AS5: Clarification or Confusion?

On paper, a new standard proposed by the Public Company Accounting Oversight Board appears to address the concerns of companies that felt auditors spent too much time scrutinizing their internal controls and technology systems. Critics of the existing and much-contested Auditing Standard No. 2 have said it encourages auditors to spend hours questioning issues that have little relevance to financial statements, particularly with regard to the computer systems and software that are involved in producing those statements.

Yet it's not clear whether a new standard will change that behavior for the better.

The proposed standard, which some PCAOB board members have begun referring to as AS5, clarifies that audits should concentrate only on those areas most likely to lead to a financial misstatement. In addition, external auditors would be allowed to rely on assessment work done by others, such as internal auditors, and would no longer evaluate management's process, eliminating some "unnecessary procedures." AS5 was introduced last month for a 70-day comment period.

One of the PCAOB's goals, says chairman Mark Olson, is cheaper auditing bills. But AS2 critics aren't so sure that will happen. They worry that the new standard — An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements — still could confuse auditors and prompt continued wary and overly conservative behavior. And they're far from certain that the new standard will address what was widely perceived as misguided audits of corporate IT systems.

While senior financial executives think the new standard is at least "a step in the right direction," says James Clendenen, engagement director for Parson Consulting, a financial-management consultancy, "the question is what will actually happen in the real world." Given the conservative nature of audit firms, he wonders if they will accept the increased risk that might come from making more judgment calls.

At the same time, some finance executives worry that the changes might actually make external auditors more powerful. Both the Securities and Exchange Commission's Section 404 revision and the PCAOB's proposal for AS5 give external auditors and management more latitude in how to attest to and assess internal controls. But, say critics, companies that want auditors to rely on work the company has performed in-house (thereby reducing external audit hours) may defer to their audit firms about how such work should be done. In a letter asking various members of Congress to halt adoption of AS5, Dennis Stevens, director of internal audit for the Alamo Group, worried that the result will be a "subtle shift of responsibility from management to the external auditor." Worse, wrote Stevens, if management's own evaluation of internal controls is dictated by what it thinks auditors will find acceptable, the result will be "essentially the same situation that has existed for the past three years."

The PCAOB says its proposed standard promotes a top-down, risk-based approach to auditing that encourages both management and auditors to use their professional judgment. But that, too, could result in confusion — and contention — between auditors and issuers, says Clendenen. For example, the new standard changes the definitions of significant deficiency and material weakness from a "more than remote likelihood" that a misstatement will occur to a "reasonable possibility." Each auditing firm will have to revisit how it understands this definition, and it could become more aggressive in its interpretation, Clendenen told CFO.com.

"I think the PCAOB intended to have management and the auditors more on the same page; however, this will probably have the opposite effect," he says. And while the answer may be that companies need to communicate more with their auditors about what's required, the independence requirements of Sarbox may continue to chill that relationship.

The new standard may make companies bolder, although that won't necessarily thaw relations with external auditors. If auditors examine low-risk areas or begin nitpicking, "you may have to say, 'No, that's not what we're here to do. We are looking at specific financial-statement line items that are material, that are important, and those controls that are most significant,'" says Eric Keller, CEO of software company Movaris and former CFO of several other companies, including enterprise application service provider Corio.

Lines of communication between audit firms and companies haven't been ideal. Since Sarbox's inception, companies have complained that it's hard to get answers from their audit firms. Those dealing with the Big Four firms have reported that their queries seem to go in a black hole as the local partners wait to hear from a national office. The new standard might not create a fix for that wait. "The local partners will have an ability to get more involved, but the question is, are they comfortable enough to stick their neck out and make a statement and not rely on a somewhat nameless, faceless management office to make a key decision about their client?" asks Clendenen.

• 1
• 2
• next »