Auditors, issuers struggle with 404

If you've had problems applying Auditing Standard No. 2, the Public Company Accounting Oversight Board says you're not alone.The board has known of widespread difficulties applying the new standard, "An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements," since audit firms first began grappling with its complex and often undefined demands.

The board has subsequently been monitoring performance, and it has detected a host of problems.

"The board found that both firms and issuers faced enormous challenges in the first year of implementation, arising from the limited timeframe that issuers and auditors had to implement [Sarbanes-Oxley Act] Section 404; a shortage of staff with prior training and experience in designing, evaluation and testing control; and related strains on available resources," the report stated.

The report of problems caught few by surprise, since many of the problems had been dealt with in a May 16, 2005, pronouncement issued by the PCAOB and the Securities and Exchange Commission.

That document clarified some shortcuts that auditors could take when their audit process indicated limited risks.

Neil Goldenberg, a partner with the New York-based CPA firm of Eisner, came aboard from KPMG early in 2004 specifically to help Eisner develop a strategy for complying with AS 2. "I think a lot of the problems had to do with the compression of time that both companies and auditors had to go through this first year," he said. "Their reviews were done early in 2005, before a lot of the anecdotal evidence had trickled through the firms."

Public accountants are more comfortable with audits under AS 2, but many internal auditors and company managers are still unsure how to document the integrity of internal controls and who's going to do it.

"Don't expect a lot in 2005," said David Richards, president of the Institute of Internal Auditors. "The guidance from the SEC came in the middle of the year. By then a lot of companies had already begun doing what they were going to do, so it was too late to change their approach. The audit firms have had more time to react. Some of the SEC suggestions were not simple fixes, so it isn't necessarily going to be 'one-two-three-I'm-done.'"

The PCAOB report, which was issued at the end of November, termed last year's problems "inefficiencies." Among the more efficient processes that could be implemented are:

* Integrating audits of internal control with audits of financial statements;

* Applying a "top-down approach" that begins by evaluating company-level controls and using findings to focus subsequent evaluations;

* Testing in accordance with risk;

* Performing walkthroughs by following a single transaction through an entire process;

* Using the work of others, to the extent permitted;

* Evaluating compensating controls when control deficiencies are found; and,

* Testing controls over the preparation of disclosures.

Richards said that integrating audits of internal control and financial statements seems like a good idea from an external auditor's point of view, but the efficiency created on the outside means new complications on the inside.

"When you talk about integrating the two audits - doing it once, rather than twice - that's easier said than done," Richards said. "It's desirable to do it that way, but when you get down in the weeds and try to figure out the specific steps that you're going to coordinate... a lot more has to be thought through. The objectives of the two audits are totally different."

Richards also expressed concern that internal auditors are often expected to test internal controls. Unless they are given additional resources for the additional work, other internal testing will go undone.

Clarifications, definitions

The PCAOB report did more than identify problems - it clarified certain issues. "More than remote," the report stated, means "at least reasonably possible." A "strong indicator" of a material weakness is not a material weakness, but a circumstance requiring heightened scrutiny. In that an objective of an audit of internal control is to identify material weaknesses, it need not be designed to detect weaknesses that are less than material.

The report noted that problems at many audit firms and their clients were compounded when companies had to improve their internal controls before auditors could get to work. The tighter window of audit opportunity made it more difficult to audit those systems, especially for auditors feeling their way through a process that was not only new, but not clearly defined.

The report called on auditors to apply more judgment in assessing companies for risk and devising appropriate audits. "Ineffective use of standardized firm tools may have contributed to audit engagement teams' failure to vary the scope and extent of testing in response to the assessed risks ...," the report stated. "Auditors must recognize, however, that these tools cannot replace sound auditor judgment applied to the facts and circumstances of each audit.

The report also called for judgment in the evaluation of such terms as "probable," "reasonably possible" and "remote." It suggested "an exercise of judgment, based on an assessment of what constitutes reasonable assurance under the circumstances, not on the mechanical application of a predetermined probability formula."

Lillian Ceynowa, director of the American Institute of CPAs' Center for Public Company Audit Firms, agreed that between the guidance issued on May 16 and the recent PCAOB report, auditors have a much clearer sense of what to do and how to do it. "Audit firms are more confident, they've been through it, they've established their champion experts, and now the more experienced people can teach the less experienced," Ceynowa said. "They've got a year under their belts."

The PCAOB also clarified and effectively loosened the rules on using "the work of others" to assess and improve internal controls, thus simplifying the work of auditors. In fact, Eisner has become one of the "others" that help their non-audit clients prepare for Section 404 audits.

"Sometimes we get hired by smaller companies, and sometimes surprisingly large companies, that don't have the internal function to assess and audit internal control," Goldenberg said. "They aren't auditors and they don't want to be auditors, but we are, so we can go in and take an objective look at the controls of the company and provide them with a good package for testing their controls."

For reprint and licensing requests for this article, click here.
Audit Regulatory actions and programs Accounting standards
MORE FROM ACCOUNTING TODAY