Auditors mostly did a good job of complying with Auditing Standard No. 5 during 2008, the standard’s first full year of effectiveness, the Public Company Accounting Oversight Board said in a report released Thursday. But the PCAOB also revealed in its review of how 250 audits conformed to the new standard — which governs auditor attestations of internal controls over financial reporting — that some auditors fell short in many different ways.
The review sought to determine how well the audits — all performed by one of the eight largest U.S. public accounting firms — furthered the PCAOB’s objectives for AS5, which replaced the more cumbersome AS2. The main objectives were focusing auditors’ efforts on the most important audit components, based on the risks posed; eliminating unneeded audit procedures; and scaling the audit to the size and complexity of the business.
The audit oversight board evaluated six areas of AS5 implementation. After looking, for example, at whether auditors adequately assessed risk in determining which accounts and disclosures were significant and which controls to test, the board wrote, “In the majority of the engagements reviewed, the inspectors did not identify deficiencies in the auditors’ assessment of risk.” Similarly positive statements were made about the five other reviewed aspects of AS5 compliance.
At the same time, the inspectors found instances of failure in all six areas. For risk assessment, those included cases in which auditors didn’t identify variability in risk levels at a company’s different locations. Also, some audits did not consider how deficient controls could affect their risk evaluations.
A second area reviewed, actually a subset of the first, was the assessment of fraud risk. In a minority of audits, the board found failure to do more rigorous testing in areas of greater risk, and failure to test compensating controls when the ones that were tested didn’t completely address an identified risk. And some audits didn’t evaluate all processes of period-end financial reporting or appropriately test the risk that management could override the results.
The board also evaluated auditors’ use of the work of others to cut down on their own work, a practice that AS5 specifically allows. But in some cases, the use of outside work was greater than appropriate given the risk level for the control being tested. And some audits didn’t sufficiently assess the competency or objectivity of others’ work, particularly when the work was performed by company personnel other than internal auditors.
Next the PCAOB reported its findings on auditors’ choice of the most important entity-level controls to test and the appropriate degree of testing for each. The board said it found significant variance in auditors’ effectiveness there. One failure inspectors found was not evaluating entity-level controls beyond those associated with the control environment and period-end financial reporting. Some auditors told the inspectors they didn’t do so because the issuer had not.
A further deficiency regarding entity-level controls was identifying controls apparently designed to operate very precisely but failing to obtain enough audit evidence of the controls’ effectiveness. There were also situations in which auditors failed to consider how well an entity-level control addressed the risk of a financial-statement assertion, and others in which the auditor judged a control not precise enough to address the risk of an assertion but reduced the testing of process-level controls for that assertion anyway.
Other auditing aspects covered by the PCAOB inspection were the nature, timing, and extent of controls testing and the evaluation of control deficiencies.