By Dmitri D. Shiry, CPA
Section 404 of the Sarbanes-Oxley Act was designed to have a long life. Like anything with an extended life cycle, it seems the regulation is growing and maturing with age.
Auditing Standard No. 5 (AS 5), a new rule from the PCAOB, may change how Section 404 is perceived by corporate America and acted upon by management and auditing firms.
Make no mistake, the spirit of Section 404 is a permanent thing. The law exists to safeguard the investing public by helping to ensure that a public company’s internal controls for financial reporting are up to task. But AS 5, along with other just-released guidance from the SEC, could usher in a new era of flexibility and scalability in how the law is interpreted and carried out.
The premise behind AS 5, coupled with new SEC guidance, is that Section 404 compliance needs to become more of a top-down, risk-based activity. Compliance, therefore, would enable auditors and management to exercise more judgment in focusing on the most critical elements of the audit process, thereby eliminating excessive steps. The hope is a risk-based approach will curb the time and costs in complying with Section 404, a burden that many pundits say is affecting the competitiveness of U.S. markets.
The new standards recognize that past audits of internal controls often took an approach that involved more work performed than necessary, resulting in overkill. The purpose of AS 5 is to focus the audit from the top-down, starting with entity-level controls and stopping when the assertion is met. Those are the big picture elements, but what does a risk-based approach look like at the execution level? The following are some of the key facets.
A focus on fraud - The new rules put a stronger emphasis on the detection of fraud. This may seem curious considering the genesis of the Sarbanes-Oxley Act in 2002. Nevertheless, the former standards didn’t place as strong a spotlight on fraud relative to other types of financial reporting risks. An eye toward fraud will be more ingrained in both the planning and execution of the audit.
Eliminating the evaluation of management’s evaluation - Under the new rules, external auditors no longer have to evaluate and report on management’s process for evaluating internal controls. They only have to issue an opinion in their audit report on the effectiveness of internal controls for financial reporting. This change could reduce a layer of unnecessary work, assuming auditors can effectively audit internal controls without evaluating management’s evaluation process.
Making walkthroughs more of a stroll - Walkthroughs are when an auditor follows the path of an individual transaction, from origination to its reflection in the financial records. The new standard gives auditors more leeway in achieving the same objective without actually having to do the walkthrough, including use of a client’s internal staff or other outside resources who can perform the walkthrough under supervision of the auditor.
Creating more flexibility with multiple locations - When it comes to companies with multiple locations or business units, the new, risk-based approach gives auditors more flexibility in determining which locations need internal controls testing. Auditors are no longer bound by requirements related to coverage ratios. They can eliminate locations or units that don’t represent an appropriate level of risk to the financial statements.
Leveraging existing work - AS 5 eliminates some restrictions on where, and to what extent, auditors can use the work of other sources in assessing internal controls. This includes the work of a company’s internal audit department and other sources within the company. Risk will be the governing factor. For controls carrying low risk, auditors can use findings from other sources as principal evidence for the auditor’s opinion. For controls representing higher risk, including those related to fraud, auditors will be less able to use these findings as a sole source of evidence to substantiate operational effectiveness of the controls.
These are just a few of several changes that will arise from AS 5. They underscore an attempt to make internal control audits more feasible for public companies of all sizes and scale.
How well the new rules fare under actual implementation remains to be seen. We’ll find out as companies start closing the books for 2007, the first year for the new standard. On balance, though, AS 5 may have the right stuff to help Section 404, still a relatively new law, mature to adulthood.
Dmitri D. Shiry, CPA, is a partner with Deloitte Tax LLP in Pittsburgh, and is a member of the Pennsylvania CPA Journal Editorial Board. He can be reached at dshiry@deloitte.com.
Copyright 1998-2007 PICPA. All rights reserved. Contact journal@picpa.org for reprint permission