The PCAOB staff members said they had retained all of the goals of the AS5 draft in their final version but made several changes based on the 175 comment letters received and mandates from the SEC. Therefore, in many ways AS5 differs from what the public saw when the PCAOB first introduced the standard in December. The changes were mostly minor, such as matching up terms with the SEC’s management guidance (for example, replacing the term “company level controls” with “entity level controls”). The staff also worked on making the standard less prescriptive in tone since commentators noted nearly 250 instances where the AS5 draft used mandatory terms, such as “must” or “should,” which suggested “the proposal was not as principles based as advertised,” noted PCAOB chief auditor Thomas Ray. Other changes included:
• Putting a discussion of fraud risk and fraud-risk controls at the beginning of the standard. “This should make clear to auditors the importance of assessing fraud risk throughout the audit process,” Olson said, adding, “While even the strongest of internal-control frameworks cannot provide absolute assurance that fraud will be prevented or detected, a strong control environment should help to reduce instances of fraud.”
• Highlighting why auditors should conduct a walkthrough rather than requiring them to conduct a specific review. “Auditors should focus on the objectives and not the mechanics of the walkthrough,” said PCAOB deputy chief auditor Laura Phillips, who is leaving the PCAOB later this year.
Audit firms have already incorporated the basic principles of AS5 into their work. Doing so has eliminated redundant and unnecessary work and cut costs for issuers, said John Fodera, a director at audit firm Eisner. A55 eliminates the excessive work that was used under AS2 and encourages “substance over form” while still getting auditors to uncover material weaknesses, he told CFO.com.
Despite coming to the end of focusing the staff’s energy on just one auditing standard, the PCAOB still has its work cut out for dealing with the audits of internal controls. The staff is compiling feedback from audit firms to craft guidance customized for the internal-control audits of small companies. A draft will be ready for the public soon and will likely be finalized by the end of the year, according to Ray.