public company accounting oversight board - update
TRANSCRIPT
Public Company Accounting Oversight Board - Update
SEC Financial Reporting ConferenceCenter for Corporate Reporting and Governance
Greg FletcherPublic Company Accounting Oversight Board
September 19, 2005
2
CaveatCaveat
The opinions I express are my own,
and do not necessarily represent the views
of the PCAOB, its members
or its staff.
3
Why are we here
the long version…
4
5
or… the short version…
6
7
What is the PCAOB? What is the PCAOB?
Private sector regulator for auditors of companies publicly traded in the US, created by Sarbanes-Oxley Act
Board has mandate to “protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports” of public companies
Overseen by the SEC Independent from the accounting profession
8
Core Areas of ResponsibilityCore Areas of Responsibility
Registration
Inspection
Investigation and Enforcement
Standard Setting
9
RegistrationRegistration
The foundation for PCAOB to perform its functions of inspection and enforcement
All U.S. accounting firms that prepare or issue audit reports on U.S. public companies, or play a substantial role, must register with the Board
Foreign firms with those responsibilities also must register
1,534 firms have registered; 599 are foreign firms
10
InspectionsInspections
Inspections assess a firm’s compliance with the Act, the Board’s and the SEC’s rules and with professional standards.
Regular inspections must take place annually for firms that audit more than 100 U.S. public companies.
All other firms must be inspected once every 3 years.
Inspection reports contain public and nonpublic sections.
11
Professional StandardsProfessional Standards
The Sarbanes-Oxley Act directs the Board to establish auditing, attestation, quality control, ethics, and independence standards
In April 2003, Board decided to form a staff to develop auditing and related professional practice standards
Previously, was the responsibility of the AICPA Also in April 2003, PCAOB adopted AICPA
standards as its interim standards
12
Key Points of AS #2Key Points of AS #2
Auditors must evaluate and report whether internal controls provide reasonable assurance that transactions are properly recorded in conformity with GAAP
Auditors must evaluate and report on management’s assessment of internal control over financial reporting
Auditors should use risk-based approach Auditors may place reliance on the work of internal
auditors Auditors must communicate material weaknesses and
significant deficiencies to audit committees
13
PCAOB Implementation GuidancePCAOB Implementation Guidance
Released 5 sets of questions and answers related to AS #2June 23, 2004 26 Q&AsOctober 6, 2004 3 Q&AsNovember 22, 2004 7 Q&As January 21, 2005 1 Q&A May 16, 2005 18 Q&As
Extent of testing, using work of others, evaluating deficiencies, multi-location audits, and other
14
Response to First Year ImplementationResponse to First Year Implementation
Issued May 16 Q&A and accompanying Board statement of policy
Specifically addressed concernsTop down and risk-based approachScope and extent of testingUsing work of others
15
May 16 Q&AMay 16 Q&A
Top-down approach Auditor performs procedures to understand
ICFR and identify controls to test in sequential manner
Focus early on matters, such as company-level controls (CLC), that can affect later scoping decisions
Eliminate from consideration, accounts with remote likelihood of material misstatement
16
May 16 Q&AMay 16 Q&A
Top-down approach (continued)Identify, understand, and evaluate
design effectiveness of CLCIdentify significant accounts at financial
statement or disclosure levelIdentify assertions relevant to each
significant account
17
May 16 Q&AMay 16 Q&A
Top-down approach (continued) Identify significant processes and major
classes of transactions Identify points where error or fraud could occur Identify controls that prevent or detect error or
fraud Link controls with significant accounts and
assertions
18
May 16 Q&AMay 16 Q&A
Risk assessment Significant accounts Use risk factors in paragraph 65
to eliminate from consideration accounts with remote likelihood of containing material misstatement
Relevant assertions Assertions that do not present meaningful risk of material misstatement are not relevant and should not be tested
Using work of others As risk factors decrease in significance, need for auditor to perform own work decreases
19
May 16 Q&AMay 16 Q&A
Risk assessment effect on nature, timing, and extent --As risk associated with control decreases:
Nature Persuasiveness of evidence needed decreases Inquiry, observation, inspection of documents, and
reperformance of control are types of audit procedures Walkthroughs are a combination of the procedures and can
serve as tests of design and operating effectiveness
Timing Testing can be done farther from as-of date
Extent Extensiveness of testing should decrease
20
May 16 Q&AMay 16 Q&A
Benchmarking automated application controls Auditor may conclude that automated application
control continues to be effective, without repeating the prior year testing of application if: General controls over program changes, access to programs,
and computer operations are effective and continue to be tested; AND
The auditor verifies that the automated application control has not changed since he or she last tested the application control
Auditor should consider importance of the effect of related files, tables, data, and parameters on the consistent and effective and effective functioning of the automated application control
21
May 16 Q&AMay 16 Q&A
Self-assessments of controlAuditors can use management’s self-
assessment of controls in certain circumstances
Auditor cannot use an assessment made by the same personnel who are responsible for performing the control
22
May 16 Q&AMay 16 Q&A
Self-assessments of control (cont’d)Auditor should evaluate the self-
assessments using the guidance in AS#2 for evaluating the work of others
For work performed by others, auditor should evaluate their:Objectivity Independence
23
May 16 Q&AMay 16 Q&A
Testing controls as of an interim dateAuditor should determine what additional
evidence to obtain concerning the operation of the control for the remaining period (paragraph 100 of AS#2)
As factors listed in paragraph 100 decrease in significance, evidence can be less persuasive and updating procedures less extensive
24
May 16 Q&AMay 16 Q&A
Testing controls as of an interim date (cont’d)
Factors to considerSpecific controls tested prior to as-of date
and results of testsPersuasiveness of evidence of operating
effectiveness obtained at interim dateLength of remaining periodPossibility of significant changes in ICFR
after the interim date
25
PCAOB Policy StatementPCAOB Policy Statement
Integrate audits of internal control with audits of financial statements
Exercise judgment to tailor audit plans to the risks facing individual clients
Use a top-down approach that begins with company-level controls
Use the flexibility of the standard to use the work of others as provided
Engage in direct and timely communication with audit clients
26
Determining when it is appropriate for auditor to provide accounting advice requires professional judgment
Auditor should be concerned primarily about instances in which the company completed financial statements and disclosures without recognizing potential material misstatement
Engage in direct and timely communication Engage in direct and timely communication with audit clientswith audit clients
27
Auditors may provide audit clients with technical advice on the proper application of GAAP, including updates on recent FASB developments
Companies may provide and discuss with the auditor preliminary drafts of accounting memos, spreadsheets, and other working papers
Engage in direct and timely communication Engage in direct and timely communication with audit clientswith audit clients
28
Rules/Standards Approved By Board Rules/Standards Approved By Board on July 26on July 26
Independence and tax services Standard for reporting on
whether a previously reported material weakness continues to exist (Auditing Standard No. 4)
Awaiting SEC approval
29
Ethics and Independence Rules - Ethics and Independence Rules - OverviewOverviewRules cover three areas
Core ethics and independence requirementsSpecific services that impair the auditor's
independenceContingent feesTax transactionsTax services to persons in a financial reporting
oversight roleAdditional communication requirements with
audit committees as they relate to permissible tax services
30
Core ethics and independence Core ethics and independence requirementsrequirements
Codify principle that persons associated with a registered firm may not cause the firm to violate relevant laws, rules, and standards Rule 3502 – A person associated with a registered
public accounting firm shall not cause that firm to violate the Act, rules of the Board, provisions of applicable securities laws and SEC rules, or professional standards due to an act or omission the person knew, or was reckless in not knowing, would directly and substantially contribute to such violation.
31
Core ethics and independence Core ethics and independence requirementsrequirements
Introduce a foundation for the independence component of the Board’s independence rulesRule 3520 – A registered firm and it's
associated persons must be independent of its audit client throughout the audit and professional engagement period. Must also satisfy all applicable independence criteria.
32
Prohibited ServicesProhibited Services
Identification of certain impairments to independenceRule 3521 – Contingent FeesRule 3522 – Tax TransactionsRule 3523 – Tax Services for Persons in a
Financial Reporting Oversight Role
33
Contingent FeesContingent Fees Rule 3521 – A registered public accounting firm
is not independent of its audit client if the firm, or affiliate, during the audit and engagement period, provides any service or product to the audit client for a contingent fee or a commission, or receives from the audit client, directly or indirectly, a contingent fee or commission. Contingent fee defined as any fee established for the sale
of a product, or performance of any service pursuant to an arrangement, in which no fee will be charged unless a specified finding or result is attained, or in which the amount of the fee is dependent upon the finding or result of such product or service
34
Tax TransactionsTax Transactions Rule 3522 – A registered public accounting firm is
not independent of its audit client if the firm, or affiliate, during the audit and engagement period, provides any non-audit service to the audit client related to marketing, planning, or opining in favor of the tax treatment of a transaction that is a - Confidential transaction Aggressive tax position transaction - that was initially
recommended, directly or indirectly, by the firm and a significant purpose of which is tax avoidance, unless the proposed tax treatment is at least more likely than not to be allowable under applicable tax laws
Listed transaction
35
Tax Services to Persons in FRORTax Services to Persons in FROR
Rule 3523 – A registered public accounting firm is not independent of its audit client if the firm, or affiliate, during the audit and engagement period, provides any tax service to a person in a financial reporting oversight role at the audit client or their immediate family member Financial Reporting Oversight Role (FROR) means a
role in which a person is in a position to, or does, exercise influence over the contents of the financial statements or anyone who prepares them
36
Additional Communications RequirementsAdditional Communications Requirements
Rule 3524 – In connection with seeking audit committee pre-approval to perform for an audit client any permissible tax service, a registered public accounting firm shall –
Describe, in writing, to the audit committee the scope of the service, the fee structure for the engagement, and other certain information
Discuss with the audit committee the potential effects of the services on the auditor’s independence
Document the substance of the discussion with the audit committee
37
Effective DatesEffective Dates
Rules 3501, 3502 and 3520 – effective 10 days after SEC approval
Rule 3521 and 3522 – effective December 31, 2005 or 10 days after SEC approval
Rule 3523 – effective June 30, 2006 or 10 days after SEC approval
Rule 3524 - effective December 15, 2005 or 10 days after SEC approval. In cases of pre-approval by policies and procedures, the rule will not apply to any tax service provided by March 31, 2006
38
2004 Internal Control Reports2004 Internal Control ReportsWhat do these companies have in common?What do these companies have in common?
Fannie Mae AIG GE Kroger MCI Goodyear
Delphi Eastman Kodak Outback Steakhouses Denny’s Blockbuster Panera Bread
39
2004 Internal Control Reports2004 Internal Control Reports
14% of accelerated filers reported material weakness in internal controls
53% of MWs due to material financial statement adjustments found by auditor—most prevalent Tax accounting (27%), Revenue recognition (25%), Inventory/cost of sales (19%) Lease accounting (17%)
Source: Audit Analytics, May 18, 2005
40
Auditing Standard No. 4Auditing Standard No. 4
Reporting on Whether a Previously Reported Material Weakness Continues to Exist
Voluntary report Standard would permit a company to hire an auditor to
determine if a material weakness no longer exists, as of a specified date
Objective is to express an opinion on whether a previously reported material weakness continues to exist
Will be effective as of the date of SEC approval
41
Auditing Standard No. 4Auditing Standard No. 4
Conditions for auditor performance
Auditor has audited the company's financial statements and internal control over financial reporting (ICFR) in accordance with AS #2 as of the date of company's most recent annual assessment of ICFR OR
Auditor has been engaged to perform an audit of the financial statements and internal control over financial reporting in accordance with AS #2 in the current year and has a sufficient basis for performing engagement
42
Auditing Standard No. 4Auditing Standard No. 4
Conditions for management Management accepts responsibility for effectiveness of
ICFR Management evaluates the effectiveness of specific
control(s) that it believes addresses the MW using the same control criteria and control objective(s)as used in most recent annual assessment of ICFR
Management asserts that the specific control(s) identified is effective in achieving the control objective
Management supports its assertion with sufficient evidence, including documentation
Management presents a written report that will accompany the auditor's report that contains elements described in paragraph 48 of this standard
43
Auditing Standard No. 4Auditing Standard No. 4
Auditor must Obtain understanding of and evaluate
management's evidence supporting its assertion that specified controls related to MW Are designed and operated effectively That controls achieve the company's stated
control objective(s) consistent with control criteria Identified material weakness no longer exists
Auditor should identify and test all controls necessary to achieve the stated control objective
44
Auditing Standard No. 4Auditing Standard No. 4
Auditor should evaluate operating effectiveness of specified control by determining whether specified control operated as designed and whether person performing the control possesses necessary authority and qualifications to perform control effectively
If auditor determines that management has not supported assertion with sufficient evidence, auditor cannot complete the engagement because a condition for engagement completion would not be met
45
Auditing Standard No. 4Auditing Standard No. 4
Auditor's evaluation of management's reportAuditor should evaluate whether: Management has properly stated its
responsibility for establishing and maintaining effective ICFR
Control criteria used by management is suitable Material weakness, stated control objectives,
and specified controls have been properly described
Management's assertions, as of date specified in management's report, are free of material misstatement
46
Auditing Standard No. 4Auditing Standard No. 4
Auditor's report If auditor determines that previously reported
MW continues to exist, he or she is not required to issue a report
If the auditor does not issue report, he or she must communicate, in writing, to audit committee conclusion that the MW continues to exist
If auditor identifies MW that has not been previously communicated to audit committee in writing, auditor must communicate that MW, in writing, to audit committee
47
Future Standard-SettingFuture Standard-Setting
Responsibility for fraud detectionCommunications with audit
committeesAssessing audit riskEngagement quality reviewAuditing related party transactionsAuditing fair value measurementsConfirmation process
48
Keeping Current with PCAOB Standards Keeping Current with PCAOB Standards ActivitiesActivities
www.pcaobus.org Inspection reportsDisciplinary proceedings Interim standardsProposed and final standardsStaff Q&AStanding Advisory Group (SAG)Live and archived webcasts
49
Questions?Questions?