Editor: Lee, please remind our readers about your firm's practice and services that you perform for clients.
Smith: Amper, Politziner & Mattia is a regional CPA firm with a growing number of public clients, offering auditing and consulting services in the tri-state area of New York, New Jersey and Connecticut. We offer consulting to specialty groups: bankruptcy, insurance, healthcare, as well as internal-audit and technology-risk services.
Editor: And what clients do you serve with your audit services?
Smith: We have a wide variety of public companies including life-science companies, banks, and insurance companies as well as manufacturing companies. We also have a small number of nonprofit companies for which we perform internal audit work.
Editor: Would you provide our readers with a brief history of the challenges that small companies have faced when attempting to comply with Sarbanes-Oxley?
Smith: Sarbanes-Oxley's Section 404 imposed a considerable hardship on small companies because of the costs involved. The related effort to comply with the requirements of the Act and the attendant AS2 seemed in many cases to outweigh the benefits that accrued. Typically, small companies have internal controls, as do all companies - otherwise, they could not operate. In a smaller environment where fewer people have a more hands-on approach to their business, the need for documentation of all those controls and the emphasis on segregation of duties seemed a bit of overkill.
Editor: How have the PCAOB and the SEC lightened their burden?
Smith: The PCAOB and the SEC have passed Auditing Standard Number 5, and what AS5 does is really two things. It takes away from the external auditor the audit responsibilities of opining on management's process of internal control evaluation. Instead, what the external auditor has to do now is opine on management's disclosure as to the effectiveness of those internal controls. Additionally, the company is urged to use a top-down risk-based approach - for understanding the overall risks in a company, how the company itself manages those risks. What that has done is provide the company with the ability to structure and streamline internal controls on a relative basis.
Editor: What did the PCAOB mean by a "top-down" risk approach?
Smith: This has to do with identifying the most significant risks for the company and identification of which controls to test. This approach follows the same approach for the financial statement audit whereby the auditor determines the areas of focus through the identification of significant accounts and disclosures and significant assertions by the company. Under this proposed standard the auditor would identify major classes of transactions and significant processes before identifying the controls to test.
Editor: In what way does the new standard reduce the amount of audit work required for smaller companies?
Smith: The standard includes a section on scaling the audit for smaller, less complex companies. In the final version the PCAOB included a section on entity level or company wide controls that companies rely upon. The importance of these controls was specifically recognized, and the auditors will be allowed to rely upon these controls.
Editor: When is the effective date for AS5?
Smith: The PCAOB has determined that Auditing Standard No.5, Rule 3525 and its conforming amendments will be effective, subject to SEC approval, for audits of fiscal years ending on or after November 15, 2007. The effective date for most companies would be for their fiscal year ending December 31, 2008.
Editor: Where do you think management should first focus its attention under the new standard?
Smith: Management should focus its attention on documenting their process. That is, documenting their thought process to answer the questions: What is the risk structure within the company? What do the controls look like? Evaluate from the top down using its financial statements to determine what its internal control structure is. And then begin the documentation process by documenting what the entity-level (i.e., company-level) controls are which serve as a framework around their entire internal control environment.
Editor: Does a non-accelerated company need to engage an outside auditor to opine on its controls prior to the delivery of its 10-K?
Smith: They do not. What the company is required to do is to begin its evaluation of its system of internal control. The company does not have to have an auditor opine on the effectiveness of internal controls until 2008, but the company should begin the process of internal evaluation now. Certainly if there are any material weaknesses that are found in an audit or by management, they are required to be disclosed earlier.
Editor: Would it be a good idea for a company to bring in its outside auditors now so that they have the proper framework for monitoring those controls?
Smith: It is always good to begin the process early to understand what your control structure is and then to confirm that it meets the standards of your external auditor. Early evaluation of controls will allow time to find, remediate or correct any findings.
Editor: Do you feel that AS5 is leading in the direction of a principles-based accounting system rather than one that is rules-based?
Smith: Yes. AS5 is certainly trying to really determine what the principles are for ferreting out significant risks and material issues through the ascertainment that internal controls are in place and provide a warning that companies need to constantly evaluate those internal controls. It gets away from a check-list mentality that each and every control needs testing with each audit by external auditors.
Editor: Do you think this emphasis on a hierarchy of internal controls under AS5 comes closer to identifying the basic risks of the company?
Smith: All companies are very aware of what the risks are in their business. What AS5 does is allow the company to do a self-evaluation and work with its auditor on defining what those risks are and how those risks can be mitigated.
Editor: My understanding is that the PCAOB recommends that management be allowed to use outside consultants, who are sufficiently objective and competent, whose reports might be relied upon by outside auditors so as to obviate the necessity of the auditor having to look "under every stone." Is that correct?
Smith: Certainly management of a company is very close to the company and sometimes too close to evaluate all controls over all of the risks, a case often of seeing the trees rather than the forest. Some of the consultants have become very good at determining what the risks are and how to cover those risks without re-creating the wheel and without going into too detailed documentation. Any work that a consultant does is on behalf of management for management, and management needs to understand what the consultant does when presenting that report to the external auditor. AS5 permits the outside auditor to use the work of consultants and others in the company to obtain evidence about the design and operating effectiveness of controls.
Editor: In what way can a company set up an entity-wide mechanism so that the auditors year after year do not have to test every one of a company's controls?
Smith: Beginning in year one, a company should do a fairly complete inventory of controls, at the same time determining the risks in all areas. From that determination, I suggest putting in specific controls for specific risks as well as entity-level controls. The PCAOB in a statement even suggests that some entity-level controls might operate at a level of precision that they could eliminate the risk of a misstatement that would affect the financial statements. Hopefully with that evaluation and a discussion with your external auditor a company can get past an annual 100% review of the internal controls.
Editor: Do you believe that these changes are sufficient to alleviate the burdens that small companies faced under AS2?
Smith: A phenomenal amount has been written about Sarbanes and the overreaction resulting in excesses of detailed transaction review. AS5 tries to bring the level down to reasonableness - that companies should have internal controls that investors can rely on and that internal controls and their oversight should be rationalized. I believe that AS5 is a good change for companies and for the internal and the external auditors. AS5 was designed to increase the likelihood that material weaknesses in companies' internal controls could be identified before they caused a misstatement of the financial statements as well as steer the auditors away from performing procedures that are unnecessary.
Editor: Do you think there is still room for improvement?
Smith: I think we have to take a look at the application of AS5 and how the internal auditors, management, and the external auditors reasonably apply that rule.
Editor: Do you think that companies' costs will be reduced?
Smith: I believe they will. Companies must put together a thorough risk assessment and document their level of controls (which many have not yet done). Then companies need to monitor what has been documented and monitor changes to the control environment. Companies must also monitor their consultants, monitor their auditors, and come up with a reasonable basis for their conclusions and do reasonable testing.
Editor: What is the role of the internal auditor in all this? Should internal auditors continually monitor and test their company's controls?
Smith: What we have seen with accelerated filer companies, who have been through this now for their third year, is that the audit requirements have improved the control environment in most companies, they have created more awareness of internal controls, and companies are instituting continuous monitoring and continuous management of the internal control structure, which we believe is helping companies operate effectively and more efficiently.