Implementing Auditing Standard No. 5
I. Introduction
Good morning and welcome to the PCAOB’s training on inspecting under Auditing Standard No. 5.
This session is the last in a series of training programs we have held since January on how the Board’s inspection staff will be integrating AS No. 5 into its large firm inspection program this year. This training has been presented at headquarters and in each of our regional offices. This final session is for inspectors who may have been unable to attend the earlier programs and for non-inspection staff members with an interest in AS No. 5 implementation. I am glad to see so many of you here.
After today, every member of the Board’s inspections staff will have completed AS No. 5 training. The effort that the Board has put into this training, highlighted by the presence at each session of at least one Board member, underscores the importance we attach to making sure that AS No. 5 is implemented effectively and in a way that is consistent with the Board’s objectives. It is critical that our inspection teams are conveying the same message, and following the same philosophy, as was the Board when it fashioned the new standard. This is the purpose of this training.
We are holding this training at a particularly fitting time. In just a few weeks, we will be celebrating the fifth anniversary of the SEC order that authorized the Board to commence operations. During those five years, we – you, actually – have accomplished a lot. The progress we have made in the inspections program alone is remarkable. For example, the program has conducted around 700 inspections looking at facets of about 4,000 public company audits. Five years ago, when we had a staff of eight – including Board members – it was hard to believe we would be able to do so much in so short a period of time.
However, despite all of the things we have done in the last five years, one issue has dominated the press and public perception of the Board – auditing of internal control over financial reporting. To kick things off this morning, I am going to talk about how we got here and what the Board is hoping to accomplish with the new internal control over financial reporting auditing standard and with this training.
II. How Did We Get Here?
Section 404 of the Sarbanes-Oxley Act is based on a common-sense idea: To strengthen the reliability of financial reporting, the management of each public company should annually assess the effectiveness of the company's internal control over financial reporting and report to shareholders on management's conclusions. Section 404 also requires that the outside auditor attest to management’s report. According to the legislative history, Congress thought this should add little or nothing to the cost of the audit.
In 2003, the SEC adopted rules implementing Section 404, and on March 9, 2004, the Board adopted Auditing Standard No. 2 to apply to these newly required audits. The new world of internal control reporting and auditing began shortly afterwards.
During the next two audit cycles, the PCAOB monitored the implementation of the new standard. Two basic propositions emerged from that monitoring.
First, internal control auditing has produced significant benefits.
The number of material weaknesses disclosed has been surprising, especially given the long-standing requirement to have a system of internal control that provides reasonable assurance that financial statements are prepared in accordance with GAAP. Restatements have also risen in the last two years to record levels. Some of this is undoubtedly a result of Section 404.
Now, the number of material weaknesses is falling, and the pattern of restatements is changing. In effect, it appears that the larger companies – those subject to Section 404 – have indeed strengthened their financial reporting. A Compliance Week study of 9,717 public company filings found that, in the third year of Section 404 compliance (from November 2006 through May 2007) large filers disclosed only about one-third as many material weaknesses in internal control that they did in the first year. Restatements have also declined for accelerated filers subject to Section 404, while they have continued to rise for smaller companies not yet subject to the Act’s internal control reporting requirements.
The second thing that has become clear is that the benefits of internal control reporting have come with significant – many would say unsustainable – costs. Compliance costs in 2006, the third year large companies have reported, averaged $2.92 million per company, down about 23 percent from the prior year, according to an FEI survey. But 78 percent of managers still thought costs exceeded benefits (down from 88 percent).
The result of the widely-held perception that there was a mis-match between costs and benefits was a backlash against Auditing Standard No. 2. In my view, that backlash was also fed by the confluence of factors that were not directly related to the content of the standard itself.
- Timing. The first year of ICFR audits were performed in something approaching a crisis atmosphere. Often, companies did not complete their assessments until late in the reporting cycle, delaying the auditor’s work. Moreover, the firms found themselves short-staffed to perform the new control auditing work in the compressed period.
- Deferred maintenance on controls. Despite the longstanding statutory internal control requirement – enacted in the 1977 Foreign Corrupt Practices Act – many companies had never really looked comprehensively and critically at their controls until Section 404 forced them to do so. The result was considerable pain and expense, particularly in year one, as controls were documented and upgraded.
- Lack of management guidance. While the PCAOB promulgated AS No. 2 to govern the auditor’s internal control audit, the SEC didn’t issue any comparable guidance for managements. As a result, many tried to apply AS No. 2 to management’s assessment – something for which it was not intended.
- Impact of inspections program. Internal control reporting took effect at the same time as our inspections program was ramping up. Auditors knew that we would be looking over their shoulders at their Section 404 audits, but were not sure exactly what we would be looking for. Quite naturally, they decided the best course was to play it as safe as possible.
- The new world of auditing. Heightened concerns about liability, and the recent memory of Arthur Andersen’s demise caused auditors to approach their work differently than they had in the past. Like the prospect of being inspected, these factors resulted in audits that were conducted more conservatively – and many would say appropriately so – than in the recent past.
Another consideration that lead to the backlash against AS No. 2 was the fact that the costs of internal control auditing were disproportionately greater, relative to assets or revenues, for smaller companies than for larger ones. The SEC Smaller Public Company Advisory Committee highlighted this issue. Also, there was a growing concern about the competitiveness of the U.S. capital markets. The issue of Section 404 costs became a point of contention in the larger debate over the competitiveness of the U.S. capital markets.
All of this came to a head when new Chairmen took the helm at both the SEC and the PCAOB. Early in his tenure, SEC Chairman Cox focused attention on the need to “fix Section 404.” New PCAOB Chairman Olson certainly shared the same concerns.
Actually, work was already in progress when Chairman Olson joined the Board. Following a May, 2006 SEC roundtable on the second year Section 404 experience, the Board announced plans to improve the implementation of AS No. 2. The Board’s plan included: (1) amending AS No. 2, (2) reinforcing auditor efficiency through PCAOB inspections, (3) developing guidance for auditors of small companies, and (4) continuing PCAOB Forums for Auditing in the Small Business Environment.
After the same roundtable, the SEC also announced steps of its own to improve Section 404 implementation, including: (1) issuing guidance for companies, (2) coordinating with the PCAOB in revising AS No. 2, (3) overseeing the PCAOB’s ICFR auditing inspections program, and (4) extending the compliance deadline for the smaller, non-accelerated filers.
III. Objectives of AS No. 5
On May 24, 2007, the Board followed up on the most important of the steps it had announced by adopting AS No. 5 to supersede AS No. 2. Similarly, this past Summer, the SEC issued new rules and interpretive guidance for management’s internal control over financial reporting assessment. I want to take a few minutes to give you an overview of what the Board was seeking to accomplish when it replaced AS No. 2 with AS No. 5.
In developing AS No. 5, the Board had four basic objectives.
1. Focus auditors on controls that present the greatest risk that a material misstatement will not be prevented or detected.
First, AS No. 5 seeks to focus the auditor’s efforts and attention on those controls that present the greatest risk that a material misstatement will not be prevented or detected. This idea was a response to reports that auditors were spending too much time testing process-level controls. We even heard about companies with 20,000 “key controls” – something that seemed way out of whack with the objectives of Section 404.
Also along these lines, the new standard is intended to make the internal control over financial reporting audit more of an early warning system. Under AS No. 2, many material weaknesses were simply an after-the-fact reflection of the fact that a restatement had occurred. Ideally, however, internal control audits should identify soft spots in controls before they result in material financial reporting errors. Otherwise, these audits are merely sounding an alarm after the horse has already left the barn.
2. Eliminate unnecessary procedures.
Second, AS No. 5 eliminates some procedures that AS No. 2 required and which the Board concluded were not necessary to accomplish the objectives of an internal control over financial reporting Audit. We will be talking more about this later in the training, but examples include:
- AS No. 5 simply requires the auditor to opine directly on the effectiveness of the controls. The Board eliminated the detailed AS No. 2 requirement that the auditor consider management’s evaluation process and abolished the auditor’s opinion on management’s assessment.
- Further, AS No. 5 incorporates knowledge accumulated in previous years’ audits into the auditors’ assessment of risk. AS No. 2 said that each ICFR audit had to stand on its own, and could be read to suggest that it was necessary to start from scratch every year.
- AS No. 5 also encourages use of work of others, based on a sliding scale approach. AS No. 5 to some degree liberalizes the concepts that governed use of management testing under AS No. 2, but, at least as significantly, the tone of the discussion of this topic makes clearer that, when it is appropriate to do so, using management testing, rather than duplicating it, is desirable.
- AS No. 5 treats walkthroughs as a way of accomplishing certain objectives, not simply a mechanical process that must be performed without thought to the reason. The important thing is to learn how the controls are operating, not to check off a box in the audit program; therefore, walkthroughs are no longer required, although the objectives that underlie them still are.
3. Make the audit scalable to the size and the complexity of the company.
Third, one of the primary goals of AS No. 5 is to make the audit more easily scalable to the size and the complexity of the company.
AS No. 5 includes notes throughout the standard on how to apply the principles in the standard to smaller, less complex companies. Examples of the topics discussed include segregation of duties, documentation, and use of third parties. It also discusses some attributes of smaller, less complex companies, as well as of less complex units of larger companies.
We have also undertaken to prepare guidance for small company internal control over financial reporting audits. That guidance, which expands on many of the scaling points in AS No. 5 and offers practical examples, is now out for public comment. And, along the same lines, we are going to provide education and practical information on internal control auditing in the smaller company environment through our Small Business Forums, timed to the SEC’s decisions about when to extend AS No. 5 auditing to the non-accelerated filers.
4. Re-write the standard to be shorter and more principles-based.
AS No. 2 was 89 pages, with 96 more pages of appendices. AS No. 5 is just 40 pages, with 19 pages of appendices. It is principles- and objectives-based in a way that AS No. 2 was not. It should also be more understandable by non-auditors. While it is still perhaps not in the category of light bedtime reading – at least for those who do not have CPA certificates hanging on their walls – I think the new standard will be more easily understood by managements and audit committee members, and should therefore lead to better dialogue and understanding about how the auditor is approaching his or her work in this area and why.
IV. The Critical Role of 2008 Inspections
That brings us to the reason for these training sessions – the critical role that inspections will play in the transition to AS No. 5. There is only so much that can be done in the words of a standard. A lot more depends on practical implementation.
As I noted earlier, revising AS No. 2 was only one part of the plan to improve audits of internal control over financial reporting. In its May 2006 announcement on improving ICFR auditing, the Board emphasized that it would also use its inspections program to reinforce the philosophy underlying its new standard. And, the SEC has similarly said that it intends to be especially active in overseeing how we inspect for AS No. 5 compliance. This training is part of our efforts to make good on the Board’s commitment.
The major accounting firms are of course the key to implementation. We are dealing with that reality in two ways.
First, we have looked preemptively at how the major firms are changing their internal control audit approaches to reflect the new standard and how they are training their staffs. One of the lessons we learned from the AS No. 2 experience is that our impact on how a new standard is made operational is limited when we wait to see how the firms go about putting the standard into practice and then offer criticism. Following the adoption of AS No. 5, we have taken a different approach. The Chief Auditor’s office and the inspections staff met with each of the major firms to discuss with them how they were translating AS No. 5 into concrete guidance to their engagement teams. In some cases, we offered suggestions, when we didn’t think that the firm’s plans fully conformed to what the Board had intended.
Second, we will still use the inspections program to see how implementation has actually occurred. Using inspections to see how AS No. 5 translates into practice is critical to the success of the initiative begun in May, 2006 – and therefore to the credibility of the Board. We have been told repeatedly that on-the-ground auditors respond much more directly to what they perceive as the position of the Inspections staff than they do to general pronouncements from the Board. Inspectors need to be sensitive to the fact that the inspectors’ actions and conduct of the inspections can have an impact on the engagement team’s behaviors and can drive firm behavior in a positive or a negative manner. In order to make sure that we don’t inadvertently send the wrong message, inspections leadership will be implementing a sophisticated internal process to monitor concerns about ICFR audits and to make sure that any comments issued to the firms are clear and consistent with the objective of AS No. 5.
Stated a little differently, we want to communicate a well-controlled message, especially during this first year of AS No. 5 inspections. We need to be careful not to change behavior through rumor or misunderstanding, but only through carefully thought-out communications to engagement teams and to the firms. As I have already noted, AS No. 5 is less prescriptive and more principles-based than AS No. 2. As a result, inspectors will need to recognize that “auditor judgment” is a key ingredient of the application of AS No. 5. But, that doesn’t mean that anything goes. Part of our job is to make sure that auditor judgments are well thought out and take into account all of the known facts.
One way to look at the challenge we are facing to is recognize that inspecting for AS No. 5 implementation will require a tricky balancing act. Of course, the auditor’s first obligation – and ours – is to investors. We need to make sure that opinions on internal control over financial reporting are meaningful and supportable statements about what is right and what is wrong with the company’s internal controls. There should be no cutting corners in this regard.
But, at the same time, we need to remember that a part of the switch from AS No. 2 to AS No. 5 was concern about restoring the balance between costs and benefits. If auditors don’t take advantage of the opportunities for efficiency and the risk-focus in the standard, the result is likely to be needless cost and frustration for both companies and auditors. And, that, in turn, could also lead to re-igniting debate over the possible repeal or narrowing of Section 404 – something that could also eliminate the benefits that have been attained from this new kind of reporting.
A final thing to keep in mind is that the 2008 inspection season will be a learning year. It is also going to be vital that we gather the necessary information about the firms and their engagement teams’ performance so that we will have a sound factual basis for understanding how AS No. 5 is working in practice. This feedback, gathered in a database, will be very important to our ability to tailor our program and further improve performance in future years. You will be hearing more about the database later in the program.
V. Conclusion
Internal control auditing is still a major Board initiative. It is crucial that we get the inspections of AS No. 5 right in the first year. To paraphrase Winston Churchill, this is not the beginning of the end of the Board’s work in this important area. We are just at the end of the beginning of making internal control over financial reporting auditing work. That is where you come in.
With that, I am going to turn the program back over to Sharon Virag, Greg Wilson, and Bill Powers. Of course, if there are any questions or comments for me, I would be happy to answer them.
Thanks for your attention, and I hope you enjoy and benefit from the rest of the training.
Endnotes
* These comments were presented at non-public PCAOB staff training. The views expressed are solely those of the author and do not necessarily reflect the views of the Board, other Board members, or the staff.