PCAOB To Audit Firms: Lighten Up

While audit regulators churn away on promised revisions to Auditing Standard No. 2, their chief auditor is imploring those in the field to heed earlier guidance, use more judgment, and lighten up on excessive testing and audit procedures.

In a speech to the 25th annual SEC and Financial Reporting Institute Conference in Pasadena, Calif., last week, Tom Ray, chief auditor and director of professional standards for the Public Company Accounting Oversight Board, said auditors can do more now—before AS2 is amended—to make audits of a company’s internal control over financial reporting less costly and more effective.

Ray

“We don’t believe auditors are taking full advantage of the flexibility in the existing standard,” Ray told Compliance Week after he delivered his address. “They should not wait for the Board’s amendments to implement these ideas.”

The PCAOB is working on amendments to AS2 while the Securities and Exchange Commission develops guidance for corporate executives; both are intended to simplify and improve the ulcer-inducing challenges of compliance with Section 404 of the Sarbanes-Oxley Act.

Ray’s ideas, offered on his own behalf and without the official imprimatur of the PCAOB, encourage auditors to test less and put more faith in their own work from prior years. Ray also suggests that more complete and accurate documentation from management about its assessment of internal controls would lead to better and more efficient audits.

The goal, Ray said in his conference address, is to “focus the auditor on the parts of a company’s internal control that present the greatest risk of failing to prevent or detect a material misstatement in the financial statements.”

Such words are music to the ears of financial executives everywhere. Most are exasperated with Section 404, and complain that external auditors unnecessarily insist on the exacting standards of AS2 before issuing a clean opinion over a company’s internal controls. The result has been sky-high compliance costs and choruses of criticism to the SEC—which culminated in its May 17 decision to revise AS2, provide more management guidance, and extend the compliance deadline for non-accelerated filers yet again.

Ray said auditors continue to misunderstand what AS2 requires. “The first of the two opinions expressed by the auditor is not on management’s assessment process,” he said in his speech. “Rather, it is the auditor’s opinion as to whether management’s required statements about the effectiveness of the company’s internal control and its descriptions of any material weaknesses are fairly stated.”

While auditors are required to evaluate management’s assessment process, they are not required to re-run the entire assessment to reach a conclusion about whether it is effective, he said.

“In its most basic form, the evaluation of management's process consists of the auditor obtaining from management the documentation of its assessment process, reading that documentation, and discussing the process with management. The procedures the auditor performs to conduct the evaluation need not be extensive and need not include procedures such as retesting items tested by management.”

— Tom Ray, PCAOB

“The extent of the auditor’s work is only that which is necessary for the auditor to form a conclusion as to whether management process was sufficiently complete to provide management with a basis to support its reporting, and whether the results of management’s testing support management’s conclusion about internal control effectiveness,” he said. “In its most basic form, the evaluation of management’s process consists of the auditor obtaining from management the documentation of its assessment process, reading that documentation, and discussing the process with management.”

Ray said management could help that process along by assuring its documentation is complete and accurate. “It is important to point out that what management does has an effect on the auditor’s work,” he told Compliance Week. “If management does that which is minimally required to comply with the law, there will be less opportunity for the auditor to reduce his or her work by using the work of management.”

Ray also implored auditors to make more use of prior years’ experience and to place more faith in automated or monitoring controls where little or no human involvement exists, especially in deciding whether to test low-risk, transaction-level controls. Auditors who have been through two years of internal control audits with their clients “should be able to bring that knowledge to bear in assessing risk and developing their audit strategy in subsequent audits,” he said.

Tim Leech, principal consultant with Paisley Consulting, says he’s concerned auditors don’t have the right training and still don’t have the right approach to the internal control audit process.

Leech

“The key goal of SOX should be to identify the unmitigated risks in management’s internal control over financial reporting control system, and ensure external auditors, senior management and the audit committee are aware of them,” he says—but, Leech adds, many audit firms simply don’t know how to do that.

Training for today’s generation of CPA partners “provided limited coverage of how to assess risk and control and, most importantly, how to assess process reliability,” Leech contends. “The business model of the CPA firms has been, and continues to be, creating checklists that relatively inexperienced field staff can complete. This will continue to push a tick-the-box approach to control assessment that companies continue to vocally complain about.”

Thomas Selling, a financial reporting consultant and adviser to the Association of Audit Committee Members, says Ray’s words foreshadow how the PCAOB will revise AS2. He worries it will add risk to the audit process.

Selling

“He’s saying auditors don’t have to actually retest what management did,” Selling says. “That means management is free to create documentation out of thin air, and the only safeguard against that is a discussion with management. Traditionally, reliance on management representation is about the weakest form of audit evidence you can get. This says they’re willing to weaken audit standards for purpose of expediency.”

Leech also says audit firms that are already highly concerned about their potential legal liability in issuing audit opinions for public companies may have trouble with the notion of issuing opinions based on such limited testing.

Ray’s speech, he says, tells auditors “to cut back on a bunch of stuff they have been hammering clients with pursuant to the written rules in AS2, but it doesn’t really help address the fact that the external auditors can be sued in a big way if they give an incorrect opinion on controls and the numbers.”

Related coverage and resources—including all the FAQs published by the SEC and the PCAOB to date—can be found in the box above, right.