At an open meeting on April 4, 2007, the Securities and Exchange Commission (SEC), members of the Public Company Accounting Oversight Board (PCAOB) and the Government Accountability Office (GAO) discussed public comments with respect to the SEC’s proposed interpretive guidance for management regarding the evaluation of internal control over financial reporting required by Section 404 of the Sarbanes-Oxley Act of 2002 (Sarbanes-Oxley Act) and the PCAOB’s proposed auditing standard for Section 404. The open meeting represents a continuation of the process announced in May 2006 by the SEC and PCAOB to make compliance with the reporting requirements of Section 404 more efficient and cost effective while increasing reliability on companies’ financial statements. The proposed SEC guidance is intended to assist companies of all sizes in conducting their annual evaluations in a more efficient and effective manner consistent with Section 404. The PCAOB proposed auditing standard is intended to assist auditors of companies of all sizes in their assessment of companies’ internal control over financial reporting as well as the auditors’ report on that assessment. The text of the proposed rules and interpretive guidance is available on the SEC’s and the PCAOB’s websites.
The focus of the SEC’s proposed guidance is to provide a top-down, risk-based evaluation of internal control over financial reporting so that management and the auditors would be able to focus attention on those internal controls that present the greatest risk of a material financial misstatement. Under the proposed amendments to Exchange Act Rules 13a-15(c) and 15d-15(c), a company that performs its annual evaluation of the effectiveness of its internal control over financial reporting in accordance with interpretive guidance would satisfy its evaluation requirement. In addition, the proposed amendments would be similar to a non-exclusive safe-harbor in that they would not require management to conduct the evaluation in accordance with the interpretive guidance, but such guidance would provide certainty for management that chose to follow it.
The PCAOB’s proposed revision of its auditing standards is intended to align those standards with the guidance provided to management by the SEC. The proposed auditing standards are primarily designed to focus the audit on the key risk-based factors, eliminate unnecessary procedures, scale the audit for smaller companies and simplify the requirements of auditors. The proposed auditing standards would allow integration between the financial audit and audit of the internal controls. In addition, the proposed auditing standards would, under certain circumstances, allow an auditor to rely on the work of others.
PCAOB Discusses Comments Relating to Key Areas of the Proposed Auditing Standards
In response to the PCAOB’s proposed auditing standards, the PCAOB received approximately 170 comments. Mark W. Olson, Chairman of the PCAOB, presented the key areas of focus of those comments.
• Aligning the proposed auditing standards and the SEC’s proposed guidance for management. Management’s evaluation of internal control over financial reporting and the auditors’ assessment of management’s evaluation are distinct, yet complementary steps in compliance with Section 404 and each has different perspectives and objectives. Without additional alignment, management may, in effect, begin to use the proposed auditing standards as the new management standard.
• The scalability of audit. The comments noted that the audits should be scalable for smaller companies, both in size and complexity. Mr. Olson furthered that focus and emphasized that in a risk-based approach, scalability relates to all companies, noting that companies of all sizes can have unique aspects and a risk-based approach should not be a stand-alone approach for smaller companies. The risk-based approach will lead to a tailoring of audits specific to each company, regardless of size or complexity.
• Flexibility in audits. Several comments focused on providing more flexibility in the auditing standards, including lessening the prescriptive language of the proposed standards. Although the amount of proposed mandatory auditing procedures was reduced from the current auditing standards, proposed and current documentation and evidentiary requirements could be an impediment to a more efficient and cost effective audit.
GAO Focuses on Top-Down, Risk-Based Approach
In a presentation to the SEC, Jeffrey Steinhoff, managing director for Financial Management and Assurance of the GAO, placed additional emphasis on a top-down, risk-based approach to both management’s evaluation and the auditors’ assessment of management’s evaluation. Mr. Steinhoff noted that, if done properly, this approach could maximize efficiency and effectiveness with needed flexibility rather than adopting a set of overly prescriptive requirements pursuant to a “one-size-fits-all” standard. In addition, the emphasis should be on management as a first line of defense in detecting and preventing fraud. The auditors’ professional judgment should complement management with heightened sensitivity to those areas most at risk for fraud.
Mr. Steinhoff noted that the overarching goal is investor protection and that to achieve that goal, coordination among regulators is paramount. The coordination should extend to regulators nationally and internationally, as well as across all industries. Any differences among standards should be noted and the reasons for such differences should be fully articulated.
SEC Approves Resolving Key Issues Between the SEC’s Proposed Guidance and the PCAOB’s Proposed Auditing Standards
The SEC’s commissioners endorsed the recommendations of the agency’s professional staff to make compliance with Section 404 of the Sarbanes-Oxley Act more effective and efficient. The SEC staff should continue to work closely with the PCAOB to make the internal control provisions of Section 404 more efficient and cost effective. The SEC focused its staff on the following areas:
• Closely align the SEC’s proposal and the PCAOB’s proposal, particularly with regard to prescriptive requirements, definitions and terms. The SEC staff noted that its proposed guidance is more principles-based than the PCAOB’s proposed auditing standards, which the staff believes is preferable since it allows management to use judgment in tailoring its evaluation of internal control to a company’s specific attributes. The SEC agreed to work with the PCAOB to identify and eliminate prescriptive language where possible, ensure that objectives are clearly stated and harmonize the key terms and definitions among the proposals.
• Improve scalability and tailoring of audits based on company size and complexity. The SEC staff emphasized that scalability does not suggest separate auditing standards for companies of different sizes, but rather a need to allow an auditor to consider the unique circumstances of a smaller company and to tailor the auditing procedures accordingly. Scalability is achieved with judgment-based standards rather than a focus on technical requirements. To the extent that this concept is unclear, and to aid auditors in scaling their audits, the proposed auditing standards should contain illustrative examples.
• Encourage auditors to exercise professional judgment regarding the procedures and tests required for a Section 404 audit, particularly in risk assessment. Auditors should be allowed to use professional judgment in determining the extent and method of testing internal control, including rotational testing and increased walkthroughs, based on specific attributes for each company and a risk assessment of the likelihood of a significant or material financial misstatement.
• Allow auditors to follow a principles-based approach to determining when and to what extent the auditor can use the work of others. Auditors should be permitted to use the work of others, including management and supervisory staff, if the provider of the work product has an established level of competence and objectivity. The SEC agreed to work with the PCAOB to modify the requirements and to provide principles-based definitions of competence and objectivity to ensure that auditors are comfortable in determining when they can use the work of others.
Under the Sarbanes-Oxley Act, PCAOB audit standards must first be approved by the SEC and cannot take effect without a vote of the SEC. The SEC expects that the new PCAOB standard will be submitted for SEC review by the end of May or early June 2007, in time for the 2007 financial statement audits.