Public Company Accounting Oversight Board - Update

SEC Financial Reporting ConferenceCenter for Corporate Reporting and Governance

Greg FletcherPublic Company Accounting Oversight Board

September 19, 2005

2

CaveatCaveat

The opinions I express are my own,

and do not necessarily represent the views

of the PCAOB, its members

or its staff.

3

Why are we here

the long version…

4

5

or… the short version…

6

7

What is the PCAOB? What is the PCAOB?

Private sector regulator for auditors of companies publicly traded in the US, created by Sarbanes-Oxley Act

Board has mandate to “protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports” of public companies

Overseen by the SEC Independent from the accounting profession

8

Core Areas of ResponsibilityCore Areas of Responsibility

Registration

Inspection

Investigation and Enforcement

Standard Setting

9

RegistrationRegistration

The foundation for PCAOB to perform its functions of inspection and enforcement

All U.S. accounting firms that prepare or issue audit reports on U.S. public companies, or play a substantial role, must register with the Board

Foreign firms with those responsibilities also must register

1,534 firms have registered; 599 are foreign firms

10

InspectionsInspections

Inspections assess a firm’s compliance with the Act, the Board’s and the SEC’s rules and with professional standards.

Regular inspections must take place annually for firms that audit more than 100 U.S. public companies.

All other firms must be inspected once every 3 years.

Inspection reports contain public and nonpublic sections.

11

Professional StandardsProfessional Standards

The Sarbanes-Oxley Act directs the Board to establish auditing, attestation, quality control, ethics, and independence standards

In April 2003, Board decided to form a staff to develop auditing and related professional practice standards

Previously, was the responsibility of the AICPA Also in April 2003, PCAOB adopted AICPA

standards as its interim standards

12

Key Points of AS #2Key Points of AS #2

Auditors must evaluate and report whether internal controls provide reasonable assurance that transactions are properly recorded in conformity with GAAP

Auditors must evaluate and report on management’s assessment of internal control over financial reporting

Auditors should use risk-based approach Auditors may place reliance on the work of internal

auditors Auditors must communicate material weaknesses and

significant deficiencies to audit committees

13

PCAOB Implementation GuidancePCAOB Implementation Guidance

Released 5 sets of questions and answers related to AS #2June 23, 2004 26 Q&AsOctober 6, 2004 3 Q&AsNovember 22, 2004 7 Q&As January 21, 2005 1 Q&A May 16, 2005 18 Q&As

Extent of testing, using work of others, evaluating deficiencies, multi-location audits, and other

14

Response to First Year ImplementationResponse to First Year Implementation

Issued May 16 Q&A and accompanying Board statement of policy

Specifically addressed concernsTop down and risk-based approachScope and extent of testingUsing work of others

15

May 16 Q&AMay 16 Q&A

Top-down approach Auditor performs procedures to understand

ICFR and identify controls to test in sequential manner

Focus early on matters, such as company-level controls (CLC), that can affect later scoping decisions

Eliminate from consideration, accounts with remote likelihood of material misstatement

16

May 16 Q&AMay 16 Q&A

Top-down approach (continued)Identify, understand, and evaluate

design effectiveness of CLCIdentify significant accounts at financial

statement or disclosure levelIdentify assertions relevant to each

significant account

17

May 16 Q&AMay 16 Q&A

Top-down approach (continued) Identify significant processes and major

classes of transactions Identify points where error or fraud could occur Identify controls that prevent or detect error or

fraud Link controls with significant accounts and

assertions

18

May 16 Q&AMay 16 Q&A

Risk assessment Significant accounts Use risk factors in paragraph 65

to eliminate from consideration accounts with remote likelihood of containing material misstatement

Relevant assertions Assertions that do not present meaningful risk of material misstatement are not relevant and should not be tested

Using work of others As risk factors decrease in significance, need for auditor to perform own work decreases

19

May 16 Q&AMay 16 Q&A

Risk assessment effect on nature, timing, and extent --As risk associated with control decreases:

Nature Persuasiveness of evidence needed decreases Inquiry, observation, inspection of documents, and

reperformance of control are types of audit procedures Walkthroughs are a combination of the procedures and can

serve as tests of design and operating effectiveness

Timing Testing can be done farther from as-of date

Extent Extensiveness of testing should decrease

20

May 16 Q&AMay 16 Q&A

Benchmarking automated application controls Auditor may conclude that automated application

control continues to be effective, without repeating the prior year testing of application if: General controls over program changes, access to programs,

and computer operations are effective and continue to be tested; AND

The auditor verifies that the automated application control has not changed since he or she last tested the application control

Auditor should consider importance of the effect of related files, tables, data, and parameters on the consistent and effective and effective functioning of the automated application control

21

May 16 Q&AMay 16 Q&A

Self-assessments of controlAuditors can use management’s self-

assessment of controls in certain circumstances

Auditor cannot use an assessment made by the same personnel who are responsible for performing the control

22

May 16 Q&AMay 16 Q&A

Self-assessments of control (cont’d)Auditor should evaluate the self-

assessments using the guidance in AS#2 for evaluating the work of others

For work performed by others, auditor should evaluate their:Objectivity Independence

23

May 16 Q&AMay 16 Q&A

Testing controls as of an interim dateAuditor should determine what additional

evidence to obtain concerning the operation of the control for the remaining period (paragraph 100 of AS#2)

As factors listed in paragraph 100 decrease in significance, evidence can be less persuasive and updating procedures less extensive

24

May 16 Q&AMay 16 Q&A

Testing controls as of an interim date (cont’d)

Factors to considerSpecific controls tested prior to as-of date

and results of testsPersuasiveness of evidence of operating

effectiveness obtained at interim dateLength of remaining periodPossibility of significant changes in ICFR

after the interim date

25

PCAOB Policy StatementPCAOB Policy Statement

Integrate audits of internal control with audits of financial statements

Exercise judgment to tailor audit plans to the risks facing individual clients

Use a top-down approach that begins with company-level controls

Use the flexibility of the standard to use the work of others as provided

Engage in direct and timely communication with audit clients

26

Determining when it is appropriate for auditor to provide accounting advice requires professional judgment

Auditor should be concerned primarily about instances in which the company completed financial statements and disclosures without recognizing potential material misstatement

Engage in direct and timely communication Engage in direct and timely communication with audit clientswith audit clients

27

Auditors may provide audit clients with technical advice on the proper application of GAAP, including updates on recent FASB developments

Companies may provide and discuss with the auditor preliminary drafts of accounting memos, spreadsheets, and other working papers

Engage in direct and timely communication Engage in direct and timely communication with audit clientswith audit clients

28

Rules/Standards Approved By Board Rules/Standards Approved By Board on July 26on July 26

Independence and tax services Standard for reporting on

whether a previously reported material weakness continues to exist (Auditing Standard No. 4)

Awaiting SEC approval

29

Ethics and Independence Rules - Ethics and Independence Rules - OverviewOverviewRules cover three areas

Core ethics and independence requirementsSpecific services that impair the auditor's

independenceContingent feesTax transactionsTax services to persons in a financial reporting

oversight roleAdditional communication requirements with

audit committees as they relate to permissible tax services

30

Core ethics and independence Core ethics and independence requirementsrequirements

Codify principle that persons associated with a registered firm may not cause the firm to violate relevant laws, rules, and standards Rule 3502 – A person associated with a registered

public accounting firm shall not cause that firm to violate the Act, rules of the Board, provisions of applicable securities laws and SEC rules, or professional standards due to an act or omission the person knew, or was reckless in not knowing, would directly and substantially contribute to such violation.

31

Core ethics and independence Core ethics and independence requirementsrequirements

Introduce a foundation for the independence component of the Board’s independence rulesRule 3520 – A registered firm and it's

associated persons must be independent of its audit client throughout the audit and professional engagement period. Must also satisfy all applicable independence criteria.

32

Prohibited ServicesProhibited Services

Identification of certain impairments to independenceRule 3521 – Contingent FeesRule 3522 – Tax TransactionsRule 3523 – Tax Services for Persons in a

Financial Reporting Oversight Role

33

Contingent FeesContingent Fees Rule 3521 – A registered public accounting firm

is not independent of its audit client if the firm, or affiliate, during the audit and engagement period, provides any service or product to the audit client for a contingent fee or a commission, or receives from the audit client, directly or indirectly, a contingent fee or commission. Contingent fee defined as any fee established for the sale

of a product, or performance of any service pursuant to an arrangement, in which no fee will be charged unless a specified finding or result is attained, or in which the amount of the fee is dependent upon the finding or result of such product or service

34

Tax TransactionsTax Transactions Rule 3522 – A registered public accounting firm is

not independent of its audit client if the firm, or affiliate, during the audit and engagement period, provides any non-audit service to the audit client related to marketing, planning, or opining in favor of the tax treatment of a transaction that is a - Confidential transaction Aggressive tax position transaction - that was initially

recommended, directly or indirectly, by the firm and a significant purpose of which is tax avoidance, unless the proposed tax treatment is at least more likely than not to be allowable under applicable tax laws

Listed transaction

35

Tax Services to Persons in FRORTax Services to Persons in FROR

Rule 3523 – A registered public accounting firm is not independent of its audit client if the firm, or affiliate, during the audit and engagement period, provides any tax service to a person in a financial reporting oversight role at the audit client or their immediate family member Financial Reporting Oversight Role (FROR) means a

role in which a person is in a position to, or does, exercise influence over the contents of the financial statements or anyone who prepares them

36

Additional Communications RequirementsAdditional Communications Requirements

Rule 3524 – In connection with seeking audit committee pre-approval to perform for an audit client any permissible tax service, a registered public accounting firm shall –

Describe, in writing, to the audit committee the scope of the service, the fee structure for the engagement, and other certain information

Discuss with the audit committee the potential effects of the services on the auditor’s independence

Document the substance of the discussion with the audit committee

37

Effective DatesEffective Dates

Rules 3501, 3502 and 3520 – effective 10 days after SEC approval

Rule 3521 and 3522 – effective December 31, 2005 or 10 days after SEC approval

Rule 3523 – effective June 30, 2006 or 10 days after SEC approval

Rule 3524 - effective December 15, 2005 or 10 days after SEC approval. In cases of pre-approval by policies and procedures, the rule will not apply to any tax service provided by March 31, 2006

38

2004 Internal Control Reports2004 Internal Control ReportsWhat do these companies have in common?What do these companies have in common?

Fannie Mae AIG GE Kroger MCI Goodyear

Delphi Eastman Kodak Outback Steakhouses Denny’s Blockbuster Panera Bread

39

2004 Internal Control Reports2004 Internal Control Reports

14% of accelerated filers reported material weakness in internal controls

53% of MWs due to material financial statement adjustments found by auditor—most prevalent Tax accounting (27%), Revenue recognition (25%), Inventory/cost of sales (19%) Lease accounting (17%)

Source: Audit Analytics, May 18, 2005

40

Auditing Standard No. 4Auditing Standard No. 4

Reporting on Whether a Previously Reported Material Weakness Continues to Exist

Voluntary report Standard would permit a company to hire an auditor to

determine if a material weakness no longer exists, as of a specified date

Objective is to express an opinion on whether a previously reported material weakness continues to exist

Will be effective as of the date of SEC approval

41

Auditing Standard No. 4Auditing Standard No. 4

Conditions for auditor performance

Auditor has audited the company's financial statements and internal control over financial reporting (ICFR) in accordance with AS #2 as of the date of company's most recent annual assessment of ICFR OR

Auditor has been engaged to perform an audit of the financial statements and internal control over financial reporting in accordance with AS #2 in the current year and has a sufficient basis for performing engagement

42

Auditing Standard No. 4Auditing Standard No. 4

Conditions for management Management accepts responsibility for effectiveness of

ICFR Management evaluates the effectiveness of specific

control(s) that it believes addresses the MW using the same control criteria and control objective(s)as used in most recent annual assessment of ICFR

Management asserts that the specific control(s) identified is effective in achieving the control objective

Management supports its assertion with sufficient evidence, including documentation

Management presents a written report that will accompany the auditor's report that contains elements described in paragraph 48 of this standard

43

Auditing Standard No. 4Auditing Standard No. 4

Auditor must Obtain understanding of and evaluate

management's evidence supporting its assertion that specified controls related to MW Are designed and operated effectively That controls achieve the company's stated

control objective(s) consistent with control criteria Identified material weakness no longer exists

Auditor should identify and test all controls necessary to achieve the stated control objective

44

Auditing Standard No. 4Auditing Standard No. 4

Auditor should evaluate operating effectiveness of specified control by determining whether specified control operated as designed and whether person performing the control possesses necessary authority and qualifications to perform control effectively

If auditor determines that management has not supported assertion with sufficient evidence, auditor cannot complete the engagement because a condition for engagement completion would not be met

45

Auditing Standard No. 4Auditing Standard No. 4

Auditor's evaluation of management's reportAuditor should evaluate whether: Management has properly stated its

responsibility for establishing and maintaining effective ICFR

Control criteria used by management is suitable Material weakness, stated control objectives,

and specified controls have been properly described

Management's assertions, as of date specified in management's report, are free of material misstatement

46

Auditing Standard No. 4Auditing Standard No. 4

Auditor's report If auditor determines that previously reported

MW continues to exist, he or she is not required to issue a report

If the auditor does not issue report, he or she must communicate, in writing, to audit committee conclusion that the MW continues to exist

If auditor identifies MW that has not been previously communicated to audit committee in writing, auditor must communicate that MW, in writing, to audit committee

47

Future Standard-SettingFuture Standard-Setting

Responsibility for fraud detectionCommunications with audit

committeesAssessing audit riskEngagement quality reviewAuditing related party transactionsAuditing fair value measurementsConfirmation process

48

Keeping Current with PCAOB Standards Keeping Current with PCAOB Standards ActivitiesActivities

www.pcaobus.org Inspection reportsDisciplinary proceedings Interim standardsProposed and final standardsStaff Q&AStanding Advisory Group (SAG)Live and archived webcasts

49

Questions?Questions?