Auditors could do a better job of integrating audits, applying a focused top-down approach, testing risk-level assertions, and using the work of others, according to a Public Company Accounting Oversight Board study of the second year of implementation of Auditing Standard No. 2.
In a 13-page report issued today, the PCAOB noted four other areas where there could be improvement: reducing needless testing of management’s processes, doing more work testing automated controls, installing monitoring systems to test for audit efficiency, and discussing obstacles to efficiency with their issuer clients.
During a Wednesday hearing with the Senate Committee on Small Business & Entrepreneurship, PCAOB Chairman Mark Olson also acknowledged that audit firms could be more efficient in their audits of internal controls and said that external auditors often interpreted AS2 as requiring them to be overly cautious. The PCAOB has found that in some cases “the auditing firms were still going to the original standard and not considering the subsequent guidance,” adding, “That’s why we are replacing AS2.”
In the report, the board said it had conducted its review through portions of about 275 audits during 2006, finding that “progress was made in improving the efficiency of internal control audits.” (It defined efficiency as achieving the objectives of board standards “with the least expenditure of effort and resources.”) Improvements “resulted from the easing of time constraints that auditors and issuers faced in the first year,” and from changes that auditors made in their methodologies and staff training.
Inspectors “found evidence that most firms had made progress in integrating their audits,” the board said, as well as in taking a top-down approach that focused “their testing and evaluation on the relevant company-level controls.” Generally, it said, “auditors used the work of others more in the second year of implementing AS No. 2 than in the first year.”
But the PCAOB devoted most of today’s report to detailing areas that could use improvement, although it didn’t cite specific cases of auditor shortcomings.
Where problems with integration were noted, the PCAOB said that “in certain engagements, auditorsÂÂ planned and performed essentially separate audits of internal control and of the financial statements.” Effective integration helps the two types of audits contribute to the completion of each other, it said.
“When properly executed, a ‘top-down’ approach directs auditors to focus on controls over accounts, disclosures, and assertions that present a reasonable possibility of material misstatement,” the PCAOB said. But in some cases in which a top-down approach was eschewed, auditors “tested and evaluated the company-level controls early in the audit [and] the auditors had not altered their tests of controls at the process, transaction, or application levels to the extent supported by the results of their tests of the company-level controls.”
As for problems in auditing risk evaluations, some auditors “failed to vary the nature, timing, or extent of testing commensurate with the level of risk at the assertion level”—meaning that “all assertions for a given significant account” were assessed “without considering the related level of risk.” That approach wastes time on testing controls even though company assertions do not “present a meaningful risk of a potential material misstatement of the financial statements.”
Although AS2 allows auditors to use the work of others if it “corresponds directly with the auditor’s assessment of the risk associated with particular controls and the competence and objectivity of the persons performing the work,” such third-party information was sometimes not employed. According to the review, “an auditor who appropriately uses the work of others can achieve the objectives of the audit while not duplicating effort in lower-risk areas, and also is better able to focus his or her own efforts on higher-risk controls.”
The board expressed confidence that with more experience in implementing internal-control reporting requirements, “the process will continue to improve.” The Securities and Exchange Commission and PCAOB together are undertaking to improve the standard’s clarity and ease of use, they say. A new version, AS5, is expected to be approved by the SEC in late May or early June.