PCAOB Approves Internal Control Standard

As expected, the Public Company Accounting Oversight Board has approved its long-awaited standard for audits of internal control over financial reporting.

The auditing standard, known officially as "An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements," addresses both the work that is required to audit internal control over financial reporting and the relationship of that audit to the audit of the financial statements.

In a speech delivered the day the standard was approved, Board Chairman William McDonough noted that the PCAOB's action would "forever change" how public companies do business. "I don't think I exaggerate when I say this is one of the most important days in the world of financial management," he said.

Quick Background

Section 404 of the Sarbanes-Oxley Act, and the SEC's related implementing rules, requires the management of a public company to assess the effectiveness of the company's internal control over financial reporting.

The company's independent auditor must then sign off on management's assessment. SOX 103 and 404 direct the PCAOB to establish the standards governing such an "attestation" on management's assessment of the effectiveness of internal control.

Applicability And Deadlines

Companies considered "accelerated filers" were originally required to comply with the internal control reporting and disclosure requirements of SOX 404 for fiscal years ending on or after June 15, 2004.

As was reported first in Compliance Week, the SEC extended that date in February, so that accelerated filers must comply with the requirements for its first fiscal year ending on or after Nov. 15, 2004.

Accordingly, auditors engaged to audit the financial statements of such companies for fiscal years ending on or after Nov. 15, 2004, also are required to audit and report on the company's internal control over financial reporting as of the end of such fiscal year.

Other companies — including smaller companies, foreign private issuers and companies with only registered debt securities — have until fiscal years ending on or after July 15, 2005, to comply with these internal control reporting and disclosure requirements.

"Watching And Listening"

According to the PCAOB, the Board considered the possible effects of the proposed standard on small and medium-sized companies, noting that internal control is not "one-size-fits-all."

In fact, Chairman McDonough specifically noted that "the Board will be watching and listening closely to learn whether companies, especially small and medium-sized companies, are being unduly charged" for unnecessary services.

Added McDonough, "The internal controls necessary for one company may not be necessary for all companies."

Nothing New? Well, More Expensive

The new PCAOB standard requires auditors to look at a company's internal controls themselves, and to conduct walkthroughs of important stages of certain controls.

In general, auditors must be satisfied that the internal controls over financial reporting are designed and operating effectively.

According to PCAOB member Daniel Goelzer, federal securities laws have required SEC-registered companies to maintain an adequate system of internal accounting controls for the past 27 years. "The Sarbanes-Oxley Act gives teeth to this requirement," said Goelzer.

Goelzer also noted that, while there are real benefits to internal control reporting, the benefits won't come cheap. "This new auditor responsibility will add new complexity to the audit," he stated after the standards were approved, "and fees will almost certainly increase to some extent as a result."

Board member Kayla Gillan agreed. "This additional work will result in increased audit fees," she stated.

However, Gillan also noted that the increase in costs should not be misconstrued as an opportunity for accounting firms to overcharge for their services, or to provide unneccesary services. "Let me be clear," she stated, "the work that auditors must now perform with respect to internal controls is not an excuse to price gouge."

She also urged any company that believes its auditor is overcharging for internal control-related work to contact the Board. Appropriate contacts are listed in the box above, right.

KEY POINTS

The 211-page internal control standard is available from the box above, right; however, here are a few key provisions and items of note (in no particular order):

Integrated Audit — The audit of internal control over financial reporting is to be integrated with the financial statement audit.

Two Opinions — Auditor must provide two opinions as a result of the audit

of internal control over financial reporting: one on management's assessment and one

on the effectiveness of internal control over fin. reporting;

Principal Evidence — Standard limits how much an auditor can rely on the work of others;

First-Hand Evidence — Standard requires auditors perform "walkthroughs" of certain internal control processes;

Auditing Your Boss — Auditors will assess the effectiveness of the audit committee’s internal control oversights;

Documentation — Management needs to support its written effectiveness report with sufficient evidence and documentation;

Deficiencies — All control deficiencies, regardless of severity, will need to be communicated in writing to management;

Significant Deficiencies — All significant deficiencies and material weaknesses must be reported to audit committee;

Escalation To Board — Deficiencies above need to be reported to the whole board if the problem is a result of poor audit committee oversight;

"Reasonable Assurance" — Concept is baked into the definition of internal control over financial reporting. While it "includes the understanding that there is a remote likelihood that material misstatements will not be prevented or detected on a timely basis," it is, nevertheless, "a high level of assurance."

Adverse Opinions — Material weaknesses require an "adverse opinion" and does not allow for a qualified "except for" report;

Auditor Can't Design Controls — Standard reminds issuers that auditors cannot audit their own work, and hence can't design or implement internal controls.

Big Or Small: No Difference

While the Board apparently took into account the comments and concerns of smaller, less complex companies, the new standards make no distinction between size of issuer.

According to Board member Bill Gradison, "The law does not, as I read it, seek to give greater assurance to investors in large companies than small ones."

He did note, however, that — as PCAOB inspectors begin examining the engagements of smaller audit firms — the Board would "gain valuable insights into the question of whether one set of auditing standards will work for all public companies regardless of size," and whether a separate set of standards or amendments might need to be considered.

Principal Evidence

According to the new standard, it is not enough to simply ask auditors to attest to and report on management's assessment of a company's internal controls. Chairman McDonough notes that Sarbanes-Oxley clearly requires that auditors determine for themselves that the internal controls are adequate to support reliable financial statements.

As a result, the new standard requires that an auditor perform the audit of the financial statements and the audit of internal control as part of one engagement. According to McDonough, this is "not so much as a cost- and time-saving measure but because each audit could have consequences for the other."

Regarding an auditors' ability to rely on the work of others, the Board apparently tried to strike a balance between the work that an auditor must do himself, and the work performed by management, internal auditors and others.

"We require that an auditor obtain the principal evidence supporting his or her opinion through procedures performed by the auditor, including walkthroughs," noted McDonough.

According to Board member Gillan, this "work of others" topic "is an area in which we have made the most changes from the original proposal." Gillan noted that the Board believes "internal audit programs that are both highly competent and independent from company management represent a valuable long-term tool for increasing financial reporting reliability."

She also notes that an effective internal audit function would enable auditors to rely more readily on internal reports, "thus reducing the external auditor's fee. As a result, she stated that "we encourage companies to strengthen their internal audit departments."

Many internal auditors, however, have complained that the principal evidence requirement implies that an internal auditor's work might be duplicative or even irrelevant. McDonough disagrees, stating that the new standard "in no way says an internal auditor's work lacks value." He does not believe the standard should discourage internal auditors from testing and evaluating internal controls, "especially those related to the timely prevention and detection of fraud."

Audit Committee Oversight

The new standard also requires that auditors gauge the effectiveness of the company's audit committee, including whether the committee is independent of management.

While some have argued that this places auditors and audit committees in an untenable conflict — what auditor would negatively judge the committee that hired them? — chairman McDonough disagrees. "Auditors have to confront similar conflicts every time they must make a judgment that disagrees with management," he says. "Experienced auditors can do this."

McDonough also noted that longstanding frameworks for internal control "make it clear that the audit committee is an integral part of the control environment," and that "any evaluation of internal control would be incomplete without a review of the audit committee."

Additional Moves And Amendments

In addition to the internal control standard, the Board proposed amendments to its existing interim auditing standards to conform them to the new standard.

The registration deadline for non-U.S. accounting firms was also changed from the previous deadline of April 19 to July 19, 2004.

The Board also approved amendments to its bylaws, including one that would require the Board to hold at least one public meeting per calendar quarter. The bylaw amendments also modify portions of the indemnification provisions of the current PCAOB bylaws to clarify:

The types of costs and expenses for which the PCAOB will provide indemnification;

The manner in which the Board may determine whether indemnification is to be provided;

The right of the Board to undertake an individual's defense in lieu of payment of indemnification, and other matters.

The auditing standard on internal control, the change in the registration date for non-U.S. firms and the bylaw amendments will be submitted to the Securities and Exchange Commission for approval, as required by the Sarbanes-Oxley Act.

Comment Period

The public comment period has expired. Final rule available in box above, right.

NOTE: Please note that this is a summary of a PCAOB rule, and should not be construed to be a complete or final rule. Please refer to the PCAOB's Web site for updated and final rule information.