Careers
SubscribeRemarks
Introduction
This is a remarkable time to be involved in accounting and financial reporting, not only due to the many changes that have occurred since 2002, but also due to the changes that continue to unfold as innovation and globalization push us forward, and further into the twenty-first century. As a regulator in such an environment, it is imperative that we work to assure that financial regulation does not unnecessarily impede this forward motion. Principles-based regulations, properly implemented, allow for growth and innovation while enabling financial regulators, such as the PCAOB, to meet their mandates. The PCAOB’s mandate, of course, is to protect the interests of investors and further the public interest in the preparation of informative, fair, and independent audit reports. The Board is a proponent of principles-based regulation and took such an approach in developing the new standard for the audit of internal control over financial reporting, which I will discuss today.
July will mark the fifth anniversary of the Sarbanes-Oxley Act of 2002, and a number of significant developments in the field of corporate governance and financial reporting can be attributed to that Act. The PCAOB, for one, was created by the Act to oversee the auditors of U.S. public companies, replacing the previous self-regulatory model. In addition, through Section 404 – which has become a hallmark of the Act – Congress set higher expectations for internal control over financial reporting for all U.S. public companies. Many of you have likely grappled with the implementation of Section 404.
Two weeks ago, on May 24, the Board adopted Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, the Board’s new auditing standard for the audit of internal control over financial reporting.[1] If approved by the Securities and Exchange Commission, the new standard will replace the Board’s previous standard, Auditing Standard No. 2.[2] AS No. 5 will thus become the implementing standard for Sections 103 and 404 of the Act by establishing a process for auditing public companies' internal control over financial reporting that is integrated with an audit of financial statements.
Because AS No. 5 is still new to many of you, I will focus my remarks on the new standard and its implementation. In addition to an overview of AS No. 5, I also will briefly address some audit challenges surrounding fair value accounting, an important issue that also warrants mention today.
Before I begin, please note that the views I express today are my own, and not necessarily those of other Board members or the PCAOB.
AS No. 5
In May 2006, the Board made a commitment to revise its then-current standard for internal control audit, AS No. 2.[3] This decision was based on two years of careful monitoring, which included, among other things, outreach to a number of stakeholders and inspections of registered audit firms. When I arrived at the PCAOB in July 2006, the initiative to revise AS No. 2 was well underway, and I am grateful to my fellow Board members for having this foresight.
In December 2006, after months of close work with the SEC, the Board published for public comment a proposed new standard for internal control audits, marking a decision to replace rather than merely revise AS No. 2.[4] At the same time, the SEC put its proposed management guidance out for public comment. It was important to the PCAOB and the SEC that the public have the opportunity to review and comment on both the standard and the management guidance concurrently, particularly because there were concerns that AS No. 2 had become the de facto management guidance.
The Board received 175 comments on the proposal. Comments were generally supportive of the direction the Board had taken with the proposal (that is, the top-down, risk-based approach), but many offered suggestions on improving the proposal. The PCAOB carefully scrutinized the comment letters, discussed the proposal at its February Standing Advisory Group meeting, and listened to the input provided by the SEC at its open meeting on April 4. As a result of this outreach, the new standard adopted by the Board generally is consistent with the December proposal but contains a number of refinements. While these refinements are important, I think it is more important that you have a general understanding of how the new AS No. 5 differs from AS No. 2, the standard that has been in effect for the past three years. My brief overview today will take that approach.
Before describing AS No. 5, I would like to stress something that was a driving force for the Board. That is, throughout the process of developing AS No. 5, the Board was monitoring public reporting by accelerated filers and was aware that the investing public was beginning to realize the important benefits of improvements in internal control over financial reporting and in the internal control audit. To maintain these benefits, the Board worked hard to ensure that the fundamental principles of the internal control audit were preserved in AS No. 5.
From AS No. 2 to AS No. 5
In announcing its commitment to revise AS No. 2, the Board outlined four primary areas of focus. Today, in describing the changes from AS No. 2 to the new standard, AS No. 5, I will track some notable provisions of AS No. 5 against the Board’s four goals:
(1) Focus the Internal Control Audit on the Most Important Matters –
First, the new standard focuses auditors on those areas that present the greatest risk that a company’s internal control will fail to prevent or detect a material misstatement in the financial statements. AS No. 5 does so by focusing the audit on identifying material weaknesses in internal control before they result in material misstatements of financial statements. The top-down approach to the audit within AS No. 5 is an example of a provision that is meant to drive this result. The top-down approach also provides appropriate room for auditor judgment, so that the audit scope can reflect the facts and circumstances of a given company, and the auditor can select for testing only those controls that are important to the effective functioning of a company’s internal control over financial reporting.
Consistent with that line of thinking, AS No. 5 also emphasizes the importance of focusing on higher risk areas, such as the financial statement close process and controls designed to prevent fraud by management. The standard also more clearly demonstrates how to calibrate the nature, timing and extent of testing based on the level of risk, as well as how to appropriately incorporate knowledge accumulated in previous years' audits into the auditor’s assessment of risk and use the work performed by a company’s own personnel. By focusing more audit work on areas of greatest risk, investors will also benefit.
The added emphasis given to fraud risk and anti-fraud controls in the final standard should make clear to auditors the importance of assessing fraud risk throughout the audit process. The standard incorporates the auditor's fraud risk assessment – required in the financial statement audit – into the auditor’s planning process for the audit of internal control. This is another important way to promote audit quality and improve integration with the financial statement audit.
(2) Eliminate Procedures that are Unnecessary to Achieve the Intended Benefits --
Second, the Board examined every area of the internal control audit to determine whether AS No. 2 encouraged auditors to perform procedures that are not necessary to achieve the intended benefits of the audit.
For example, the new standard does not include AS No. 2's detailed requirements to evaluate management's own evaluation process. Moreover, AS No. 5 clarifies that an internal control audit does not require an opinion on the adequacy of management’s process.
As another example, the new standard refocuses the multi-location direction on risk rather than coverage by removing the requirement that auditors test a "large portion” of the company’s operations or financial position. I have already heard from many, larger companies that this will eliminate unnecessary work at relatively low-risk locations and thereby drive a measurable difference in the scope of their audit.
In addition, AS No. 5 expressly incorporates previous PCAOB interpretive guidance -- which many commenters suggested would be helpful -- and modifies a few existing requirements in a way that affords auditors more choices in designing an audit strategy while maintaining the underlying audit objective.
(3) Make the Audit Clearly Scalable to Fit Any Company’s Size and Complexity --
Third, when developing AS No. 5, the Board placed significant emphasis on assuring the scalability of the internal control audit. As we worked to develop the new standard, there was significant public debate over the application of Section 404 to smaller companies. While the decision to exempt companies of any category falls outside the PCAOB’s mandate, it is within the Board’s mandate to examine how the audit could be appropriately tailored to the unique profile of a given company.
The top-down, risk-based approach set forth in AS No. 5, as well as its greater reliance on principles, is fundamentally designed so that an auditor will tailor the audit to the specific profile of a company. Smaller companies, in particular, will benefit from the scalability built into AS No. 5. Importantly, however, the standard does not rely solely on size as a decision factor. Instead, it leads the auditor to assess the complexity of a company, or a given business line. By doing so, smaller companies and their investors should realize the benefits of internal control over financial reporting without unnecessary costs.
The Board also is working with practitioners to develop tailored implementation guidance for auditing internal control in smaller public companies, which will reinforce the scalability of AS No. 5. This guidance will be released later this year and will provide further direction to auditors on how to tailor internal control audits. The timing is important so that the guidance is available well in advance of the deadline for non-accelerated filers to obtain their first internal control audit.
(4) Simplify the Standard --
Fourth, the Board’s new standard is shorter and easier to understand. This is due in part to AS No. 5’s use of simpler terms to describe procedures and definitions. It is also because the standard has been streamlined and reorganized to follow the flow of the audit itself. To do so, the Board moved definitions and other background information to appendices and cross-referenced existing concepts and requirements that appear elsewhere in the Board’s standards and relevant laws and SEC rules to avoid duplication. For example, the new standard eliminates AS No. 2's discussion of materiality, thus clarifying that the auditor’s evaluation of materiality for purposes of an internal control audit is based on the same long-standing principles applicable to financial statement audits.
Also, to better align AS No. 5 with the SEC’s new rules and management guidance, the new standard conforms certain terms to the SEC’s rules and guidance, such as the definition of “material weakness” and use of the term “entity-level controls” instead of “company-level controls.” While management’s process and the audit should work together, management and the auditor have different perspectives on the company’s internal controls, and the assessment and audit have different objectives under Section 404. However, it is essential that general concepts necessary to an understanding of internal control are described in the same way.
One of the many goals of simplifying the standard is to make it more easily understandable to non-auditors in order to facilitate dialogue between auditors and the companies they audit, which I believe is critically important.
Implementation
AS No. 5 has an effective date for audits of fiscal years ending on or after November 15, 2007. Once the SEC approves the standard, earlier adoption would be permitted.
By issuing AS No. 5, however, the PCAOB’s work in this area is far from completed. The Board’s attention must now turn to effective implementation, which will entail a number of interwoven initiatives, ranging from outreach, to training, to inspections. Among other things, in the coming months, the Board and staff from our Standards and Inspections Divisions will work closely to communicate to audit firms the Board’s expectations on effective implementation of AS No. 5. Also, and equally important, the Board’s inspection program will be adjusted to be consistent with the new standard.
I encourage firms that have already done internal control audits to take a step back and re-challenge every aspect of their methodologies – just as the Board has re-challenged each provision of AS No. 2. I encourage firms to assess whether their methodologies are appropriately risk-focused, take adequate advantage of the top-down approach and other important changes in the new standard, and encourage their firms’ professionals to exercise judgment.
The market will bear out how the new standard affects overall audit costs, but in revising its standard, the PCAOB has been committed to providing for a sound audit that gives auditors the flexibility they need to design and perform cost-effective audits that are tailored to the unique attributes of a given company.
We will monitor AS No. 5 implementation carefully. The new standard’s principles-based approach provides room for companies and auditors to evolve, and the Board will work closely with its inspections staff to assure that the Board remains informed, and we do not unnecessarily impede innovation.
Auditing Fair Value Accounting
For financial statements to be useful to investors, they must be both relevant and reliable. They must be relevant in the sense that they give investors the type of information they need in order to decide whether to buy, sell, or hold a company’s securities. They must be reliable in the sense that the numbers reported both reflect a company’s underlying economic results and are accurate. Auditors play an essential role in assuring that financial statements are both relevant and reliable.
Advocates of fair value accounting maintain that it holds the promise of offering investors more relevant information. In many situations, providing investors with more current values for a company’s assets and liabilities will be more useful to investors than providing only historical data. In considering this benefit, however, we must be mindful that any apparent improvement gained by providing investors with more relevant, fair value information, will be lost if that information is not also reliable. In this regard, the increased use of fair value accounting poses a challenge for auditors and the PCAOB.
I will take a moment to mention a few of the challenges auditors are confronting as issuers transition to fair value. First, valuation requires training, and many auditors may not have extensive training in valuation techniques. Second, auditors should be mindful that financial statement preparers can be biased (even if unknowingly so) in their assessments of fair values. As a result of this potential bias, preparers may fail to consider alternative valuation scenarios. Third, auditors should keep in mind that internal controls surrounding fair value measurements may be different from those over typical business transactions.
As issuers move to adopt accounting standards, FAS 157 – “Fair Value Measurement” - and FAS 159 – “The Fair Value Option for Financial Assets,” auditors should be prepared for these challenges. FAS 157 governs how fair value should be measured, and while the standard does not expand the use of fair value, it does apply to most other standards that require (or permit) fair value measurement. Accordingly, the application of this standard will require a change in practice for many issuers.
In addition, companies are now allowed to elect fair value accounting pursuant to FAS 159 for certain financial instruments that were previously accounted for at amortized cost. While it is not yet known what impact this election will have on audit risk, some users of financial statements have expressed concern about comparability in financial reporting both within an institution as well as among institutions. FAS 159 is a principles-based standard, and the auditor should look to see that the way in which the standard is adopted by companies is consistent with those principles.
In summary, fair value accounting, while presenting the promise of greater relevance, represents an area of potential audit risk. Thus, we are monitoring this area to understand how firms are addressing this potential risk.
Conclusion
As I mentioned at the outset, financial reporting, and thus auditing, are in a very dynamic age. As we poise ourselves for change, certain fundamentals can and should be preserved. The integrity of financial reporting that places reliable information into the hands of investors is one such fundamental. Whether it be the audit of internal control or auditing fair value, the PCAOB will continue to view this fundamental as a core value.
As for AS No. 5, while there are many important changes to the standard from AS No. 2, the Board steadfastly retained the fundamental principles that are essential to an effective internal control audit. We have maintained our focus on the need for -- and right of -- investors to receive fairly stated financial statements and complete and accurate disclosure about the effectiveness of internal control. As we move to AS No. 5, we move to the next generation of the internal control audit standard. This standard retains the important benefits of the previous standard while allowing the audit to be tailored to the individual facts and circumstances of an audit. This should drive auditors to use their judgment, and it should ultimately better align the costs of such audits with their benefits.
Thank you very much.
Endnotes
[1] See PCAOB news release, Board Approves New Audit Standard For Internal Control Over Financial Reporting and, Separately, Recommendations on Inspection Frequency Rule (May 24, 2007).
[2] See Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements (released March 9, 2004).
[3] See PCAOB news release, Board Announces Four-Point Plan to Improve Implementation of Internal Control Reporting Requirements (May 17, 2006).
[4] See PCAOB news release, Board Proposes Revised Auditing Standard on Internal Control over Financial Reporting (December 19, 2006).