Improving How Auditing Standards Are Issued
A Proposal for Revising the Process Based on PCAOB Auditing Standard 2

By John E. McEnroe and Mark Sullivan

E-mail Story
Print Story
NOVEMBER 2007 - On July 25, 2007, the SEC approved the Public Company Accounting Oversight Board’s (PCAOB) new standard on auditing internal control over financial reporting, Auditing Standard 5 (AS5), which replaces the existing Auditing Standard 2 (AS2). This was the most recent major undertaking in a series of steps related to the implementation of section 404 of the Sarbanes-Oxley Act (SOX), which required that covered companies include in their annual reports a report on internal control. Implementation of AS2 was problematic, and the broad consensus was that something went wrong with the process. Some critics may well be motivated by a desire for less-restrictive internal controls. Unquestionably, however, many parties recognize the importance of effective internal controls but believe that the implementation of SOX section 404 under AS2 has been more costly or less effective than it could have been. In light of this, the perceived difficulties in AS2’s implementation call for an examination of the implementation process and a suggestion for a revised promulgation procedure for future auditing standards issued by the PCAOB.

Rulemaking Process

Each department of the federal government has general authority under the U.S. Code to issue regulations that govern the administration of that department (5 USC 301). Rulemaking authority over the implementation of specific legislation, however, is typically authorized within that legislation, or the applicable section of the U.S. Code. SOX section 103(a)(1) gave authority to the newly created PCAOB to do the following:

[B]y rule, establish … and amend or otherwise modify or alter, such auditing and related attestation standards, such quality control standards, and such ethics standards to be used by registered public accounting firms in the preparation and issuance of audit reports, as required by this Act or the rules of the Commission, or as may be necessary or appropriate in the public interest or for the protection of investors.

SOX section 107(b)(2) gave the SEC the authority to approve or disapprove rules proposed by the PCAOB. Rules approved by the PCAOB but not approved by the SEC would ordinarily not come into effect [15 USC 78s(b)].

PCAOB rules, which include auditing standards, must first go through an approval process at the PCAOB, then a further approval procedure at the SEC. The PCAOB would ordinarily include the following steps in its process (

  • Consultation with its Standing Advisory Group and other groups interested in the development of auditing standards;
  • Recommendation by the board’s staff and approval of a proposed standard by the board at an open meeting;
  • Publication of the proposed standard and solicitation of public comment;
  • Recommendation by the board and approval of a final standard by the board, taking appropriate consideration of any comments received; and
  • Transmission of the standard to the SEC for consideration.

Once submitted to the SEC, the proposed standard is published in the Federal Register; interested parties are given an opportunity to provide written data, views, and arguments concerning the proposed standard; and the SEC, taking into account those views, either approves or disapproves the standard [section 19(b) of the Securities Act of 1934]. Additional statutory requirements relate to the standards for the SEC’s review, but in general there are no other restrictions imposed by law on the implementation of new rules. In fact, the governing language in the U.S. Code [15 USC 78w(a)] gives great flexibility to the SEC in its rulemaking procedures.

Exhibit 1 presents a flowchart developed by the PCAOB to describe the rulemaking process.

Development of AS2

In April 2003, the PCAOB adopted preexisting professional standards as its interim standards, including an auditing standard governing an auditor’s attestation on internal control (, p. 5). The board then convened a roundtable on July 29, 2003, to discuss issues related to the evaluation of internal control. Taking into account the comments at the roundtable, the PCAOB determined that the existing standard was inadequate and, on October 7, 2003, the board unanimously proposed AS2 and submitted that proposed standard, along with a related briefing paper, for public review. During the exposure period, the board received 193 written comments on the proposed standard. After analyzing the comments, the board approved a revised version of AS2, and forwarded it to the SEC on March 9, 2004.

On April 8, 2004, the SEC announced receipt of the standard and solicited comments from the public. The announcement was published in the Federal Register on April 16, 2004. Thirty-one letters were submitted from a variety of international and domestic sources: industry, public accounting firms, and professional associations. Many of the concerns involved the PCAOB’s definitions of such internal control concepts as “significant deficiency,” “reasonable assurance,” and “material weakness.” In general, the commenters desired more workable operational definitions of these terms. They also wanted more implementation guidance and they recommended specific changes, such as a one-year deferral period for subsidiaries acquired during the year. Several organizations opposed enactment of the standard, a major concern being the cost of compliance. After reviewing the comments, however, the SEC approved the standard without revision on June 17, 2004. The SEC acknowledged the nature of the comment letters and the source of the opposition. The SEC’s stated reason for not revising the standard to incorporate any suggestions was this: “The PCAOB gave careful consideration to the issues raised by these commenters in the course of revising the proposed standard prior to its adoption by the Board.” The implication is that all these issues would have been considered prior to the release of the April 8, 2004, document, and that the 31 comment letters contained redundant information.

The adoption of AS2 created the need for certain conforming amendments to the previously adopted interim PCAOB standards. The SEC approved the conforming amendments on November 17, 2004. Companies considered accelerated filers under Securities Exchange Act Rule 12b-2 were required to comply with the internal control reporting and disclosure requirements of SOX section 404 for fiscal years ending on or after November 15, 2004. Slightly more than 2,300 companies included an internal control report mandated by section 404 in their annual reports to the SEC in 2004 (according to Approximately 2,650 companies included the internal control report in 2005.

The process of developing and implementing AS2 allowed for substantial consideration by the members and staff of the PCAOB and the SEC. In addition, the final standard benefited from two rounds of public comment, first at the PCAOB and then at the SEC. Nevertheless, with the benefit of two years of experience, the process seems to have received substantially more criticism than praise. It is legitimate to question whether the process could have been improved.

The authors examined this question by doing the following:

  • They used the major revisions incorporated in AS5 as indicators of the major problem areas that have arisen from the original AS2. They also examined the original SEC comment letters on AS2 to determine whether the problems that arose after implementation had been anticipated beforehand.
  • They propose a modification that would be a substantial improvement over the existing process, examining the potential costs and benefits associated with their proposal.

A Comment on the Comment Letters

It is impossible to argue that the process of developing AS2 would have been improved by the elimination of the period for public comment. On the other hand, it is possible to maintain that the public comments themselves are not an adequate substitute for the knowledge gained by experience with the implementation of a new standard.

Exhibit 2 lists the major categories of issues that the PCAOB addressed in the development of AS5 as a replacement for AS2. In areas where it was ambiguous whether a comment addressed a particular issue, the authors assumed the comment should be interpreted broadly. By this measure, the comment letters addressed, at least minimally, many but not all of the issues that were ultimately determined to merit revision. Nevertheless, many problem areas were not mentioned at all in the comment letters, and even those that were mentioned were apparently not considered to justify a revision of the then–proposed AS2. That suggests to the authors that although the comment letter process is a valuable component of the implementation process, more is needed.

A Proposal to Modify the Implementation Process

As described below, AS2 was implemented in stages. The authors believe that the problems associated with the original AS2 could have been discovered in a much more cost-effective way had the proposal been implemented in more extended stages, over, say, three years, with a limited group of large companies required to comply earlier than smaller registered companies.

The newly enacted AS5 is a very different document from the original AS2, specifically because corporate officers, auditors, and members of the PCAOB and SEC learned much while firms were struggling to comply with the original AS2. As mentioned above, a modest phased implementation plan was used with AS2. That is, “accelerated filers” were required to comply with AS2 for years ending on or after November 15, 2004. Smaller companies that were classified as not “accelerated filers,” as well as foreign companies, initially had their deadline for compliance with AS2 delayed and, in fact, subsequent SEC pronouncements have further deferred the compliance date. This delay has permitted the SEC to modify the standard somewhat to accommodate the special requirements of certain foreign issuers. This type of staged implementation appears to be specifically contemplated in the statute authorizing the general issuance regulations by the SEC. That is, the statute indicates that the commission “may for such purposes classify persons, securities, transactions, statements, applications, reports, and other matters within their respective jurisdictions, and prescribe greater, lesser, or different requirements for different classes thereof” (

The authors believe that the SEC and PCAOB have probably not gone as far as they should have in implementing a phased compliance system. A company was deemed to be an “accelerated filer” for purposes of the implementation of AS2 if it had a “public float” of greater than $75 million. (The definition of accelerated filers was revised in 2005 to include a new category called “large accelerated filers.” That new definition affected periodic filing deadlines but not the effective dates for AS2.) Slightly more than 2,300 companies included assurance opinions in their 2004 annual reports, according to Sarbanes-Oxley: Financial and Accounting Disclosure Information, a website maintained by Karl Nagel & Co. ( It is not possible to say with any precision what percentage of total U.S. market capitalization is represented by those 2,300 companies, but there are estimates that the Standard & Poor’s (S&P) 500 account for 75% of the market capitalization of all U.S. listed companies, and that the Russell 1000 index accounts for more than 90% of the U.S. market.

If the SEC had decided, for example, that in the first year of implementation, 90% of the U.S. securities market should benefit from AS2, then approximately 1,000 companies could have been required to comply in the first year. Then, approximately 1,300 companies—the balance of those companies actually classified as “accelerated filers” under AS2—could have been given another year before compliance was required. This would have allowed them to use information obtained during the first year of implementation by larger companies to develop their own compliance processes. In addition, the SEC and the PCAOB would have had a year to provide additional guidance during the phase-in period, which would have benefited companies in the second tier. Of course, nothing would have prevented early adoption by any of those companies had they chosen that option.

The case for a phased adoption process is made stronger when the constraints on public accounting firms are taken into account. It seems likely that most of the companies included in the AS2 accelerated filers group draw from the same pool of audit firms that specialize in public companies. Furthermore, it seems obvious that the process would have been smoother if, rather than implementing AS2 for all of the accelerated filers in the same year, the auditors could have learned from one or two years of implementation at their largest clients (the 1,000 largest) before applying the new standard to smaller clients (the next-largest 1,300).

Available figures indicate that a larger percentage of smaller firms (as measured by revenues) received qualified internal control reports from their auditors ( So, one could argue that a phased adoption starting with larger companies would have deferred addressing serious problems that existed with smaller companies. On the other hand, borrowing an idea from AS5, perhaps the SEC and the PCAOB should at least initially focus on those companies with the greatest risk exposure in terms of market capitalization before pushing a new standard on smaller companies less able to bear the burden.

Available figures indicate that audit and audit-related fees for SEC filers rose from an average of about $1.3 million in 2004 to about $3.3 million in 2005 ( While these figures relate to the entire audit and audit-related services, it seems likely that a large portion of the increase related to compliance with AS2. Presumably much of the increased cost of these audits could have been reduced if auditors had had the opportunity to apply the knowledge they acquired in the first or second year of a phased implementation to the audits they performed in the second or third year.

The cost associated with implementation cannot be measured solely in increased audit fees. While measuring these costs with certainty is difficult, many commentators have suggested that companies are increasingly choosing to make their initial public offering outside of the United States in part to avoid compliance with AS2. While that phenomenon, if true, cannot easily be measured as an additional cost of SOX, it probably has some adverse effect on the competitiveness of U.S. capital markets. Had the implementation proceeded more smoothly, it would have been easier to argue that the benefits of better internal controls compensate for the additional cost of implementing those controls.

A Proposal

The authors’ proposal for improving the manner by which the PCAOB promulgates audit standards involves an organic implementation and refinement process. After the current system of due-process review and comment of the PCAOB’s exposure drafts and the SEC’s subsequent approval, a smaller number of companies, perhaps the S&P 500 or the Russell 1000, would be required to adhere to the standards as of the date designated by the SEC. This would result in coverage of a very significant portion of the total market capitalization of all U.S. public companies. Then, after those companies have learned from their experience with a given standard, and the PCAOB has made any necessary adjustments after the initial release of the auditing standard (perhaps in the second or third year), the remainder of the companies subject to the standard would also be required to comply. This would permit many smaller public companies to benefit from the experience of the largest companies, presumably resulting in better audits, and perhaps lower audit fees, than would have otherwise occurred. Given these advantages, as well as those cited above, the authors hope that the PCAOB and the SEC consider this proposed revision of the model for issuing major auditing standards.

John E. McEnroe, DBA, is a professor of accountancy and MIS; and Mark Sullivan, PhD, is an associate professor of accountancy and MIS; both at the School of Accountancy and Management Information Systems at DePaul University, Chicago, Ill.




















The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs. Legal Notices