PCOAB Chairman William McDonough said the guidance is intended to help public companies and their auditors comply with internal-controls requirements through 56 questions and answers and a 14-page policy statement from the oversight board.
Congress tightened internal-controls rules in 2002 as part of a sweeping package of corporate-accounting reforms, requiring public companies to conduct an annual assessment, subject to a review by the company’s outside auditor. Significant problems that don’t get fixed must be reported to investors and the Securities and Exchange Commission (SEC). Companies that went through the review process last year complained it was time-consuming and costly, and that auditors took an overly conservative one-size-fits-all approach.
According to the PCOAB materials, the agency had set out to “correct the misimpression that certain provisions of (the auditing rules) need to be applied in a rigid manner that discourages auditors from exercising the judgment necessary to conduct an internal control audit in a manner that is both effective and cost-efficient.”
To properly plan and perform an effective audit, the agency said auditors should:
- integrate their audits of internal controls with their audits of the client’s financial statements, so that evidence gathered and tests conducted in the context of either audit contribute to completion of both audits
- exercise judgment to tailor their audit plans to the risks facing individual audit clients, instead of using standardized “checklists” that may not reflect an allocation of audit work weighted toward high-risk areas
- use a top-down approach that begins with company-level controls, to identify for further testing only those accounts and processes that are relevant to internal control over financial reporting
- take advantage of the significant flexibility that the standard allows to use others’ work
- have direct and timely communication with audit clients when they seek auditors’ views on accounting or internal control issues before those clients make their own decisions on such issues, implement internal control processes under consideration, or finalize financial reports.
In a prepared statement Monday, McDonough said the internal-control reviews and audits have the potential to significantly improve corporate-financial reports. “At the same time, it is equally clear to us that the first round of internal control audits cost too much,” he said.
The SEC Weighs In
Meanwhile separately issued, guidance from the SEC staff covered about a half-dozen issues and stressed the need for corporate managers to take a reasonable, risk-based approach and not allow the process to overshadow the purpose of assessing the adequacy of controls a company has in place to ensure financial reports are accurate. Controls may be as simple as requiring multiple signatures on checks for large sums, to complex automated systems to track inventory, the agency said.
The SEC said at least some of the problems came about because of the “mechanical, and even overly cautious, way in which those rules and standards apparently have been applied in many cases.”
Asserted the SEC: ” Both management and external auditors must bring reasoned judgment and a top-down, risk-based approach to the 404 compliance process. A one-size fits all, bottom-up, check-the-box approach that treats all controls equally is less likely to improve internal controls and financial reporting than reasoned, good faith exercise of professional judgment focused on reasonable, as opposed to absolute, assurance.”
Also, high-risk areas should get the greatest attention, according to the SEC. Every step or aspect of a control may not need to undergo testing, or need testing every year, the SEC said.
For small and overseas companies, the guidance offered little new information but said the SEC staff is continuing to assess the effects the rules will have on such companies. “We want to make clear that these actions are not the end of the process,” the SEC commissioners said.