PCAOB Approves Internal Control Standard

PCAOB Approves Internal Control Standard
Auditors' Testing and Evaluating Takes a Wide Scope

Continued from the Home Page

The PCAOB approved its Auditing Standard No. 2, “An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements,” during an open meeting on March 9.

The standard requires auditors to form an opinion on management’s assessment of a company’s internal controls that, under the Sarbanes-Oxley Act, must be included with financial statements. To form an opinion, auditors now must evaluate and test management’s internal control process, the work performed by others (i.e., internal auditors) and the effectiveness of the controls.

The PCAOB received 193 comment letters following the staff’s presentation of the proposal last October. According to the PCAOB, some objected to the amount of work called for in the standard, suggesting that the scope of the internal control audit be limited to evaluating testing performed by management itself. But the PCAOB decided to maintain the broader assessment as a way to increase confidence in financial statements.

“The third piece of the Sarbanes-Oxley Act of 2002 is its emphasis of improving internal control as a means of restoring credibility to financial reporting in the United States,” PCAOB Chief Auditor Douglas Carmichael said.

“We continue to believe that the auditor must evaluate both the management’s assessment process and the effectiveness of internal control directly,” he said. “An auditing process that was strictly limited to what management has done just wouldn’t give the high level of assurance that management’s conclusion was correct.”

Looking to COSO and SAS 65

While the board stuck to the standard’s original intent for a wide scope for the audit of internal controls, staff recommended changes in areas that commentators objected to.

During the meeting, Deputy Chief Auditor Thomas Ray said the staff removed a section from the original proposal on how internal control audits could differ for small- and medium-sized companies. Commentators said the appendix implied a more lax requirement for scrutiny among smaller companies, while others said the appendix was not detailed enough. The standard now refers auditors to the “work of COSO (the Committee of Sponsoring Organizations of the Treadway Commission), the most widely used internal control framework,” Ray said.

Ray also asked the board to revamp an earlier provision setting out controls for where and how an auditor may use the work of others. The original proposal relied on two principles for using others’ work in an internal audit. First, the auditor’s work must provide the “principal evidence” before using other people’s work. Second, the auditor must follow three categories that limit where and when an auditor could rely on other people’s work for evidence.

Ray said the principles were intended to give auditors flexibility in relying on internal auditors and others to form an opinion without making them overreliant on others’ work.

But commentators disagreed with one or both of the principles, especially one of the three categories that prohibited auditors from using anyone else’s work at all. Others argued that the principles negated the concepts of the Statement of Auditing Standards (SAS) 65, which was already incorporated in the PCAOB’s interim rules and concern internal audit.

The board modified the standard to bring controls on evaluating the work of others in line with SAS 65. The categories of controls were revised to focus the auditor’s attention on the nature of the work being done by others, evaluating the objectivity of those doing that work, and testing their work, giving the auditor a basis for judging the quality of the work. But, under the final standard, it is still up to the auditor to provide the principal evidence.

The final standard also includes provisions, with guidance, for auditors to complete walkthroughs of transactions, from initial recordings to the impact on the financial statement. The final proposal significantly reduces the number of areas where walkthroughs are required.

After the Vote

Members of the board said they understood that the new requirements would have a cost impact on companies, but that this was a necessary part of building trust with the public.

“With this vote the board fulfills one of its specific obligations under the Sarbanes-Oxley Act, but the board is doing much more,” PCAOB Chairman William McDonough said. “These requirements are tough and they will entail extra work and cost but the goal of the requirement cannot demand anything less.”

Board member Kayla Gillan agreed, adding that the benefits far outpaced the cost and that the board had received letters from heads of investment and pension funds showing their support.

Board members warned against price gouging, adding that the costs for audits of large companies will not be the same for small- to mid-sized companies.

“I believe this is an attempt to go in the direction of recapturing the public trust,” George Victor, chairman of the New York State Society of CPAs’ SEC Practice Committee, said. “But we have a long way to go. We can’t guarantee there won’t be any fraud anymore; no audit will guarantee there is no fraud….but it’s certainly a step in the right direction.”

Though the PCAOB approved the standard, as of this writing the Securities Exchange Commission, which has the final say under Sarbanes-Oxley, has yet to sign off on it.

To view the entire text of the standard, go to www.pcaobus.org and click on the “Standards” link on the left side of the page.