In late July, the SEC (Securities &
Exchange Commission) approved the
PCAOB’s (Public Company Accounting Oversight Board) Auditing Standard No. 5
(AS5) An Audit of Internal Control Over
Financial Reporting That is Integrated with
an Audit of Financial Statements, which
replaces Auditing Standard No. 2 (AS2). In
addition to approving AS5, earlier this year,
the SEC itself issued guidance for publicly traded companies complying with Sarbanes-Oxley Section 404.
The goals of the guidance from the SEC
and PCAOB are to focus management’s
assessment and the audit of internal controls over financial reporting on the high-risk areas in a company and eliminate
unnecessary procedures that have been
performed under the prior standard.
Explicit and practical guidance on scaling
the process and ultimately simplifying the
rules for public companies is provided,
says Andrew De Silva from Resources
Smart Business spoke with DeSilva
about the new time- and cost-efficient
changes and how these changes benefit
publicly traded companies if implemented
Who stands to benefit from the new guidance?
All publicly traded companies should
benefit from AS5, but the level of benefit
will directly correlate to the level of effort
put forth by each company in adopting the
new guidance. Benefits may include reducing the amount of work previously performed by internal management and the
amount of time external auditors spent
under the old AS2, lowering total Sarbanes-Oxley costs.
AS5 allows the external auditors to use
the work of company personnel other than
internal auditors, as well as outside third
parties working under the direction of
management, as long as this work is performed by competent and objective persons. Management can use this to distribute some of the testing to internal personnel or third parties and, by working with
the external auditor and planning how to
leverage this work, reduce the cost of the
What must companies do to make this auditing standard successful?
Companies must put forth the initial
effort to perform an adequate risk assessment in order to drive the scope of the
work. With the new guidance’s emphasis
on the use of a top-down, risk-based
approach, management will be able to
focus on the risk areas specific to their
individual company’s environments and
circumstances. The new guidance directs
management’s and external auditors’ focus
to those material areas where a misstatement is likely to occur. This should eliminate some of the unnecessary procedures
performed under AS2.
Under the top-down, risk-based approach, management has the opportunity
to determine areas of focus and higher risk
by identifying significant accounts at the
consolidated financial statement level.
Additionally, by implementing this approach, management can leverage entity-level controls to effectively reduce or even
eliminate the need to document and test
process- and transaction-level controls.
The new guidance also allows management to look for areas where monitoring
activities can replace detailed testing. The
level of documentation and testing should match the level of risk in a particular area.
This can significantly reduce the effort
What should management of public companies be doing now?
If they have not done so already, companies should begin the process of using a
top-down, risk-based approach. This
should enable them to reduce the overall
scope and reduce the level of activity in
low-risk areas, which will save both time
Attention should be focused on the greatest areas of risk. It is critical for companies
to identify effective entity-level controls
and leverage those controls to reduce the
testing of controls at the process and transaction level.
The increased documentation and
reliance of entity-level controls, if done
effectively, will significantly reduce Sarbanes-Oxley costs for most, if not all, companies. It is crucial for management to
communicate with auditors. Collaboration
with the external auditors is critical to
achieving continuous efficiencies and cost
effectiveness throughout the Sarbanes-Oxley process.
How can outside resources be utilized by
companies that may need help?
Professional services firms are typically
engaged when companies do not have the
internal staff or experience to adequately
handle the workload associated with a
compliance effort, such as Sarbanes-Oxley.
Some companies may go the route of the
traditional consulting firms to alleviate
internal pressures by pushing the project
ownership, control and risk outside the
organization. Other companies may wish
to maintain control of the Sarbanes-Oxley
compliance effort within their management team, but may still utilize a firm, such
as Resources Global, to bring in experienced professionals who work from the
inside out to assist with the effort on a project basis.
ANDREW DE SILVA is a client service manager with Resources
Global Professionals. Reach him at (412) 263-3306 or [email protected].