PCAOB Issues Report On First Year Implementation of AS5
Earlier today, the Public Company Accounting Oversight Board issued a report on the first year of implemenation of Auditing Standard No. 5 (AS5), An Audit of Internal Control Over Financial Reporting That is Integrated With An Audit of Financial Statements. (PCAOB press release http://www.pcaobus.org/News_and_Events/News/2009/09-24.aspx ; PCAOB report http://www.pcaobus.org/Inspections/Other/2009/09-24_AS5_4010_Report.pdf .) As noted in PCAOB's press release:
PCAOB Acting Chairman Dan Goelzer said: “This report finds that, in the engagements our inspection teams looked at, auditors generally focused on the areas that presented more significant audit risk. While we are encouraged by the first-year implementation of AS No. 5, there is still room for improvement, and we will continue to review and assess the effectiveness of firms’ integrated audit procedures in 2009.”
PCAOB Director of the Division of Registration and Inspections, George Diacont, said: This report discusses six areas in which auditors may be able to make further improvements in their integrated audits, and I encourage auditors to use this report to do so.”
The PCAOB's report, based on information obtained through inspections, notes:
"The inspectors' observations varied both across and within the firms. In each of the areas that inspectors reviewed, inspectors observed instances of inappropriate application of the standard. In general, the areas where inappropriate application was most frequently observed were risk assessment, the evaluation of entity-level controls, and the nature, timing, and extent of the controls testing. Although the observations described in this report were derived from the performance of various engagement teams at certain firms – who constitute a subset of the auditors who performed integrated audits in 2007 and early 2008 – the Board believes that the observations described in this report can benefit auditors generally, whether they are experienced in performing integrated audits or are performing their first such audits."
Among topics discussed in the report is Use of Work of Others. Highlights include (reformatted/bulleted for emphasis):
o AS No. 5 provides that the auditor may use the work of others to reduce his or her own work, but the extent to which the auditor does so should depend on the risk associated with the controls being tested, as well as on the competence and objectivity of the individuals performing the work. In the selected areas of the engagements reviewed, the inspectors observed that auditors generally used the work of others in a manner that was related to their assessments of the degree of risk associated with the controls being tested, particularly in lower-risk areas. Similarly, the auditors' use of the work of others in the majority of instances reviewed was consistent with the auditors' assessment of the competence and objectivity of those individuals....
o The inspectors also identified several instances that presented further opportunities for the auditors to use the work of others when the assessed level of risk was lower, including when testing certain system reports and application controls.
o The inspectors observed other instances, though, where the extent of the auditor's use of the work of others to reduce the auditor's own work was greater than was appropriate under AS No. 5 considering the level of risk associated with the control being tested (e.g., in the area of controls over journal entries, which generally would be considered higher risk because of the risk of management override or other risk of fraud).
o In certain instances, the auditors performed few or no procedures to assess the competence of the others relative to the task being performed, or they did not adequately assess the objectivity of the others, particularly where the work was performed by company personnel other than internal auditors.
o In addition, the inspectors observed numerous instances where the extent of the auditors' retesting of the work of others was seemingly unrelated to the risks involved (e.g., a uniform approach to retesting of 20 percent of the controls tested).
Is SEC Report Soon To Follow?
Issuance of this report by the PCAOB, leads me to believe that perhaps the SEC's Study of the Costs and Benefits of reporting under the current SEC & PCAOB rules implementating Sarbanes-Oxley Section 404 is not far behind (I remind you of the disclaimer on the right side of this blog, http://financialexecutives.blogspot.com/ this is my personal opinion only).
Specifically, the SEC announced last year (June 20, 2008 press release http://www.sec.gov/news/press/2008/2008-116.htm ): "that it received Office of Management and Budget (OMB) approval ... to proceed with data collection for a study of the costs and benefits of Section 404 implementation, focusing on the consequences for smaller companies and the effects of the Section 404 auditor attestation requirements. The results of the study are expected to become available during the extension period. With the extension, smaller companies will now be required to provide the attestation reports in their annual reports for fiscal years ending on or after Dec. 15, 2009. " See our Sept. 11 blog post http://financialexecutives.blogspot.com/2009/09/sarbanes-oxley-fair-valu... for further details.
FEI's research affiliate, the Financial Executives Research Foundation, has published various reports on Sarbanes-Oxley implementation. See, e.g. SOX 404 Optimization: Operational Trends http://www.financialexecutives.org/eweb/DynamicPage.aspx?site=_fei&webco... published Nov. 2008. (Note: 1.0 CPE available for this report.) Read more about FERF and its publications at http://www.ferf.org .
Separately, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has issued various publications over the past few years which entities implementating Sarbanes-Oxley Section 404 (and other entities not subject to Sarbox, but implementing similar requirements under AICPA guidance or other best practices) may find helpful, including Guidance for Smaller Public Companies, and Guidance on Monitoring Internal Control Systems. Visit http://www.coso.org for further information (executive summaries to all COSO publications are available by free download on COSO's website.)