PCAOB Finds Mixed Results in Review of First Year Revised Internal Control
Auditing Standard
While
auditors generally applied the new standard for internal control reporting to
focus on the areas presenting more significant audit risk, a PCAOB report found
deficiencies in some engagement teams' implementation of certain aspects of the
standard. The report is based on PCAOB inspections that examined portions of
approximately 250 audits of internal control over financial reporting by the
eight largest domestic registered firms in 2007 and 2008. Auditing Standard No.
5 became effective for audits for fiscal years ending on or after November 15,
2007 and replaced Auditing Standard No. 2. The period covered by the report was
a transition period for both auditors and preparers of financial statements.
The organizing principle of AS5 is the top-down concept, under
which the auditor focuses on entity-level controls and works downward, planning
the audit so that the testing of lower level controls is influenced by the
strengths and weaknesses of those above. Board inspectors found that the
auditors' work in this area could have been more effective.
For example, some auditors did not evaluate entity level controls
beyond those associated with the control environment and the period-end
financial reporting process. Some auditors identified entity level controls that
appeared to be designed to operate with a high degree of precision, but failed
to obtain sufficient audit evidence of their operating effectiveness. There also
were instances where the auditors identified and tested entity-level controls
and found them to be designed and operating with a high degree of precision, but
did not alter their tests of process-level controls in response to that
assessment.
When selecting the controls to test, some auditors did not
consider the assessed level of risk, or the controls selected were not designed
to address the risk of misstatement to the relevant assertions. Inspectors also
observed situations where auditors failed to appropriately test a relevant
control or, in some cases, at all. In other instances, auditors tested certain
controls without testing the system-generated data on which the tested controls
depended. Inspectors also observed instances where the evidence gathered by the
auditor was insufficient to support a conclusion that the controls were
operating effectively, yet the audit team relied on the supposed effectiveness
of those controls to reduce the scope of other audit procedures.
Under AS5, auditors must also evaluate the severity of each
control deficiency which comes to their attention to determine whether the
deficiencies individually, or in combination, are material weaknesses as of the
date of management's assessment. Inspectors found that some auditors
inappropriately based their conclusions about the severity of control
deficiencies solely on the materiality of the identified errors in the financial
statements. Some auditors failed to consider relevant risk factors when
evaluating the severity of identified control deficiencies.
AS5 provides that auditors may use the work of others to reduce
their own work, but the extent to which the auditor does so should depend on the
risk associated with the controls being tested, as well as on the competence and
objectivity of the others. Inspectors found, in some instances, that the extent
of the auditor's use of the work of others to reduce the auditor's own work was
greater than was appropriate under AS5 considering the level of risk associated
with the control being tested, such as controls over journal entries. Inspectors
also found that some auditors performed few or no procedures to assess the
competence of the others relative to the task being performed, or they did not
adequately assess the objectivity of the others, particularly where the work was
performed by company personnel other than internal auditors.