With the passage of the Sarbanes-Oxley Act (SOX), the highly
controversial Auditing Standard No. 2 (AS 2) emerged, which has
until recently governed the independent audit of internal controls
over financial reporting (ICFR), setting the criterion for SOX
compliance. Critics have long complained that AS 2 is overly
prescriptive and costly, particularly for smaller companies, and
encourages excessive auditing by focusing auditor attention on
minutiae which in the grand scheme of things pose low risk threats.
In an effort to address these (valid) arguments, both the Securities
& Exchange Commission (SEC) and the Public Company Accounting
Oversight Board (PCAOB) have recently released new guidance and
standards respectively, intended to enable effective audits of
internal controls while reducing their burden and cost.
Streamlining Efforts
The new SEC interpretative guidance outlines an approach for
Management to conduct ICFR reviews. The new PCAOB-approved Auditing
Standard No. 5 (AS 5) replaces AS 2, and directs the nature of
external audits. Importantly, both emphasize a focus on evaluating
higher risk areas by employing a "top-down" and "risk-based"
approach.
Management's Process
Management, as before, must identify
and evaluate the design of controls addressing the prevention or
detection of material misstatements in financial statements,
particularly due to fraud, in a timely manner. The guidance
discusses the role of Entity-Level Controls (controls that impact a
company's entire system of internal control) and how they may be
sufficient, in specific instances, to reduce risks at the same level
of precision as operational controls. The practical significance is
the potential reduction of controls and associated testing by
leveraging more corporate-level controls to address a variety of
specific financial reporting risks. Examples of entity-level
controls include monitoring of operational results, controls over
management override, or centralized processing controls that reside
in shared service environments. It's important to consider, though,
that the more indirect the relationship of an entity-level control
to the financial reporting risk, the less likely the control
suffices by itself to detect or prevent a material misstatement.
Management must also continue to evaluate evidence demonstrating the
effective operation of its controls. The new guidance provides more
latitude to management in employing different techniques in its
review, commensurate with the risk level. For example, management
might use self-assessments and ongoing monitoring activities in
low-risk areas, while performing more extensive testing in high-risk
areas. As for documentation retention, while the SEC has stated
that reasonable support must be maintained, the nature and extent of
documentation are not strictly prescribed. Adequacy of documentation
is left to management judgment; however, a lack of sufficient
documentation may cause the independent auditors to perform more
work to support their opinion on ICFR. Documentation of assessments
and testing, in connection with ongoing monitoring and separate
evaluations by management, is a factor that will significantly
impact the nature, timing and extent of the independent auditor's
work.
Auditor's Process
The streamlining of processes is not limited
only to management. AS 5 is substantially smaller than AS 2 and is
far less prescriptive. For example, AS 2 contained approximately 240
"shoulds", which were mandatory requirements for the auditor. AS 5
cuts this number by at least half in an effort to be more
principles-based, empowering auditors to exercise greater judgment.
Specific reductions in the level of auditor work include:
- Removal of requirement to evaluate management's assessment process. The auditor will now report only on the effectiveness of a company's internal controls.
- Visiting multiple company locations based on risk. This differs from the AS 2 requirement to audit a "large portion" of a company's operations and financial position.
- The auditor is also permitted more latitude in determining when interviews (walkthroughs) are needed. In lower risk areas, observation alone may be sufficient and greater use of the work of others, such as company Internal Audit reviews, appropriate.
AS 5 also revises the
definitions of "material weakness" and "significant deficiency". A
material weakness is a control deficiency through which it is
reasonably possible that a material misstatement might not be
detected or prevented. A significant deficiency is a control
deficiency that is less severe than a material weakness but is
important enough to be brought to the attention of those charged
with governance. These new definitions do not raise or lower the
threshold of a material weakness, but are expected to raise the
threshold for significant deficiencies. Another by-product is an
expected reduction in the number of matters requiring communication
to management and those charged with governance.
Will these changes increase efficiencies?
The impact that the SEC's guidance and the PCAOB's revised auditing standard will have on companies and
integrated audits will vary significantly. The following are some
factors that could increase or decrease the efficiencies these
latest releases might generate for any given company.
Company factors:
1. The degree of centralized vs. decentralized processing and financial reporting control
2. The competence and objectivity of the people performing ICFR testing/evaluation work for the company
3. The quality and extent of the company's ICFR evaluation documentation
4. The strength of the company's entity-level controls, including the effectiveness of:
   a. The control environment;
   b. The risk assessment process;
   c. Management's and the audit committee's ICFR monitoring procedures;
   d. Controls that monitor and evaluate the results of operations;
   e. Controls over management override;
   f. Controls over the period-end financial reporting process.
5. The degree of change in a company's processes, risks and controls from year to year.
6. A history of financial reporting problems or material audit adjustments
Auditor factors:
1. The extent to which the auditor applied the PCAOB's previously issued guidance
2. The extent to which the auditor's previous audit scope was driven by AS 2's coverage requirements (especially for companies with a large number of homogeneous locations)
3. The extent to which the auditor is able to place reliance on the work of others
Can cost savings be realized?
Some companies are expecting
audit cost savings of up to 10 percent. While it is not possible to
predict exactly how much efficiency might be generated by the
issuance of this new company guidance and the new auditing standard,
there is room for substantial overall savings for some companies,
particularly in their own ICFR evaluation processes. In addition, as
long as reasonable judgment is used in planning and performing these
ICFR evaluations/audits, those efficiencies should not come at a
cost of diminished effectiveness.
Discuss with your auditors now
AS 5 is effective for fiscal years ending on or after 15 November 2007,
though early adoption is permitted. While it will take some time for
companies and their audit firms to fully evaluate and implement
these changes, it would be wise to begin to have discussions now
with your auditor about the following:
1. What changes you are thinking of making to your ICFR evaluation process and the related documentation.
2. Areas where the auditor might reasonably consider using more of the work of others.
3. Areas (i.e., locations, accounts or classes of transactions) that are currently viewed as higher risk and the reasons for that assessment.
4. Areas that are generally lower risk, with a high degree of stability, where the auditor's results in the prior year's audit indicated controls were effective, which might lead to less intense testing in the current year.