SEC approves PCAOB Auditing Standard No. 5
The Commission expects the new auditing standard, in combination with the Commission's new management guidance, will make Section 404 audits and management evaluations more risk-based and scalable to company size and complexity.
"In approving Auditing Standard No. 5, the Commission has strengthened investor protection by refocusing resources on what truly matters to the integrity of financial statements. This is an exceptionally positive step for both investors and for America's capital markets," said SEC Chairman Christopher Cox. "This standard and the Commission's interpretive guidance for management represent the culmination of two years' work by the Commission and the PCAOB and our respective staffs to make the implementation of Section 404 more effective and efficient. I want to thank everyone involved for their hard work in responding to and addressing the concerns created by the unduly expensive and inefficient Auditing Standard No. 2."
The Commission unanimously approved the Public Company Accounting Oversight Board's (PCAOB) proposed Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That is Integrated With An Audit of Financial Statements (Auditing Standard No. 5), a related independence rule, and conforming amendments (File No. PCAOB-2007-02). The Commission also adopted a definition of the term "significant deficiency."
Auditing Standard No. 5 will replace PCAOB Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements (Auditing Standard No. 2). It provides the new professional standards and related performance guidance for independent auditors to attest to, and report on, management's assessment of the effectiveness of internal control over financial reporting under Section 404(b) of the Sarbanes-Oxley Act of 2002. Examples of some of the improvements that have been made by the PCAOB's new auditing standard that will replace Auditing Standard No. 2 include:
1. Auditing Standard No. 5 is less prescriptive.
The mandatory requirements (i.e., the "shoulds") that exist in Auditing Standard No. 2 have been significantly reduced in Auditing Standard No. 5. That means the auditor can focus on performing tests in those areas where, in the auditor's judgment, it's actually necessary.
Management and audit committees now can engage in a more meaningful dialogue with their auditors to ensure that auditors are focused on what matters - risk and materiality - and not on rote compliance with a rulebook.
Auditing Standard No. 5 is less than half the length of Auditing Standard No. 2 and is easier to read.
2. Auditing Standard No. 5 makes the audit scalable - so it can change to fit the size and complexity of any company.
There are notes throughout the new standard explaining how to apply the principles to smaller or less complex companies. Under the new standard, companies' control systems won't have to be designed to fit the audit standard, but rather to achieve the intended objective of improving the quality of financial statements.
For example, the standard explains that for audits of smaller and less complex companies, the auditor can appropriately reduce the amount of internal control testing. The auditor can consider alternative controls - for example, if management's ability to segregate duties is limited; and the auditor can also use inquiry, combined with other procedures such as observation or reperformance - for example, when the operation of controls by management results in limited or no documentation trail.
3. Auditing Standard No. 5 directs auditors to focus on what matters most - and eliminates unnecessary procedures from the audit.
It directs auditors to those areas that present the highest risk, such as the financial statement close process and controls designed to prevent fraud by management. It emphasizes that the auditor is not required to scope the audit to find deficiencies that don't constitute material weaknesses. It also allows auditors to use knowledge accumulated in previous years' audits to reduce testing.
Auditing Standard No. 2 included detailed requirements for the auditor to evaluate management's evaluation process. The new standard clarifies that management's process is not the focus of the audit. Rather, the audit is focused on the effectiveness of a company's internal control over financial reporting. As a result, it will eliminate auditors requiring companies to do work that isn't necessary.
4. Finally, Auditing Standard No. 5 includes a principles-based approach to determining when and to what extent the auditor can use the work of others.
A principles-based approach allows auditors to apply professional judgment in determining the extent to which they'll use the work of others. The new standard itself expressly permits auditors to use, in the internal control audit, testing and other internal control work performed by persons other than internal auditors. This principles-based approach is in fact based on the auditor's consideration of the objectivity and competence of those performing the work. These two factors are the most important considerations in the auditor's determination of when and to what extent the auditor can use the work of others.
"By providing interpretive guidance to companies and by working with the PCAOB on the development of Auditing Standard No. 5, the Commission has replaced the current inefficient system of 404 implementation with an approach that allows for tailoring and scaling of evaluations and audits according to the relevant facts and circumstances. Still, Auditing Standard No. 5 provides for effective and meaningful internal control evaluations and audits to protect investors," said SEC Chief Accountant, Conrad Hewitt. "We expect the implementation to remove unnecessary, expensive and inefficient procedures that don't make good use of investors' money and distract attention from what's important. Auditing Standard No. 5 should help to bring cost in line with benefits for investors."
"The Commission's approval of Auditing Standard No. 5 represents the last major step in the roadmap the Commission laid out just over a year ago for improving the rules and guidance implementing Section 404 for public companies of all sizes," said John White, Director of the SEC's Division of Corporation Finance. "The cooperative efforts and hard work of the Commission, the PCAOB, and their staffs have provided investors and our capital markets the improvements to the implementation of Section 404 that they deserve. We can now turn our attention to ensuring a successful implementation and the excepted reductions in costs."
The Commission also approved PCAOB Rule 3525, which further implements Section 202 of the Act's pre-approval requirements by requiring auditors to take certain steps as part of seeking audit committee pre-approval of internal control related non-audit services. Finally, the conforming amendments approved by the Commission, update the PCAOB's other auditing standards.
Auditing Standard No. 5, PCAOB Rule 3525, and the Conforming Amendments will be effective and required for integrated audits conducted for fiscal years ending on or after Nov. 15, 2007. However, earlier adoption is permitted and encouraged. The Commission's recent amendments to Regulation S-X become effective on Aug. 27, 2007 and the Commission will begin accepting the single auditor's attestation report on the effectiveness of internal control over financial reporting prescribed in Auditing Standard No. 5 in timely filings received starting on that date.
The Commission also adopted a definition of significant deficiency to define this term as a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the registrant's financial reporting. This definition is used in the context of evaluating the required communications under both Sections 302 and 404 of SOX and the SEC's implementing rules.
The Commission is also taking this opportunity to express again its appreciation to its Advisory Committee on Smaller Public Companies, the Public Company Accounting Oversight Board, and the hundreds of investors, companies, auditors, and others who responded to the Commission's and PCAOB's various requests for comments regarding audits of internal control over financial reporting. Our efforts in improving Section 404 implementation were considerably aided by the helpful insights and suggestions provided.