News

PCAOB meeting re AS5

News Brief
December 19, 2006

By: Cydney Posner

This morning, the PCAOB voted to propose for public comment a new, principles-based auditing standard on internal control, AS5 (which will replace AS2 and related interpretations), together with certain other related proposals. Click here for the proposal. There will be a 70-day comment period.

Focus on Risk.The most important matters are those that present the greatest risk that a company’s internal controls will fail to detect or prevent a material misstatement in its financial statements. Auditors are directed to the most important controls and the importance of risk assessment is emphasized. In particular, the changes:

  • More clearly focus auditors on identifying control weaknesses before they result in material misstatements in the financial statements.
  • Require auditors to use a top-down approach, beginning with the financial statements and company-level controls, and to identify for further testing only those controls that are, in fact, important to the effective functioning of a company's internal control. Auditors are advised to focus on those controls that really address the risks, not every control. (Effectiveness of controls does not require perfection.)
  • Emphasize the importance of a company’s control environment and how it can affect the risk of financial reporting fraud or other material failure.
  • Emphasize higher risk stages of financial statement preparation, such as the period-end close process.
Eliminate Unnecessary Procedures. In particular, the changes:

  • Clarify that an internal control audit is limited to an evaluation of whether, in the auditor’s opinion, the company’s internal control is effective. Consistent with the change recently proposed by the SEC, the audit would not include an opinion on the adequacy of management’s process.
  • Permit auditors to use experience gained in previous years’ audits to make audits in subsequent years more efficient. Significant controls would still need to be tested annually, but the extent of testing could be reduced based on the experience of prior years.
  • Clarify how auditors should use risk assessment to eliminate from further consideration those accounts that are unlikely to contain a material misstatement.
  • Requireauditors to consider whether and how to use the work of others, instead of doing certain procedures themselves. The PCAOB is proposing a new auditing standard, to supersede AU 322, intended to encourage greater use of the work of internal auditors, management and others by requiring auditors to evaluate whether and how to use the work of others to reduce auditor testing in an integrated audit of financial statements and internal control or in an audit of financial statements alone. This proposed standard would require the auditor to understand the relevant activities of these others and to determine how the results of that work may affect the audit. In addition, the standard would provide a single framework based on the auditor's evaluation of the combined competence and objectivity of others and the subject matter being tested. (The more competent and objective the source, the more the source's work can be used. For example, the nature of the compensation paid to internal auditors or others may need to be examined.) The explicit "principal evidence" provision of AS2 would be eliminated.
Incorporate Guidance on Efficiency. The PCAOB's May 16 guidance has been incorporated into the proposed new standard to promote improvements in efficiency.

Guidance on Scaling the Audit to Fit the Size and Complexity of the Company. The proposed new standard provides direction to help the auditor anticipate the various differences in smaller company internal control and to direct the auditor to tailor the audit for smaller companies. The standard will allow auditors to determine how best to obtain reasonable assurance by evaluating each company's size and complexity (e.g., the number of employees, lines of business, etc.), make a judgment about how those attributes will affect internal control and then adjust accordingly.

Simplified Standard. AS5 is intended to be shorter, easier to understand and more clearly scalable to audits of companies of all sizes and complexity. Among the changes are:

  • Reduced granularity. (Although there are apparently two pages on benchmarking of IT controls.)
  • Redefined key terms. The existing definitions tell much of the story of the problems with AS2; commentators have noted that the definitions could easily "lead to auditor concerns about internal control based on hypothetical situations that have not occurred and are not very likely to occur." Under the proposed new standard, the current problematic definitions of "material weakness" and " significant deficiency" would be replaced:
    • Instead of using a "more than remote" test as a threshold of likelihood of resulting in a misstatement, the new definition of material weakness would use a "reasonable possibility" test; and
    • Instead of a "more than inconsequential' test, the new definition of significant deficiency would use a "significant" test.
    • In place of the reference to significant deficiencies in the definition of material weakness, the proposed standard uses the term "control deficiency." The current reference within the definition to significant deficiency raised concern that auditors were performing audits "at a level of detail necessary to ensure that their procedures identify all significant deficiencies, rather than only all material weaknesses. The objective of an audit of internal control is to obtain reasonable assurance as to whether material weaknesses exist."
  • Clarification that the auditor’s evaluation of materiality for purposes of an internal control audit is based on the same long-standing principles applicable to financial statement audits. As to scoping of the audit, "materiality" may be determined in relation to annual financial information; then interim information would be used to evaluate materiality.
  • Consolidation of the PCAOB's standards on using the work of others in internal control audits and in financial statement audits into one new standard, so as to better facilitate integration of the two audits.
  • Revision of strong indicators of a material weakness. The proposal makes clear that strong indicators should bias the auditor toward a conclusion that a material weakness exists, but do not require the auditor to reach that conclusion. To reaffirm the degree of judgment required to make these evaluations, the proposal would eliminate the requirement to consider the described circumstances as at least significant deficiencies. While, under the proposed new standard, a restatement would continue to be a strong indicator of a material weakness, there would be latitude for the auditor to conclude that it did not even represent a significant deficiency (for example, if the restatement is just the result of a interpretive difference regarding a difficult analytical accounting issue.) The proposed standard also would clarify how the auditor should evaluate whether uncorrected significant deficiencies reflect a material weakness. AS2 considered significant deficiencies that have been communicated to management and the audit committee and remain uncorrected after a reasonable period of time to be a strong indicator of a material weakness. The proposed standard focuses on the control environment by providing that these uncorrected significant deficiencies could indicate that the company's control environment may be ineffective. If, after an evaluation, the auditor determines that the company's control environment is, in fact, ineffective, "the ineffective control environment—not the uncorrected significant deficiencies—would be a strong indicator of a material weakness."
  • The new standard would refocus the multi-location testing requirements on risk rather than coverage and recalibrate the walkthrough requirement.
Other proposals include a revision of the independence requirement (currently is embedded in AS2), which requires the auditor to seek specific preapproval by the audit committee of any internal control-related service. The new standard would require preapproval on either an ad hoc basis or based on committee-approved policies and procedures. In addition, the date of completion of the audit will change from the date of completion of the field work to a date no earlier than the date the auditor has obtained sufficient competent evidence to support the opinion.

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may be considered Attorney Advertising and is subject to our legal notices.