Good morning Chairman Cox, Commissioners Atkins, Campos, Casey and Nazareth. Thank you for the invitation to be with you today to provide a sense of the analysis underway at the PCAOB as we move to adopt a final rule on auditing internal control over financial reporting.
This effort continues to be the Board’s highest priority, and we are committed, just as the Commission is, to the goal of completing the process of replacing Auditing Standard Number 2 as soon as possible so that the new standard will be in place for 2OO7 audits. In achieving that goal, we are also committed to working in partnership with the Commission throughout this process. The PCAOB and the Commission also are partners more broadly in our common mission to protect investors.
Every public company and every investor (including retirees and pension funds) relies on financial reporting. The importance of effective internal control to reliable financial reporting cannot be understated, and Congress understood this when it enacted Section 404 of the Sarbanes-Oxley Act.
As you are aware, in December of last year, the PCAOB issued a set of proposals that would supersede the Board’s existing standard on auditing internal control – Auditing Standard Number 2. The proposals were the culmination of two years of in-depth efforts to understand the positive and negative aspects of the implementation of Section 404.
We have worked hard to understand how the language of AS 2 has been understood and implemented by auditors. This understanding has helped us identify changes that will preserve the benefits of the standard, and meet the statutory objectives of Section 404, without resulting in the routine performance of unnecessary audit procedures .
In addition to monitoring implementation, the Board also has made a concerted effort to obtain the views of all stakeholders. Among other things, the Board participated with the Commission in two roundtable discussions with representatives of issuers, auditors, investor groups, and others. The PCAOB’s Standing Advisory Group has focused discussion on issues related to the standard over the course of the last few years. The Board also made a special effort to hear from smaller registered public accounting firms through our Forums on Auditing in the Small Business Environment, which continue to be held around the country and sometimes include sessions with smaller issuers.
In response to our proposal in December, we received over 170 comment letters, totaling some 1200 pages of comments. The comments reflect a broad range of views. In general, they articulate considerable support for the proposals as well as many helpful suggestions. Since the first comments came in, our staff has been reviewing, compiling and analyzing these comments. Indeed, my colleagues and I on the Board have spent many hours reading and thinking about the comments.
Owing to the thoughtful and constructive public input we have received, our staff has already begun to identify potential ways to revise the proposed standard, and I anticipate that the Board will be able to make several improvements, including further streamlining the standard in order to provide additional flexibility to promote scalability, avoid unintended consequences, and address other valid concerns.
While the Board has been carefully considering and discussing the key issues, I am not in a position today to say how the Board will act on any particular issue, nor to commit to any course of action on behalf of the Board. As with the Commission’s process, the PCAOB brings the perspectives of its five Board members to bear in deliberating on, and eventually voting on, final Board standards. I can assure you, however, that we are open to, and are carefully considering, all comments we’ve received, and that we are committed to adopting a standard that fulfills the mandate of Section 404 without resulting in the performance of unnecessary audit procedures.
Under the Sarbanes-Oxley Act, the Board’s role is to determine in the first instance what the auditing standards should be based on its knowledge and experience, and in light of the statutory criteria – and to submit for the Commission’s approval standards that reflect that judgment. We understand our responsibility and value the Commission’s role in the process...
Of course, in addition to its oversight role, the Commission is charged with implementing Section 404(a) of the Act, which requires management to assess the effectiveness of internal control. Because implementing Section 404 is a responsibility shared by the SEC and the PCAOB, our staffs regularly meet, and the Board members and I have met with the SEC commissioners to further coordinate our work. This collaboration is important, and I am pleased to describe for you today some of the issues that, in light of the comments received on the proposal, are commanding particular attention as we move toward adoption of a final standard.
In the interest of time, let me highlight a few key areas where we received substantial comment.
We are looking closely at the comments on the topic of the alignment between the Board’s standard and the SEC’s management guidance and anticipate making some changes to address this issue. Management’s assessment and the audit of internal control are distinct, yet complementary, steps in the Section 404 process of providing assurance to investors about the reliability of companies’ financial reporting. It is important, therefore, that these steps be coordinated.
At the same time, we must not lose sight of the fact that management and the auditor have different perspectives on the company’s internal controls, and the assessment and audit have different objectives under Section 404. Management is more directly involved with the daily operations of the company and therefore works with the company’s controls on a constant basis. Therefore, management’s assessment of the effectiveness of the company’s internal control can, and should, reflect that familiarity. The auditor’s perspective, however, is quite different. Like the financial statement audit, the audit of internal control is intended to provide investors with an independent accountant’s opinion, formed on the basis of procedures performed with appropriate professional skepticism, about whether the internal control is effective. The standard must therefore establish a process through which an independent auditor can form a sufficient basis for expressing such an opinion.
Because of the fundamentally different roles management and the independent auditor serve, the standard the Board proposed in December would not require the auditor to specifically evaluate management’s assessment process. Our intention was to recognize that management may perform its assessment in a manner that may be different from the process the auditor uses to reach an independent opinion. Removal of the requirement to specifically evaluate management’s process, together with the SEC’s guidance to management, should see to it that the auditing standard does not become the de facto guide to performing a management assessment.
Just as management must prepare the financial statements to be audited, management also must establish internal control over financial reporting within the company and assess the effectiveness of its internal control, which the independent auditor must then audit. While there is a close relationship between management’s and the auditor’s work, this does not mean that the audit should not consist of any different or additional procedures other than what management has already performed as part of its assessment. By requiring an audit of internal control, the Act clearly mandated an independent process of testing and reporting on management’s assessment of whether the company’s internal controls are effective.
We will carefully consider recommendations in this area and continue to work with the Commission to make sure that our final standard and the SEC’s management guidance appropriately complement each other.
The proposed standard includes a section on scaling the audit for smaller, less-complex companies. This section incorporates discussion of both size and complexity. We received many comments on this section from commenters in all affiliation groups – auditors, issuers, investors, academics and others. In general, most commenters were supportive of the concept of scalability and the proposed standard’s general approach but made several recommendations for change.
Regarding the proposal’s overall approach to scaling, a number of commenters held the view that scaling is an implicit aspect of the risk-based approach and specific tailoring approaches are a natural extension of complexity as a risk factor. Many commenters stated emphatically that this should not be a stand-alone discussion that applies only to smaller companies. Most commenters felt strongly that all audits should be tailored based on the complexity of the company even though the benefits of scaling are likely to be of greater benefit to smaller companies. Regarding the practical implications of scalability, there was general agreement among commenters that the attributes listed were sufficient and that the tailoring directions for auditors were adequate.
A few commenters believed that the standard did not provide sufficient relief for smaller companies; these commenters suggested that the standard should include more credit for controls testing based on the work done as part of the financial statement audit.
These are useful perspectives and the Board will carefully evaluate the relevant provisions within the proposed standard and consider whether additional changes should be made to enhance the application of the scalability concept for issuers of all sizes and complexity.
As I mentioned earlier, the Board’s proposed standard is written to provide a clear statement of the principles that auditors should apply when performing an audit of internal control. Those who rely on financial statements should have some level of confidence that all internal control audit opinions afford the same level of assurance about the effectiveness of companies’ controls. Accordingly, the proposals provide a framework that is designed to enable the auditor to obtain the reasonable assurance necessary to support his or her opinion.
Some commenters, primarily auditors, pointed out that the proposed standard includes a large number of mandatory and presumptively mandatory requirements. Based on documentation requirements in other PCAOB standards, for each of these requirements, the auditor would need to document the performance of the requirement, which these commenters believe would substantially increase the burden of the audit. Other commenters referred to the documentation requirements as one of the largest impediments to the auditor’s use of the work of others, particularly in light of the different nature of the SEC’s management guidance.
Based on the comments received, the Board intends to apply a critical eye to each of the “must” and “should” requirements in the proposed standard to ensure that each of them is necessary. The Board is committed to issuing a standard that affords auditors the flexibility they need to perform an effective and efficient audit of internal control.
There are a number of other significant areas, such as use of cumulative knowledge, use of the work of others, company-level controls and risk assessment, where comments were thoughtful, yet mixed. The Board also is working through those issues.
As we move towards adopting a final standard, we know that we must get the language of the standard calibrated correctly, and we intend to make that happen. What ultimately will matter the most, however, is what happens in the field. To that end, we plan to continue our dialogue with stakeholders, including our focused outreach to accounting firms of all sizes (with a special emphasis for small firms). We also plan to continue to use our inspection process to monitor implementation of the new standard governing audits of internal control.
The PCAOB looks forward to continuing to coordinate with the Commission in implementing section 404 and other aspects of Sarbanes-Oxley Act. We share the common objective of investor protection and are committed to implementing the internal control provisions of the Act in a way that maximizes their benefits to public companies and their investors.
Thank you again for the opportunity to be here today, and we look forward to receiving the Commission’s input.