Today's meeting brings to a close the current chapter in the most far-reaching standard setting project the PCAOB has undertaken in the four and a half years it has been in operation. In conjunction with management assessments, internal control audits under Auditing Standard No. 2 have had a profound effect on both public company financial reporting and on the way that audits are conducted. Companies have identified and corrected thousands of previously-undetected deficiencies, and controls are undoubtedly stronger and better understood today than before Section 404 reporting took effect.
At the same time, this process has proven highly controversial. Last December, the Board proposed to replace Auditing Standard No. 2, with a more risk-focused and principles-based approach to internal control auditing. The proposal the Board published for comment sought to focus the auditor on the matters most important to control effectiveness; to eliminate unnecessary requirements and procedures; and to make the standard more workable for smaller companies.
I think it is fair to say that the predominant view of the 175 comments the Board received was that we were on the right track. Of course, the comments contained numerous – and often contradictory – recommendations for additional changes. Some people thought we had gone too far in affording greater flexibility to tailor the audit to the issuer; others argued that we had not gone far enough. But, the general concepts on which the new standard rests enjoyed wide support.
Based on the comments, we have made some important further changes that were not originally incorporated in the proposal. The staff has already discussed many of these. I would like to briefly highlight five that are, in my view, particularly noteworthy.
- The new standard retains as its organizing principle the top-down concept -- under which the auditor focuses on entity-level controls and works downward, planning the audit so that testing of lower level controls is influenced by the strengths and weaknesses of those above. But it emphasizes that the approach is more one of reasoning than work sequence, and that the auditor needs to use judgment, not follow a roadmap.
- The final standard underscores that walkthroughs – the process by which the auditor traces a transaction from cradle to grave through the company's reporting system – are, not an end in themselves, but a means to attaining an understanding of likely sources of misstatement. This change reduces the risk that walkthroughs will become just another step that must be performed without much understanding as to why the work is being done.
- The new standard requires the auditor to communicate to the audit committee control deficiencies identified during the audit that are less severe than material weaknesses, but important enough to merit the attention of those responsible for the company's financial reporting. This replaces the approach in AS No. 2, which relied on the auditor's ability to make difficult determinations about the application of abstract phrases like "more than remote" and "more than inconsequential" to deficiencies. The standard puts the emphasis on the auditor's professional judgment and expertise.
- Similarly, the final standard rephrases the discussion of circumstances that are indicators of material weaknesses. The new version should increase the likelihood that material weaknesses will serve as an early warning system, rather than merely as after-the-fact acknowledgments that something has gone wrong.
- The final standard, like the proposal, affords the auditor greater latitude to use the results of testing performed by the company's internal audit or other staff. However, that goal is accomplished by referring the auditor to the familiar criteria in the existing auditing standard on use of the work of others, rather than by creating a new standard with new criteria.
I believe these are positive changes and that, taken as a whole, the package the Board is considering today will preserve the benefits of internal control auditing, while at the same time focus auditor energy and resources on the mountains, rather than the molehills, of internal control. I am also optimistic that we have created a framework that can be applied to smaller, less complex companies in a way that matches costs and benefits.
However, as I emphasized in my comments last December, there are limits to what we can accomplish through a new auditing standard. How a standard is implemented matters as much as how it is written. The Board has said that it will use its inspection program to make sure this standard is implemented in a way that is consistent with the Board's objectives. We have also undertaken to develop guidance for internal control audits of smaller companies. Our success in making good on those promises will be critical, especially as the SEC brings smaller companies – the non-accelerated filers – into the internal control reporting and auditing regime.
I want to conclude by joining my colleagues in thanking the staff of the Chief Auditor's Office, particularly Tom Ray, Laura Phillips, and Sharon Virag, for their hard work and dedication. I don't think any of them joined the Board's staff to devote their careers to internal control auditing, but the commitment, enthusiasm, and sound judgment that they have brought to this project have been of immense value – not just to the Board – but to the investing public. Special thanks go to Laura Phillips, who has been part of our Chief Auditor's staff since almost the beginning and who has recently announced that she is going to be leaving the Board for the corporate world. It's been a privilege and a pleasure to work with you, Laura, and we will miss you.