Perhaps the most hated rule to come out of the Sarbanes-Oxley Act is dead. Well, almost. On Thursday, the Public Company Accounting Oversight Board voted unanimously to replace its controversial internal-control auditing standard with Auditing Standard No. 5. Critics of the original standard shouldn’t celebrate just yet, however. AS5 requires the Securities and Exchange’s approval, which will likely not happen for at least another month.
The PCAOB’s Auditing Standard No. 2 is the rule largely blamed for creating excessively high audit fees for companies complying with the Sarbanes-Oxley Act. Indeed, since auditors began using AS2, companies have complained that common interpretations of the standard wrought burdensome audits by promoting work for work’s sake and encouraging a rigid checklist approach.
At their meeting on Thursday, PCAOB board members admitted that AS2 caused “angst” among corporate managers who used the standard as de-facto guidance for evaluating their internal controls. The PCAOB’s new standard and the SEC’s newly adopted guidelines for management should alleviate the high auditing bills and frustration that occurred during the first years of Sarbox compliance, according to the regulators and audit firms. The changes should also make compliance with 404 easier for small companies that have yet to do so.
The PCAOB will submit its new, principles-based rule, AS5, to the SEC for approval on Friday. If the SEC decides to approve AS5 after going through a public-comment process — which could take at least 35 days — audit firms will no longer reference the original internal-control rule.
The PCAOB is encouraging early adoption of the rule as soon as the SEC approves it. If the SEC — which as the PCAOB oversight body needs to approve all of the board’s standards — gives the OK, audit firms would have to reference the standard for audits of internal control for fiscal years ending on or after November 15, 2007. While early adoption isn’t required, audit firms will have to use the SEC’s and PCAOB’s new definition of material weakness during the transition period (defined as having a reasonable possibility of leading to a material misstatement that will not be prevented or detected on a timely basis).
Approval by the SEC should come easily — the commission’s staff has worked closely with the PCAOB staff in revising the standard since the public comment period for AS5 ended in late February. In fact, when discussing AS5 on Thursday, PCAOB chairman Mark Olson used one of the same terms Cox had used the day before. AS5 will “right-size” the audits of internal controls and eliminate unnecessary work, Olson said.
To accomplish that goal, AS5 requires auditors to take a top-down, risk-based approach and focus on only those areas that could lead to a material misstatement. The PCAOB also eliminated several “unnecessary” procedures, made the standard scalable for companies of all sizes and complexity; and simplified the text. Most important, according to many critics of AS2, the new standard eliminates the requirement of auditors to opine on the adequacy of management’s process on evaluating internal controls (the SEC also officially eliminated that requirement in its changes to Section 404 on Wednesday).
The PCAOB staff members said they had retained all of the goals of the AS5 draft in their final version but made several changes based on the 175 comment letters received and mandates from the SEC. Therefore, in many ways AS5 differs from what the public saw when the PCAOB first introduced the standard in December. The changes were mostly minor, such as matching up terms with the SEC’s management guidance (for example, replacing the term “company level controls” with “entity level controls”). The staff also worked on making the standard less prescriptive in tone since commentators noted nearly 250 instances where the AS5 draft used mandatory terms, such as “must” or “should,” which suggested “the proposal was not as principles based as advertised,” noted PCAOB chief auditor Thomas Ray. Other changes included:
• Putting a discussion of fraud risk and fraud-risk controls at the beginning of the standard. “This should make clear to auditors the importance of assessing fraud risk throughout the audit process,” Olson said, adding, “While even the strongest of internal-control frameworks cannot provide absolute assurance that fraud will be prevented or detected, a strong control environment should help to reduce instances of fraud.”
• Highlighting why auditors should conduct a walkthrough rather than requiring them to conduct a specific review. “Auditors should focus on the objectives and not the mechanics of the walkthrough,” said PCAOB deputy chief auditor Laura Phillips, who is leaving the PCAOB later this year.
Audit firms have already incorporated the basic principles of AS5 into their work. Doing so has eliminated redundant and unnecessary work and cut costs for issuers, said John Fodera, a director at audit firm Eisner. A55 eliminates the excessive work that was used under AS2 and encourages “substance over form” while still getting auditors to uncover material weaknesses, he told CFO.com.
Despite coming to the end of focusing the staff’s energy on just one auditing standard, the PCAOB still has its work cut out for dealing with the audits of internal controls. The staff is compiling feedback from audit firms to craft guidance customized for the internal-control audits of small companies. A draft will be ready for the public soon and will likely be finalized by the end of the year, according to Ray.