Proposed Auditing Standard on an Audit of Internal Control over Financial Reporting
I, too, would like to thank the staff for their diligence and perseverance in developing what I think is a clear and scalable auditing standard. It makes good use of our more than two years of experience monitoring implementation of the Sarbanes-Oxley Act's internal control reporting and auditing requirements to find efficiencies that should reduce costs without compromising value to investors.
While we are still in the early stages of implementing the new internal control requirements, there have already been many surveys about the costs, which by any account have been significant. The ultimate question of course is whether the benefits justify those costs. I believe they do, and there is a growing body of empirical research that supports this notion.
When accountants audit internal control, they are expected to find conditions that could result in controls failing to detect or prevent a material misstatement. This allows auditors to adjust their financial-statement audits to account for internal control problems before providing investors reasonable assurance that the financial statements are fairly presented. Auditors do not provide absolute assurance that audited financial statements are fairly presented, especially in the face of internal control weaknesses. But auditors' reports on the effectiveness of internal control help to narrow the gap between reasonable assurance and absolute assurance by providing investors important information about the risk of material misstatement – and the risk that the financial statements will later have to be restated – notwithstanding the audit.
An auditor's opinion that a company's internal control is not effective also provides outside investors and companies critical new information about the risk of a problem in a company's future financial statements. If internal control weaknesses are discovered early enough, companies should have time to address them before a material misstatement actually occurs – that is, before investors receive and act on materially wrong information, and before companies and investors suffer what can be catastrophic losses.
Consistent with the adage "what gets measured gets done," companies who now have to subject their control structures to audit appear to be correcting material weaknesses that are identified so as not to have to report such weaknesses on a recurring basis. Sixteen percent of companies already subject to Section 404 disclosed internal control weaknesses in their first year of reporting.[1] In other words, they reported that it was reasonably possible that their internal control structures will fail to detect or prevent a material misstatement in their financial statements. More than half of these companies reported in Year 2 that they had corrected them.[2]
At the same time that companies have been identifying and resolving material weaknesses in their internal controls, they have also been correcting material misstatements in past financial statements. Indeed, the number of restatements by public companies reached a record level in 2005. Approximately 1 in 12 public companies restated their financial statements in 2005 to correct material errors in current or prior periods.[3] While it's unfortunate when companies announce mistakes in past financial statements, this is a very positive sign that companies are now getting their accounting on the right path.
Restatements are expected to reach another high in 2006. But although the overall rate of restatements has risen in 2006, restatements by large companies peaked in 2005 and declined in 2006.[4] Whereas large audit firms' clients announced 65 percent of the restatements in 2005, they were associated with less than half of public company restatements in the first half of 2006. Smaller auditing firms' clients' share of restatements, on the other hand, has more than doubled, with 497 restatements in the first half of 2006 compared to 185 restatements in the first half of 2005.[5] I expect this trend to continue until smaller companies complete the process of catching up on deferred maintenance on their internal control structures, which is why it's particularly important now that we make sure our auditing standard works well for smaller companies, by providing for an effective, efficient and scalable process.
ICFR Audits Can and Should Be Efficient
As great as the benefits are, I also believe that we should do what we can to eliminate costs that are unnecessary to achieve these benefits.
Internal control audits can be more efficient than they have been in the past, especially in areas where auditors might have felt compelled to perform procedures that were not necessary to obtain reasonable assurance that internal control is effective. By focusing on principles and not detailed rules, the proposed standard makes it clear to auditors that they are permitted and encouraged to use their judgment to plan and perform efficient audits.
- I'd like to pause briefly on the topic of auditing in subsequent years, and in particular auditing IT controls, which you did not address specifically in your presentation. Significant concerns have been expressed about whether examinations of IT systems are overly focused on low risk areas. Could you explain how the proposal addresses audit procedures related to IT after the first year audit?
- More broadly, we observed an incredibly challenging learning curve for companies and auditors in the first year of implementation of the internal control reporting requirements. The Board wrote about that challenge in its November 2005 report on its first-year internal control inspections and other monitoring, and many commenters have expressed concern about putting companies and auditors through another round of changes. Could you try to predict for us what kind of learning curve we should expect under the proposed standard?
To my mind, the changes are designed to free auditors from performing tests and other work just for the sake of compliance, which makes these changes meaningful from a cost perspective. At the same time, the proposal is meant to preserve investor benefits by providing auditors the flexibility to examine in the manner they feel necessary to obtain reasonable assurance. I look forward to commenters' views as to whether the reduction of audit effort would in fact still preserve the benefits of the audit to investors.
Use of the Work of Others
Let me turn to the topic of using the work of others. There has been considerable discussion about whether encouraging auditors to use work performed by companies' internal audit departments and other management personnel would reduce the cost of internal control audits. I am somewhat skeptical that significant cost savings would be achieved, especially if what is envisioned is simply transfer of work from an outside auditor to management.
The auditing standards have long permitted auditors to use testing and other work by internal auditors as evidence to inform and, as appropriate, support their opinions. This has not been a particularly complicated area, and so it's not obvious to me that the standards need change. In particular, the proposal to permit auditors to use in their financial statement audits the work of corporate employees outside the internal audit department gives me some concern, although I am encouraged that the proposal attempts to focus auditors on the risk of management bias, such as through compensation incentives.
- Could you explain how you expect the proposed new standard would affect the financial statement audit process?
- Would investors have any way of knowing whether, and if so to what extent, an auditor used company employees to perform testing or other audit procedures?
I am interested in commenters' views, particularly on the impact on financial statement audits, before acting on the idea.
Identifying Weaknesses Before They Result in Material Misstatements
Moody's has raised a concern in a study on internal control reporting that auditors may be reluctant to identify material weaknesses unless they have evidence of an actual misstatement. It may be easier to convince a client that a material weakness exists when there is evidence of a material misstatement, but the internal control audit should provide investors a warning that there could be a problem before one actually materializes.
- We have kept Moody's report in mind in developing this proposal. Could you explain how the proposal addresses this concern?
I'm also interested to learn what commenters think about how our internal control standard can better focus auditors on identifying material weaknesses before they result in material misstatement.
Scaling the Audit for Smaller, Less Complex Companies
Let me turn to the proposed section on scalability. The principles-based style of the proposed standard makes it more readily applicable to any size company. This is because the proposal relies on auditor judgment to determine how to obtain reasonable assurance and eschews bright-line rules that may have encouraged some auditors to follow a cookie-cutter approach, irrespective of the size and complexity of the company. To ensure this point is clear, the proposal includes a section on scaling audits of smaller, less complex companies.
The most important aspect of this section is that it instructs auditors to evaluate the size and complexity of the company. I support this requirement because I think the thought-process involved will improve audit quality. The second most important thing is that the standard does not divide companies into tiers. Rather, it recognizes that companies vary along a continuum of size and complexity. So it requires auditors to "take into account the company's individual facts and circumstances" and gives examples for various circumstances.
It's a very difficult thing to describe what we mean by a smaller, less complex company, and I hope commenters will focus on the approach proposed. Readers will see a reference to the SEC's Advisory Committee on Smaller Public Companies, whose report earlier this year provided a measure of the companies that make up the lowest 6 percent of all U.S. equity market cap. As the Advisory Committee also recognized, the "scale and scope of [a company's operations], as well as [its] complexity"[6] should also affect the internal control audit. And so, regardless of market cap, the proposal also identifies certain attributes related to operations and complexity that auditors should take into account.
More than 18 percent of companies with less than $787 million in market cap that have filed internal control reports disclosed material weaknesses in their first year of reporting.[7] This is higher than the overall average, as has been the restatement rate for such companies. But encouragingly it appears that the rate of such companies disclosing weaknesses in their second year of reporting has halved. This evidence tells me that the internal control reporting requirements are working at these companies, as intended, to improve the overall reliability of financial reporting to investors. I hope the new proposal will help auditors of those companies make the audit both more effective and more efficient for the companies and their investors.
Independence
Finally, I'd like to say something about the proposed independence rule. This is a fairly technical change – from the requirement in AS 2 that audit committees "specifically preapprove" internal control-related non-audit services to a requirement based on the framework the Board developed for preapproval of tax services, which requires auditors to document and discuss with the audit committee the scope of the proposed service. But I believe the change would improve the quality of the preapproval process.
I support proposing this change. After the considerable research we did in connection with our tax rules, I have become increasingly concerned that the term "specific preapproval" is unnecessarily vague. In practice, many audit committees' preapproval policies use the term "specific preapproval" to mean one-off approval outside the context of the committee's annual meeting, sometimes by only one member whose decision is ratified by the committee later. Such a process can be less useful than permitting auditors to seek pre-approval in annual meetings, where audit committees may be able to get a better sense of the context of overall non-audit services. And to the extent companies used such an ad hoc process only because our standard required it, it may also have been unnecessarily burdensome on companies. To my mind, the proposed framework should be both more robust and more convenient for audit committees.
[1] See Audit Analytics, Second Year 404 Dashboard: Third Quarter Cumulative Results, August 15, 2006 Review, at 2 ("Second Year 404 Dashboard").
[2] Id.
[3] See Glass Lewis & Co., Getting it Wrong the First Time, March 2, 2006, at 1.
[4] See Audit Analytics, Financial Restatements Dashboard: Annual Results for 2001 to 2005 and Analysis of First Six Months of 2006, at 2-2.
[5] Id.
[6] See Final Report of the Advisory Committee on Smaller Public Companies (April 23, 2006), available at http://www.sec.gov/info/smallbus/acspc/acspc-finalreport.pdf, at 139.
[7] Source: Audit Analytics; S&P.