Post–Sarbanes-Oxley Audit Planning
Perceptions of Internal Control Assessments and Other Institutional Considerations

By Jennifer Blaskovich and Natalia Mintchik

E-mail Story Print Story

The authors surveyed external auditors from two of the Big Four firms. The purpose was to examine factors that affect audit efforts as managers and auditors try to meet the demands of section 404. Specifically, the survey addressed auditors’ reactions to management personnel who engage consultants to assist in section 404 compliance. The authors also gathered information on other institutional factors that impact audit planning decisions in the section 404 environment. The findings provide relevant information to regulators as they continue to reevaluate the requirements of section 404, and to auditors as they incorporate a novel type of audit evidence into their audit programs.

Background

After three years of experience with the provisions of SOX, the Public Company Accounting Oversight Board (PCAOB), auditors, and corporate America remain locked in debate over the most efficient ways to achieve SOX’s intended benefits. A main source of contention is SOX section 404, which has been widely criticized for the excessive costs of compliance. In response, on May 24, 2007, the PCAOB adopted a new auditing standard: An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements (AS5). AS5 replaces the relevant guidance in Auditing Standard 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements (AS2). In AS5, the PCAOB consistently emphasizes the need to eliminate efforts that do not enhance audit quality. The board also suggests that higher-than-expected compliance costs have resulted in part because the prior standards may have encouraged auditors to perform unnecessary procedures and duplicative testing due to a lack of integration between the audit of internal control and the audit of financial statements.

Another factor in the excessive cost of section 404 compliance might be management’s fear of failure. Prior studies have documented not only a decline in share price of companies that report material weaknesses, but also a negative impact on the careers of the executives responsible. Accordingly, it is in management’s best interest to ensure that internal controls meet the rigorous standards of SOX before the external auditors begin their evaluation. This reality has encouraged an increasing number of organizations—as many as 60%, according to one survey—to hire consultants independent of the external auditors to assist with section 404 compliance. That percentage might increase further when section 404 becomes effective for small companies, which are unlikely to have sufficient resources and expertise in the area of internal controls. This practice has been referred to as a “party of three” or “double audit” situation and adds yet another layer of cost to section 404 compliance.

AS5 demonstrates that the PCAOB recognizes the duplication of efforts among different parties as a major source of post-SOX audit inefficiencies, and takes action to resolve the issue. In particular, AS5 reveals a significant shift in the PCAOB philosophy regarding the appropriate extent of auditors’ reliance on the work of others. AS2 reflected the initial PCAOB approach, stressing that the auditors’ own work must serve as “principal evidence for the auditor’s opinion” in the internal control audit. In contrast, AS5 emphasizes “removing barriers to using the work of others” and completely eliminates the principal-evidence provision for integrated audits of the financial statements and internal control over financial reporting. In addition, contrary to Statement of Auditing Standards (SAS) 65, The Auditor’s Consideration of the Internal Audit Function in an Audit of Financial Statements (AU section 322), which limits external auditors’ reliance in the audit of financial statements on the work of internal auditors, AS5 explicitly includes “company personnel (in addition to internal auditors), and third parties working under the direction of management or the audit committee” in the list of subjects whose work external auditors might consider as audit evidence in the process of an integrated audit. The suggestion of a single, unified framework “for the auditor’s decisions about using the work of others … as audit evidence” (PCAOB Release 2006-007, p. 22), and an explicit reference in this framework to third parties working under the direction of management, imply the PCAOB’s awareness of the growing use of external consultants for SOX section 404 compliance and confirm the board’s willingness to remove potential barriers to achieve a fully integrated and efficient audit.

Overall, the PCAOB explicitly encourages “greater use of the work of these others by requiring auditors to evaluate whether and how to use their work to reduce auditor testing” and points out: “When the auditor duplicates high-quality, relevant work that already has been performed by competent and objective individuals, he or she risks increasing effort without enhancing quality” (PCAOB Release 2006-007, p. 21). The PCAOB suggests that external auditors should consider three important factors in determining whether reliance on the work of others is warranted in each particular case: 1) the nature of the subject matter being tested, 2) the competence of the persons performing the testing, and 3) the objectivity of the persons performing the testing. These factors are widely accepted in auditing literature. It is not clear, however, to what extent the factors are applicable to the auditors’ decision whether to rely on the work of external consultants. Unlike internal auditors, external consultants work under the direction of management. Unlike company personnel, external consultants are employees of a separate legal entity or are self-employed. In addition, the involvement of external consultants is not explicitly regulated by current standards, and the decision to involve the external consultants represents a voluntary managerial choice. Therefore, management’s motivation for engaging the external consultant, or auditors’ perception of such motivation, might play an important role in auditors’ decisions whether to rely on this particular type of audit evidence.

This raises several important questions. Do auditors believe that the involvement of an external consultant demonstrates a legitimate managerial interest to assess the state of internal controls? Or do they view it more as a signal of problems with the organization’s internal controls that would, in fact, increase auditor skepticism? Furthermore, is it plausible to speculate that corporate management might hire external consultants to reconfigure the company’s information processes in an “audit-minded” manner to hide potential deficiencies? While this last motivation might seem too extreme, even regulators recognize the potential risks present when a person in a “financial oversight role” has too much information about the methods and techniques of the audit process. For example, the SEC’s recent independence rules prescribe that the independence of the audit firm is impaired in the current fiscal year if a member of the audit engagement accepts a “financial reporting oversight role” with the audit client without observing a specified “cooling-off” period. As one reason for this rule, the SEC mentions the threat that the former employee’s “familiarity with the firm’s audit process and the audit partners and employees of the firm will enable him or her to affect the audit as it progresses” [SEC Rule No. 56 (2001)]. Further exploration of auditors’ perceptions in this area is warranted.

To gain insight into these questions, the authors conducted a survey regarding auditors’ perceptions of an external consultant’s involvement in management’s assessment of internal controls. The authors also asked auditors about other factors, such as client and institutional characteristics, that influence auditors’ planning decisions in the post-SOX environment.

Ninety-two auditors from two Big Four firms completed the survey. Thirty-four auditors from one firm completed the survey materials during a training session in the presence of the authors. Responses from 58 auditors from the other firm were obtained through cooperation with a contact partner, who distributed and later collected the survey materials. The participants included partners (3%), senior managers (14%), managers (13%), seniors (38%), and staff (32%). Participants were roughly evenly split by gender (49% were female), 62% of the participants had a master’s degree or higher, and 75% of the participants held CPA licenses.

Analysis and Findings

Exhibit 1 presents evidence on auditors’ attitudes toward the involvement of an external consultant in management’s assessment of internal controls. The engagement of a consultant reflects positively on management. The majority of respondents (62%) agreed that the involvement of a consultant signals legitimate managerial interest in assessing the state of internal controls. Only 13% of the respondents disagreed with this statement, with 25% neutral. Most did not believe that external consultants raise questions about management, because 74% of respondents disagreed or strongly disagreed that external advisers’ involvement implies a managerial intent to hide problems. Some auditors, however, do believe that such involvement is more likely in the presence of initial internal control deficiencies. Half (50%) of the respondents agreed or strongly agreed with the statement that the involvement of external advisers implies management is concerned about potential internal control weaknesses. Just under a quarter (23%) of the respondents disagreed or strongly disagreed with this statement, while the remaining 27% were neutral.

As a whole, results suggest that external auditors perceive the involvement of the external consultant as a positive reflection on management that may result in some reduction of the audit risk for external auditors.

Exhibit 2 summarizes auditors’ responses to the importance of various client and institutional factors in their assessment of budgeted audit hours for a hypothetical engagement. The authors focused on budgeted audit hours because they offer the most direct reflection of the effort that auditors perceive to be necessary when they are planning the engagement. In addition, the PCAOB explicitly cited the objective of reducing audit hours when proposing the new standards.

The survey results indicate, perhaps not surprisingly, that traditional factors such as management integrity and the quality of the internal audit team are extremely important in auditors’ budget decisions. More than 50% of the respondents labeled those factors as very important, while most of the other respondents referred to them as somewhat important.

With all the current attention on corporate governance, it is surprising that auditors did not assign the same level of importance to the quality of the audit oversight committee. Only 30% of the respondents described this factor as very important to their budget decision, and 46% of the respondents referred to it as somewhat important. Such results suggest that budgeted audit hours reflect not just concerns about audit effectiveness, but also reveal a peculiarity of the audit process. Unlike the internal audit function that provides concrete evidence which auditors can rely upon, the strength of the audit committee provides only psychological comfort. Auditors may perceive less risk when governance is strong, but it does not appear to translate into reduced budgets. After all, even if auditors have no specific concerns about corporate governance, they are still required to employ a significant amount of resources to conduct routine audit procedures and document their results.

Furthermore, although a risk-based approach is the focus of current audit methodology, institutional factors appear to remain influential in auditors’ decisions. The survey results highlight the importance of institutional factors, such as the presence of inexperienced staff in need of on-the-job training, a shortage of experienced auditors, personal time constraints, and the hours needed to follow through on each procedure specified in the program. More than 70% of the respondents labeled those factors as very important or somewhat important. Specifically, 77% of respondents perceived the shortage of experienced auditors as a very important or somewhat important factor in their budget decisions. Similarly, 76% of respondents viewed the need to devote at least some time to each procedure specified in the program as very important or somewhat important. In other words, auditors consider these institutional factors to be almost as important to their budget decisions as are client characteristics, such as the quality of the audit oversight committee.

Implications

Although excessive compliance costs have been a major criticism of SOX section 404, this survey indicates that opportunities for reduction of unnecessary effort do exist. In the discussion surrounding the adoption of AS5, the PCAOB specifically expressed an interest in whether the proposed changes will reduce audit hours. The authors’ findings imply that the PCAOB’s new standards encouraging auditors to rely to a greater degree on the work of others may contribute to achieving this objective. Auditors view an external consultant as a legitimate attempt by management to identify and remedy internal control weaknesses. Thus, if corporate management hires external consultants to assist in the assessment of internal control, relevant evidence not available to the auditor prior to SOX is generated. The PCAOB appears ready to allow auditors to rely on this evidence to reduce procedures performed in the internal control audit. Audit firms can benefit from the PCAOB’s emerging philosophy by supporting the newly proposed standards. Specific firm guidelines can then be developed and implemented to use the work of external consultants as evidence and to eliminate redundancies in the audit process.

An interesting finding that both regulators and audit firms should address is the influence nonclient factors have on auditors’ planning decisions. Auditors’ conservative inclination to exercise an approach consistent with the prior year, and to devote at least some time to each procedure specified in the program, contradicts a risk-based approach. Granted, the prespecified audit program and prior-year documentation serve as a good starting point. This route may not, however, direct auditors to the most important areas of risk and associated controls. Stressing the importance of a risk-based approach to all members of the audit team is critical to the successful reduction of unnecessary and costly procedures.

Unfortunately, the authors’ survey indicates that the shortage of available and experienced personnel continues to present a problem for the profession. Although staffing and time constraints have always played a role in budgeting, the new environment may exacerbate the issue. In the past, the relatively routine substantive testing that comprised a major part of the external audit was performed by inexperienced auditors. As current guidance has moved the focus of testing away from substantive testing and toward tests of controls, the question of whether inexperienced auditors are prepared to meet these demands remains unanswered. Do they have the skills and training to adequately perform this function? Are experienced auditors, accustomed to assigning substantive tests to new staff, reluctant to fully utilize that staff in the controls-focused approach? If not, the increased workload on the experienced auditors may prove unreasonable. It is unclear how this will affect overall audit costs, audit firms’ training policies, and demands on the qualifications of future inexperienced auditors.

Analyzing Influential Factors

In conclusion, the authors summarize their survey findings by answering the questions posed earlier. Yes, auditors have a positive view of a client’s use of external consultants, and appear willing to rely on this work to reduce testing. Corporate management’s use of consultants does appear to offer an opportunity for reducing unnecessary audit effort. Nevertheless, the importance placed on other client characteristics by the auditors in the survey implies that management may reap greater rewards by investing in a strong internal audit function. Regardless of whether the “other” is a consultant or an internal auditor, the PCAOB may well accomplish its goal of reducing audit hours through AS5. Finally, although auditors are appropriately influenced by client characteristics, institutional factors and personnel concerns strongly affect audit hours. These issues must be addressed by each audit firm and the profession as a whole before the goal of a truly integrated and efficient audit can be realized.

©2008 The New York State Society of CPAs. Legal Notices