AS5 Comes to the Rescue

In late July, the SEC gave its official stamp of approval to a much-anticipated change in the auditing landscape. Amidst abundant chatter in the accounting world, PCAOB Auditing Standard No. 5, "An Audit of Internal Control over Financial Reporting That Is Integrated with An Audit of Financial Statements," was issued to replace Auditing Standard No. 2, which governed audits of internal controls over financial reporting. The new auditing standard, often referred to by the less cumbersome name "AS 5," is intended to improve the efficiency and effectiveness of internal control audits while also cutting audit costs, especially for smaller public companies.

For readers who have remained out of the Sarbanes-Oxley loop, Section 404 mandates that management must assess and report on the effectiveness of the company's internal controls over financial reporting, and the external auditor must attest to management's internal control assessment. Auditing Standard No. 5 lays out the requirements and provides guidance for auditors who are engaged to perform an audit of management's assessment of the internal controls that's integrated with an audit of the financial statements as required by SOX.

So, what does the new standard do that AS 2 didn't? According to the SEC, AS 5 will improve the internal control auditing process in several key ways.

First, the new standard has been stripped down -- it's less than half the length of its predecessor -- primarily through a great reduction in the amount of mandatory instructions for auditors. The new standard's "less prescriptive" approach allows auditors to focus their efforts on those areas that they judge as most critical to forming an opinion on the entity's internal control environment. Without so many "shoulds," auditors will be able to return to the important concepts of risk and materiality in performing their engagements, rather than worrying about completing a checklist of rules.

Additionally, AS 5 acknowledges that differences in size and complexity of organizations should translate into differences in how audit engagements are approached. Thus, the new standard specifically includes instructions for auditors on how to apply its provisions in audits of smaller or less complex companies. This "scalability" allows auditors to tailor the audit engagement to the specific circumstances of the organization by adjusting the amount, nature, and targets of the tests they perform.

Auditing Standard No. 5 also explicitly prompts auditors to keep their focus on those matters that are most important to the objective of the audit -- that is, to form and issue an opinion on the effectiveness of the organization's financial controls. The standard directs auditors to pay the most attention to areas that present the greatest risk that the internal controls will fail to prevent or detect any material misstatements in the company's financial statements and reminds them not to spend time seeking out immaterial weaknesses in the financial reporting process.

Finally, the standard provides broad principles for auditors to follow in determining when and how to best use the work of others during the course of the internal control audit engagement. Auditors are explicitly permitted to use the work of the client company's own personnel in completing audit tasks and are directed to apply their professional judgment in relying on work performed by others based on their assessment of the objectivity and competence of those performing the work.

Will AS 5 successfully reduce the costs of Section 404 compliance and make internal control audits more efficient and effective? Only time will tell. The new standard is effective for fiscal years ending on or after Nov. 15, 2007. Practitioners affected by the new standard and parties interested in more information should read the text in full at www.pcaobus.com.

EXECS GIVE CONFLICTING SOX FEEDBACK 

Several studies have been released that show conflicting information on both the costs and benefits of SOX compliance. A study of 172 large, public companies conducted by Financial Executives International (FEI) found that the Section 404 compliance costs for 2006 decreased by 23 percent over the previous year. Additionally, according to the study, total compliance costs have dropped 35 percent since 2001, the first year SOX took effect. The survey also revealed that the portion of compliance costs related to audit fees remained virtually unchanged from 2005 to 2006.

"The Cost of Being Public in the Era of Sarbanes-Oxley," a report presenting the results of a survey conducted by Foley & Lardner LLP, presents a slightly different story. Like the FEI study, the Foley & Lardner survey indicated that the overall costs to comply with SOX decreased in 2006. However, the study also revealed that the out-of-pocket costs incurred by public companies in their SOX compliance efforts increased during the same period. In the 2006 fiscal year, companies with annual revenue of more than $1 billion experienced a 12 percent rise in these costs, which included audit fees, board compensation, and legal fees. Smaller companies -- those with less than $1 billion in annual revenue -- were hit slightly harder, with a 13 percent increase in out-of-pocket costs. The study also contradicted the findings of the FEI study with regard to trends in audit fees: The results of the Foley & Lardner survey revealed a 5 percent increase in audit fees during the 2006 fiscal year for all companies polled. (For more information on these and other survey results, please see the full report at www.foley.com/files/tbl_s31Publications/FileUpload137/3736/Foley2007SOXstudy.pdf.)

The results are also mixed on just how beneficial the requirements of Sarbanes-Oxley compliance are proving to be. A nationwide telephone survey of 1,000 investors conducted by the Center for Audit Quality found that 79 percent of investors are more confident in companies' financial information as a result of Sarbanes-Oxley. Also, 62 percent of those surveyed believe that the requirements of SOX should be left fundamentally as they are, with two-thirds of investors indicating that they would be concerned if the rules were lessened at all. Additionally, more than three quarters stated that several key components of the Act -- namely, independent audit committees, PCAOB involvement, and Section 404 internal controls testing and audits -- have been positive or effective. (More information about the study is available at www.thecaq.org.)

Similarly, according to a survey by Pepperdine University's Graziadio School of Business and Management, 57 percent of investors believe that the restrictions placed on companies by SOX are about right, while nearly one third (32 percent) feel it didn't go far enough. Only 8 percent of the survey respondents indicated that SOX's requirements went too far. (http://bschool.pepperdine.edu/research/investorsurvey)

In contrast, the Financial Executives International survey revealed that 78 percent of companies believe the costs of SOX compliance outweigh the benefits. The companies polled were similarly pessimistic on how well compliance is achieving the intended goals of the Sarbanes-Oxley Act: 46 percent believe that financial statements are more accurate as a result of SOX's requirements; 48 percent believe that financial reports are more reliable, and 34 percent believe that Section 404 compliance has helped prevent or detect fraud. However, even with the majority view that the benefits don't justify the costs, 60 percent of the companies did indicate that compliance with SOX's internal control provisions has increased investor confidence in their financial statements.

Author's note: With the fifth anniversary of the passage of the Sarbanes-Oxley Act behind us and the adoption of Auditing Standard No. 5, the time has come to end the regular SOX Update column. Rest assured that if and when any big news occurs in the world of Sarbanes-Oxley, we'll cover it here. Thank you for your interest in this column. I've enjoyed writing it and have been overwhelmed by the positive feedback I've received from readers.

Andi McNeal, CFE, CPA, is the research program manager for the ACFE.

[Some links may no longer be available. —Ed.]

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.