Statement on the New Standard Concerning the Audit of Internal Control
A motion has been made and seconded, so the question before the Board is whether to adopt the new standard for the audit of internal control over financial reporting and the related rule and conforming amendments presented to us today by staff.
Before I ask my fellow Board members for their comments, I want to express my sincere gratitude to Tom Ray, Laura Phillips, Sharon Virag, Sam Guzman, Dima Andriyenko, Gordon Seymour, Jacob Lesser, and all the other staff involved in this important initiative, for their hard work over the past year on the new standard. As we moved from the proposal stage to a final standard, these individuals have maintained a remarkably high-level of commitment.
I would also like to recognize the commitment of my fellow Board members. Each Board member has invested a tremendous amount of time in the effort to develop the final standard. Each has been engaged on every important issue involved. The Board dialogue has helped to illuminate issues of significance and develop viable solutions. I would like to thank each of you for your role in crafting this standard.
The standard that the Board will consider today reinforces the Board's expectation that the integrated audit be conducted in a manner that eliminates procedures that are unnecessary to an effective audit of internal control and increases the likelihood that material weaknesses will be found before they allow material misstatements to occur. The new standard should drive important improvements in the audit of internal control.
In my view, the standard, rule and related amendments that Tom Ray and his team have just described meet the objectives set forth in the four-point plan issued by the Board in May 2006. Importantly, the package before us today is also responsive to the comments received on the proposals and the guidance provided by the SEC. I would like to acknowledge the important and open dialogue we have had with Chairman Cox and the SEC Commissioners, and the value the SEC staff has added to this initiative.
Earlier this morning, I mentioned some of the important benefits of internal control over financial reporting and the accompanying audit. To preserve these benefits, throughout the process of replacing Auditing Standard No. 2, we have been careful to retain the fundamental principles that are essential to an effective internal control audit. By doing so, we have maintained our focus on the need for — and right of — investors to receive fairly stated financial statements and complete and accurate disclosure about the effectiveness of internal control.
Key Aspects of the Final Standard
Before turning the discussion over to my colleagues, I would like to highlight four aspects of the final standard that, in my opinion, will make a genuine difference and promote a balanced approach to the audit of internal control over financial reporting:
(1) A principles-based approach
In my view, principles-based audit standards are necessary to assure that the auditor, at every step of the audit process, can take into account the individual facts and circumstances of a particular company. Depending on the nature of the audit client and its control environment, the auditor may utilize different combinations of procedures. A principles-based standard gives the auditor room to exercise judgment in determining what specific procedures are required in order to obtain sufficient evidence. We have made an effort in developing AS 5 to provide appropriate room for judgment, which is underscored by the top-down approach to the audit process. At the same time, the standard provides a sufficient framework to assure that an audit performed in accordance with its requirements will be effective. A principles-based standard has the flexibility to be scaled for an audit of a global company spanning several continents or a very small company.
(2) Scalability
Scalability, in my mind, is closely tied to the principles-based approach. When developing the proposal, the Board placed significant emphasis on assuring the scalability of the internal control audit. I strongly support the approach to scalability reflected in the final standard.
By incorporating the discussion of scaling concepts throughout the standard, rather than in one specific section, we have strengthened the impact of scaling. That is, the top-down, risk-based approach is fundamentally designed so that an auditor will tailor the audit to the specific profile of a company. Smaller, that is, non-accelerated, filers are still in the preparatory stage for complying with internal control requirements. I believe they will benefit from the scalability built into AS5, which will be reinforced by the guidance on auditing internal control in smaller companies that will be issued later this year.
(3) Fraud controls
Every company has an inherent level of fraud risk, and auditors must be cognizant of that risk in each audit. The proposed standard on auditing internal control discussed fraud controls and the auditor's procedures related to these controls among the testing concepts included near the end of the standard. Based on comments received, there are several changes to the standard that Tom Ray and his team have just outlined.
I strongly support the added emphasis we have given to fraud risk and anti-fraud controls in the final standard. This should make clear to auditors the importance of assessing fraud risk throughout the audit process. I support the move to incorporate the auditor's fraud risk assessment — required in the financial statement audit — into the auditor's planning process for the audit of internal control. This is another important way to promote audit quality and improve integration with the financial statement audit.
While even the strongest of internal control frameworks cannot provide absolute assurance that fraud will be prevented or detected, a strong control environment should help to reduce instances of fraud. This emphasis on fraud controls in the internal control audit ultimately enhances investor protection.
(4) Aligning with the SEC Management Guidance
Yesterday, the SEC adopted guidance to help management evaluate internal control for purposes of its annual assessment. Management's assessment and the audit of internal control are distinct, yet complementary, steps in the Section 404 process of providing assurance to investors about the reliability of companies' internal control. Many of our commenters emphasized the importance of these steps being more closely aligned. While management's process and the audit should work together, management and the auditor have different perspectives on the company's internal controls, and the assessment and audit have different objectives under Section 404.
Therefore, I support the changes proposed by staff to better align AS 5 and the SEC's management guidance. It is essential that general concepts necessary to an understanding of internal control are described in the same way. I am pleased, therefore, by the decision to use the same definitions and terminology where relevant.
Implementation
Our work will not end today. We are well-aware that adopting a balanced standard is only part of our overall initiative. Equally important is sound implementation once the Board adopts a final standard. In the coming months, the Board and staff from Standards and Inspections will work closely with audit firms on effective implementation of AS 5. Our inspection program will be adjusted to be consistent with the new standard.
Our intention in acting today is to have the new standard in place in time for the 2007 audits. We will continue to watch AS 5 implementation carefully, in part, because companies and the controls they use will evolve, and auditors will gain more experience and identify better, more effective ways to carry out their audits of internal control.
As with other standards, we must keep current so that our expectations remain reasonable. The new standard's principles-based approach provides room for companies and auditors to evolve, and the Board will work closely with its inspections staff to assure that we remain informed and allow for innovation.
In sum, I support the adoption of the new standard as presented to the Board today. It directs auditors on how to right-size the audit of internal control, which is expected to eliminate unnecessary work. At the same time, it safeguards the important objectives of Section 404. I encourage those involved in the financial reporting process to hear our message today and move forward to implement the PCAOB's new audit standard, as well as the SEC's management guidance, in a manner that enhances governance over financial reporting and provides greater assurance to investors that financial reporting is fair and accurate.
I will now turn to my fellow Board Members for any discussion.