New AS5 More In Line With SEC Guidance

Promising a new direction in the audit of internal control over financial reporting, the Public Company Accounting Oversight Board has put to pasture the oft criticized Auditing Standard No. 2, replacing it with Auditing Standard No. 5.

The newly approved AS5 differs from what the Board proposed when it first exposed its package of rules to reform the implementation of Sarbanes-Oxley Section 404 in late December 2006. The revised standard has been modified to ensure it is consistent with new guidance for management, which was also adopted last week by the Securities and Exchange Commission. It leans more heavily on the importance of fraud risk and anti-fraud controls.

The new AS5 focuses more on objectives and less on prescriptive requirements, giving the auditor more room for judgment about how to scope and scale the audit to different circumstances. It also incorporates direction about the extent to which auditors can rely on the work of others, instead of addressing that area of rules in a separate standard as originally proposed.

Olson

PCAOB Chairman Mark Olson says the 175 comment letters received by the Board helped the staff assure that the standard would require auditors to obtain sufficient evidence to support an opinion on a company’s internal controls without imposing unnecessary requirements.

The new standard “reinforces the Board’s expectation that the integrated audit be conducted in a manner that eliminates procedures that are unnecessary to an effective audit of internal control and increases the likelihood that material weaknesses will be found before they allow material misstatements to occur,” Olson says. “The new standard should drive important improvements in the audit of internal control.”

Olson focuses on four key features of the new standard that he says will “make a genuine difference and promote a balanced approach to the audit of internal control over financial reporting.” It’s principles-based, allowing auditors to take into account the facts and circumstances of each audit individually. It emphasizes the importance of scaling the audit to the circumstances of smaller companies, Olson says, and it better emphasizes the focus on fraud risk throughout the audit process. It is also more consistent with the SEC’s management guidance.

Walkthroughs, Evidence, And The Work Of Others

Phillips

Laura Phillips, deputy chief auditor for the PCAOB, says the final standard as adopted is better aligned with SEC’s management guidance than when it was initially proposed. The alignment focused on key terminology to ensure, for example, that both documents follow the same definition for material weakness and significant deficiency. (The SEC has established a definition for material weakness and plans to follow a subsequent rule-making process to establish a definition for significant deficiency.)

Phillips notes the final standard, further emphasizing a top-down approach, eliminates requirements to check certain major classes of transactions to give auditors more room for judgment in deciding which controls to test. It also eliminates the requirement for auditors to perform a walkthrough, giving auditors more room to decide if a walkthrough is necessary to achieve the audit’s objectives. “A walkthrough frequently will be the best way to achieve the goals, but the auditor’s focus should be on the objective, not the requirement to perform the walkthrough,” she adds.

The new standard also gives further direction to scale the audit to the size and complexity of the company, Phillips says. That will be important for smaller companies that learned last week the SEC plans to offer no more delays for the requirement for smaller companies to begin reporting under Section 404.

Chief Auditor Tom Ray says the staff is still working on guidance that will offer further direction on applying AS5 in a smaller company environment. That guidance should be available later this year, in plenty of time for smaller companies when they face their first ICFR audit. Phillips notes that under SEC rules, smaller companies reporting under Section 404 for the first time won’t be required to have the management ICFR assessment audited until the second year of compliance.

Lastly, Phillips says the final AS5 folds in the Board’s direction on how much auditors may rely on the work of internal auditors and others who contribute to the reporting process, instead of carving that direction out to a separate auditing standard as originally planned. Phillips says the standard eliminates the principal evidence provision, which in AS2 drove auditors to perform redundant analysis. “The standard allows auditors to use the work of company personnel other than internal audit in the audit of internal control and financial statements,” she says. “This will achieve the goal of permitting use of the work of others.”

Reviewing The “Musts” And The “Shoulds”

While the staff said the changes from the proposed AS5 to the final version were not substantial, the change from AS2 to AS5 is more significant. “We’ve evaluated every word, more than once,” says Associate Chief Auditor Sharon Virag, to assure the language of the standard does not inadvertently direct auditors to perform unnecessary work.

The PCAOB staff even noted during last week’s meeting that they spent considerable time tweaking the prescriptive verbs in the standard—words like “must” or “should” that compel certain actions. “We looked again at each one of those,” says Ray, “whether we needed each of those ‘musts’ and ‘shoulds.’”

Assuming it is approved by the SEC, the new AS5 is to take effect for audits of fiscal years ending after Nov. 15, 2007, but early adoption will be permitted. Virag notes, however, that for audits falling after SEC approval but before Nov. 15 fiscal year-ends, if auditors elect not to adopt AS5 early, they’ll still be required to adhere to new definitions of material weakness.

Olson says the Board will realign its inspection process, including providing training for inspectors, to assure inspections are consistent with the objectives of the new standard. Separate from the new auditing standard, the PCAOB also approved a rule that would facilitate a shift in the inspection schedule for firms that are only checked every three years, enabling the inspection load to be more evenly distributed over the three-year process. The Board also proposed a new rule to drop the current requirement that it regularly inspect firms even when they do not issue audit reports.

Phil Livingston, a former president of Financial Executives International who serves on the audit committees of several public companies, says the new AS5 represents a welcome change to the focus and direction of Section 404 implementation.

“This is the right tone, focusing auditors and eliminating the unnecessary work,” he says. “I’ve heard criticism already that it’s too vague, but I think they’ve been clear enough that they want auditors to focus and eliminate the unnecessary work.”

Fornelli

Cynthia Fornelli, executive director of the Center for Audit Quality, says the new auditing standard retains the safeguards for investors while making the audit more efficient. She said the Center especially supports the notion that all the rules are provided in a single comprehensive standard scalable to companies of all sizes, and that it focuses auditors on how controls are operating rather than how they are designed.

“Our view and the PCAOB’s view based on the standard issued is that while the audit should be scaled based on both size and complexity of the company, there shouldn’t be arbitrary lines drawn,” she says. “Everyone’s interests have been served. The SEC and PCAOB are to be commended for their process and their results.”

Tim Leech, principal consultant and chief methodology officer for Paisley Consulting and long-time critic of the SOX 404 regulatory implementation, admits he still has some concerns about whether the new rule truly redirects auditors and eliminates unnecessary work. “I continue to believe the standards underemphasize the need for management and auditors to learn from the mistakes made both internally and by others in their business sectors that have led to materially wrong financial statements,” he says.