As audit regulators now begin considering feedback to their proposed rewrite of rules governing audits of internal control over financial reporting, they are confronted with the ongoing tension between rules and principles—to give more or less guidance and to outline more or fewer prescriptive thresholds.
With the public-comment period now closed on the proposed new standard to replace Auditing Standard No. 2 for audits of internal controls, the Public Company Accounting Oversight Board has its work cut out for itself. The market generally has endorsed the Board’s approach to move away from prescriptive auditing rules toward a top-down, risk-based approach that leaves auditors more room to exercise judgment.
The Board, however, is getting conflicting views on how best to achieve that, with some suggesting the proposed new standard, dubbed Auditing Standard No. 5, goes too far in removing prescriptive requirements and giving auditors room for judgment. Members of the Board’s Standing Advisory Group met last week to offer their impressions of the new audit rules, and some said it is viewed in the market as a throttling back of existing audit rules.
Trott
Ed Trott, a member of the Financial Accounting Standards Board, told the PCAOB at the SAG meeting that the problem with AS2 wasn’t its rigidity, but its implementation. “Many people, I expect, look at AS5 as a relaxation of the goals and the needed effort,” Trott said. “That’s the message many people have gotten from your actions. I hope you can communicate AS5 is not a back-off of the objective.”
Consulting firm Accretive Solutions told the PCAOB in a comment letter that the new standard is clear enough in calling for a top-down, risk-based audit, but doesn’t adequately describe how a risk-based assessment of internal controls should be performed.
“Implementation of the standard as currently proposed will continue to require a high level of subjectivity due to a lack of definitive guidance as to the practical application of the top-down, risk-based approach,” wrote Dirk Hobgood, senior vice president for Accretive. “This lack of definitive guidance will lead to inconsistent application by public filers and their external auditors.”
Cynthia Cooper, SAG member and president of her own consulting firm, said the new latitude for auditor judgment will be welcomed, but auditors’ ability to exercise that judgment will depend heavily upon the audit inspection process. “It’s critically important that the inspection process be in sync with the tone we want the standard to set,” to protect auditors from concern about second guessing, she said.
Carcello
Joe Carcello, also a SAG member and director of research for the Corporate Governance Center at the University of Tennessee, said the PCAOB and the Securities and Exchange Commission have struck a laudable, principles-based approach, but cautioned that it only will work in an environment of strong enforcement—and he questioned whether such an environment exists.
“The PCAOB has adopted an inspection model, not an enforcement model,” he said. “The SEC enforcement budget has been squeezed in recent years … [The proposals] will likely reduce costs without hurting effectiveness for good actors, but at the cost of reducing effectiveness for bad actors. Is this socially optimal?”
COMMENTS
An excerpt from the Institute of Management Accountants’ comment to the PCAOB follows.
The Institute of Management Accountants applauds the efforts made to date by
the SEC and PCAOB to make SOX implementation more cost-effective and practical
while still protecting investors. We are pleased to continue sharing our extensive
global research and recommendations with the SEC, PCAOB, professional accounting
associations, the trade media, the U.S. Chamber of Commerce, Members of Congress
and other security regulators around the world interested in this issue.
IMA’s conclusion, after careful consideration of the SEC and PCAOB December 2006 proposals, is that significant additional actions are required to optimize the
cost/benefit equation.
...
We have summarized below the five interrelated issues that we believe remain to be
addressed, together with our technical analysis and recommendations for change.
These five issues have been identified through extensive research and careful
consideration of the reasons cited by Canada, the EU and Japan for not fully adopting
the current U.S. SOX regulations.
Issue 1: Two rule books (SEC, PCAOB) for the same assessment task – a
recipe for unintended confusion and complexity. In short, without major
changes to the draft rules ASX/5 will likely replace AS2 as management’s de
facto standard.
Issue 2: The proposals are not risk-based by global risk management
standards, reducing the benefits that could accrue from an assessment
approach that focuses on identifying specific significant risks and
understanding residual risk status.
Issue 3: The current “quality bar” of zero material defects in draft financial
statements is expensive without significantly increasing investor protection.
This situation is compounded by the current requirement that identification of
even one material control weakness requires management publicly report
ineffective ICFR.
Issue 4: The draft proposals call for elimination of the audit opinion on
management’s ICFR assessment process and retention of the auditor’s
subjective opinion on ICFR effectiveness. While some agree with this
interpretation of the Act, it is contrary to IMA’s and IIA’s publicly reported
views, some early comment letter responses, and the current stance of the
U.S. federal government, Japan, Canada, and the EU capital market
regulatory bodies.
Issue 5: The draft proposals are still not practical for smaller public
companies – all four issues listed above disproportionately impact smaller
public companies.
Source
Rulemaking Docket Matter 021 (Public Company Accounting Oversight Board; As of Feb. 23, 2007)
The Institute of Management Accountants says both the proposed guidance to management issued by the SEC and the new auditing standards should encourage use of global risk-assessment frameworks and a more consistent approach to the risk assessment process. “We would argue that this level of guidance is the appropriate balance between ambiguity at one extreme and prescription at the other,” said Paul Sharman, IMA president and chief executive officer, and Jeff Thomson, vice president, in their letter to the Board.
Even further, the IMA says it sees inconsistencies between the PCAOB’s proposed audit rules and SEC’s proposed guidance that will lead auditors and management into inevitable differences of approach: “When revisions to the draft PCAOB standard are done following the comment period, we recommend all sections that describe how to complete an assessment of [internal control over financial reporting] should be deleted from the standard and auditors directed to use the same SEC interpretative guidance used by management.”
Beyond the risk assessment, views differ on the proposed new standard instructing auditors to use the work of others in completing their audit work. SAG members representing Big 4 accounting firms told the PCAOB that changes within the proposed new rule to replace AS2 provide the flexibility auditors need to draw their own conclusions about where they can use the work of others, making a separate standard unnecessary.
The Council of Institutional Investors, on the other hand, supports the new standard and would like to see further guidance establishing a framework through which auditors would evaluate the competence and objectivity of those on whose work they plan to rely, as required in the proposed standard.
As for the PCAOB’s effort to let audits be “scaled down” for smaller or less complex companies, the Board will juggle differing views there as well. While the market has called for (and received) a reprieve for the smallest public companies because they lack the same scale of resources to comply with the internal control audit rules that large companies have, SAG members said they’re concerned that language in AS5 suggests the rules might be somehow different for smaller companies.
SAG member Arnie Hanish, chief accounting officer for Eli Lilly & Co., said he takes exception with language that suggests audits should be scaled for the benefit of smaller companies. “We shouldn’t lead anyone to believe there’s a different standard,” for smaller companies, he said.
SAG member Craig Omtvedt, senior vice president and chief financial officer for Fortune Brands, said regardless of any changes the Board may make to audit rules, the process still is not effective in detecting fraud, and that’s the risk foremost in investors’ minds for companies of any size. When the Board gets better standards to detect fraud, he said, questions about scaling the Section 404 audit will go away.
“I don’t believe the audit process today is effective in detecting fraud,” Omtvedt said. “The process we have today assures that good people are getting it right. If you look at the body of evidence, there’s never been a major fraud as the result of low-level controls.”
And from out in the trenches, the Board must weight the kinds of concerns raised by the likes of Todd Nielsen, who gave no further identifying information in his comment letter about himself or the company for which he works. He said the complexity of complying with the internal control audit process as it’s been implemented is creating more accounting errors, not fewer.
“We have been mandated to have so much separation of duties that tasks that were once simple and straightforward have now become unduly complicated and involve a number of people,” Nielsen wrote. “As a result, the work flow is constantly interrupted while waiting for someone else to now do their piece, which forces us to set things down and restart them constantly. And items such as journal entries often get keypunched three times because of the separation of duties and system accesses. We now have to deal with keypunch errors that never existed before.”
No comments yet