May 16, 2005

 

No Rule Changes from SEC or PCAOB - Clarification in Implementation

May 16, 2005: Update on Today’s Statements from the SEC and PCAOB with respect to Internal Control Reporting Requirements – Issues Central Review and Commentary


As promised in Washington in April 2005, both the Public Company Accounting Oversight Board (PCAOB) and the U.S. Securities and Exchange Commission (SEC) today clarified their guidance with respect to internal control reporting requirements and the consequence for Section 404 activities of the Sarbanes-Oxley Act of 2002 being undertaken by both accelerated and non-accelerated filers.

Issues Central Inc. – Our Preliminary Conclusions with respect to PCAOB Guidance:

Auditors have to use the judgment that is designated in Audit Standard #2. Extreme conservatism increased the cost but not the quality of audits.
No new rules are needed. The Auditing Standards are accurate and pertinent. Risk based approach to audits has been the standard for a long time and this needs to be applied to Section 404/302 audits.
The PCAOB rules provide latitude and encourage judgment by auditors and this was not properly exercised. The PCAOB will work through inspections to improve the quality of audits to get this right.
Costs will be driven down by improved quality of audits not the repeal of Sarbanes-Oxley.
Auditors should be working closely with their clients to assist in complex accounting treatments. Financial Information should be shared between registrant and auditor to increase the quality of reporting.


Key highlights of today’s commentary are as follows:

Highlights of the PCAOB’s “Additional Staff Guidance on Internal Control”:

The PCAOB did not make any new rules, just clarified what they already have outlined in Audit Standard #2.

Integrated audits (Section 404/302) should be done for most registrants moving forward. This should aid consistency and drive down costs and duplication experienced in the first year filings for Accelerated Filers. It will also improve the quality of the audits.
Audit plans were not tailored to fit a company and were implemented in a very rigid checklist format. This is not required nor endorsed by the auditing standards. This was the result of poor planning and training by audit firms.
A top-down, risk-based approach per COSO is what is designated: test those areas that are more risky and do not put much time or review into mundane low-risk areas. Entity level controls are key to this type of approach.
Auditors have to exercise judgment and this is key to the auditing standards.
Auditors should work with their clients in assisting in complex accounting treatments in frank and open ways.
Costs were too high because auditors did not use the work of others as they are allowed to do in the standards. They can in fact use the work of others and actually use company staff such as internal auditors to assist their review and testing work.
PCAOB will conduct inspections of external audit firms’ audits to determine if they were conducted in a professional and proper manner. Where they find problems, they will “demand improvements”.
For more details please visit http://www.pcaob.us.org/

Issues Central Inc. – Our Preliminary Conclusions with respect to SEC Statement:

The SEC wants to drive costs down for compliance with Section 404 by increasing the quality of management’s assessments of internal controls and the external auditor review. Management should be focused on a “Top Down” entity level controls review to provide reasonable assurance of internal controls. A risk based COSO approach is the way to comply with the Act and reduce the amount of low value testing on low risk processes.
Management has to step up and take responsibility for the scope and management of their assessments. Management has the power to designate and manage their own review and must work with their external auditors but fashion their own reasonable assessment.
The use of mitigating and compensating controls to provide reasonable assurance of internal controls is permissible and part of well functioning controls. Overemphasis on IT controls that have little to do with financial reporting is unnecessary and does not prove compliance.
The exorbitant costs of many Year 1 404 filings were mainly due to poor planning and improper project scoping and therefore did not in many cases even accomplish the spirit of the Sarbanes-Oxley Act. The Act is working and this clarification on implementation should help companies in either their first or second year certifications.

Highlights of the SEC’s “Statement on the Implementation of Internal Control Reporting Requirements”:



Risk based – top down approach is important in all companies but has special importance in small companies because management presumably has more direct control over transactions/financial reporting than in larger organizations. Management may have very effective communication and monitoring controls that allow less detailed testing of transactions.
Mitigating or compensating controls are important and valid in evaluation of overall internal control reviews.
Weaknesses that are not remediated prior to year end must be reported and fully disclosed and should be explained such that investors can evaluate with complete information.
More attention should be given to significant accounts that have high risk rather than a “check the box” regimen with “one size fits all” approach.
Scoping should utilize quantitative and qualitative items for inclusion and exclusion.
Testing of internal controls can be done throughout the year, not just at the end of the year. This is because many controls work in a continuous manner, not just a snapshot approach. Each year of review can have a different focus.
Clearly one area that was addressed was the lack of use of client documentation and even client staff to cut audit costs. This was a huge area of unnecessary cost overruns for accelerated filers.
Section 404 never stated that a separate framework had to be used for IT controls. In fact the SEC was quite surprised that companies were spending an inordinate effort on IT controls that may not in some cases actually affect financial reporting.
IT controls need only be tested if they affect financial reporting. The approach of including all IT controls is neither necessary nor beneficial to Section 404 compliance.
In the future, audits are most likely going to be integrated Section 404/302 in order to cut duplication and increase the effectiveness of audits.
There will be guidance for smaller companies but they will have to comply with Section 404. “Section 404 is too important not to get right…” (reference: SEC 2005-74.htm page 2 of 3).
The SEC reiterates that the regulations state “reasonable assurance” not “absolute assurance” that internal controls are operating effectively.
“Management should use its own experience and informed judgment” to design an assessment process…: Management has to own its project and not look for external auditors to call the shots for management’s attestation.
Auditors have to allow “a reasonable zone of conduct” for companies for implementation of Section 404.
External Auditors can and should consult with their clients about complex accounting treatments. Auditors cannot make management’s decisions for them, but definitely should assist in the proper use of GAAP etc. This is even to the point of registrants providing auditors draft financial statements for review.
For more details please visit http://www.sec.gov/

For more information on Issues Central, Inc. and the Sarbanes-Oxley Compliance Playbook™, geared to the compliance efforts of mid to emerging public filers, please call 1.800.410.6681 or go to http://www.issuescentral.com/


