The Public Company Accounting Oversight Board (PCAOB) issued and approved Auditing Standard No. 5 (AS5) in June 2007; the SEC approved it the following month. Rich Bellucci, partner and SEC practice leader at Burr Pilger Mayer, says that the new standard brings the possibility of lower audit fees anywhere from 5 to 10 percent but only for the prepared.
“After hearing about AS5, many companies assumed their fees would decrease,” he says. “But if they are not proactive in their risk assessment and the design of their processes or how and when they pull their information together, they are not going to see that fee reduction.”
In fact, he cautions, “The ability to achieve cost savings from AS5 depends on management’s focus and preparation. Companies that wait too long to prepare will see that the amount of time and energy they invest internally, as well as the extra effort required of their auditors, may even increase their costs.”
Smart Business spoke to Bellucci for more on what companies should know about AS5.
What are the origins of AS5, and what is its purpose?
Following the Sarbanes-Oxley Act of 2002, the PCAOB issued Auditing Standard No. 2. The rule was the PCAOB’s first attempt to provide guidance on how companies and auditors should audit internal controls. It was restrictive and essentially led to audit firms doing more work than anyone intended. Wanting to comply, audit firms began auditing cycles that were not relevant to financial reporting. This led to a large increase in fees. Several companies lobbied the PCAOB to devise something simpler.
The PCAOB came back with AS5. Under AS5, auditors are empowered to complete a more risk-based audit, focusing on the most important matters first and being able to rely on the work of internal audit or third-party providers. This should translate into a more streamlined, less complicated process, reducing the hours spent completing an integrated audit and potentially lowering fees.
Whom did AS5 affect, and how were they affected?
AS5 affected public companies that are considered accelerated filers by the SEC and whose year-end was on or after Nov. 15, 2007.
Under AS5, auditors are given more leeway in how they perform their audit. AS5 removes many of the required procedures and allows auditors to use their judgment to perform a top-down, risk-based integrated audit. Auditors can now focus on the high-risk areas and not be as concerned with areas that have a lesser effect on financial reporting. They are now encouraged to place more reliance on the work of others as long as those performing the work are deemed competent and objective in the judgment of the auditors. Auditors must obtain sufficient evidence to support their opinion, but their own audit work is no longer required to be the principal form of evidence.
Companies and auditors can now focus on what is important: risk and materiality. AS5 also contains multiple notes throughout the document explaining how to apply the principles to smaller, less-complex companies. AS5 allows a company’s control systems to achieve the intended objective of improving the quality of financial reporting without unnecessary effort.
How did the first year of AS5 go?
Overall, the adoption of AS5 went well. The greatest benefit was seen by those companies that adopted and followed AS5’s guidelines as early as possible and focused on the top-down, risk-based approach. Historically, companies have not taken this approach, failing to evaluate and document their reliance on their entity-level controls to the extent encouraged under AS5.
Those companies that documented and tested controls early in the process saw the biggest benefit from AS5, both in the reduced amount of work by the company and the amount of work auditors performed. Another big benefit was the ability to move away from some of the required steps and focus on the aspects of the audit that really mattered. Lastly, the ability to rely on the work of others helped as well.
What can be done to make the process smoother, more efficient and cost effective?
The smartest thing companies can do is to prepare as early as possible. For a calendar-year company, starting in the fourth quarter is too late. You need to begin scoping the project in June or July and identifying top-level controls to get the most benefit. Companies that are prepared enable auditors to determine where the risks are and focus their attention on those areas.
If auditors get the control work late in the process, they are unable to reduce their substantive testing but still have to test internal controls. Additionally, if companies are going to utilize consultants to assist in testing and documentation, they need to make sure the consultants have the appropriate background, are competent and understand what they are being asked to do. Finally, companies should make sure that they and their auditors are on the same page: An open dialogue between the company and the auditor will lead to a more efficient audit.
RICH BELLUCCI is a partner and SEC practice leader at Burr Pilger Mayer. Reach him at (408) 961-6300 or email@example.com.