In late July, the SEC (Securities & Exchange Commission) approved the PCAOB’s (Public Company Accounting Oversight Board) Auditing Standard No. 5 (AS5) An Audit of Internal Control Over Financial Reporting That is Integrated with an Audit of Financial Statements, which replaces Auditing Standard No. 2 (AS2). In addition to approving AS5, earlier this year, the SEC itself issued guidance for publicly traded companies complying with Sarbanes-Oxley Section 404.
The goals of the guidance from the SEC and PCAOB are to focus management’s assessment and the audit of internal controls over financial reporting on the high-risk areas in a company and eliminate unnecessary procedures that have been performed under the prior standard. Explicit and practical guidance on scaling the process and ultimately simplifying the rules for public companies is provided, says Andrew De Silva from Resources Global Professionals.
Smart Business spoke with DeSilva about the new time- and cost-efficient changes and how these changes benefit publicly traded companies if implemented properly.
Who stands to benefit from the new guidance?
All publicly traded companies should benefit from AS5, but the level of benefit will directly correlate to the level of effort put forth by each company in adopting the new guidance. Benefits may include reducing the amount of work previously performed by internal management and the amount of time external auditors spent under the old AS2, lowering total Sarbanes-Oxley costs.
AS5 allows the external auditors to use the work of company personnel other than internal auditors, as well as outside third parties working under the direction of management, as long as this work is performed by competent and objective persons. Management can use this to distribute some of the testing to internal personnel or third parties and, by working with the external auditor and planning how to leverage this work, reduce the cost of the external audit.
What must companies do to make this auditing standard successful?
Companies must put forth the initial effort to perform an adequate risk assessment in order to drive the scope of the work. With the new guidance’s emphasis on the use of a top-down, risk-based approach, management will be able to focus on the risk areas specific to their individual company’s environments and circumstances. The new guidance directs management’s and external auditors’ focus to those material areas where a misstatement is likely to occur. This should eliminate some of the unnecessary procedures performed under AS2.
Under the top-down, risk-based approach, management has the opportunity to determine areas of focus and higher risk by identifying significant accounts at the consolidated financial statement level. Additionally, by implementing this approach, management can leverage entity-level controls to effectively reduce or even eliminate the need to document and test process- and transaction-level controls.
The new guidance also allows management to look for areas where monitoring activities can replace detailed testing. The level of documentation and testing should match the level of risk in a particular area. This can significantly reduce the effort required.
What should management of public companies be doing now?
If they have not done so already, companies should begin the process of using a top-down, risk-based approach. This should enable them to reduce the overall scope and reduce the level of activity in low-risk areas, which will save both time and money.
Attention should be focused on the greatest areas of risk. It is critical for companies to identify effective entity-level controls and leverage those controls to reduce the testing of controls at the process and transaction level.
The increased documentation and reliance of entity-level controls, if done effectively, will significantly reduce Sarbanes-Oxley costs for most, if not all, companies. It is crucial for management to communicate with auditors. Collaboration with the external auditors is critical to achieving continuous efficiencies and cost effectiveness throughout the Sarbanes-Oxley process.
How can outside resources be utilized by companies that may need help?
Professional services firms are typically engaged when companies do not have the internal staff or experience to adequately handle the workload associated with a compliance effort, such as Sarbanes-Oxley. Some companies may go the route of the traditional consulting firms to alleviate internal pressures by pushing the project ownership, control and risk outside the organization. Other companies may wish to maintain control of the Sarbanes-Oxley compliance effort within their management team, but may still utilize a firm, such as Resources Global, to bring in experienced professionals who work from the inside out to assist with the effort on a project basis.
ANDREW DE SILVA is a client service manager with Resources Global Professionals. Reach him at (412) 263-3306 or email@example.com.