The Public Company Accounting Oversight Board today voted to adopt Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, to replace its previous internal control auditing standard, Auditing Standard No. 2. The Board also adopted the related Rule 3525, Audit Committee Pre-Approval of Non-Audit Services Related to Internal Control Over Financial Reporting, and conforming amendments to certain of the Board’s other auditing standards.
The auditing standard adopted by the Board today is principles-based. It is designed to increase the likelihood that material weaknesses in internal control will be found before they result in material misstatement of a company’s financial statements, and, at the same time, eliminate procedures that are unnecessary. The final standard also focuses the auditor on the procedures necessary to perform a high quality audit that is tailored to the company’s facts and circumstances. The Board worked closely with the Securities and Exchange Commission to coordinate Auditing Standard No. 5 with the guidance to public company management the SEC approved yesterday. A more detailed discussion of the new standard, and the changes that the Board made from the proposal, is attached.
"The internal control reporting requirements of the Sarbanes Oxley Act are a key reason why the reliability and accuracy of financial reporting has improved over the past few years. The renewed confidence in financial reporting is critical for the health of our markets," said Mark Olson, PCAOB Chairman. "The new standard is more risk-based and scalable, which will better meet the needs of investors, public companies and auditors alike."
Tom Ray, PCAOB Chief Auditor and Director of Professional Standards, said, "The new auditing standard, by focusing the auditor’s attention on those matters that are most important to effective internal control, presents another significant opportunity to strengthen the financial reporting process."
The final standard may be used by auditors immediately following SEC approval, and it, along with Rule 3525, and the conforming amendments, would be required for all audits of internal control for fiscal years ending on or after November 15, 2007.
As part of the Board’s commitment to the effective implementation of the new standard, the Board intends in the coming months to adjust its inspection program to assure that it is consistent with the new standard and its principles-based approach. The PCAOB is also continuing to develop for auditors of smaller public companies tailored guidance for applying the new standard as outlined in its four-point plan of May 2006. The Board also is continuing to hold its Forums on Auditing in the Small Business Environment as a way to further monitor implementation issues related to smaller public companies.
The adopted standard and related documents are available on the Board’s Web site under Rulemaking Docket 21
Inspection Frequency Rule
The Board also approved two staff recommendations concerning the Board’s rules on inspections. First, the Board voted to eliminate the June 30, 2007 tentative sunset date for Rule 4003(d). The Board set the sunset date when it adopted the rule on December 19, 2006, to allow for public comment before making a final determination on the new provision. Rule 4003(d) extends the time period during which the Board must conduct the first and second inspections of firms that registered in 2003 and 2004. The Board’s action today allows the rule to remain in place to provide ongoing, albeit limited, flexibility concerning the timing of the first two inspections of firms that registered in 2003 and 2004. That flexibility allows the Board to make scheduling adjustments that will result in a mix of inspected firms (in terms of the size and nature of audit practices) that is relatively consistent from year to year, while avoiding significant year to year fluctuations in inspection resource requirements. The Board has previously submitted Rule 4003(d) to the Securities and Exchange Commission for approval and that submission is pending.
The Board also voted to propose for public comment an amendment to Rule 4003 that would remove that rule's requirement that the Board regularly inspect certain firms that do not regularly issue audit reports, including firms that play a "substantial role" in audits but do not issue audit reports. The Sarbanes Oxley Act of 2002 only requires the Board to inspect registered firms that regularly issue audit reports. More than 800 registered firms have issued audit reports for public companies in one or both of the past two years, and the Board has determined that the focus of its fixed periodic inspection program should be on such firms. The Board would still retain the discretion to inspect any registered firm at any time and so, for example, could decide to inspect a firm that played a substantial role in an engagement based on information the Board learns in inspecting the principal auditor on the engagement. This proposed amendment is consistent with the risk-based focus that the Board generally brings to bear in considering the most prudent allocation of its inspection resources. Following the close of the comment period on July 23, 2007, the Board will determine whether to adopt the amendment. Any final amendment adopted must be approved by the Securities and Exchange Commission, Neither Board action concerning Rule 4003 would affect the annual inspection cycle for firms that audit more than 100 public companies.
On May 24, 2007, the Board adopted Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That is Integrated with An Audit of Financial Statements. If approved by the Securities and Exchange Commission, the new standard will supersede Auditing Standard No. 2, which was adopted by the Board in March 2004 and approved by the SEC in June 2004. The new standard will apply to audits of all companies required by SEC rules to obtain an audit of internal control.
The new standard results from the Board’s monitoring of auditors’ implementation of Auditing Standard No. 2, through, among other things, inspections of internal control audits and public roundtable discussions held in April 2005 and May 2006. While the Board observed significant benefits produced by the audit, including higher quality financial reporting, it also noted that, at times, the related effort has appeared greater than necessary to conduct an effective audit. Based on these observations, and in light of the approaching date for smaller companies to comply with the Act’s internal control reporting requirements, the Board proposed for public comment a new standard on auditing internal control. The Board received 175 comment letters from auditors, issuers, investors, academics, trade associations, and other interested parties, a large majority of which were generally supportive of the Board’s proposals. The standard the Board adopted on May 24 reflects the Board’s careful consideration of those comments.
The New Auditing Standard
The Board’s new standard is designed to achieve four objectives:
- Focus the Internal Control Audit on the Most Important Matters – The new standard focuses auditors on those areas that present the greatest risk that a company’s internal control will fail to prevent or detect a material misstatement in the financial statements. It does so by incorporating certain best practices designed to focus the scope of the audit on identifying material weaknesses in internal control, before they result in material misstatements of financial statements, such as using a top-down approach to planning the audit. It also emphasizes the importance of auditing higher risk areas, such as the financial statement close process and controls designed to prevent fraud by management. At the same time, it provides auditors a range of alternatives for addressing lower risk areas, such as by more clearly demonstrating how to calibrate the nature, timing and extent of testing based on risk, as well as how to incorporate knowledge accumulated in previous years’ audits into the auditors’ assessment of risk and use the work performed by companies’ own personnel, when appropriate
- Eliminate Procedures that Are Unnecessary to Achieve the Intended Benefits – The Board examined every area of the internal control audit to determine whether the previous standard encouraged auditors to perform procedures that are not necessary to achieve the intended benefits of the audit. As a result, among other things, the new standard does not include the previous standard’s detailed requirements to evaluate management’s own evaluation process and clarifies that an internal control audit does not require an opinion on the adequacy of management’s process. As another example, the new standard refocuses the multi-location direction on risk rather than coverage by removing the requirement that auditors test a "large portion” of the company’s operations or financial position
- Make the Audit Clearly Scalable to Fit the Size and the Complexity of Any Company – In coordination with the Board’s ongoing project to develop guidance for auditors of smaller, less complex companies, the new standard explains how to tailor internal control audits to fit the size and complexity of the company being audited. The new standard does so by including notes throughout the standard on how to apply the principles in the standard to smaller, less complex companies, and by including a discussion of the relevant attributes of smaller, less complex companies as well as less complex units of larger companies. The upcoming guidance for auditors of smaller companies will develop these themes even further
- Simplify the Text of the Standard – The Board’s new standard is shorter and easier to read. This is in part because it uses simpler terms to describe procedures and definitions. It is also because the standard has been streamlined and reorganized to begin with the audit itself, to move definitions and other background information to appendices, and to avoid duplication by cross-referencing to existing concepts and requirements that appear elsewhere in the Board’s standards and relevant laws and SEC rules. For example, the new standard eliminates the previous standard’s discussion of materiality, thus clarifying that the auditor's evaluation of materiality for purposes of an internal control audit is based on the same long-standing principles applicable to financial statement audits. Also, in order to better coordinate the final standard and the SEC’s new rules and management guidance, the new standard conforms certain terms to the SEC’s rules and guidance, such as the definition of “material weakness” and use of the term "entity-level controls" instead of “company-level controls."
Highlighted Changes Since the Board’s December 2006 Proposal
The Board’s proposing and adopting releases detail the changes the Board has made, both to Auditing Standard No. 2 and the proposed standard. In particular, in response to comments on the proposal, the new standard –
- Aligns key terms and concepts with terms used in SEC rules and guidance.
- Includes a discussion of fraud risk and anti-fraud controls at the beginning of the standard, to emphasize the importance of these matters in assessing risk.
- Explains how different kinds of entity-level controls have different effects on the selection and testing of controls. For example, entity-level controls that monitor the operation of other controls in a precise manner may reduce the need for testing of the underlying, process-level controls.
- Focuses auditors on fulfilling the objectives that a properly performed walkthrough achieves rather than requiring performance of a walkthrough, which, under some circumstances, might lead to a checklist approach.
- Emphasizes that auditors need not scope the audit to find deficiencies that, individually or when aggregated with other deficiencies, do not constitute material weaknesses. At the same time, the standard retains the requirements to evaluate all deficiencies that are identified and communicate both material weaknesses and significant deficiencies, in writing, to the audit committee.
- Instead of adopting the proposed standard on considering and using the work of others, the Board retained AU sec. 322, The Auditor’s Consideration of the Internal Audit Function in an Audit of Financial Statements. In light of this decision, consistent with the Board’s intent in the proposal, the new standard itself expressly permits auditors to use, in the internal control audit, testing and other internal control work of persons other than internal auditors.
- Allows auditors to tailor their top-down approach to the circumstances of individual companies by removing the requirement to specifically identify major classes of transactions and significant processes before identifying relevant assertions.