The New Order Of SOX Compliance

Friday, June 1, 2007 - 00:00

Compliance with the rules promulgated by the Securities and Exchange Commission (SEC) under the Sarbanes-Oxley Act of 2002 (SOX) and the related Public Company Accounting Oversight Board (PCAOB) auditing standards has been a costly and time-consuming endeavor for many companies. The recent changes to SEC rules and PCAOB auditing standards signal a significant change in the approach to compliance that subject companies and their external auditors will employ.

Typical complaints shared by companies complying with SOX under former SEC rules and PCAOB Auditing Standard No. 2 include:


High costs of compliance - in dollars and resources;


Time and money unnecessarily spent on areas of minimal risk;


External auditors not using the work of others;


External auditors focusing too rigidly on attaining arbitrary audit coverage percentages and quantitative factors in determining which areas will be subject to audit procedures; and


Difficulty applying the definitions of significant deficiency and material weakness in real-world situations.

This article summarizes the primary changes effectuated under Auditing Standard No. 5 (AS5), An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, adopted by the PCAOB on May 25, 2007. Additionally, this article provides insight as to how such changes are likely to affect companies' SOX compliance efforts.

The central tenets of AS5 include:


Directing the external auditor to the most important controls and emphasizing the importance of risk assessment;


Eliminating procedures that are unnecessary to achieve the intended benefits - for instance, eliminating the requirement to evaluate management's own evaluation process and clarifying that an internal control audit does not require an opinion on the adequacy of management's process;


Making the audit clearly scalable to fit the size and the complexity of any company; and


Simplifying the text of the standard - the Board's new standard is shorter and easier to read. For instance, AS5 eliminates the previous standard's discussion of materiality, thus clarifying that the external auditor's evaluation of materiality for purposes of an internal control audit is based on the same long-standing principles applicable to financial statement audits.

Under AS5, companies and their external auditors will likely spend additional time up front assessing and documenting risk on an entity-level basis, and less time and effort subsequently testing individual control activities at the process level. A robust risk assessment that clearly documents where the heightened areas of risk reside at both the account and process levels, and that clearly integrates an analysis of relevant quantitative and qualitative factors in arriving at such conclusions, will foster two-way communication between the company and its external auditors. The goal of the risk assessment process will be to focus the subsequent compliance and audit efforts on the most important controls and tailor the procedures to the unique attributes of the company at hand.

All companies face their own unique challenges complying with SOX, and a robust risk assessment should enable such companies and their external auditors to agree upon approaches to difficult issues, such as adequate segregation of duties. In the spirit of focusing on the controls that matter most and scaling the approach to the company's unique attributes, one suggested approach for mitigating the risks associated with inadequate segregation of duties at a process level is to overlay a level of detailed monitoring activities, particularly within the financial reporting processes. Such monitoring activities can include the review of account analyses, detailed review of budget to actual performance, and the like. In other words, a company can use adequately designed detailed monitoring activities to overcome certain inherent risks associated with operational issues it faces due to resource constraints. By focusing on controls that matter most, such as detailed monitoring activities, companies will be able to test one adequately designed detailed monitoring activity, for instance, instead of any number of process-level control activities, and retain the ability to adequately mitigate the risk of misstatement to an acceptably low level.

Under paragraph 108 of PCAOB Auditing Standard No. 2, the external auditor's own work must provide the "principal evidence for the auditor's opinion." Audit firms have often been reluctant to rely too much on the work of others due to the concern that they would not be able to adequately provide and document the principal evidence for their opinion. Under AS5, the principal evidence provision has been eliminated and this issue effectively becomes moot, since external auditors are explicitly permitted to use the work of others in the internal control audit. Subject companies and their external auditors should reach an early consensus regarding the external auditors' reliance on the work of others.

The PCAOB's adoption of AS5 as it relates to using the work of others represents a change from the auditing standards originally proposed by the PCAOB on December 19, 2006. Instead of adopting the proposed standard on considering and using the work of others, the Board retained AU sec. 322, The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements. Since external auditors are explicitly permitted to use the work of others as detailed in AS5, the adoption of a separate standard regarding the same subject matter was unnecessary.

Companies should clearly document the competence and objectivity of the team that is performing the compliance work, and present the results of such documentation as early as possible during the project. Co-sourced or outsourced compliance efforts typically increase a company's ability to drive greater reliance on the work performed by the third party consulting firm because the relevant competency and objectivity are built into the individual third party service team and the consulting firm itself. In order to further bolster the objectivity associated with the third party consulting firm, consider having the firm engaged directly by the Audit Committee. Under such arrangements, the third party consulting firm would work with management on a day-to-day basis and periodically report directly to the Audit Committee. Although this arrangement requires a greater level of engagement by the Audit Committee, the benefits of such active engagement typically add significant value to the compliance effort and overall control environment of the company.

Effective Date

On May 23, 2007, the SEC indicated via press release that "The new [PCAOB] auditing standard will be subject to Commission approval in the coming months after its adoption by the PCAOB and, if approved, is expected to be effective no later than for calendar year 2007 audits, with early adoption encouraged." It is anticipated that the SEC will approve AS5.

Eric S. Martinez is Managing Director of the Risk Management Practice in the New York office of RSM McGladrey, Inc.

Please email the author at eric.martinez@rsmi.com with questions about this article.