In the wake of the new Guidance issued by the Securities and Exchange Commission and the PCAOB’s new Auditing Standard No. 5, there has been much debate as to whether these changes provide useful guidance, will result in cost savings, or will reverse the trend of companies availing themselves of foreign securities markets or going private.
I asked Kevin W. O’Connell, a principal in PricewaterhouseCoopers LLP’s Boston office, to assess the impact these changes will have on reporting companies.
SEC Watch: The SEC now defines “material weakness” as significant deficiencies creating the reasonable possibility of material misstatement. Absent objective measurements, in what way will auditors classify deficiencies differently from the prior standard (more than a “remote likelihood” of misstatement)?
O’Connell: When assessing the severity of a deficiency, company management and the independent auditor consider the likelihood that the company’s controls will fail to prevent or detect a misstatement of an account balance or disclosure. They also assess the magnitude of the potential misstatement. In evaluating any deficiency, management and the independent auditor are required to use well-reasoned professional judgment in assessing quantitative materiality and qualitative risk factors, including:
The new definition requires the same level of professional judgment, but clarifies the strength of evidence to consider when determining the existence of a material weakness.
SEC Watch: Companies must report significant deficiencies to the audit committee and to auditors. What is the standard for knowing whether something is merely a significant deficiency (less than a material weakness), absent quantitative and qualitative standards in the proposed SEC rule?
O’Connell: A significant deficiency can be defined as a deficiency that is less severe than a material weakness, determined through the application of professional judgment and assessment of the risk factors noted above, yet important enough to merit attention by those responsible for oversight of the company’s financial reporting. One of the common assessment factors is whether the deficient control has additional complementary, redundant, or compensating controls that mitigate the risk of material financial misstatement and achieve the same control objectives.
SEC Watch: For larger companies already complying with 404, do you anticipate any changes in practice? Any impact on compliance costs?
O’Connell: AS 5 is a principles-based standard that emphasizes the effectiveness of a “top-down” approach focusing on only those controls needed to prevent and detect material misstatements in financial statements. Although this will not significantly change companies’ compliance framework or methodology, it provides them with an opportunity to reassess the relevance of all previous in-scope risks and controls, and determine whether certain controls can be removed to achieve efficiency while maintaining effectiveness.
Companies have historically taken a conservative approach to identifying, documenting, and testing internal controls, and in many cases, included redundant operational or compliance controls with no relevance to the financial statements. These controls can be removed from scope and do not have to be tested.
Also, AS 5 emphasizes the importance of entity-level controls in a top-down approach by identifying three broad categories of entity-level controls and discussing their respective impact on the nature, timing, and extent of testing. The three categories are: (1) controls that have an important but indirect impact on the likelihood that a misstatement will be detected or prevented on a timely basis (e.g., the control environment); (2) controls that may not operate at the level of precision necessary to eliminate the need for testing of other controls but may reduce the required level of testing of other controls (e.g., controls that monitor the operation of other controls); and (3) controls that operate at a level of precision that, without the need for other controls, sufficiently address the risk of misstatement to a relevant assertion.
The impact of entity-level controls on the nature, timing and extent of testing has generated significant debate among auditors, management and other constituents. We believe the three categories of entity-level controls included in AS 5 are useful points to consider on a principles-based continuum that might be used to evaluate the impact of effective entity-level controls on the nature, timing and extent of testing of transaction or process level controls.
Controls that operate at a level of precision that, without the need for other controls, sufficiently address the risk of misstatement to a relevant assertion may eliminate the need to test other controls related to that risk.
It will be important for management and auditors to carefully consider the design of such controls, including the level of precision at which they operate, to determine whether the controls operate with the level of consistency and rigor to prevent or detect material misstatements on a timely basis. In some cases, we anticipate that management may determine it is necessary to enhance the design of these controls to achieve this objective.
Finally, AS 5 also allows the independent auditor to rely more upon the testing of company management and/or Internal Audit, potentially reducing the amount of independent testing required and costs of compliance.
SEC Watch: For newly compliant smaller companies, does AS 5 promise materially lower CPA fees when auditors review a company’s compliance? Will real savings be achieved when this “principles-based” approach is applied, with emphasis on scaling and greater latitude in relying upon the compliance determinations made by others?
O’Connell: As history dictates, compliance costs are the highest for companies in Year 1 in establishing, documenting, testing, and evaluating an adequate controls framework. Compliance costs, including independent auditor fees, decline in subsequent years as management’s efforts move from discovery, training, and implementation phases to continuous self-sustaining maintenance and evaluation phases.
AS 5 addresses the lessons learned from the past three years through the following objectives: (1) focus the internal control audit on the most important matters; (2) eliminate procedures that are unnecessary to achieve the intended benefits; (3) make the audit clearly scalable to fit the size and complexity of any company; and (4) simplify the text of the standard.
Rather than a “one-size-fits-all” compliance standard, company management and their independent auditors are allowed to use a risk-based approach in exercising more well-reasoned, professional judgment as to the scope and sufficiency of internal controls over financial reporting. Assuming that newly compliant companies have robust controls frameworks in place, they should realize savings in time and resources (compared to what otherwise would have been the case under prior Auditing Standard No. 2) by primarily focusing on those controls designed to prevent or detect material misstatements to relevant assertions in the financial statements.