By James Hamilton, J.D., LL.M.
Working in close alignment with the SEC’s management guidance, the PCAOB has adopted a new auditing standard for internal controls to replace the current prescriptive and rules-based Auditing Standard No. 2. Embodying a principles-based, risk-based approach, the new Auditing Standard No. 5 is designed to increase the likelihood that material weaknesses in internal control will be found before they result in misstatement of a company’s financial statements, while at the same time eliminating unnecessary procedures. The final standard also focuses the auditor on the procedures necessary to perform a high quality audit tailored to the company’s facts and circumstances.
As part of the Board’s commitment to the effective implementation of the new standard, the inspection program will be adjusted to assure that it is consistent with the new standard and its principles-based approach. The PCAOB is also continuing to develop for auditors of smaller public companies tailored guidance for applying the new standard as outlined in its four-point plan of May 2006.
AS5 must still be approved by the SEC. Gordon Seymour, PCAOB General Counsel, has indicated that the Board will submit AS5 to the SEC for approval tomorrow, May 25. And PCAOB Chief Auditor Thomas Ray believes that the SEC will move expeditiously to approve the new standard. He is confident of that based on remarks by SEC officials.
Importantly, the new standard focuses the audit on those areas that present the greatest risk that a company’s internal control will fail to prevent or detect a material misstatement in the financial statements. It does so by focusing on material weaknesses and emphasizing the importance of auditing higher risk areas, such as the financial statement close process and controls designed to prevent management fraud. At the same time, it provides auditors a range of alternatives for addressing lower risk areas, such as by demonstrating how to calibrate the nature, timing and extent of testing based on risk, as well as how to incorporate knowledge accumulated in previous years’ audits into the auditors’ assessment of risk and use the work performed by internal auditors.
The organizing principle of AS5 is the top-down concept, under which the auditor focuses on entity-level controls and works downward, planning the audit so that testing of lower level controls is influenced by the strengths and weaknesses of those above. But it emphasizes that the approach is more one of reasoning than work sequence, and that the auditor needs to use judgment, not follow a roadmap.
The final standard underscores that walkthroughs, the process by which the auditor traces a transaction from cradle to grave through the company’s reporting system, are not an end in themselves, but rather a means to attaining an understanding of likely sources of misstatement. This change reduces the risk that walkthroughs will become just another step that must be performed without much understanding as to why the work is being done.
The new standard also requires the auditor to communicate to the audit committee control deficiencies identified during the audit that are less severe than material weaknesses, but important enough to merit the attention of those responsible for the company’s financial reporting. This replaces the approach in AS No. 2, which relied on the auditor’s ability to make difficult determinations about the application of abstract phrases like “more than remote” and “more than inconsequential” to deficiencies.