On paper, a new standard proposed by the Public Company Accounting Oversight Board appears to address the concerns of companies that felt auditors spent too much time scrutinizing their internal controls and technology systems. Critics of the existing and much-contested Auditing Standard No. 2 have said it encourages auditors to spend hours questioning issues that have little relevance to financial statements, particularly with regard to the computer systems and software that are involved in producing those statements.
Yet it’s not clear whether a new standard will change that behavior for the better.
The proposed standard, which some PCAOB board members have begun referring to as AS5, clarifies that audits should concentrate only on those areas most likely to lead to a financial misstatement. In addition, external auditors would be allowed to rely on assessment work done by others, such as internal auditors, and would no longer evaluate management’s process, eliminating some “unnecessary procedures.” AS5 was introduced last month for a 70-day comment period.
One of the PCAOB’s goals, says chairman Mark Olson, is cheaper auditing bills. But AS2 critics aren’t so sure that will happen. They worry that the new standard — An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements — still could confuse auditors and prompt continued wary and overly conservative behavior. And they’re far from certain that the new standard will address what was widely perceived as misguided audits of corporate IT systems.
While senior financial executives think the new standard is at least “a step in the right direction,” says James Clendenen, engagement director for Parson Consulting, a financial-management consultancy, “the question is what will actually happen in the real world.” Given the conservative nature of audit firms, he wonders if they will accept the increased risk that might come from making more judgment calls.
At the same time, some finance executives worry that the changes might actually make external auditors more powerful. Both the Securities and Exchange Commission’s Section 404 revision and the PCAOB’s proposal for AS5 give external auditors and management more latitude in how to attest to and assess internal controls. But, say critics, companies that want auditors to rely on work the company has performed in-house (thereby reducing external audit hours) may defer to their audit firms about how such work should be done. In a letter asking various members of Congress to halt adoption of AS5, Dennis Stevens, director of internal audit for the Alamo Group, worried that the result will be a “subtle shift of responsibility from management to the external auditor.” Worse, wrote Stevens, if management’s own evaluation of internal controls is dictated by what it thinks auditors will find acceptable, the result will be “essentially the same situation that has existed for the past three years.”
The PCAOB says its proposed standard promotes a top-down, risk-based approach to auditing that encourages both management and auditors to use their professional judgment. But that, too, could result in confusion — and contention — between auditors and issuers, says Clendenen. For example, the new standard changes the definitions of significant deficiency and material weakness from a “more than remote likelihood” that a misstatement will occur to a “reasonable possibility.” Each auditing firm will have to revisit how it understands this definition, and it could become more aggressive in its interpretation, Clendenen told CFO.com.
“I think the PCAOB intended to have management and the auditors more on the same page; however, this will probably have the opposite effect,” he says. And while the answer may be that companies need to communicate more with their auditors about what’s required, the independence requirements of Sarbox may continue to chill that relationship.
The new standard may make companies bolder, although that won’t necessarily thaw relations with external auditors. If auditors examine low-risk areas or begin nitpicking, “you may have to say, ‘No, that’s not what we’re here to do. We are looking at specific financial-statement line items that are material, that are important, and those controls that are most significant,’” says Eric Keller, CEO of software company Movaris and former CFO of several other companies, including enterprise application service provider Corio.
Lines of communication between audit firms and companies haven’t been ideal. Since Sarbox’s inception, companies have complained that it’s hard to get answers from their audit firms. Those dealing with the Big Four firms have reported that their queries seem to go into a black hole as the local partners wait to hear from a national office. The new standard might not create a fix for that wait. “The local partners will have an ability to get more involved, but the question is, are they comfortable enough to stick their neck out and make a statement and not rely on a somewhat nameless, faceless management office to make a key decision about their client?” asks Clendenen.
The Technology Question
Another key concern for companies is whether the new standard will actually change the way auditors address IT-related controls. At the 2005 roundtable about Sarbox’s Section 404, participants said IT-control weakness may not have a bearing on the integrity of financial statements. And others have argued that auditors don’t have the expertise to properly make a judgment on computer systems, leaving them to focus more on documentation than on whether the controls are effective. Indeed, in one infamous incident, Thornburg Mortgage complained to the SEC that its auditor accused it of a deficiency because its installation of up-to-date antivirus software hadn’t been documented.
When the board released AS5 for public comment, the PCAOB reiterated that auditors need to focus on areas that are of high risk: places where a material weakness could lead to a misstatement. “The auditor’s testing of IT controls — those general IT controls and application controls — follows the same risk framework as any other control,” said PCAOB deputy chief auditor Laura Phillips. “That ought to be helping the auditor identify which controls are most important and are of the highest risk, and therefore merit the most attention.”
AS5 does not offer a solution to the question of auditors’ experience, say observers. Since so much of evaluating a company’s internal controls as they relate to IT is subjective, it’s especially hard for a young CPA with little or no technology experience to make an appropriate judgment, says Rod Scott, a former Caterpillar IT manager who now teaches seminars about Sarbox and auditing. “I don’t know that a risk-based approach is going to work in those cases,” he told CFO.com.
This issue is especially true at companies that still have outdated systems, says Brad Couch, a Sarbox consultant and former IT executive at Eagle Global Logistics. “Almost all auditors over the last three years who are doing technology auditing don’t understand how a mainframe works,” he told CFO.com.
At the December 19 PCAOB board meeting to introduce the new standard, board member Daniel Goelzer asked the staff to explain how the revamped standard would meet the various requests made last April by the SEC’s Advisory Committee on Smaller Companies. The committee had suggested that the SEC ask the PCAOB to explain how smaller companies could reduce compliance costs related to IT controls, “a significant source of internal control compliance costs, consistent with the underlying risks.” In response, Sharon Virag, the PCAOB’s assistant chief auditor, outlined the changes the audit firm overseer has made in this area, including the following:
• The staff omitted many references to IT controls because, she said, “we want the auditor to focus on those controls that are important for effective internal control regardless of where they’re at.” Deleting those references, however, could have the opposite effect and lead to confusion for those companies that had been relying on the original standard for guidance, Clendenen says.
• The new standard states that “automated controls are generally lower risk if the relevant IT general controls are effective.”
• The new standard incorporates benchmarking guidance put out by the PCAOB last May. Basically, it allows auditors to trust that an off-the-shelf application that works efficiently one year will work the next.
“If general controls over program changes, access to programs, and computer operations are effective and continue to be tested, and if the auditor verifies that the automated application control has not changed since the auditor established a baseline” — meaning the last time the control was tested — “the auditor may conclude that the automated application control continues to be effective without repeating the prior year’s specific tests of the operation of the automated application control,” the revised standard says. “The nature and extent of the evidence that the auditor should obtain to verify that the control has not changed may vary depending on the circumstances, including depending on the strength of the company’s program change controls.”
The PCAOB predicts that the earliest AS5 would be adopted — if accepted by the SEC after its own public comment period — would be the latter half of 2007. The changes are a step in the right direction in clarifying where auditors should focus their attention, but the proposed standard won’t appease every complaint about AS2, Keller says. “The regulating agencies have given solid, sane guidance that it’s all about internal controls over financial reporting, and it’s not about internal control over other things.”