AS5 for the Little Guys

The PCAOB issues its small company guidance on AS5, the auditing standard for assessing internal controls—and it's chock full of examples.
Marie LeoneOctober 17, 2007

The Public Company Accounting Oversight Board issued new guidance on Wednesday for auditors that count smaller companies as clients.

The 52-page document provides information and practical examples about how auditors should apply Auditing Standard 5 to smaller companies. AS5 is the standard that governs the audits of internal controls over financial reporting at public companies.

The PCAOB staff is seeking public comment on the guidance, which should be received no later than December 17. However, PCAOB’s Chief Auditor Tom Ray told that the board is encouraging auditors to “read and use” the guidance now, as it is a staff document and does not alter the tenets of AS5.

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

“The guidance has nothing to do with changing AS5,” said Ray, noting that the comments collected during the next few months may be used to enhance the guidance, but the document but should be regarded as a companion piece to AS5 that is ready to use.

The guidance was developed with help from audit firms that have already performed internal control audits on the smallest accelerated filers using AS2, the precursor to AS5. Accelerated filers are public companies with a market capitalization of more than $75 million that were required to meet the internal control requirements of Sarbanes-Oxley Act (Section 404) prior to 2007. Auditors have until 2008 before they have to comply with AS5.

The guidance addresses several key issues that many small-company executives claimed were too costly because auditors were applying large-company testing methodology to their internal controls. As a result, the guidance lays out auditing principles and approaches for evaluating entity-level controls, assessing the risk of management override, evaluating segregation of duties, auditing information technology controls, considering financial reporting competencies, and obtaining sufficient evidence when a company has less formal documentation.

Similar to AS5, the guidance takes a principles-based approach to auditing, calling on auditors to use more judgment, rather than bright-line rules when testing and attesting to the effectiveness of internal controls. But in light of recent corporate accounting scandals that dragged audit firms into the fray—the most notable being the demise of Arthur Andersen—auditors have become skittish about making judgment calls for fear that the PCAOB and Securities and Exchange Commission will second guess their decisions. Nevertheless, Ray confirms that the guidance fosters principles over rules.

In general, the guidance acknowledges that in most smaller companies’ internal controls are controlled by senior management, says PCAOB associate chief auditor Keith Wilson. That means that AS5 “has to be placed in the context of a smaller, less complicated company,” explains Wilson.

For example, auditors should understand that “evidence doesn’t always mean documentation,” asserts Wilson. “They have to be able to tailor audit procedures to the evidence that is there.” To that end, the guidance provides an example of a small manufacturer that makes large, periodic purchases of specialty components. The company has established procedures for initiating, authorizing, and recording the purchases, but lacks detailed manuals that outline purchasing policies and procedures.

In that case, the PCAOB says, the auditor should inspect copies of completed purchase forms and related documents to understand the flow of the transaction, and then follow up by questioning employees involved in the purchase to trace the recording of the transaction as it moves through the accounting system.

In another example, the guidance brings up a case in which a small company hires a tax expert to review the CFO’s work on a tax provision. As part of the internal controls audit, the auditor must evaluate whether management has the competency to ensure that transactions are properly recorded. Calling in a third-party tax expert may indicate that the CFO lacks the proper tax knowlege. However, with limited resources, it would be costly for a small company to hire a full-time tax manager.

The guidance suggests that the auditor use the following approach: The auditor should observe that management identified risks to financial reporting by hiring the tax expert. Then the auditor should inspect any correspondences between the company and tax expert, as well as the tax schedules; evaluate the controls over the tax work in terms of accuracy and completeness; and assess whether the tax expert has the necessary skills to perform the job correctly.

While it is difficult to gauge whether auditors are ready to implement AS5 in small-company audits, Wilson point out that “there is a high level of interest from these auditors” regarding the PCAOB’s guidance. As a result, a PCAOB-sponsored training program for auditors that work with smaller companies is in the works, slated to take place sometime next year. Meanwhile, the PCAOB inspectors that evaluate audit firms have already been exposed to the new guidance, as some of them were privy to the issues and complaints coming from auditors that already have had to apply AS2 to smaller clients.