PCAOB PROPOSED INTERNAL CONTROL AUDIT STANDARD

Transcription

1 PCAOB PROPOSED INTERNAL CONTROL AUDIT STANDARD Lorraine Magrath, Troy University Troy Campus Eddy J. Burks, Troy University Troy Campus ABSTRACT Two complete annual financial reporting cycles have been completed since the Public Companies Accounting Oversight Board (PCAOB) began requiring that auditors apply the provisions of Auditing Standard No. 2 (AS No. 2), An Audit of Internal Control Over Financial Reporting that is Integrated with an Audit of Financial Statements. The PCAOB has determined two significant effects since implementation of AS No. 2: (1) the audit of internal control has produced significant benefits and (2) the benefits have come at a significant cost. The significant costs of implementation have prompted the PCAOB to evaluate AS No.2 and to propose a new auditing standard. This paper summarizes the proposed standard and significant differences between AS No. 2 and the proposed standard. INTRODUCTION The Public Companies Accounting Oversight Board (PCAOB) issued An Audit of Internal Control Over Financial Reporting that is Integrated with an Audit of Financial Statements (AS No. 2) in June AS No. 2 implemented requirements of Section 404 of the Sarbanes Oxley Act by requiring that financial statement issuers include an assessment of internal controls as well as an auditor s report on that assessment in their annual reports. After completion of two full annual financial reporting cycles under AS No. 2, the PCAOB is re-evaluating the standard to determine if the requirements of that standard cause auditors to perform unnecessary audit procedures (PCAOB). After issuance of AS No. 2, the PCAOB monitored its implementation and determined that the standard had two significant effects: (1) the audit of internal control has produced significant benefits and (2) the benefits have come at a significant cost. The benefits of the implementation of AS No. 2 include improvement in audit committee oversight and higher quality and more transparent financial reporting. The costs associated with implementation of AS No. 2 include greater effort on the part of management and auditors in ensuring the assessment and associated audit report are prepared in accordance with the PCAOB s requirements. Specifically, the PCAOB indicates that it has heard a consistent message that compliance with the internal control provisions of the Act has required greater effort and resulted in higher costs than expected (PCAOB). The significant costs of implementation of AS No. 2 have caused the PCAOB to evaluate the standard to determine if the provisions invite auditors to perform unnecessary procedures. The PCAOB s evaluation resulted in a proposal for a new

2 auditing standard on internal control over financial reporting that would supersede AS No. 2. PROPOSED STANDARD According to the PCAOB, the proposed standard has four primary objectives: (1) to focus the audit on matters most important to internal control, (2) eliminate unnecessary procedures, (3) scale audits for smaller companies, and (4) simplify the requirements. The first objective of the proposed standard, focusing on the most important internal control matters, would be accomplished by (1) directing auditor attention to the most important internal controls, (2) emphasizing the importance of risk assessment, (3) revising the definition of significant deficiency, (4) revising the definition of material weakness, and (5) clarifying the role of materiality in the audit. The second objective, eliminating unnecessary procedures, would be accomplished by (1) removing the requirement to evaluate management s process, (2) permitting consideration of prior audit knowledge, (3) focusing the multi-location requirement on risk, (4) removing barriers to the work of others, and (5) recalibrating the walkthrough requirement. The third objective, scaling the requirements for smaller companies, would institute procedures directing auditors to consider the attributes and complexities of smaller companies. The fourth objective, simplification of requirements, would be accomplished by reducing detail, reflecting the sequential flow of an audit of internal controls, and improving readability. SIGNIFICANT CHANGES Implementation of the proposed standard and the resulting attainment of the objectives outlined previously will be accomplished by replacing AS No. 2 with a new standard. In this section, the four objectives of the proposed standard and the significant changes between the proposed standard and AS No. 2 that are necessary to accomplish the objectives are discussed. Focusing the Audit on the Matters Most Important to Internal Control The PCAOB has indicated that many issuers have said that the internal control audit under the guidance of AS No. 2 is too focused on the detailed, process-level aspects of internal control. In addition, the PCOAB has indicated that many issuers fail to identify the material weaknesses that are early indicators of problems rather than material weaknesses that have already resulted in a material misstatement. The PCAOB has determined that the ability to detect important problems will be enhanced by using a top-down audit approach which stresses risk assessment. When using the top-down approach, auditors identify the controls to test by starting at the top

3 (financial statements and company-level controls) and linking these controls to significant accounts, relevant assertions, and significant processes where other important controls exist. The top-down approach differs from the guidance in AS No. 2 in that it focuses on controls that are important to the auditor s conclusion, moving the focus from individual transaction-based controls to overall entity-based controls. Thus, if the company/entity-level controls are strong and link directly to process-level controls or if the controls are precise enough to prevent or detect material misstatements to relevant assertions, the auditor may be able to reduce the testing of controls at the process level. The emphasis on a top-down approach emphasizes the importance of obtaining an understanding of company-level controls at the beginning of the audit process. In addition to the top-down approach, the PCAOB encourages a focus on internal controls that are important to fraud prevention and detection. As a result, the proposed standard requires that auditors evaluate the control environment and controls over the period-end financial statement close process. The proposed standard also requires that auditors address the risk of management override to internal controls. Emphasizing the Importance of Risk Assessment The proposed standard emphasizes the importance of risk assessment in the audit. The PCAOB believes that focusing auditor attention to the areas of greatest risk will produce a more effective audit and reduce the risk that a material misstatement will be undetected. In addition, using risk assessment appropriately enhances efficiency by diverting attention from controls that, even if deficient, would not present a reasonable risk of material misstatement in the financial statements. The proposed standard requires risk assessment at each of the decision points in a top-down approach. Thus, the auditor s identification of significant accounts and relevant assertions requires an understanding of the related risks and how those risks affect the auditor s decision making. The proposed standard describes the risk factors that auditors should assess. According to the PCAOB, AS No. 2 indicates that the absence of misstatements detected by substantive procedures performed in a financial statement audit do not provide evidence that controls are effective. In contrast, the proposed standard directs auditors to consider the results of substantive procedures performed in the financial statement audit when determining the overall risk related to a control. The proposed standard also indicates that control effectiveness cannot be inferred by the absence of material misstatements. To obtain evidence about whether a control is effective, the control must be directly tested. Clarifying the Role of Materiality in the Audit

4 The concept of materiality is key to the audit of internal control. However, PCAOB has determined that several aspects of AS No. 2 have been interpreted by auditors as directing the auditors to search for all potential defects in internal controls, regardless of the effect on financial reporting. The proposed standard clarifies that the auditor should plan and perform the audit of internal control using the same materiality measures used to plan and perform the audit of the financial statements. Eliminating Unnecessary Procedures In the proposed standard, the PCOAB suggests eliminating the requirement that auditors evaluate the process management used to evaluate internal controls. The current Securities and Exchange Commission rules require that management base its evaluation of internal controls on a suitable framework. AS No. 2 requires that auditors evaluate the process by which management applied the suitable framework and determine if management s evaluation process provided sufficient evidence for a conclusion. Many issuers believe that auditors are retesting controls tested by management for the sole purpose of concluding on management s evaluation process. Others believe that auditors are dictating how management should perform its evaluation, sometimes resulting in unnecessary effort and costs. As a result of its evaluation of AS No. 2 implementation, the PCAOB states in the proposed standard its belief that the auditor should obtain an understanding of management s evaluation process as a start to understanding company-level controls. However, the PCAOB s proposed standard eliminates the requirement that auditors evaluate management s annual internal control evaluation process. Further, the proposed standard would require that auditor s express only one opinion on internal control the opinion of the auditor on the effectiveness of the company s internal control over financial reporting. The proposal eliminates the separate opinion on management s assessment. Recalibrating the Walkthrough Requirement A walkthrough is performed to gain an understanding of the company and its controls, determine any changes from prior years, and evaluate the design of internal controls. Typically, in performing a walkthrough, the auditor follows a transaction from its origin through the information system, including presentation on financial reports. Walkthroughs are beneficial because they require that the auditor interact with those responsible for internal controls and because walkthroughs give the auditor the opportunity to learn about the operations of the companies they audit. In AS No. 2, auditors are required to complete walkthroughs for all major classes of transactions. Many issuers have expressed concern over the amount of time and effort required for the walkthroughs. Although the PCAOB believes that walkthroughs are essential to every audit of internal controls, they have listened to issuers and, in the proposed standard, have reduced the number of required walkthroughs.

5 The proposed standard would require a walkthrough for each significant process, rather than for each major class of transactions within significant processes. The major example the PCAOB gives is with respect to both internet and brick-and-mortar sales. A walkthrough of at least one transaction would be required if an issuer generates revenue through retail sales, but not if the issuer also generates internet sales handled by the same significant process under the same risk structure. The PCAOB suggests that during the walkthrough, the auditor would consider the different risks for different transaction types and determine how the company s internal controls address those risks. The proposed standard clarifies that the auditor is not required to follow a separate transaction through each minor variance in the significant process and is intended to make walkthroughs more efficient. In addition, the proposed standard would allow the auditor to use the direct assistance of others when performing the walkthrough. Although the PCAOB believes that walkthroughs are effective only when the auditor is significantly involved, it recognizes that walkthroughs will be more efficient if auditors are allowed to use the direct assistance of supervised, sufficiently competent, and objective individuals. Scaling the Audit for Smaller Companies The proposed standard recognizes that a company s size and complexity are important when determining procedures an auditor should perform. The PCAOB believes that the significant changes eliminating unnecessary audit work for all companies will affect smaller companies. Specific changes, which include focusing the audit on the most important controls, focusing on company-level controls, and using risk assessment to determine necessary evidence, should make the audit of internal controls more suitable for smaller companies. In addition, the attention to company-level controls The proposed standard includes a section that would require auditors to evaluate the size and complexity of a company in planning and performing the audit and includes a provision that identifies smaller companies, based on the SEC s Advisory Committee on Smaller Public Companies recommendations. CONCLUSIONS The PCAOB has four primary objectives it intends to achieve with the issuance of the proposed standard An Audit of Internal Control Over Financial Reporting that is Integrated with an Audit of Financial Statements: (1) to focus audits on matters most important to internal control, (2) to eliminate unnecessary procedures, (3) to scale audits for smaller companies, and (4) to simplify reporting and auditing requirements. This paper has briefly summarized the proposed statement and has indicated significant differences between AS No. 2, the current standard for audits of internal control.

6

7 REFERENCES PCAOB, Public Company Accounting Oversight Board, Release No , An Audit of Internal Control Over Financial Reporting that is Integrated with an Audit of Financial Statements, December 2006 (