While hopes are high that Auditing Standard 5 will sharply reduce audit costs, no one knows for sure. And success at multinational giants won’t necessarily carry over to smaller companies.
The corporate financial reporting world is holdings its collective breath as companies begin to talk to their auditors about Auditing Standard 5 (AS5), the tool that is supposed to whittle down excessive Sarbanes-Oxley auditing costs. The Public Company Accounting Oversight Board (PCAOB) developed AS5 to replace the reviled Auditing Standard 2 (AS2), the very prescriptive standard that had guided outside auditors as they did their attestations of corporate evaluations of internal controls over financial reporting.
Companies and auditors alike had argued that AS2 forced companies to test too many insignificant controls for fear of having overlooked what the auditor, looking into each tiny crevice in each corner of the corporate books, would later deem important minutia during its attestation audit.
The transition to a “principles-based” AS5 for integrated audits conducted for fiscal years ending on or after Nov. 15, 2007, and the associated management guidance approved in July by the U.S. Securities and Exchange Commission (SEC), allows companies to break the chains of AS2 and, ideally, embrace the new “risk-based, top-down” approach ushered in with much ballyhooing by both the PCAOB and SEC. But no one really knows whether AS5 will actually lower Sarbanes-Oxley Section 404 auditing costs significantly. Hopes are high. Yet significant skepticism abounds, too.
Greg Starr, middle-market practice director, Accounting Management Solutions Inc., explains that AS5 enhances management’s ability to rely on effective entity-level fraud prevention and computer controls. The auditor gains an enhanced ability to rely on the work of others and to include consideration of its previous experience with the client.
This new path leads down a road to what SEC Chief Accountant Conrad Hewitt describes as “tailoring and scaling of evaluations and audits according to the relevant facts and circumstances.”
“While auditors and companies are still grappling with AS5, we are clearly moving in the right direction,” Starr states. “Although true savings have yet to be seen, there is a strong indication the revised standard will have a positive impact both practically and economically.”
Big Four auditors also sound a note of caution on costs. Craig Crawford, partner in charge of the audit group at the Department of Professional Practice at KPMG, says, “The standard is sound. It effectively achieves its stated objectives.” But, he adds, “Professional audit fees are influenced by many variables, one of which is auditor effort associated with the internal control element of an integrated audit. Changes in accounting standards, changes in a company’s operations, acquisitions and dispositions — these come into play, too.”
AS5’s impact on companies will probably have a lot to do with company size, the complexity of its financial statement and who its outside auditor is. Arnie Hanish, executive director, finance, and chief accounting officer at Eli Lilly & Co. and chairman of
However, there have been a few dissenters in the issuer community who suggest AS5 is, at least as a reform, weak gruel. Michael G. Oxley, Nasdaq‘s vice chairman and co-author of Sarbanes-Oxley, says, “While AS5 represents improvement over the previous standard, it does not go far enough to help decrease regulatory complexity and reduce the risk for overzealous auditing. We must take bolder steps to make our markets more attractive and competitive.”
Bethany Sherman, a spokeswoman for Nasdaq, says its internal auditors have told the Nasdaq board that AS5 will not bring a reduction of Section 404 audit costs. “And though our companies think AS5 is a good thing, they say it will not substantively reduce their auditing costs, either,”
While its actual impact will not be clear for some time, AS5’s objective is clear as a freshly Windexed window. The idea is to allow companies to focus on ensuring they have internal controls that will catch material weaknesses and for outside auditors to test only those “high-risk” controls. Those hopes may, in fact, be fulfilled. “The markets, on balance, think we got the words right,” emphasizes Mark Olson, chairman of the PCAOB. “That doesn’t mean we got all the words exactly the way everyone wanted.”
In fact, there are perhaps 10 key areas within AS5 where the PCAOB (either on its own or at the SEC’s insistence) denied additional relief or clarification in a way sought by corporations and auditors, leaving some companies convinced that while Section 404 auditing costs may go down, they will still be higher than necessary.
For example, the PCAOB declined to allow “rotational” testing of those internal controls deemed to be, as a result of the “scoping” AS5 is supposed to promote, of much lower risk. PCAOB also declined to ax “walkthroughs,” which are technically not required, but are described in AS5 as “frequently the most effective way of achieving objectives,” making them a requirement in everything but name.
The PCAOB’s initial draft of AS5 had nearly 250 “shoulds” and “musts” dictating things the auditor had to do. The final version cuts that number a little. Robert Kueppers, deputy chief executive officer of Deloitte & Touche, agrees the board moderated some of those dictates, and that AS5 permits auditors to use much more judgment in completing their work.
Qualification Sets Unclear
An example of that is AS5’s allowing auditing firms to decide when to depend on testing done by company personnel who are not internal auditors. This was a marquee issue. But AS5 provides no real guidance on what qualifications a corporate executive has to have before his or her testing can be relied on by the outside auditor. Olson states that auditors need to insure that the corporate officials they rely on are objective and independent. But he quickly admits that would be the subject of a “very idiosyncratic evaluation.”
The definition of “materiality” — which is really an SEC decision — leaves a lot to the imagination; so does the definition of “fraud.” For example, the language in AS5 on detecting fraud is short of what was asked for by people like Lilly’s Hanish. He had asked the PCAOB to “define the specific types of fraud that should be considered to be an indicator of a material weakness (i.e., management fraud — senior management intentional manipulation of financial statements, versus employee fraud — inappropriate expense reporting).”
Hanish admits, “That was not changed as much as I had hoped it would be. What you don’t want to do is give auditors an open check to look for fraud — looking for a needle in a haystack. That is very costly.”
Nonetheless, Hanish believes it is important to acknowledge that the PCAOB responded very well to some of the public outcry and criticism of AS2. However, he adds that the ultimate success or failure of AS5 will only be determined after the first round of PCAOB inspections under the new standard, which won’t happen for at least a year.
Any 404 audit savings companies achieve in the first year of AS5 will have to be ratified by the PCAOB’s inspection process, which will either endorse or reject the “judgment” used by auditors on the “scoping” that underpins the new, “principles-based” era. “In my view, the PCAOB will respect the auditor’s judgment if that judgment is made in good faith, is well-reasoned and properly documented,” says Deloitte’s Kueppers.
Olson says the PCAOB is aware that the inspection process can cast a pall over an auditor’s work. “We are spending a lot of time meeting with the accounting profession, at this point, the eight largest firms,” explains Olson. “We are helping them to challenge their methodology in making the transition from AS2 to AS5 as aggressively as we did in [considering what improvements could be made in] going from AS2 to AS5.”
Kueppers says Deloitte is doing a lot of work with its partners, instructing them how to modify their audit approach to comport with AS5. In addition, PCAOB inspectors are on premise at some Deloitte locations talking about audits done last year under AS2, and how they might be done differently under AS5. “It is an active and natural dialogue,” he says.
Meanwhile, on the key question of whether AS5 and the management guidance will reduce corporate testing and external audit costs associated with Section 404, there can only be speculation. “I have had numerous conversations within the CCR and at the PCAOB,” offers Hanish. “What we are seeing really depends on two things, the nature of the company and its current controls, as well as who their auditing firm is.”
Hanish breaks the Big Four into three camps. One company already was “out in front” on taking a “top-down” approach to AS2. Two of the other Big Four firms took a very conservative approach to AS2, he argues, and the third was in the middle between the leader and the other two. In the first year of Section 404 implementation, Lilly’s auditing costs increased 28 percent. That compared with increases of 50 percent and up for companies being audited by the other three majors.
Hanish expects to see some reductions in Lilly’s internal corporate testing costs, particularly from reduced testing at foreign locations, where the nature of the business, size of locations and financial staff in place result in lower risk. This will probably be true for many other
In the past, Lilly sent internal auditors to do internal control testing at certain foreign locations that were in scope. Now, because of the “top-down, risk-based” mandate of AS5 and the SEC guidance, Lilly has pulled back on testing at some foreign locations and has moved to a variable approach based on a set of criteria. “At some of those locations, based on a risk analysis and prior-year results, for example, we do desktop testing,” he explains. “At some other locations, we may only use a self-assessment questionnaire.”
Positive reviews by Fortune 500 companies, if in fact they are forthcoming over the next year, won’t be the final word on the success of AS5. It is one thing for a Fortune 500 company to comply. It will be another thing for the 6,000 public companies with less than $75 million in public equity — the so-called non-accelerated filers. They have not had to do the Section 404 management reports, much less have those reports audited.
Their first reports are due in March 2008, and their first audits are required on their first financial statements for the fiscal year ending after Dec. 14, 2008. PCAOB inspections of those small company audits won’t be public for a year after that. Only then will it be clear whether AS5’s tailoring, scaling and scoping will be as transformational as advertised by the SEC.