New PCAOB Standard Allows Auditors to Use the Work of Others and Walkthroughs
Walkthroughs can help auditors understand likely sources of potential misstatements and help in selecting controls to test. While a walkthrough will frequently be the best way of attaining these goals, noted the Board, the auditor's focus should be on the objectives, not on the mechanics of the walkthrough. And in some cases, other procedures may be equal or more effective means of a achieving them.
Under the new AS5, a sound walkthrough envisions the auditor following the transaction from origination through the company’s processes, including information systems, until it is reflected in the company’s financial records, using the same documents and IT that company personnel use. Walkthrough procedures usually include a combination of inquiry, observation, inspection and re-performance of controls. (AS5, paragraph 37)
In performing a walkthrough, at the points at which important processing procedures occur, the auditor questions the company's personnel about their understanding of what is required by the procedures and controls. These probing questions, combined with the other walkthrough procedures, allow the auditor to gain a sufficient understanding of the process and to be able to identify important points at which a necessary control is missing or not designed effectively. Additionally, probing beyond the single transaction used as the basis for the walkthrough allows the auditor to understand the different types of significant transactions handled by the process. (AS5, paragraph 38)
The standard lists a number of objectives that a walkthrough can help attain, including identifying management controls to address potential misstatements or detect or prevent misstatements. Another objective is to understand the flow of transactions related to relevant assertions. (AS5, paragraph 34).
Using Work of Others
AS 5 also allows the outside auditor to use the work of others to obtain evidence about the design and operating effectiveness of controls and eliminates the principal evidence provision. Recognizing that issuers might employ personnel other than internal auditors to perform activities relevant to management's assessment of internal controls, the standard also allows the auditor to use the work of company personnel other than internal auditors, as well as third parties working under the direction of management or the audit committee.
Consistent with the standard’s risk-based approach, the extent to which auditors may use the work of others depends on the risk associated with the control being tested. As the risk decreases, so does the need for auditors to perform the work themselves. Conversely, in higher risk areas, such as controls addressing fraud risks, using the work of others would be limited if such work could be used at all. Similarly, the impact of the work of others on the auditor's work also depends on the relationship between the risk and the competence and objectivity of those who performed the work. As the risk decreases, the necessary level of competence and objectivity decreases as well.
Importantly, AS5 eliminates the principal evidence provision formerly contained in AS2. The principal evidence provision required that the auditor’s own work be the principal evidence for the auditor’s opinion. This provision limited the use of the work of others.