The Public Company Accounting
Oversight Board (PCAOB) issued and
approved Auditing Standard No. 5 (AS5) in June 2007; the SEC approved it the
following month. Rich Bellucci, partner
and SEC practice leader at Burr Pilger
Mayer, says that the new standard brings
the possibility of lower audit fees — anywhere from 5 to 10 percent — but only for
the prepared.
“After hearing about AS5, many companies assumed their fees would decrease,”
he says. “But if they are not proactive in
their risk assessment and the design of their
processes or how and when they pull their
information together, they are not going to
see that fee reduction.”
In fact, he cautions, “The ability to achieve
cost savings from AS5 depends on management’s focus and preparation. Companies
that wait too long to prepare will see that
the amount of time and energy they invest
internally, as well as the extra effort
required of their auditors, may even
increase their costs.”
Smart Business spoke to Bellucci for
more on what companies should know
about AS5.
What are the origins of AS5, and what is its
purpose?
Following the Sarbanes-Oxley Act of 2002,
the PCAOB issued Auditing Standard No. 2.
The rule was the PCAOB’s first attempt to
provide guidance on how companies and
auditors should audit internal controls. It
was restrictive and essentially led to audit
firms doing more work than anyone intended. Wanting to comply, audit firms began
auditing cycles that were not relevant to
financial reporting. This led to a large
increase in fees. Several companies lobbied
the PCAOB to devise something simpler.
The PCAOB came back with AS5. Under
AS5, auditors are empowered to complete a
more risk-based audit, focusing on the most
important matters first and being able to
rely on the work of internal audit or third-party providers. This should translate into
a more streamlined, less complicated
process, reducing the hours spent completing an integrated audit and potentially lowering fees.
Whom did AS5 affect, and how were they
affected?
AS5 affected public companies that are
considered accelerated filers by the SEC
and whose year-end was on or after Nov. 15,
2007.
Under AS5, auditors are given more leeway in how they perform their audit. AS5
removes many of the required procedures
and allows auditors to use their judgment
to perform a top-down, risk-based integrated audit. Auditors can now focus on the
high-risk areas and not be as concerned
with areas that have a lesser effect on financial reporting. They are now encouraged to
place more reliance on the work of others
as long as those performing the work are
deemed competent and objective in the
judgment of the auditors. Auditors must
obtain sufficient evidence to support their
opinion, but their own audit work is no
longer required to be the principal form of
evidence.
Companies and auditors can now focus
on what is important: risk and materiality.
AS5 also contains multiple notes throughout the document explaining how to apply
the principles to smaller, less-complex
companies. AS5 allows a company’s control systems to achieve the intended objective
of improving the quality of financial reporting without unnecessary effort.
How did the first year of AS5 go?
Overall, the adoption of AS5 went well.
The greatest benefit was seen by those
companies that adopted and followed AS5’s
guidelines as early as possible and focused
on the top-down, risk-based approach.
Historically, companies have not taken this
approach, failing to evaluate and document
their reliance on their entity-level controls
to the extent encouraged under AS5.
Those companies that documented and
tested controls early in the process saw the
biggest benefit from AS5, both in the
reduced amount of work by the company
and the amount of work auditors performed. Another big benefit was the ability
to move away from some of the required
steps and focus on the aspects of the audit
that really mattered. Lastly, the ability to
rely on the work of others helped as well.
What can be done to make the process
smoother, more efficient and cost effective?
The smartest thing companies can do is to
prepare as early as possible. For a calendar-year company, starting in the fourth quarter
is too late. You need to begin scoping the
project in June or July and identifying top-level controls to get the most benefit.
Companies that are prepared enable auditors to determine where the risks are and
focus their attention on those areas.
If auditors get the control work late in the
process, they are unable to reduce their
substantive testing but still have to test
internal controls. Additionally, if companies are going to utilize consultants to
assist in testing and documentation, they
need to make sure the consultants have the
appropriate background, are competent
and understand what they are being asked
to do. Finally, companies should make sure
that they and their auditors are on the same
page: An open dialogue between the company and the auditor will lead to a more
efficient audit.
RICH BELLUCCI is a partner and SEC practice leader at Burr Pilger Mayer. Reach him at (408) 961-6300 or [email protected].
