Audit regulators have published some preliminary guidance on how the new Auditing Standard No. 5 can be implemented in smaller, less complex companies—the ones that must begin evaluating their internal control over financial reporting at the end of this year.
The Public Company Accounting Oversight Board has floated the document for a 60-day comment period. But Tom Ray, the PCAOB’s chief auditor and director of professional standards, says companies and their auditors need not wait for comments and revisions before putting the guidance to work.
“We have this comment period, so we want to avail ourselves of the opportunity that others might have suggestions on how we might improve this document,” he says. “But I would encourage auditors to read it and apply it now.”
Ray
The 52-page document provides staff views on how Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements, can be implemented at smaller companies. The PCAOB approved AS5 earlier this year to encourage a more risk-based approach to auditing internal controls, and it will go into effect for the 2008 audit cycle. But many small companies have wondered how AS5 might work for them, when they lack the personnel and processes large companies employ to manage internal control over financial reporting.
For non-accelerated filers—companies with a market capitalization below $75 million—the Securities and Exchange Commission is requiring only the management report on internal control, not the auditor’s report, for their first year of compliance with Sarbanes-Oxley Section 404. The rule applies starting with fiscal years ending on or after Dec. 15, 2007. The audit report will be required the following fiscal year.
Still, Ray says, small companies should find this guidance helpful, since auditors can use the guidance to help their clients through their first Section 404 reporting cycle and be well positioned for the auditor review in subsequent years.
“Those auditors are wondering about and getting questions from their clients about what they need to do,” Ray says. “So hopefully this will help auditors be better informed as they go forward.”
Ray also stresses that the guidance is not solely for non-accelerated filers. A bright line between large and small companies may exist for reporting purposes, he says, but plenty of accelerated filers have the attributes and characteristics of smaller, less complex companies. Those attributes might include fewer business lines, more centralized accounting, and more extensive involvement of senior management in day-to-day activities.
“There are a lot of smaller accelerated filers that would benefit from implementing this guidance now,” Ray says.
Keith Wilson, the PCAOB’s associate chief auditor who helped author the guidance, says the guidance focuses on several areas where smaller companies differ from larger ones.
“The risk of errors in financial statements can be different in smaller companies compared with larger companies,” he says. “Likewise, the controls to address those risks can also be different. To tailor the audit for smaller companies, you have to take into account those risks and the controls to address those risks.”
SMALL STEPS
Below are the main areas of concern the PCAOB sees for applying AS5 to small companies.
Use of entity-level controls to achieve control objectives. In smaller, less complex companies, senior management often is involved in many day-to-day business activities and performs duties that are important to effective internal control. Consequently, the auditor’s evaluation of entity-level controls can provide a substantial amount of evidence about the effectiveness of internal control. Chapter 2 discusses methods of evaluating entity-level controls and explains how that evaluation can affect the testing of other controls.
Risk of management override. The extensive involvement of senior management in day-to-day activities and fewer levels of management can provide additional opportunities for management to override controls or intentionally misstate the financial statements in smaller, less complex companies. In an integrated audit, the auditor should consider the risk of management override and company actions to address that risk in connection with assessing the risk of material misstatement due to fraud and evaluating entity-level controls. Chapter 3 discusses these
considerations in more detail.
Implementation of segregation of duties and alternative controls. By their nature, smaller, less complex companies have fewer employees, which limits the opportunity to segregate incompatible duties. Smaller, less
complex companies might use alternative approaches to achieve the objectives of segregation of duties, and the auditor should evaluate whether those alternative controls achieve the control objectives. This is discussed in Chapter 4.
Use of information technology (IT). A smaller, less complex company with less complex business processes and centralized accounting operations might have less complex information systems that make greater use of off-the-shelf packaged software without modification. In the areas in which off-the-shelf software is used, the auditor’s testing of information technology controls might focus on the application controls built into the prepackaged software that management relies on to achieve its control objectives, and the testing of IT general controls might focus on those
controls that are important to the effective operation of the selected application controls. Chapter 5 discusses IT controls in more detail.
Maintenance of financial reporting competencies. Smaller, less complex companies might address their needs for financial reporting competencies through means other than internal staffing, such as engaging outside professionals. The auditor may take into consideration the use of those third parties when assessing competencies of the company. Chapter 6 discusses the evaluation of financial reporting competencies in more detail.
Nature and extent of documentation. A smaller, less complex company typically needs less formal documentation to run the business, including maintaining effective internal control. The auditor may take that into account when selecting controls to test and planning tests of controls. Chapter 7 discusses this in more detail.
Source
PCAOB (Oct. 17, 2007).
How to Slim Down
In the document, the staff offers guidance on how the audit can be scaled to smaller, less complex companies and how the auditor should evaluate entity-level controls. It offers advice on how to assess the risk of management override of controls and how to evaluate any actions or controls in place to mitigate that risk.
Management override is one of the more challenging problems for smaller companies, Wilson says, since management has so much more opportunity to override controls. “It’s one of the considerations the auditor would look at when evaluating the risk of fraud,” he says. “This guidance helps walk the auditor through the process. Their responsibilities are closely related to the existing fraud standard.”
The guidance also delves into other hot-button areas:
evaluating segregation of duties when staffing may be limited;
auditing IT controls when use of technology may be less sophisticated;
studying financial reporting competencies and their effect on internal control;
gathering sufficient audit evidence when a company may have less formal documentation; and
auditing smaller companies where there may be pervasive control deficiencies.
The guidance asserts, for example, that when a company lacks internal resources to complete all aspects of financial reporting, it may not be viewed as a weakness or deficiency in internal controls if the company relies on outside resources to get the job done.
“It’s perfectly acceptable for a company to be using third parties to assist them in understanding accounting pronouncements and evaluating accounting policies,” Ray says. “The auditor can recognize other resources company can use to help satisfy that responsibility.”
The guidance also offers auditors some views on segregation of duties, typically seen as necessary to assure that no single person has too much control over certain aspects of financial reporting. “It talks about the types of controls that companies may implement as alternatives where they don’t have the resources to segregate duties and what kind of audit procedures auditors can use to test those controls,” Wilson says.
The PCAOB first promised guidance for smaller companies in May 2006 when it also committed to overhauling the prior standard governing the internal control audit, Auditing Standard No. 2. AS5 ultimately replaced AS2.
The guidance was developed with the help of a working group of auditors who had some experience with AS2 in smaller companies, Ray says. They helped identify issues that were particularly vexing for smaller companies given their staffing and control environment.
Ray says the project to write guidance for smaller companies was developed in tandem with AS5. As such, it tracks closely with the requirements of the standard, taking principles in AS5 and providing context that will be applicable specifically to smaller, less complex companies.
No comments yet