Print | Reprint

A Behind-the-Curtain Look at AS5

By Tammy Whitehouse — February 26, 2008

high-profile former member of the Public Company Accounting Oversight Board has provided a frank glimpse into the bureaucratic clashes over Auditing Standard No. 5—including revelations that the Securities and Exchange Commission fought aggressively to gut AS5’s main provisions.

RELATED RESOURCES PCAOB Auditing Standard No. 5 on Financial Reporting (May 24, 2007) SEC Management Guidance on Section 404 (June 20, 2007) Related Coverage Audit Firms Warned: Put AS5 to Good Use (Dec. 18, 2007) PCAOB Criteria for Overseas Cooperation (Dec. 11, 2007) PCAOB AS5 Guidance for Small Companies (Oct. 23, 2007) Despite AS5, Fears Still Abound (Oct. 2, 2007) How Small Companies Can Use AS5 (Sept. 18, 2007) Planning for Your First AS5 Audit (Aug. 28, 2007) How the Audit Firms Are Implementing AS5 (Aug. 21, 2007) AS5 in Hand, More Companies to Act Alone (Aug. 7, 2007) AS5 Approved: No 404 Delay; Guidance Coming (July 31, 2007) The Top 10 List For Implementing AS5 (June 7, 2007)

In an exclusive interview with Compliance Week, Kayla Gillan says the SEC “pushed, pushed, pushed, and really tried very hard to get something different than what [the PCAOB] ended up producing.” The Commission lobbied so hard to eliminate the central requirement that auditors examine a company’s internal controls—a provision the PCAOB ultimately retained—that Gillan feared the PCAOB’s role under Sarbanes-Oxley might be undermined.

Gillan left the PCAOB in December, after serving five years on the Board. She is now chief administrative officer at RiskMetrics Group. She made her comments in an interview with Compliance Week earlier this month.

The SEC and PCAOB spent nearly two years working on ways to refine Auditing Standard No. 2, the original standard auditing firms used to see whether companies’ internal control systems passed muster with Section 404 of the Sarbanes-Oxley Act. Eventually they decided to scrap AS2 entirely, in favor of AS5. Unveiled last year, AS5 still requires auditors to test the effectiveness of a company’s internal controls, but it also encourages auditors to take more of a risk-based approach and rely on the work of others more often.

Gillan

Gillan says the SEC staff wanted a much different outcome than what the PCAOB adopted, advocating a number of approaches that would have given the auditor a diminished role in the internal control reporting process.

“Some people at the SEC wanted the auditors to really only look at the process that companies go through to assess [internal controls] and not actually look at the controls themselves,” she said. “That would have been in my mind not only a much narrower scope of review but potentially even a misleading opinion to investors. At one point they wanted auditors to only look at the denied controls and not whether or not they were actually operating effectively. At one point they wanted to really significantly reduce the amount of information the auditors were required to give to the audit committee on controls that were less than material weaknesses.”

Gillan says the PCAOB was united in its mission to retain the full audit of internal control required in the original standard. AS5 now directs auditors to follow a more risk-based approach in the internal control audit and eliminates an AS2 requirement for auditors to report on management’s assessment process, but otherwise retains the audit opinion as part of the reporting process.

For its part, the SEC established new guidance for companies on how they should assess their internal controls; it also gave smaller companies two more years when they won’t be required to get an audit opinion on their internal control report.

The SEC “pushed, pushed, pushed, and really tried very hard to get something different than what [the PCAOB] ended up producing.” — Kayla Gillan, Board Member, PCAOB

Regardless of what guidance the SEC has given, many financial reporting executives say the standard auditors use matters more—because, at the end of the day, auditors can threaten a negative opinion if the company objects to their demands for testing. A steady chorus of critics maintains that even with AS5, auditors still push too hard to do their own testing and don’t embrace the “rely on the work of others” spirit AS5 espouses.

Battle Lines

The Sarbanes-Oxley Act establishes the SEC as overseer of the PCAOB. Gillan, however, says the SEC goes too far in directing how the PCAOB sets auditing standards. “I think the law was set up so that the PCAOB should make independent decisions,” she says. “The SEC, through staff and some commissioners, has been trying to undercut what I think Congress intended.”

Gillan says the SEC exerted considerable pressure to reduce the internal control audit requirements. “During the entire rewrite of AS2 coming up to AS5, the SEC pushed, pushed, pushed, and really tried very hard to get something different than what we ended up producing,” she says. “I think it’s to the PCAOB’s credit that they stayed very strong in what they thought was the right approach.”

Gillan worries that where SEC exerts such force, auditing standards may reflect the will of the SEC more than the PCAOB, without the public knowing who made the decision. “The SEC has the absolute right as an overseer to overturn [PCAOB] decisions if their broader, public policy directives tells them they should,” she says. “However, in that case, it’s the SEC who is accountable for that decision, and not the PCAOB.”

REPORTING ON INTERNAL CONTROL Below is an excerpt from Auditing Standard No. 5 that lists what the auditor’s report on the audit of internal control over financial reporting must include: A. A title that includes the word independent; B. A statement that management is responsible for maintaining effective internal control over financial reporting and for assessing the effectiveness of internal control over financial reporting; C. An identification of management’s report on internal control; D. A statement that the auditor’s responsibility is to express an opinion on the company’s internal control over financial reporting based on his or her audit; E. A definition of internal control over financial reporting as stated in paragraph A5; F. A statement that the audit was conducted in accordance with the standards of the Public Company Accounting Oversight Board (United States); G. A statement that the standards of the Public Company Accounting Oversight Board require that the auditor plan and perform the audit to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects; H. A statement that an audit includes obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, testing and evaluating the design and operating effectiveness of internal control based on the assessed risk, and performing such other procedures as the auditor considered necessary in the circumstances; I. A statement that the auditor believes the audit provides a reasonable basis for his or her opinion; J. A paragraph stating that, because of inherent limitations, internal control over financial reporting may not prevent or detect misstatements and that projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate; K. The auditor’s opinion on whether the company maintained, in all material respects, effective internal control over financial reporting as of the specified date, based on the control criteria. Source PCAOB’s Auditing Standard No. 5 (May 24, 2007).

When asked to comment on Gillan’s remarks, SEC spokesman John Nester said the staffs of both agencies “work in a productive and cooperative process to provide high-quality audit standards in our markets.” For the SEC to oversee the PCAOB properly, he said, “the staff meets regularly with the PCAOB staff to discuss and provide input on the PCAOB’s standard-setting activities.”

Olson

In a statement to Compliance Week, PCAOB Chairman Mark Olson said that auditing standards and rules often deal with issues “about which reasonable people can disagree.” Olson said it makes sense to keep the SEC apprised of significant issues as they arise, given Sarbanes-Oxley’s requirement that the SEC give final approval for all PCAOB standards.

“There is no doubt that the PCAOB members and SEC commissioners take their respective responsibilities to adopt and approve the Board’s standards and rules very seriously,” Olson said. “Due to the extensive interest in the revisions to AS2 … it was inevitable that extensive interaction took place between the staffs of the SEC and the PCAOB during the development stage. … While at times there were differences of opinion, the differences were ironed out in a professional manner.”

Michael Oxley, the former Congressman who helped write the legislation (and now an attorney of counsel at the law firm Baker Hostetler) says the rewrite of AS5 was necessarily a “collaborative effort” between the SEC and PCAOB. “There was a lot of give and take, back and forth, which is healthy,” he says. “At the end of the day, the SEC is the ultimate authority.”

Stacey

Carol Stacey, a former top accountant at the SEC and now a vice president for the SEC Institute, says the relationship between SEC and PCAOB is unusual: “Congress gave one person the pen and said to the other party, ‘Make sure they did it right,’” she explains. “It forces the two to work together to make sure the SEC is comfortable with the standard when it gets to them so they can vote on it.”

The dynamics around AS2, so roundly despised in capital markets, created additional tension, she says. “There was so much unhappiness with AS2, it probably caused the SEC to be more involved than they normally would, in making sure the revised standard came out in a way that everyone could be happy with. Both sides wanted to get it right. Nobody wanted to write it a third time.”

Pat Woodbury, a former staff attorney with the PCAOB in enforcement, says tension between the PCAOB and SEC long predates last year’s revision of AS5. She believes it stems from the creation of a new body to perform duties that historically had been the domain of the SEC. “There was this sense for most cases that we were taking them away from SEC enforcement,” she says. “They weren’t really happy about it.”

Woodbury has some sympathy for Gillan’s concern that the SEC may take too much of a direct role in writing standards. “The way I read Sarbanes-Oxley, it’s oversight, not participation,” she says. “They don’t have a seat on the PCAOB board.”

---