On paper, a new standard proposed by the Public Company Accounting Oversight Board appears to address the concerns of companies that felt auditors spent too much time scrutinizing their internal controls and technology systems. Critics of the existing and much-contested Auditing Standard No. 2 have said it encourages auditors to spend hours questioning issues that have little relevance to financial statements, particularly with regard to the computer systems and software that are involved in producing those statements.
Yet it’s not clear whether a new standard will change that behavior for the better.
The proposed standard, which some PCAOB board members have begun referring to as AS5, clarifies that audits should concentrate only on those areas most likely to lead to a financial misstatement. In addition, external auditors would be allowed to rely on assessment work done by others, such as internal auditors, and would no longer evaluate management’s process, eliminating some “unnecessary procedures.” AS5 was introduced last month for a 70-day comment period.
One of the PCAOB’s goals, says chairman Mark Olson, is cheaper auditing bills. But AS2 critics aren’t so sure that will happen. They worry that the new standard — An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements — still could confuse auditors and prompt continued wary and overly conservative behavior. And they’re far from certain that the new standard will address what was widely perceived as misguided audits of corporate IT systems.
While senior financial executives think the new standard is at least “a step in the right direction,” says James Clendenen, engagement director for Parson Consulting, a financial-management consultancy, “the question is what will actually happen in the real world.” Given the conservative nature of audit firms, he wonders if they will accept the increased risk that might come from making more judgment calls.
At the same time, some finance executives worry that the changes might actually make external auditors more powerful. Both the Securities and Exchange Commission’s Section 404 revision and the PCAOB’s proposal for AS5 give external auditors and management more latitude in how to attest to and assess internal controls. But, say critics, companies that want auditors to rely on work the company has performed in-house (thereby reducing external audit hours) may defer to their audit firms about how such work should be done. In a letter asking various members of Congress to halt adoption of AS5, Dennis Stevens, director of internal audit for the Alamo Group, worried that the result will be a “subtle shift of responsibility from management to the external auditor.” Worse, wrote Stevens, if management’s own evaluation of internal controls is dictated by what it thinks auditors will find acceptable, the result will be “essentially the same situation that has existed for the past three years.”
The PCAOB says its proposed standard promotes a top-down, risk-based approach to auditing that encourages both management and auditors to use their professional judgment. But that, too, could result in confusion — and contention — between auditors and issuers, says Clendenen. For example, the new standard changes the definitions of significant deficiency and material weakness from a “more than remote likelihood” that a misstatement will occur to a “reasonable possibility.” Each auditing firm will have to revisit how it understands this definition, and it could become more aggressive in its interpretation, Clendenen told CFO.com.