The Public Company Accounting Oversight Board says audits of internal controls over financial reporting are improving—but they still are not focusing as much on risk and efficiency as regulators would like.
In a report issued last week to review second-year compliance with Auditing Standard No. 2, the Board said that in some cases auditors still don’t fully integrate the audits of internal controls over financial reporting and audits of the financial statements. They also fail to apply a top-down approach to testing controls, assess risk at the account level instead of focusing on management’s assertions, and ignore the work of others that might make the audit process more efficient.
The 13-page report summarizes the Board’s findings from field inspections in 2006 that looked at portions of about 275 audits. Those inspections followed the Board’s report in May 2006, when it vowed that PCAOB inspectors would pay attention not only to audit effectiveness, but also to auditors’ efficiency in compliance with AS2.
In addition to making their own audit processes more efficient, the Board says auditors even have some responsibility to protect clients from their own missteps that might inhibit an efficient audit.
“Engagement teams often stated that the issuers’ circumstances contribute to the need to do more work to complete the audit of internal control,” the report says. “While the issuer’s circumstances can increase the amount of work that the auditor needs to perform, the Board encourages auditors to engage in discussions with issuer clients and their audit committees as early as possible, in order to identify and address issuer-specific obstacles to efficiency.”
Jim Lee, chief auditor for PricewaterhouseCoopers, says timing of management activity is perhaps the most significant client issue that might complicate an otherwise efficient audit. “If management performs its assessment later in the year, it might make it difficult for the auditor to rely on management’s work,” he explains. “It certainly is appropriate to have a discussion with management or with the audit committee if that’s an issue. It’s good practice.”
Olson
In testimony last week before a U.S. Senate committee on concerns to smaller companies, PCAOB Chairman Mark Olson reiterated the Board’s passion for audit efficiency. “The Board is determined to make internal control audits as cost-effective as possible for companies that are required by the SEC’s rules to obtain an audit report on internal control,” he said.
The report also outlines other areas of concern where auditors are not properly applying the requirements of AS2. The Board says some auditors spent unnecessary time examining management’s internal control testing processes, rather than using that work to reduce their own testing. The Board also contends that some auditors didn’t appropriately test automated controls and didn’t have a monitoring system in place to determine if audit teams were adhering to PCAOB guidance on auditing efficiently.
Hermanson
Dana Hermanson, accounting professor at Kennesaw State University, says improved audit efficiency was expected in the second year of AS2 compliance; the first year was filled with uncertainty over what auditors should do and how aggressively the PCAOB might enforce its standards. “There was a great deal of uncertain ground to cover in year one, and some auditors may have wanted to err to the side of effectiveness rather than efficiency,” he says.
Hermanson says he’s hopeful that efforts to make audits more efficient won’t eclipse the need for audits to remain effective. “Audit effectiveness ultimately is what will protect investors from financial statement errors and fraud,” he says.
The End Of AS2 Anyway
While AS2 does remain in force, it likely has governed its last round of audits over accelerated filers, the largest companies that are required to report on and obtain an audit of their internal controls over financial reporting. The PCAOB and the Securities and Exchange Commission are nearly done with an overhaul of Sarbanes-Oxley Section 404 compliance, including potentially two new audit standards that would replace AS2.
Olson tells Compliance Week that continued monitoring of AS2 implementation—especially audit integration, a top-down approach, and using the work of others—is driving the overhaul of the standard. “This continues to be important because those principles were directly incorporated into the proposed new standard,” he says. “The results tell us that firms are making progress in improving the efficiency of their audit work, but there is still significant room for improvement.”
Although AS2 itself has little remaining life span (the PCAOB is expected to unveil its replacement standards by June), audit observers are happy to see its implementation still analyzed and critiqued.
Roper
“What [the PCAOB] learns from such a review ought to inform their decisions about how to revise the standard,” says Barbara Roper, director of investor protection for the Consumer Federation of America. “While we question whether such a wholesale revision is needed, if it is to be undertaken, it absolutely should be driven by what the Board has learned from its review of AS2 implementation.”
Anand
Sanjay Anand, chairman of the Sarbanes-Oxley Institute, says the report provides “empirical evidence” to support the wholesale rewrite of AS2 and underscores issues that C-suite executives have been raising for some time. “We need to further simplify, streamline, and consolidate efforts from both an implementation as well as an audit perspective,” he says. “We see that reflected in the recent draft proposal.”
While the analysis may be helpful to the revision of AS2, it does little to help auditors with continued improvement in implementation, says Pat Woodbury, managing director for FTI Consulting. The report addresses audits inspected in 2006 for financial statements largely covering calendar year 2005. Quite simply, she says, “It’s old.”
No comments yet