SEC Okays Controls Rule, Pledges to Eye Auditors

Now that AS2 has been "put out of its misery," the Securities and Exchange Commission will work closely with the PCAOB in its inspections.
Sarah JohnsonJuly 25, 2007

The Securities and Exchange Commission has adopted a new auditing rule to replace the standard largely blamed for the costly and excessive work that arose out of the internal-controls provision of the Sarbanes-Oxley Act. At the same time, the SEC staff promised to closely monitor how auditors put the rule, Auditing Standard No. 5, into effect.

The commissioners’ unanimous vote was expected, following the joint work the SEC took with the Public Company Accounting Oversight Board to replace Auditing Standard No. 2 with the new rule. The PCAOB approved AS5 in May, leaving it up the SEC, its oversight body, to give the final approval.

During an open meeting on Wednesday, the commissioners and the SEC staff praised the new standard for encouraging auditors to take a top- down, risk-based approach to their attestations of companies’ internal controls over financial reporting.

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

Still, the SEC folks acknowledged some companies’ fears that auditors would still apply a checklist mentality to their work and look at controls that have no chance of spawning a possible material misstatement if they’re flawed. “The SEC and the PCAOB expect changes in the behavior of those individuals responsible for conducting internal-control audits,” said SEC Chairman Christopher Cox.

Since companies started complying with the internal-control provisions of Sarbox, many have said the auditing rule gave accountants cover to do work for work’s sake in order to hike their fees. Addressing that criticism, the PCAOB rewrote the internal-controls auditing standard, making it simpler and easier to tailor to the needs of smaller and less complex companies.

Companies with a public float below $75 million will start complying with the management portion of Sarbox’s Section 404 starting at the end of this year, while their auditors will file their corresponding opinions one year later.

Before the SEC released guidance for management to follow Section 404 earlier this year, companies had been relying on the auditing standard to fulfill their 404 requirements. Commissioner Paul Atkins echoed a typical complaint of small companies that the wealth of changes to the internal-control rules by regulators this year should entitle them to another delay for complying.

But John White, director of the SEC’s Division of Corporation Finance, said the decision to further delay the auditor attestation report could itself be delayed while the commissioners review how efficiciently audiots of larger companies use AS5.

The SEC and PCAOB are each working on guides for smaller companies on how to deal with the internal-control provisions, and they expect the documents to be available by the end of the year. The SEC’s economic analysis division is also working on a long-awaited revision to a cost-benefit analysis of the internal-control regulations.

Further, the SEC will keep an eye on how the PCAOB trains its staff in how to inspect audit firms. That will include looking over the PCAOB’s revised training manual, inspection reports, and working papers, said Conrad Hewitt, the SEC’s chief accountant. “We will be working closely with the PCAOB, management, and others to monitor the implementation of this new standard,” he said.

Most of the 37 comment letters sent to the SEC for AS5 over a 35-day period were supportive of AS5–including ones submitted by the Big Four audit firms. As one of the three public-company finance executives who weighed in with feedback, Peter Bridgman, senior vice president and controller for PepsiCo, said, the standard was clearer and more concise than AS2. AS5 could cut audit fees because the standard no longer requires auditors to opine on management’s process for the evaluation of their internal controls, just the internal controls themselves, proponents of the new standard said.

Not all the comments about AS5 have been positive. Earlier this week, Nasdaq sent out a press release calling for further changes and quoted one of the lead legislators behind Sarbox, Michael Oxley, who is the stock market’s vice chairman. Nasdaq said “materiality” should be better defined in the rule and the PCAOB should create a so-called ombudsman office that would serve as an advocate for companies “that feel their internal controls are being over-audited.” Said Oxley: “While AS5 represents improvement over the previous standard, it does not go far enough to help decrease regulatory complexity and reduce the risk for overzealous auditing.”

At the hearing, Atkins implied that the standard could contain clearer guidance and questioned if auditors had enough guidance on how to judge a what a “material weakness” entails. Zoe-Vonna Palmrose, SEC deputy chief accountant for auditing and professional-practice issues replied that the standard is purposely more principles-based than AS2 and that the SEC is looking at the term “materiality” in a broader context outside of auditing standards.

Before giving his support, Atkins admitted the standard wasn’t perfect. But it was good enough for his vote. “We might not be completely happy with it but happy to at least put AS2 out of its misery,” he said.

The SEC also voted unanimously on a definition for the term “significant deficiency” in their rules. Under the new definition, a significant deficiency in internal control over financial reporting “is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of a registrant’s financial reporting.”