, now managing director of research at Glass, Lewis & Co., said he would “applaud any effort by the Board that would get us higher quality audits,” but shared concerns about focusing on efficiency.

SPEECH

Below is an excerpt of Chief Auditor Tom Ray's speech on June 8 outlining how AS2 should be implemented.

There continues to be some misunderstanding with regard to the first of the two auditor opinions. Some believe that the auditor is expressing an opinion on management's assessment process. That belief, in turn, is fueling what probably is unnecessary additional work directed to evaluating the adequacy of management's process …

The principal objective of the auditor's evaluation of management's assessment process is for the auditor to be satisfied that management has an appropriate basis for its conclusion. Accordingly, the extent of the auditor's work is only that which is necessary for the auditor to form a conclusion as to whether management's process was sufficiently complete to provide management with a basis to support its reporting, and whether the results of management's testing support management's conclusion about internal control effectiveness.

In its most basic form, the evaluation of management's process consists of the auditor obtaining from management the documentation of its assessment process, reading that documentation, and discussing the process with management. The procedures the auditor performs to conduct the evaluation need not be extensive and need not include procedures such as retesting items tested by management.

Similarly, the auditor's documentation of his or her evaluation of management's process need not be extensive. For example, the audit documentation might consist of a summary document prepared by management that explains, perhaps for the benefit of the audit committee or other senior managers, the process management used in making its assessment, along with a memorandum prepared by the auditor that documents the auditor's procedures, the results of those procedures, other evidence obtained, if any, and conclusions.

Source

PCAOB (June 8, 2006)

Turner said the dialogue reminded him of discussions at the SEC in the late 1990s when the Commission sent letters to the audit profession with “concerns about efficiencies.” The result, Turner said, was that, “We did see an increase in efficiency—and a reduction in audit quality.”

Nick Cyprus, senior vice president, controller and chief accounting officer at Interpublic Group, said while he initially felt no changes to AS2 were needed, “We got some good answers” about why adjustments are necessary. Still, Cyprus said he is “concerned” that making changes could slow implementation. “Any change we make needs interpretation, and that will lead to debate and that could lead to non-implementation,” he said.

Meanwhile, SAG member John Morrissey, operating controller at General Electric Corp., questioned whether the issues could be addressed via staff guidance. “I’ve never been a fan of cracking open a rule and tinkering with it,” he said.

Among other goals, the PCAOB also plans to revisit and clarify the auditor’s role, if any, in the evaluation of the process a company uses to reach its own conclusion about the effectiveness of company controls. Phillips noted that changes to the auditor’s role would require rulemaking. Under such changes, paragraphs in AS2 that describe how auditors should evaluate management’s process and documentation would be eliminated, and portions of the standard that say the auditor must end the engagement if they find management’s assessment lacking would be lifted to allow auditors more judgment about whether management’s assessment would cause a scope limitation.

Noting that panelists at last month’s May 10 roundtable “cautioned against taking auditors off of their hard-won experience curve by making unnecessary changes,” Ray said some areas won’t change, such as the guidance on independence considerations, performing walkthroughs, and evaluating the effectiveness of audit committees.

Meanwhile, during a panel discussion on the auditor’s role, questions arose as to whether both the auditor opinion on the effectiveness of internal control and a second auditor’s opinion on management’s assessment are both needed.

While auditors on the panel said they wouldn’t oppose limiting the auditor’s report to a single opinion on the effectiveness of internal controls, Ernst & Young partner Dan Montgomery told the Board, “Eliminating one opinion won’t result in substantial reduction in audit effort” and would have little if any effect on audit costs.

Exactly when the SEC and PCAOB will issue their new guidance still remains unclear. The SEC has promised more guidance to help managements conduct their own audits of internal controls soon, but none has yet been released. The Committee Of Sponsoring Organizations has also promised a new risk management framework for smaller companies by the end of June, although that has not been made public yet either. Regulators do, however, want to move forward with their changes quickly so that companies can use them for fiscal 2007 financial statements.