As 2006 draws to a close, public companies subject to the internal control assessment and auditing requirements mandated by Section 404 of the Sarbanes-Oxley Act of 2002 (SOX) received last week mixed news about the audit component of those requirements in coming years. The good news is that the Public Company Accounting Oversight Board (PCAOB) concluded that its current audit standard for internal control over financial reporting—Auditing Standard No. 2 (AS No. 2)—is too expensive and burdensome and that it should be replaced by a substantively revised (and streamlined) standard. The PCAOB’s conclusion is based on its analysis of the costs and benefits of AS No. 2 (both substantial) for the two annual auditing cycles since its adoption. The less-than-good news is that, although the PCAOB’s proposals for substantive relief are now released for comment, adoption of a final proposal is expected not to occur until late in 2007. Consequently, auditors for many public companies (particularly those with calendar year ends) will have to continue to comply with the rigorous requirements of AS No. 2 for another audit cycle. Nonetheless, the PCAOB’s proposed new standards, which appear to reflect a great deal of thoughtful work by the PCAOB and its staff, ultimately should provide significant benefits both to public companies currently subject to Section 404 and to smaller companies that will be required to comply with Section 404 in the future.

Following on the heels of additional Section 404 relief from the Securities and Exchange Commission (SEC) earlier this month in the form of extended compliance deadlines and proposed interpretive guidance,1 the PCAOB, on December 19, proposed two new standards and other, related, rulemaking steps including:

  • A new, and more focused, standard for audits of internal control over financial reporting to replace AS No.2;
  • A new auditing standard providing auditors greater latitude in considering and using the work of others in performing integrated audits of financial statements and internal controls; A new rule clarifying the information that an auditor must provide to an audit committee when seeking pre-approval to perform internal audit-related services outside of an audit; and
  • A variety of related amendments, including a potentially significant change providing that the date of an audit report (and the date on which an auditor’s responsibility for events affecting financial statements ends) should be no earlier than the date on which the auditor has obtained sufficient evidence to support its opinion, in place of the current rule that the date of the audit report generally should be the date of completion of the auditor’s field work.

Replacing AS No. 2

The proposed new auditing standard on internal control over financial reporting is a principles- and riskbased standard designed to improve upon AS No. 2 by focusing the auditor on the most important internal controls, thereby increasing the likelihood that material weaknesses will be identified before they result in material misstatements in financial statements. The proposed standard seeks to eliminate unnecessary audit requirements, provide guidance to auditors on how to make audits scalable for smaller and less complex companies, and simplify and shorten the text of the standard itself. (The proposed standard is less than half the length of AS No. 2.)

Consistent with its top-down approach, the proposed standard seeks to recalibrate the sensitivity of internal control audits by:

  • Revising the definitions of “significant deficiency” and “material weakness” to measure likelihood of occurrence in terms of “reasonable possibility” rather than the more stringent “more than remote likelihood,” to facilitate identification of only those most likely to lead to a material financial statement misstatement;
  • Reformulating the definition of “material weakness” without reference to “significant deficiency” to focus the auditor on the existence of material weaknesses, rather than less severe significant deficiencies;
  • Redefining the significance of circumstances deemed, under the standard, to be “strong indicators” of internal control problems (such as management fraud or a restatement to correct a prior financial statement misstatement) by defining such circumstances as strong indicators of material weaknesses but removing the requirement that they be considered at least significant deficiencies, thus focusing the auditor on the more serious material weaknesses (and permitting an auditor to conclude, in proper circumstances, that such strong indicators in fact are indicative of neither a material weakness nor a significant deficiency);
  • Clarifying that if management has evaluated uncorrected significant deficiencies and reasonably determined not to correct them, an auditor may conclude that the control environment is effective, on the basis of the auditor’s evaluation of the control environment and management’s reasons for not correcting;
  • Clarifying that an auditor should apply the same materiality measures to a company’s internal control audit that it applies to an audit of that company’s annual financial statements; and
  • Requiring that evaluation of whether a control deficiency is a significant deficiency or a material weakness, for materiality purposes, includes consideration of the possibility of misstatement to both annual and interim financial statements.

The proposed new standard would encourage efficiency in the auditing process by:

  • Focusing the auditor on the most important internal controls and emphasizing risk assessment;
  • Eliminating unnecessary procedures;
  • Removing the requirement that the auditor evaluate management’s process;
  • Permitting consideration of knowledge obtained during previous audits;
  • Directing that the audit be scaled to reflect the size and complexity of the company;
  • Refocusing multi-location testing requirements on risk rather than coverage; and
  • Scaling back the walkthrough requirement.

Comment Period

The PCAOB’s proposals are subject to a comment period ending February 26, 2007. Any final PCAOB standard adopted will be subject to SEC approval.