The Public Company Accounting Oversight Board (the “Board” or “PCAOB”) voted unanimously on December 19, 2006 to propose for public comment a new standard, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements that would supersede its Auditing Standard No. 2 (AS No. 2).
“Today’s proposal is the result of the PCAOB’s experience with the first two years of auditors’ implementation of the internal control provisions of the Sarbanes-Oxley Act,” said PCAOB Chairman Mark Olson. “The Board’s goal has been to apply the feedback we’ve received and our observations of implementation to create an auditing standard that†preserves the intended benefits without resulting in unnecessary effort and costs. We believe the new standard will result in audits that are more efficient, risk-based and scaled to the size and complexity of each company. We look forward to comments on the proposal.”
The proposed standard is, per the PCAOB, designed to focus the auditor on the matters “most important” to internal control, eliminate “unnecessary procedures”, simplify and shorten the standard by “reducing detail and specificity”, and make the audit more scalable for smaller and less complex companies.
Most news articles and blogs have focused on the main provisions:
· Reiteration of the emphasis on only the most important controls and the importance of risk assessment;
· A revision in the definitions of “significant deficiency” and “material weakness”, as well as the “strong indicators” of a “material weakness”;
· A clarification of the role of materiality, including interim materiality, in the audit;
· Deletion of the requirement to evaluate management’s internal control evaluation process;
· Permission to consider knowledge obtained during previous audits;
· Direction to the auditor to tailor the audit to reflect the attributes of smaller and less complex companies;
· Permission to refocus the multi-location testing requirements on risk rather than coverage; and
· A recalibration of the walkthrough requirement.
Later posts here may pick up on elements of these provisions, especially as more public comments, due February 26, 2007, come in. But, in general, these changes are auditors’ technical issues and not issues I have an interest in or aptitude for. My interest is in two other provisions that were thrown into this set of proposals.
These two proposals appear as sort of “pork barrel” proposals, similar to the kinds of additional provisions tacked onto a long piece of tax legislation in the US Congress. Everyone gets caught up analyzing the technical tax issues and budget impact and never really focuses on the extra line that pays for a new naval base in the middle of a cornfield.
The “pork barrel” elements of this proposed standard are Proposed Auditing Standard – Considering and Using the Work of Others, and a proposed new independence rule, Proposed Rule 3525 – Audit Committee Pre-approval of Services Related to Internal Control.
The proposed standard, Considering and Using the Work of Others, would supersede AU sec. 322 and the direction currently contained in AS No. 2 regarding using the work of others. Among other things, the proposed standard would:
• Allow the auditor to use the work of others, and not just internal audit, for both the internal control audit and the financial statement audit, eliminating a barrier to integration of the two audits, and
• Encourage greater use of the work of others by requiring auditors to evaluate whether and how to use the work of others to reduce their testing;
• Require the auditor to understand the relevant activities of others and determine how the results of that work may affect the audit,
• Provide a single framework for using the work of others based on the auditor’s evaluation of the combined competence and objectivity of others and the subject matter being tested; and
• Eliminate the explicit principal evidence provision previously included in AS No. 2.
The proposal is intended to reduce the work and therefore the fees of the Big 4 audit firms with regard to Sarbanes-Oxley. The high auditor (and other fees) required to meet Sarbanes-Oxley requirements has been a major complaint of the business community. Most fees paid to audit firms increased substantially after Sarbanes-Oxley, with the justification by the audit firms being the additional work required by AS No. 2.
Many large public companies have one Big 4 firm as their auditor and another one as their internal audit co-source/outsource partner. In some cases, this second firm, the internal audit co-source/outsource partner was also the one who supported the company on SOx related activities such as documentation of processes, identification of key controls and testing of those controls, either as a stand-in for management or as support to internal audit. In many companies, during the initial stages of Sarbanes-Oxley, Internal Audit (or the second Big 4 firm as outsourcer) played a significant role in SOx projects and the related work. This is because Internal Audit, in many cases, was still reporting directly to the CFO (not the Audit Committee) and the CFO, as head of accounting/finance functions, bore the responsibility of initial SOx activities.
However, after issuance of AS No. 2, it became more apparent that the CFO and the finance/accounting functions were intended to be the target of SOx, the object of the review, and therefore were not in the best place to objectively run these initiatives. The accounting/finance function should continue to do the bulk of the work, since they know their processes best and the CFO has to sign off with the CEO on the effectiveness of the controls (SOx Section 302), but the relationship to the internal audit function, the external auditors, and the audit committee was intended to be more arms-length and objective per AS No. 2. Therefore, some adjustments started to take place.
All firms, especially the Big 4, experienced significant constraints (and still do) in hiring and retaining the types of resources needed to do Sarbanes-Oxley work. The Big 4 were focused on the external audit activities and increased their ranks with those activities as a priority. Although some of them had just started to develop more independent and larger Internal Audit Services practices, there just weren’t enough qualified resources to go around. Many non-Big 4 firms appeared on the scene to take advantage of this phenomenon, most notably Jefferson Wells International, a division of Manpower and Protiviti, a division of Robert Half International. These two and other non-accounting firm consulting/staff augmentation firms (for example, the Deloitte spinoff, Resources Global Professionals) focused on internal audit, risk management, IT audit, security, and finance/accounting staffing and made a fortune supporting companies directly and, in many cases, by subcontracting to the larger firms, including the Big 4. This phenomenon will be discussed in another post.
Suffice to say that the Big 4 had to consider and use the work of others when performing their external audit activities, but they didn’t like it much. They would have liked to do more of the work themselves (if they had had the staff and if no one had cared about independence) but they just didn’t have enough staff, especially in IT Audit. And, the Big 4 firms are snobs. When it comes to depending on the work of others, it was generally understood amongst the firms that only another Big 4 firm’s work had a chance to be accepted by a Big 4 external auditor.
A lot of companies spent a lot of time and money trying to get the work done on time and expecting the Big 4 firms to accept it and mitigate their effort and fees, but in many cases they wouldn’t do it. The Big 4 leaned on AS No. 2, which said that someone who is “competent and objective” must perform the work. (They also pointed out the “principal evidence” requirement from AS No. 2 when justifying to their clients and to other firms why they had to re-do much of the work themselves. This concept is also to be repealed by AS No. 5.) They interpreted these standards very strictly. This was partly due to their desire to do as much work and reap as much of the fee as legally possible, the “share of the wallet” concept. And this was also due to concerns about liability. However, the urge to do more of the work was mitigated by the fact that they just didn’t and still don’t have the bandwidth.
The second proposal, the revised “independence” rule, could have a significant impact on the structure and practice of the audit firms with regard to their delivery of audit services. The independence rules imposed by AS No.2 restricted a company’s auditors to the external audit only, for the most part. This was what I call the “AA/Enron rule”, designed to eliminate the kind of situation that allowed AA to provide not only audit services to Enron but consulting and internal audit outsourcing services that significantly outpaced the external audit in fees generated and, some say, in the influence they had on how the external audit was conducted.
Proposed Rule 3525 – Audit Committee Pre-approval of Services Related to Internal Control – relates to the auditor’s provision of internal control-related non-audit services and would replace direction currently contained in AS No. 2 regarding independence and internal control-related services. The PCAOB’s stated intention is to ensure that audit committees are provided information relevant for them to make an informed decision on how the performance of internal control-related services may affect auditor independence. The new rule is also intended to allow audit committees to pre-approve the provision of internal control-related services by their independent auditor on an ad hoc basis or approved “pursuant to committee-approved policies and procedures.”
So in the first proposed rule, the PCAOB is allowing the Big 4 to be more flexible in using the work of “others.” In the second rule, the PCAOB is saying that these “others” may, in some cases, now be the company’s independent external auditor themselves and that they no longer have to get explicit Audit Committee approval to do so.
The Big 4 firms have been chomping at the bit to be able to do more of the work. Although they still need to be cognizant of independence issues, they can get around them by using different teams (such as their consulting arms) to design controls versus test them or audit them. The Enron scandal prompted the rule in AS No.2 that restricted the independent auditor from many other consulting services, including acting as the company’s internal auditor. AS No.2 requires explicit approval from the Audit Committee for any non-audit services which were still allowed and required the specific breakdown in fees in the company’s reports to the SEC. AS No.5 seeks to repeal this transparency and accountability and allow companies to go back to using their audit firms to do “internal control related non-audit services”.
This direction will be interpreted by the Big 4 as favorably as necessary to get a bigger “share of the wallet” and companies will allow it, since they didn’t like the extra Audit Committee approval requirements and exposure that came with telling everyone how much they spent on their external auditor in non-audit activities. I expect that if this rule is approved, everything that is paid to the external audit firm that can be construed as relating to completing the external audit, including any external auditor participation in what is necessary for management to fix prior issues and make their representation to the external auditors on the effectiveness of their internal controls, will be lumped together in one line item.
What does this mean for the Big 4 firms? Well, first it means more latitude in how they serve their audit clients. Many companies have set a strict, non-elastic budget for their external audit under AS No.2 and haven’t been budging from this cap, even when they asked the audit firm to do something more. The amount was approved by the Audit Committee, published in minutes and cast in stone. They avoided any effort and exposure associated with going back to their Audit Committee for something more. So if a firm was allowed to do an additional piece of “non-audit internal control related” consulting, such as a Quality Assurance Review of the company’s internal audit function, then that amount was deducted from the audit fee so the total stayed the same. The Big 4 basically backed off of selling anything else (or servicing their audit clients in any broader relationship development way) since the fees available were capped.
Second, it means that the firms that pulled their Internal Audit Services practices out of External Audit, under the assumption that they needed to keep these business development and service delivery teams separate under AS No.2, will probably roll them back into the External Audit practices. Why have a separate practice, separate overhead and duplicate staff especially in areas such as IT audit and security (tough people to find anyway, let alone for two different sides of the house) when you can reemphasize full, broader service to existing annuity, external audit clients?
The Big 4 will let the independent firms such as Jefferson Wells, Protiviti and the regional boutique staffing firms have the crumbs, the staffing-type engagements. And in many cases both the companies and the firms will have to concede that they still have to allow other non-Big 4 vendors to do some of the work in order to get all the work done. But I expect that if AS No.5 is approved with a roll back of this “independence” requirement, the Big 4 will close ranks and go after as much of the work as possible in their existing audit clients and these companies will let them do it.