PCAOB & SEC Issue Internal Controls Auditing Guidance

The Public Company Accounting Oversight Board (PCAOB) issued additional guidance on the implementation of Auditing Standard No. 2 (AS No. 2) on Monday, May 16, 2005. The new guidance represents the PCAOB’s response to concerns raised during the Roundtable on Implementation of Internal Control Reporting Provisions held on April 13, 2005 and consists of both a Board Policy Statement and a series of staff questions and answers. Both focus on the scope of internal control audits and how much internal control testing is required. In addition, the guidance strives to correct the perception that provisions of Auditing Standard No. 2 must be rigidly applied leaving no room for the auditor to exercise judgment.

“It is clear to us that the internal control assessment and audit process has the potential to significantly improve the quality and reliability of financial reporting,” PCAOB Chairman William J. McDonough said. “At the same time, it is equally clear to us that the first round on internal control audits cost too much. Through the guidance we issue today, as well as our upcoming inspections, we are committed to seeing the AS No. 2 is implemented in a manner that captures the benefits of the process without unnecessary and unsustainable costs.”

According to the Board Policy Statement [1], in order to properly plan and perform an internal controls audit, auditors should:

• Integrate internal control and financial statement audits in such a way that the evidence gathered and tests used in the course of either audit can be applied toward the completion of both audits.
  
• Tailor audit plans to the risks facing each client rather than relying on standardized “checklists”.
  
• Utilize a top-down approach beginning with company-level controls, in order to identify areas relevant to internal controls that need further testing and to eliminate those areas that, based on risk assessments, have little likelihood of containing material misstatements.
  
• Take advantage of the flexibility of AS No. 2 to use the work of others.
  
• Communicate with audit client’s in a direct and timely manner when the client seeks the auditor’s views on internal control issues, particularly prior to the client making decisions, implementing processes or finalizing financial reports.

Also on Monday, the Securities and Exchange Commission (SEC) issued a complementary Commission Statement on Implementation of Internal Control Reporting Requirements [2]. The Statement recognizes that implementation of AS No. 2 has resulted in significant cost increases, some of which may have been excessive or unnecessary. Public accounting firms are urged to recognize a zone of acceptable and reasonable conduct that is acceptable in the implementation of Section 404 of the Sarbanes-Oxley Act (SOX).