PCAOB Guidance on SOX 404

News Brief
May 17, 2005

By: Cydney Posner

As promised, the PCAOB also issued guidance on SOX 404, including a Policy Statement and a staff Q&A.

See: News Release, Staff Q&A and Policy Statement.

Many of the basic points addressed by the PCAOB are similar to those expressed by the SEC in its guidance. Like the SEC, the PCAOB bemoans the lack of common sense and judgment in the application of its standards and attempts to dispose of some of the paralyzing "misconceptions" that have arisen in the course of the recent implementation of the internal control requirements.

The Policy Statement considers several of the auditing practices that may be ineffective and describes how the PCAOB intends to supervise implementation of Auditing Standard No. 2 through both guidance and inspections. The Q&A clarifies provisions in AS 2, seeking in particular to "correct the misimpression" that AS 2 imposes a rigidity that constrains professional judgment and prevents the conduct of an audit in a manner that is both effective and cost-efficient.

Policy Statement

The Policy Statement identifies several general areas of concern, including primarily cost, lack of focus on higher risk areas, failure to use the work of others sufficiently, failure to fully integrate the audit of internal control with the audit of the financial statements and the reluctance of auditors to provide guidance to clients on accounting issues for fear of compromising independence or triggering a material weakness finding.

The Policy Statement states that, to properly plan and perform an effective audit under AS 2, auditors should:

  • "integrate their audits of internal control with their audits of the client's financial statements, so that evidence gathered and tests conducted in the context of either audit contribute to completion of both audits;
  • exercise judgment to tailor their audit plans to the risks facing individual audit clients, instead of using standardized "checklists" that may not reflect an allocation of audit work weighted toward high-risk areas (and weighted against unnecessary audit focus in low-risk areas);
  • use a top-down approach that begins with company-level controls, to identify for further testing only those accounts and processes that are, in fact, relevant to internal control over financial reporting, and use the risk assessment required by the standard to eliminate from further consideration those accounts that have only a remote likelihood of containing a material misstatement;
  • take advantage of the significant flexibility that the standard allows to use the work of others; and
  • engage in direct and timely communication with audit clients when those clients seek auditors' views on accounting or internal control issues before those clients make their own decisions on such issues, implement internal control processes under consideration, or finalize financial reports."
The Integrated Audit Concept. An integrated audit combines an audit of internal control with the audit of the financial statements, resulting in a single coordinated process. In an integrated audit, the auditor's examination of internal control is validated by the findings in the audit of the financial statements, and the auditor's conclusions about internal control help the auditor better plan and conduct the audit of the financial statements. The PCAOB views the integrated audit as mutually reinforcing and more cost-effective, but as one that requires the auditor to plan and conduct his or her work with both audits in mind, something that evidently was not achieved successfully this past year.

The Importance of Professional Judgment. Like other auditing standards, AS 2 is not prescriptive, yet many auditors were reluctant to use the professional judgment that they would use in other contexts to tailor audit plans to particular clients and particular industries, or to focus on areas with a higher risk of misstatement: "Those auditors have instead used a one-size-fits-all audit plan driven by standardized checklists that may have little to do with the unique issues and risks of the particular client's financial reporting processes. This is a disappointing development indicative of poor training and audit planning."

The Top-down Approach and Role of Risk Assessment. AS 2 requires a top-down approach. The auditor must focus first on company-level controls and then on significant accounts, which lead the auditor to significant processes and, finally, individual controls at the process, transaction or application levels. The intent is that, as the auditor gains knowledge with each step, he or she will be steered toward the most relevant and higher risk areas within the next succeeding level of controls and away from those with less potential to have a material impact on the financials. Using a risk-based approach requires the auditor to consider the overall risk related to each significant identified account to determine whether he or she should alter the nature, timing and extent of testing of the controls over that specific account. In addition, the auditor should consider the nature, frequency and importance of the specific control being tested to determine whether further revisions to the testing strategy are required. Finally, as part of the auditor's risk assessment, he or she should consider the strength of the company-level controls; strong company-level controls should lead the auditor to do less work than he or she otherwise would have performed and enable the auditor to rely to a greater degree on the work of others.

Using the Work of Others. By applying a top-down, risk-based approach, an auditor should be able to identify areas where it is appropriate to rely on the work of others, particularly lower risk areas. Although AS 2 requires the auditor to obtain the principal evidence supporting his or her opinion as to whether internal control is effective overall, it also provides significant flexibility. The principal evidence provision is primarily qualitative, requiring that the auditor perform sufficient auditing to reach his or her own, independent opinion and not merely pass along the judgments and opinion of others. According to the PCAOB, this requirement has two implications: first, that the auditor should perform more work directly in high-risk areas and seek to use the work of others in areas of lesser risk, and second, that in evaluating whether the auditor has met the principal evidence test, the auditor should ascribe more weight to the work he or she performs in high-risk areas.

The Auditor's Ability to Provide Advice to Audit Clients. The PCAOB expressed its concern about a "misconception" that, as a result of AS 2, companies may no longer seek advice from their auditors on difficult accounting and internal control issues, especially as manifested in the recent development that auditors have been unwilling to provide accounting advice to their audit clients or have encouraged audit clients to finish their assessments of internal control and financial statements before the auditor begins audit work. "Such practices are neither necessary nor advisable." Although AS 2 states that an auditor's detection of a material misstatement in financial statements is a "strong indicator" of a material weakness in internal control, nothing in AS 2 precludes the auditor from consulting on accounting and internal control questions or reviewing draft financial statements: "Determining when it is appropriate for the auditor to provide accounting advice requires professional judgment and common sense. Auditors may not, of course, make accounting decisions for their clients, and management may not abandon its responsibility for quality financial reporting and simply rely on auditors to catch errors. Where management makes its own informed decisions regarding how applicable accounting principles apply to its company's circumstances, however, the auditor may discuss freely with management the meaning and significance of those principles." The PCAOB argues that sharing of draft financials and other information is necessary. The line should be drawn at the point of completed financials: "in determining the point at which the auditor must draw the line for purposes of identifying when a deficiency exists, the auditor should be concerned primarily about instances in which the company completed its financial statements and disclosures without recognizing a potential material misstatement. If it is clear that all applicable controls have not yet operated, then a conclusion as to whether a material misstatement in draft financial statements demonstrates a control deficiency would be premature."

"Auditors may also provide audit clients technical advice on the proper application of GAAP, including offering suggestions for management's consideration to improve disclosure and financial statement quality and giving updates on recent developments with accounting standards-setters. In addition, management may provide and discuss with the auditor preliminary drafts of accounting research memos, spreadsheets, and other working papers in order to obtain the auditor's views on the assumptions and methods selected by management. Although the auditor may determine that some of these communications need to be made in writing, timely and open communication will often be best accomplished orally." Auditors should instead be concerned about misapplications that occur outside of the consultation process, "such as during a quarterly review, or after management has completed its financial statements and disclosures, in which case the auditor would have to consider whether management's failure to recognize the potential misapplication of applicable accounting principles constitutes a significant deficiency or material weakness."

The Board's Approach to Oversight of Implementation of Auditing Standard No. 2. In conducting its inspections, the PCAOB will look for audits that suffer from poor planning and risk assessment, such as the absence of tailoring of procedures to suit the circumstances or focusing the audit on low-risk areas. In addition, auditors will need to justify their performance when it does not comport with the principles described above. Although the PCAOB does not intend to insert itself into auditors' billing practices, it will demand changes if an auditor has approached the audit in a "way that is mechanistic and does not reflect the application of professional judgment to the specific risks associated with the audit client's financial reporting system…."

Staff Q&A

The Q&A goes into a bit more depth (perhaps more than you really wanted to know) on some of the issues discussed by the SEC and PCAOB.

Top-down approach. In a top-down approach to auditing internal control over financial reporting, the auditor performs procedures in a sequential manner, starting with company-level controls and then delving into significant accounts, significant processes and individual controls at the process, transaction or application levels. Below is the sequence as described by the staff:

Top-down Approach Sequence (AS 2 paragraphs)

  • Identify, understand, and evaluate the design effectiveness of company-level controls (Paragraphs 52 through 59)
  • Identify significant accounts, beginning at the financial-statement or disclosure level (Paragraphs 60 through 67)
  • Identify the assertions relevant to each significant account (Paragraphs 68 through 70)
  • Identify significant processes and major classes of transactions (Paragraphs 71 through 78)
  • Identify the points at which errors or fraud could occur in the process (This identification occurs during the identification of significant accounts, relevant assertions, and significant processes, and is confirmed by performing walkthroughs as described in paragraphs 79-82)
  • Identify controls to test that prevent or detect errors or fraud on a timely basis (Paragraphs 83 through 87)
  • Clearly link individual controls with the significant accounts and assertions to which they relate (Paragraph 84)
Company-level controls include:
  • controls within the control environment, such as tone at the top, organizational structure, commitment to competence, human resource policies and procedures;
  • management's risk assessment process;
  • centralized processing and controls, such as shared service environments;
  • controls to monitor other controls, including activities of the internal audit function, the audit committee and self-assessment programs; and
  • the period-end financial reporting process.
Because of the pervasiveness of company-level controls, testing and evaluation of those controls are likely to affect the auditor's strategy for testing at other levels.

Risk-based Approach. Risk assessment pervades the entire process of auditing internal control. A direct relationship exists between the degree of risk that a material weakness could exist in a particular area of the company's controls and the amount of audit attention the auditor should devote to that area. Risk assessment is particularly significant in four areas:

  • Significant accounts. Using the risk factors identified in AS 2, the auditor can evaluate whether an account is significant or may be eliminated from further consideration (unless the auditor later identifies indications of a higher level of risk) because there is only a remote likelihood that it will contain misstatements that could cause the financial statements to be materially misstated.
  • Relevant assertions. The auditor identifies relevant assertions related to significant accounts by evaluating the risk that the assertions could be misstated. If that risk is not "meaningful," the assertion should not be identified as a relevant assertion and does not need to be tested.
  • Nature, timing and extent of tests of controls. When less risk is associated with the control, the auditor may test the control less extensively and farther from the "as-of" date.
  • Using the work of others. AS 2 describes several risk factors that the auditor should evaluate when considering whether to rely on the work of others. As these factors decrease in significance, the need for the auditor to perform his or her own work on those controls decreases.
Scope and Extent of Testing. Quantitative measures alone are not determinative of whether an account should be identified as significant. If an account is determined to be significant based on both quantitative and qualitative measures, the auditor should design a testing strategy based on risk assessment. The auditor may be able to reduce or eliminate testing of controls for some components. (The example cited is the petty cash component of the financial statement line item "cash and cash equivalents," which rarely presents a more than remote risk that the financial statements could be materially misstated.) The auditor is not required to test all the controls that management tested just because management described them as key or significant. Rather, the auditor need test only those controls that the auditor identifies as controls over relevant assertions related to significant accounts; i.e., the focus is first on determining significant accounts and then on the particular controls.

Level of Persuasiveness. The auditor may reduce the level of testing in low-risk areas, including the level of persuasiveness of the evidence required. The staff has ranked the typical procedures in order of persuasiveness, from lowest to highest: inquiry, observation, inspection of relevant documentation and reperformance of the application of the control. The auditor may also perform walkthroughs, which ordinarily consist of some combination of these procedures, as tests of design and operating effectiveness. Inquiry alone is generally not sufficient; otherwise, the auditor has significant latitude to determine the nature of the work.

Timing and Extent. As the risk associated with the control increases, the testing should be performed closer to the as-of date, although the auditor still may test those controls as of an interim date and correspondingly adjust the nature and extent of the roll-forward procedures to be more extensive. When determining the extent of testing the auditor should perform on a given control, the auditor should evaluate (1) the nature of the control, (2) the frequency of operation, and (3) the importance of the control. The nature and importance of the control are directly related to risk assessment. Strong company-level controls that have a direct impact on lower-level controls may also allow the auditor to decrease the level of testing.

Each year should stand on its own. In general, to render an opinion as of the date of management's assessment, the auditor needs to test controls every year. This type of evidence is needed regardless of whether controls were previously found to be effective or whether those controls have changed because, even if nothing significant has changed, controls that were effective last year may not be effective this year due to error, complacency or other inherent limitations. However, the statement that "each year's audit must stand on its own" does not mean that audit knowledge obtained in prior years should be ignored. The auditor should use previous knowledge about the company's internal control to inform risk assessments for the current-year's audit, for example, by allowing the auditor to reduce sample size. In addition, the statement does not preclude the use of a benchmarking strategy for testing automated application controls and IT general controls. IT controls continue to perform a given control until changed and are less subject to human failures, which allows the auditor to "benchmark" or "baseline" these controls; i.e., if general controls over program changes, access to programs and computer operations are effective and continue to be tested, and if the auditor verifies that the automated application control has not changed since the last test of the application control, the auditor need not repeat the prior year's specific tests of that control. The Q&A includes a list of factors that the auditor should consider in determining whether to use a benchmarking strategy. Generally, the more important the control, the less suitable it is for benchmarking. In addition, the benchmark needs to be reestablished from time to time.
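The benchmarking strategy above rests on three checks that have to hold together: the IT general controls over program changes, access and operations are effective and still tested, the automated control itself has not changed since its last full test, and the benchmark is re-established from time to time. The script below is an added illustration of how a practitioner might record and re-verify such a baseline; it is not PCAOB guidance or code from the Q&A, and the artifacts (a hypothetical three-way-match stored procedure and its configuration), the three-year re-baseline interval and the rule that "high" importance controls are excluded from benchmarking are all assumptions chosen for the example. The Q&A only says the more important a control, the less suitable it is, and that the benchmark must be re-established periodically; it gives no numbers.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Constructed sample artifacts for one automated application control: a stored
# procedure that refuses to post a payable unless PO, receipt and invoice agree,
# plus the configuration that turns the check on. Invented for this example.
PRIOR_YEAR_ARTIFACTS: dict[str, bytes] = {
    "ap/three_way_match.sql": (
        b"CREATE PROCEDURE post_payable AS ... "
        b"WHERE po.qty = rcpt.qty AND rcpt.qty = inv.qty;"
    ),
    "ap/config.ini": b"[payables]\nrequire_three_way_match = true\ntolerance_pct = 0\n",
}
# Current-year snapshots: one unchanged, one where someone loosened the tolerance.
CURRENT_UNCHANGED: dict[str, bytes] = dict(PRIOR_YEAR_ARTIFACTS)
CURRENT_CHANGED: dict[str, bytes] = {
    **PRIOR_YEAR_ARTIFACTS,
    "ap/config.ini": b"[payables]\nrequire_three_way_match = true\ntolerance_pct = 5\n",
}

# ITGC domains the Q&A names as the precondition for benchmarking.
REQUIRED_ITGC = ("program_changes", "access_to_programs", "computer_operations")
MAX_BENCHMARK_YEARS = 3          # assumption: re-baseline at least every three years
NOT_BENCHMARKABLE = {"high"}     # assumption: most important controls always retested


def fingerprint(artifacts: dict[str, bytes]) -> dict[str, str]:
    """SHA-256 per artifact; recorded as the baseline at the last full test."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(artifacts.items())}


def diff_baseline(baseline: dict[str, str], current: dict[str, str]) -> list[str]:
    """Paths added, removed or modified relative to the baseline."""
    return [p for p in sorted(set(baseline) | set(current)) if baseline.get(p) != current.get(p)]


@dataclass
class BenchmarkDecision:
    rely_on_prior_tests: bool
    reason: str
    changed_paths: list[str] = field(default_factory=list)


def benchmark_decision(
    baseline: dict[str, str],
    current: dict[str, str],
    itgc_effective: dict[str, bool],
    years_since_full_test: int,
    control_importance: str = "medium",
) -> BenchmarkDecision:
    """Decide whether last year's tests of an automated control can be carried forward.

    Gate order matters: a matching hash proves nothing if the change-management
    and access controls that would have caught an unauthorised edit are not themselves
    effective, so the ITGC gate comes first.
    """
    failed = [k for k in REQUIRED_ITGC if not itgc_effective.get(k, False)]
    if failed:
        return BenchmarkDecision(False, "ITGC not effective or not tested: " + ", ".join(failed))
    if control_importance in NOT_BENCHMARKABLE:
        return BenchmarkDecision(False, f"{control_importance}-importance control: retest directly")
    if years_since_full_test >= MAX_BENCHMARK_YEARS:
        return BenchmarkDecision(False, f"benchmark is {years_since_full_test} years old: re-establish")
    changed = diff_baseline(baseline, current)
    if changed:
        return BenchmarkDecision(False, "control artifacts changed since last full test", changed)
    return BenchmarkDecision(True, "ITGCs effective and control unchanged; prior tests may be relied on")


if __name__ == "__main__":
    base = fingerprint(PRIOR_YEAR_ARTIFACTS)
    itgc_ok = {k: True for k in REQUIRED_ITGC}
    print(benchmark_decision(base, fingerprint(CURRENT_UNCHANGED), itgc_ok, 1))
    print(benchmark_decision(base, fingerprint(CURRENT_CHANGED), itgc_ok, 1))
    print(benchmark_decision(base, fingerprint(CURRENT_UNCHANGED), {**itgc_ok, "program_changes": False}, 1))
```

The ordering of the gates is the point: the hash comparison is only evidence that the control is the same control if the change-management and access ITGCs that protect it are known to be effective for the whole period, which is exactly the precondition the Q&A attaches to benchmarking.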

The auditor is also permitted to "alternate tests of controls," which relates to using the work of others and other variations in testing from year to year. "The statement that each year's audit must stand on its own is a guiding principle, and one that permits significant flexibility in varying the nature, timing, and extent of work in particular areas from year to year." For example, the auditor may vary from year to year the extent to which he or she uses the work of others in a particular area. Each year's audit must stand on its own, but each year's audit does not have to include the same scope of testing. Varying the nature, timing and extent of testing may also help to introduce unpredictability.

Management's Assessment. Auditors must recognize, in evaluating management's assessment, that management has a broader array of procedures to achieve reasonable assurance than do the auditors. For example, management might be able to determine that controls operate effectively through its direct and ongoing monitoring of the operation of controls or by performing regular management and supervisory activities, monitoring adherence to policies and procedures and performing other routine actions. An auditor should not use management's "self-assessment" of controls as part of the auditor's evidence supporting his or her opinion; however, the term is narrowly defined to mean an assessment made by the same personnel who are responsible for performing the control. Therefore, not all work labeled as "self-assessment" is precluded. When the self-assessment is being performed by management personnel who are not the same personnel responsible for performing the control, the auditor should evaluate this work using the standards for using the work of others, i.e., evaluating the nature of the controls subjected to the work of others and the competence and objectivity of the individuals who performed the work. The auditor should also evaluate whether management's overall assessment process includes periodic, objective validation of the effectiveness of self-assessments in individual areas, such as testing by internal auditors. Management's self-assessment process, however, should include a rational approach for determining how frequently and extensively to verify the effectiveness of self-assessment.

As management has different tools available for performing its assessment, the auditor should not evaluate the adequacy of management's assessment by simply comparing, on a control-by-control level, whether management's testing was at least as extensive as that conducted by the auditor. "The work that management performs in connection with its assessment can have a significant effect on the nature, timing and extent of the work of the auditor. The more extensive and reliable management's assessment is, the less extensive and costly the auditor's work will need to be."

Integrated Audit/Interim Testing. In an integrated audit of internal control and the financial statements, the auditor would seek to accomplish the objectives of both audits simultaneously: to obtain sufficient evidence to support (1) his or her opinion on internal control as of year-end, and (2) a control risk assessment of "low" for purposes of the financial statement audit. A control risk assessment of low would allow the auditor to reduce the amount of audit work that otherwise would have been necessary to opine on the financial statements. If the control risk is designated as other than low for relevant assertions, the auditor must document the reasons for that assessment. According to the staff, this documentation requirement reflects the expectation that the benefits associated with an integrated audit ordinarily will best be achieved by the auditor testing controls over a period of time, although that may not be appropriate, for example, if a material weakness is remediated late in the year. If the auditor performs testing as of an interim date, he or she must perform roll-forward procedures to year end. As the nature and risk associated with the control become more significant, the necessary updating procedures become more extensive, and more persuasive evidence is required. If exceptions were noted, a higher risk is necessarily involved. Other factors include the persuasiveness of evidence obtained at the interim date, the timing of the interim testing and the possibility that changes have occurred. In addition, for controls over significant nonroutine transactions, controls over accounts or processes with a high degree of subjectivity or judgment in measurement, or controls over the recording of period-end adjustments (all areas of higher risk), the auditor should perform tests of controls closer to or at the as-of date rather than at an interim date. The Q&A provides specific examples of roll-forward procedures for different controls.

Changes to IT. The staff maintains that it would be inappropriate for the auditor to conclude, as a rule, that management should not implement changes to IT for some arbitrary period of time before year-end. However, the company may need to implement temporary controls. To evaluate the effect that a change to the company's IT has on internal control, the auditor should evaluate the company's controls over program development and program changes as they apply to the specific planned change to IT, as well as any temporary controls in place during the conversion period.

Absence of Documentation Not Determinative. There is no presumption that a control is ineffective solely because there is no documentation evidencing the operation of the control. That type of presumption might create a "sign-and-file" mentality, i.e., that a signature or other evidence of the performance of a control might become more important than the performance of the control itself. Rather, the auditor must be satisfied that the control operated effectively.

Using the Work of Others. The auditor must obtain the principal evidence supporting his or her opinion. That determination is primarily qualitative. The auditor should perform more work himself or herself in areas that represent higher risk and should ascribe more weight to work he or she performs in higher-risk areas. The staff clarifies that the directions in AS 2 that the auditor perform the walkthroughs himself or herself or that the auditor not use the work of others to reduce the amount of work that he or she performs on controls in the control environment reflect the high degree of risk associated with these areas.

Auditor's Responsibilities With Respect to Management's Certification Disclosures. The procedures that the auditor is required to perform on a quarterly basis are ordinarily limited to inquiry and observation and an evaluation of the implications of any misstatements identified by the auditor during the auditor's required review of interim financial information. There is no requirement for a quarterly audit of internal controls. Rather, the staff views the auditor's responsibilities related to management's quarterly certifications on internal control as analogous to an interim review of the company's financial statements. For example, inquiries and observations would be limited to members of management who would be expected to have knowledge about significant changes. Similarly, if management plans to disclose remediation of a previously reported material weakness, the auditor's procedures would be limited to inquiry and observation; the auditor is not required to test the design or operating effectiveness of remediated controls beyond inquiry and observation.

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may be considered Attorney Advertising and is subject to our legal notices.