Good afternoon. It always is a pleasure to participate in this important conference, and I am glad to be here. I would like to thank Bill Holder and the other conference organizers for inviting me to speak with you again this year.
One week ago today, the Public Company Accounting Oversight Board, in a unanimous vote, adopted a new auditing standard, Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That is Integrated With an Audit of Financial Statements. The new standard, if it is approved by the Securities and Exchange Commission, will supersede the Board's Auditing Standard No. 2. The Board also adopted an independence rule on audit committee pre-approval of internal control-related non-audit services that is a revision of an existing requirement in Auditing Standard No. 2, and certain amendments to the Board's other standards to conform those standards to the Board's new standard and rule.
My focus this afternoon will be on some of the significant features of the new internal control auditing standard, and some of the likely implications to integrated audits of financial statements and internal control going forward.
Before I go further, I have to note that the views I express are my own, and do not necessarily reflect the views of the Board, members of the Board, or other members of the Board's staff.
In the short time I have with you, it probably will be most helpful to discuss the significant features of the new auditing standard by focusing on how it differs from Auditing Standard No. 2.
At first glance, it should be apparent that the new standard looks a lot different than AS2. It obviously is much shorter – about one-third the length of its predecessor – and we worked on making the new standard simpler and easier to read. It also contains fewer requirements.
We added some direction on scaling the audit for smaller, less complex companies. Additionally, we aligned the new standard with the new management guidance issued by the SEC and provided additional guidance on entity-level controls. Finally, the new standard is designed to help the auditor focus attention on those matters that are most important to effective internal control over financial reporting.
I will briefly discuss each of these areas of change from AS2.
Retaining Requirements Needed for an Effective Audit
In developing and adopting Auditing Standard No. 5, we did not lose our focus on the substantial benefits to investors and other financial statement users of improved internal control. Accordingly, the new internal control auditing standard – as does Auditing Standard No. 2 – requires the auditor to obtain reasonable assurance about whether material weaknesses exist in the company's internal control. A single audit framework, one that is scalable based on factors related to a company's size and complexity, would apply to all companies that must have their internal control audited in accordance with this standard.
The Board incorporated into the auditing standard important elements from the Board Statement and staff guidance issued in May of 2005, including the top-down approach and an enhanced focus on risk.
The new standard describes the top-down approach as beginning at the financial statement level and with the auditor's understanding of the overall risk to internal control over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions.
This approach directs the auditor's attention to accounts, disclosures, and assertions that present a reasonable possibility of material misstatement to the financial statements and related disclosures. Risk of material misstatement, therefore, is an explicit focus of the approach.
Furthermore, this top-down approach describes the auditor's sequential thought process in identifying risks and the controls to test, not necessarily the order in which the auditor will perform the procedures. This thought process, or perspective, is most important in identifying those controls that should be tested. The auditor is free to perform the testing in the order that makes most sense given the specific facts and circumstances of the company. For example, in a new audit engagement, it might be more important to test entity-level controls early in the process than it might be once the auditor has performed an internal control audit for a company several times.
In adopting the new standard, the Board eliminated requirements that either were unnecessary or that unnecessarily restricted the auditor's ability to exercise judgment. The change I am about to describe also relates to the top-down approach.
In the process of identifying controls to test, AS2 requires the auditor to identify significant processes and major classes of transactions. That explicit requirement was not retained. Rather, in AS5, as a part of selecting the controls to test, the auditor should understand the flow of transactions related to the relevant assertions, including how those transactions are initiated, authorized, processed, and recorded.
Thus, while these concepts of major classes of transactions and significant processes likely will continue to remain important and useful to auditors, to focus the auditor on them, as an end in itself, as is required by AS2, might have entailed work that is not related to risks of material misstatement reflected in the relevant assertions. It might also have reduced the ability of the auditor to tailor the work to the specific facts and circumstances of the engagement.
Another example of where the Board changed requirements is in walkthroughs. Auditing Standard No. 2 required the auditor to perform a walkthrough for each major class of transactions in each significant process, and the Board's proposal included a similar, although more streamlined, requirement.
In finalizing the new standard, however, the Board refocused the related requirements on the important objectives that should be achieved in each audit, rather than on the mechanics of performing a walkthrough. Thus, to further understand the likely sources of potential misstatement, and as a part of selecting the controls to test, the auditor should achieve the following objectives –
- Understand the flow of transactions related to the relevant assertions, including how those transactions are initiated, authorized, processed, and recorded,
- Verify that the auditor has identified the points within the company's processes at which a misstatement – including a misstatement due to fraud – could arise that, individually or in combination with other misstatements, would be material,
- Identify the controls that management has implemented to address the potential misstatements, and
- Identify the controls that management has implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could result in a material misstatement of the financial statements.
We continue to believe that, in many cases, a walkthrough will be the most efficient and effective way to achieve these objectives, and we therefore included in AS5 a discussion on how to properly perform a walkthrough. Nevertheless, we recognize that there will be circumstances in which a walkthrough either will not be necessary or will not otherwise be the best approach. The new standard, therefore, permits the auditor to exercise judgment in this area.
The Board also eliminated the specific requirement in AS2 that requires the auditor to obtain an understanding of and evaluate management's assessment process. This is a subject I spoke about last year at this conference. In monitoring the implementation of AS2, we found that some auditors were performing some unnecessary work in this area, which was compounded by confusion about the meaning of the dual opinion on internal control required by AS2. The Board concluded that it is sufficient to focus the auditor's attention on the subject matter – that is, whether the internal control is effective – rather than additionally requiring the auditor to evaluate whether management's process of assessing the effectiveness of internal control was adequate.
The Board further clarified the scope of the auditor's responsibility by changing the auditor's report. AS2 requires the auditor to express two opinions – one on whether management's assessment was fairly stated and one on whether the internal control was effective. Although we never intended the first opinion – the one on the fairness of management's assessment – to require an audit of management's assessment process, we have eliminated that opinion, so that under AS5, the auditor will express an opinion solely on whether the internal control is effective.
The Board also eliminated certain redundancies, notably in the areas of using the work of others and multi-location testing. In AS2, the Board provided principles on when and to what extent the auditor could use the work of others, and on how to determine which and how many locations the auditor should perform tests of controls in entities with multiple locations. In addition to these principles, AS2 requires the auditor to obtain the "principal evidence" by performing tests of controls himself or herself, and to perform tests of controls over a "large portion" of the company's operations or financial position, regardless of the results of applying the stated principles.
The Board concluded that the principal evidence and large portion provisions were unnecessary because the principles I referred to, if properly applied, are sufficient to guide the auditor to appropriate conclusions about the nature, timing, and extent of testing necessary in the circumstances.
In the multi-location testing area, the Board also revised the principles so that the auditor determines the locations or business units at which to perform tests based on the risk of material misstatement to the financial statements associated with the location or business unit. These principles are a revision of those in AS2, which had a stronger focus on coverage.
The Board also revised the direction on using the work of others to permit the auditor to more fully integrate the internal control and financial statement audits. Under AS2, the auditor could use the work of internal auditors, management and others in forming his or her opinion on whether the internal control was effective. However, the auditor was limited to using the work of internal auditors in assessing control risk for purposes of the financial statement auditing procedures. This barrier to integration has been eliminated in AS5. The auditor may use the work of internal auditors, management and others for all internal control-related work, including assessing control risk.
In finalizing the new auditing standard, the Board also added some additional principles related to the assessment of the competence and objectivity of the personnel whose work the auditor plans to use. These principles, in conjunction with the existing direction in AU sec. 322, are used to assess competence and objectivity.
Scaling the Audit
The increased focus on objectives and principles in the new standard, combined with a reduction in the number of prescriptive requirements, will permit the auditor to more easily and appropriately tailor the audit to a company's specific facts and circumstances. We also included in AS5 some specific direction on scaling the audit based on the size and complexity of the company and its business units. This direction is principally in the form of notes that appear at various places throughout the new standard.
Based on the experience of small companies and auditors who have been – and are currently going – through the process of evaluating internal control, we also are working with practitioners to develop tailored implementation guidance for audits small public companies. This guidance is being designed to emphasize the scalability of internal control audits at a practical level, by providing auditors with examples of how the internal control audit process can and should be scaled to fit the relative sizes of small companies. We are targeting publication of this guidance later this year, now that the Board has adopted the new auditing standard.
Alignment with Management Guidance
During the comment process, the SEC and PCAOB received a lot of comment that the SEC management guidance and the PCAOB internal control auditing standard should be aligned. We worked closely with the SEC Staff to identify those areas where the direction to management and the auditor needed to be consistent. For example, we aligned the definitions of material weakness and significant deficiency, coordinated our lists of indicators of material weakness and provide a similar discussion of the nature and effects of entity level controls.
In the Board's proposal, we used the term "company-level controls." We have adopted the term "entity-level controls" to be consistent with the SEC management guidance. These controls were emphasized in the proposed standard because of their importance both to the effectiveness of a company's internal control over financial reporting and because of their potential effect on the auditor's ability to tailor the audit through the top-down approach.
Commentators asked for more guidance on the effect of entity-level controls on management's assessment and the audit, and we have done so.
We included in the new standard a discussion of three broad categories of entity-level controls and how each category might affect the performance of tests of other controls. AS5 states that entity-level controls vary in nature and precision, and that –
- Some entity-level controls, such as certain control environment controls, have an important, but indirect, effect on the likelihood that a misstatement will be detected or prevented on a timely basis. These controls might affect the other controls the auditor selects for testing and the nature, timing, and extent of procedures the auditor performs on other controls.
- Some entity-level controls monitor the effectiveness of other controls. Such controls might be designed to identify possible breakdowns in lower-level controls, but not at a level of precision that would, by themselves, sufficiently address the assessed risk that misstatements to a relevant assertion will be prevented or detected on a timely basis. These controls, when operating effectively, might allow the auditor to reduce the testing of other controls.
- Some entity-level controls might be designed to operate at a level of precision that would adequately prevent or detect on a timely basis misstatements to one or more relevant assertions. If an entity-level control sufficiently addresses the assessed risk of misstatement, the auditor need not test additional controls relating to that risk.
I see this area of entity-level controls as ripe for further innovation and development. The discussion in AS5, and the similar discussion in the SEC management guidance, is fairly high-level and should present both management and auditors with considerable room for judgment to implement and take advantage of the effects of well-designed entity-level controls.
In aligning AS5 with management guidance, we also recognize that management's assessment and the auditor's audit are complementary, but different, processes. Management, of course, is responsible for implementing and maintaining effective internal control over financial reporting, and for performing an annual assessment of its effectiveness. The auditor is required to provide an independent opinion on the effectiveness of the company's controls. Because of these different responsibilities and roles, the way in which management and the auditor will obtain the evidence needed to support their assessment and audit, respectively, will differ.
Focus on the Most Important Matters
When the Board proposed a revised internal control auditing standard in December of last year, it stated that the proposed new standard was a principles-based standard designed to focus the auditor on the most important matters. The enhancements made to the proposal in arriving at the new AS5 have the effect of further helping auditors to focus on the objectives of the internal control audit and on what is most important to effective internal control over financial reporting.
So, what are those things that are most important? One of them is the prevention or timely detection of fraudulent financial reporting, and we received some very thoughtful comment in this area. As one commenter stated, "ensuring adequate controls that prevent senior management from cooking the books must be a focus of control assessment."
In the proposed auditing standard that became AS5, the Board provided direction on the auditor's evaluation of whether the company's controls sufficiently address identified risks material misstatement due to fraud and the risk of management override of other controls. In finalizing the new standard, we enhanced and repositioned that direction within the standard to further clarify that the focus on fraud is an integral part of the identification and testing of entity-level and other company controls.
Additionally, we strengthened the direction on certain other higher-risk areas of internal control, for example, the control environment. AS5 specifically states that the auditor should assess –
- Whether management's philosophy and operating style promote effective internal control over financial reporting;
- Whether sound integrity and ethical values, particularly of top management, are developed and understood; and
- Whether the Board or audit committee understands and exercises oversight responsibility over financial reporting and internal control.
In summary, by focusing the auditor's attention on those matters that are most important to effective internal control, this new internal control auditing standard presents another significant opportunity strengthen the financial reporting process.
No doubt, you are anxious to implement the new standard as soon as possible!
Subject to approval by the SEC, Auditing Standard No 5, the related independence rule, and the conforming amendments to the Boards existing standards will be effective for audits of fiscal years ending on or after November 15, 2007, at which time AS2 will be superseded. Early adoption is permitted at any point after SEC approval, subject to the transition provisions outlined in the Board's Release that accompanies the new auditing standard.
Thank you for your attention. It has been a pleasure to address you this afternoon.