In a detailed report, the Public Company Accounting Oversight Board stated that companies and accounting firms “faced enormous challenges” in their first year of implementing Section 404 of the Sarbanes-Oxley Act, which requires companies to document their internal controls.
Among the challenges, stated the PCAOB, were strains on available resources; a shortage of staff with prior training and experience in designing, evaluating, and testing controls; and limited time to implement Section 404. “These challenges were compounded in cases in which companies needed to make significant improvements in their internal control systems to make up for deferred maintenance of those systems,” added the board.
The PCAOB issued its report in the course of monitoring the implementation of Auditing Standard No. 2, the Sarbanes-Oxley requirement that external auditors must attest to and report on their clients’ assessment of internal controls.
“While our inspections identified several opportunities for auditors to improve audit quality and efficiency, the board remains confident that auditors will be able to perform more effective and efficient audits in future years,” said outgoing PCAOB chairman William J. McDonough, in a statement. “These improvements are already appearing as auditors and their clients gain experience and as challenges that were unique to the first year’s implementation abate.”
McDonough’s statement “is a recognition that there has been more caution than necessary” on the part of auditors, said Peter J. Romeo, a former chief counsel at the Securities and Exchange Commission’s corporation finance division, according to the Los Angeles Times. Romeo, now a partner with the law firm Hogan & Hartson, reportedly added that auditors “overreacted” after they were “burned so badly” by corporate accounting scandals during the past few years. “The pendulum swung all the way over to the other side. Now it needs to return to the middle where it belongs.”
According to the PCAOB, audits were not as efficient as they should be because some auditorsÂ
• did not integrate their audits of internal control with their audits of financial statements; consequently, the amount of reliance placed on controls in establishing the nature, timing, and extent of financial-statement audit work was limited
• did not effectively apply a top-down approach
• did not alter the nature, timing, and extent of their testing to reflect the level of risk
• performed inefficient and sometimes ineffective walkthroughs of major classes of transactions because they used different transactions to test each control separately, rather than walking a single transaction through the entire process. In addition, some auditors did not ask sufficiently probing questions of the company’s personnel to gain a complete understanding of the transaction process
• did not use the work of others to the extent permitted by
Auditing Standard No. 2.