PCAOB Small Business Forum Slides the Big Four accounting firms. zIn 2004, the 8 U.S. firms auditing more than 100 U.S. public companies were inspected and also 90 smaller firms. zIn

PCAOB Forum on Auditing in the Small Business Environment

Bill GradisonBoard Member

October 20, 2005Boston, Massachusetts

2

Today’s Presenters

Mary Sjoquist, Special Counsel to Board Member GradisonPaul Bijou, Deputy Director, Inspections; NYBella Rivshin, Assistant Chief Auditor; DCKayla Gillan, Board Member; DC

3

PCAOB Staff

Alan Feldman, Manager of Inspections; NYTed Shapiro; Assoc. Director of Inspections; NYMary Moore Hamrick, Director of Government Relations; DCJoanne Hindman O’Rourke, Special Advisor; DC

Michael Shore, Public Affairs; DCGreg Killen, Human Resources; DCDebra Bradley, Human Resources; NY Julie Mills, Executive Assistant; DCMargaret Totten, Executive Assistant; DC

4

Additional Resource

[email protected]

5

Caveat

Although much of the information that will be provided to you has been made public by the Board via Releases and the like, there

also will be views expressed that are those of the speaker alone, and do not

necessarily reflect the views of the Board, its members or staff. Therefore, unless it is

clear that the Board has authorized the statement, you should not attribute it to the

Board or staff.

6

PCAOB Mission

The Board’s mandate is to “protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports” of public companies.

The Board has a unique regulatory structureOperates as a private, non-profit corporation – NOT

a governmental organizationSEC has oversight authority over the Board

PCAOB Overview

Mary M. SjoquistSpecial Counsel


8

The PCAOB in a Nutshell

Registration DisciplineInvestigationsInspections

Standards

9

Registration

Registration SystemFoundation for the Oversight Board’s jurisdiction

No firm may participate in the audit of any US-traded company w/o being registered with the PCAOB

US domiciled firms: October 22, 2003Non-US firms: July 19, 2004

First time that all firms’ data will be compiled in one location

All clients, associated auditors, foreign affiliatesQuality control proceduresCertain pending criminal or civil proceedings

10

Registered Firms as of October 6, 2005

Total registered—1557U.S. registered firms—938Foreign registered firms—619Firms with 100 or more public company clients—10U.S. Firms with more than 1 but 5 or fewer public company clients—approximately 560

11

Inspections

Inspections assess a firm’s compliance with the Act, the Board’s and the SEC’s rules and with professional standards.Regular inspections must take place annually for firms that audit 100 or more U.S. public companies.All other firms must be inspected once every 3 years.

12

Inspections

In 2003, the Board conducted limited inspections of the Big Four accounting firms.In 2004, the 8 U.S. firms auditing more than 100 U.S. public companies were inspected and also 90 smaller firms.In 2005, we expect to complete the inspections of 8 large U.S. firms and one large Canadian firm and more than 250 smaller firmsThe public portion of the 2003 reports and those reports that have been issued to date on 2004 and 2005 inspections of smaller accounting firms are available on the Board’s website at www.pcaobus.org.

13

Inspection Reports

The reports contain both public and nonpublic portions. Nonpublic portions address quality control issues and may discuss criticisms of, and potential defects in, the firm’s quality control systems.Firms have 12 months to correct any such defects or face public disclosure of the Board’s findings.The entire report is provided to the SEC and appropriate state regulators.Possible violations of securities laws are referred to the appropriate authorities.

14

Investigation and Enforcement

The Board may investigate possible violations of the Sarbanes-Oxley Act, the Board’s rules, the securities laws related to audit reports and professional standards.

Previously (except in the case of SEC actions) controlled by the profession.Limited to investigating possible violations by registered accounting firms and associated persons.Also look at the accuracy of audit client financial statements and may refer potential violations by issuers which come to our attention to others with appropriate jurisdiction.Prompted by inspections, referrals from other regulatory agencies, public announcements or filings or tips.

15

Professional Standards

Previously controlled by the profession Now, exclusive authority of PCAOB (subject to SEC approval)Includes: auditing and related attestation standards, quality control, ethics and independenceExcludes: accounting standardsApril 16, 2003, PCAOB adopted AICPA standards as its interim standards

PCAOB uses an open processSimilar to normal regulatory rule-making processStanding Advisory Group (“SAG”)Roundtables on selected issuesAd hoc task forces

16

Professional Standards (cont)

Some standards were mandated or implied by SOXStandards Adopted by the Board

AS # 1 – Reference to PCAOB StandardsAS # 2 – Internal Control (Sec. 404 (b))

Applicable July 15, 2006 for FPRAS # 3 – Audit DocumentationAS # 4 --Reporting on Whether a Previously Reported Material Weakness Continues to Exist—Pending SEC approval

Rules Related to Auditing StandardsMust versus ShouldIndependence Rules—Pending SEC approval

17

Future Standard-Setting

Communications with Audit CommitteesEngagement Quality ReviewAuditing related party transactionsAssessing audit riskAuditing fair value measurements and disclosuresQuality controlConfirmation process

Paul BijouPaul BijouDeputy Director, InspectionsDeputy Director, Inspections

October 20, 2005October 20, 2005

PCAOB Inspection ProcessWhat Can be Expected Before, During

and After the Inspection Process

19

A Few Highlights…..2003

January 6 Doors open in DC HeadquartersJune 26 First Inspectors begin 2003 “Limited Inspections”

2004May 3 “Regular” Inspections commence

- Large Firms > 100 Issuer clients- Small Firms

July 19 Foreign registration applications are due (as of March 2, 2005 approximately 552 registration applications have been approved by the Board)

August 26 Reports on 2003 Limited Inspections issued

2005March 8 International inspections commenceMay 2 Inspections commence (small and large firms)

20

PCAOB Offices

Washington, DCWashington, DCNew York, NYNew York, NYAtlanta, GAAtlanta, GADallas, TexasDallas, TexasSan Mateo, CASan Mateo, CAOrange County, CAOrange County, CADenver, CO Denver, CO Chicago, IL Chicago, IL

21

Mission of Northeast Region Inspection Office

Integrate into National PCAOB mission of inspecting the Large Firms (> 100 Issuer clients)

Inspect the Small Firms in the Northeast Region

Support Small Firm Inspection Process in other PCAOB Offices

Support other PCAOB initiatives

22

- Northeast Region -Small Firms Registered

Number of Firms by State

Connecticut 5Maine 2Massachusetts 13New Hampshire 2New Jersey 33New York 87Rhode Island 2Vermont 1

Total 145

23

Inspection Process

– Initial contact with firm– Inspection commencement date determined– Formal letter issued with document request– One week prior to start date

Engagements selected for review

– Quality control assessment and engagement reviews– Comment forms prepared, reviewed by firm, and responded to– Draft report prepared by Inspection Staff– Draft report is reviewed by Board of PCAOB– Board makes draft report available to firm– Firm has 30 days to respond to draft report– Board issues final report to firm and the SEC

24

Document Request (Not all inclusive)

Firm demographic information

List of individuals who manage the firm and their biographies.

Firm’s quality control policies and procedures, including current year’s internal inspection and/or peer review results.

Firm’s policies covering independence, including policies regarding non-audit services, fee arrangements and business ventures, alliances, and arrangements with issuer audit clients.

25

Document Request (Continued)

List of concurring reviewers outside of the firm.

Engagement partner and concurring reviewer for each issuer client.

List of former issuer audit clients that "changed auditors" from your firm.

List of issuer audit clients that restated their financial statements.

26

Quality Control Assessment

Tone at the topIndependenceQuality control (internal programs and peer review results)Concurring partner reviews Client acceptance and retentionTrainingAudit methodologyWork of other auditorsAlternative practice structure

27

Engagement Reviews

Meet with engagement partner

Review of audit workpapers

Comment forms issued, reviewed by the firm, and responded to

28

Issues Identified in All Types of Issuers

Audit of fair valuesRelated party issuesProhibited loansRevenue recognitionAuditing of expensesIndependenceGoing concern/development stage designationControl of issuer use of reportsUnderstanding of contractual arrangements/substance of transactionsPrincipal auditor

29

Questions?

Bella RivshinAssistant Chief Auditor


Auditing Internal Control Over Financial Reporting

31

The Internal Control Standard

PCAOB Auditing Standard No. 2 – An Audit of Internal Control Over Financial

Reporting Performed in Conjunction with An Audit of Financial Statement

32

Effective Dates

Effective for audits of public companies with fiscal years ending on or after November 15, 2004 for accelerated filers

Effective for audits of foreign private issuers with fiscal years ending on or after July 15, 2006

Effective for audits of non-accelerated public companies with fiscal years ending on or after July 15, 2007

33

What We Will Cover● Summary of §404 Reporting to Date● §404 & AS2 – Update of Recent Activities● Small Business Issues● PCAOB Staff Q&A on AS2 (May 16, 2005)● Lunch ● AS2 Implementation Issues● Brief Overview of AS4 ● Reference Sources● Questions & Answers (throughout)

34

Summary of §404 Reporting to Date

Total §404 Reports as of August 31st

§404 Reporting by Industry

Material Weaknesses Reported

By Accounting Area

By Internal Control Issue

35

Summary of §404 Reporting(as of August 31, 2005)

100%3,230

0.01Issuers receiving a disclaimer of opinion

13.8444Issuers with ineffective internal control over financial reporting

86.2%2,785Issuers receiving unqualified opinion on internal control

PercentageNumber

Source: Audit Analytics

36

§404 Reporting Results by Industry(as of August 31, 2005)


Information Technology Consumer Discretionary Financials Industrials Health Care Materials Energy Telecommunication Services Utilities Consumer Staples

15% 17%

27%

19%

22%

Based on 444 issuers reporting ineffective control over financial reporting

37

Material Weaknesses by Accounting Area



0%

2%

4%

6%

8%

10%

12%12%

Tax

12%

Revenue

9%

Inventory

9%

Liabilities

7%

Leases

6%

Depreciation

38

Material Weaknesses by I/C Issue



30%

18%

14% 14%

7% 7%

0%

5%

10%

15%

20%

25%

30%

Documentation

Adjustments

Restatement

Personnel

Reconcilations

Segregation

39

April 13 – SEC roundtable held to discuss implementation issuesThe majority of participants felt the principles are sound

60 experts testified – issuers, auditors and investors

215 letters received by the SEC

May 16 – PCAOB & SEC issued additional guidanceJune 8 & 9 – PCAOB Standing Advisory Group (SAG) discussion on implementation issuesJuly 26 – PCAOB adopted new Auditing Standard No. 4 on Reporting on Whether a Previously Reported Material Weakness Continues to Exist (Discussed briefly at end of session)September 21 – SEC amends the effective date for non-accelerated filers to July 15, 2007

Update on Recent Activities

40

PCAOB Policy Statement – Issued May 16, 2005

Integrate audits of internal control with audits of financial statementsExercise judgment to tailor audit plans to the risks facing individual clients

Small companies do not need the same types of controls or the same audit process as do large multi-nationals The PCAOB inspections will be consistent with this policy statement, and will not second-guess good faith exercises of audit judgment

Use a top-down approach that begins with company-level controlsUse the flexibility of the standard to use the work of others as providedEngage in direct and timely communication with audit clients

41

PCAOB Staff Q&A on AS No. 2 –Issued May 16, 2005

Top-down approach (Q&A 38)Risk-based approach (Q&A 39-40)Scope and extent of testing (Q&A 41-53)

Nature, timing, and extent of testingAuditor’s work vs. management’sReliance on prior year’s workBenchmarking – IT related

Using the work of others (Q&A 54)Auditor’s quarterly responsibilities (Q&A 55)

42

SEC Staff Statement on ICFR –Issued May 16, 2005

Purpose of ICFRReasonable assurance, risk-based, and scope of testing and assessmentEvaluating internal control deficienciesDisclosures about material weaknessesInformation technology issuesCommunications with auditorsIssues related to small business and foreign private issuers.

43

June SAG Meeting – Next Steps

AS2: need more experience (including non-accelerated filer experiences) before determining whether to re-open the standard

Unless the SEC’s Advisory Committee on Smaller Public Companies recommends otherwise

Guidance: weigh the costs that might be required to revise AS2 systems only recently developed, against the benefits that additional clarification might provide

44

Small Business Issues

Relative Cost of ImplementationAS2 Application in the Small Business EnvironmentSmall Business Initiatives Underway

45

Smaller companies typically do not have the same level of controlsTime and personnel pressures from both management and the auditor One-size-fits-all audit approaches are not appropriate“Small companies do not need the same types of controls or the same audit process as do large multi-nationals”1

1– Dan Goelzer, PCAOB Board Member, April 29, 2005

Relative Cost of Implementation

46

No small business exemption in statute or auditing standardCurrent standard relies on COSO frameworkEnd result: one-size does not fit all. Auditors must exercise judgment: ● Less complex business = internal controls that are less complex ● May require less documentation● Amount of auditor’s work is affected by quality of management’s

assessment as well as the quality and quantity of company documentation.

● Specific internal control issues at smaller public companies● Segregation of duties● Expertise/experience of accounting personnel● Independence of board● Expertise of audit committee members● Tone at the top and/or entrepreneurial style of management

AS2 Application in the Small Business Environment

Small Business Initiatives Underway

COSO Small Business Advisory GroupSEC Advisory Committee on Smaller Public Companies

48

COSO Small Business Advisory Group

January 2005 – COSO launches new guidance initiative for small public companies - Implementing the COSO Control Framework in Smaller Companies

Will coordinate with the SEC Advisory Committee on Smaller Public Companies

Guidance will demonstrate how small companies can most efficiently and effectively implement the COSO frameworkKey features

Approximately 25 essential principles for effective internal control over financial reportingGuidance for addressing common issues for smaller public companies, such as segregation of dutiesMany examples

Exposure draft in Fall 2005 (see www.coso.org)

49

SEC Advisory Committee on Smaller Public Companies

December 2004 – SEC Advisory Committee on Smaller Public Companies formed to assess current regulatory system for smaller companiesCommittee discussing numerous issues beyond Section 404Solicited responses to 29 Questions related to SOXAugust 18 - SEC Advisory Committee on Smaller Public Companies submitted two resolutions to the SEC

Recommended to amend the effective date for non-accelerated filers to July 15, 2007

Recommended that smaller public companies not be subject to further acceleration of due dates for annual and quarterly reports

Last meeting held on October 14 in New York (www.sec.gov)

50

Agenda Recap● Summary of §404 Reporting to Date● §404 & AS2 – Update of Recent Activities● Small Business Issues● PCAOB Staff Q&A on AS2 (May 16, 2005)● Lunch ● AS2 Implementation Issues ● Brief Overview of AS4● Reference Sources● Questions & Answers (throughout)

51

Overview of AS2 Requirements1. Planning the audit (¶39)

2. Evaluating the management’s assessment (¶40-46)

3. Obtaining an understanding of I/C (¶47-87)

4. Evaluating the effectiveness of both the design and operation of I/C (¶88-126)

5. Forming an opinion on effectiveness of I/C (¶127-141)

6. Reporting the results (¶162-199)

7. Required communications (¶142-144 & 207-214)

52

PCAOB Staff Q&A on AS No. 2 –Issued May 16, 2005

Top-down approach (Q&A 38)Risk-based approach (Q&A 39-40)Scope and extent of testing (Q&A 41-53)

Nature, timing, and extent of testingAuditor’s work vs. management’sReliance on prior year’s workBenchmarking – IT related

53

Top-down Approach (Q&A 38)Auditor performs procedures to understand ICFR and identify controls to test in sequential mannerFocus early on matters, such as company-level controls (CLC), that can affect later scoping decisionsEliminate from consideration, accounts with remote likelihood of material misstatementIdentify, understand, and evaluate design effectiveness of CLC

54

Top-down Approach (Q&A 38)Identify significant accounts at financial statement or disclosure levelIdentify assertions relevant to each significant accountIdentify significant processes and major classes of transactionsIdentify points where error or fraud could occurIdentify controls that prevent or detect error or fraudLink controls with significant accounts and assertions

55

Risk-based Approach (Q&A 39-40)

Significant accounts Use risk factors in paragraph 65 to eliminate from consideration accounts with remote likelihood of containing material misstatementRelevant assertions Assertions that do not present meaningful risk of material misstatement are not relevant and should not be testedUsing work of others As risk factors decrease in significance, need for auditor to perform own work decreases

56

Scope and Extent of Testing (Q&A 43)

As risk associated with control decreases:Nature – persuasiveness of evidence needed decreases

Inquiry, observation, inspection of documents, and re-performance of control are types of audit proceduresWalkthroughs are a combination of the procedures and can serve as tests of design and operating effectiveness

Timing – testing can be done farther from as-of dateExtent – extensiveness of testing should decrease

57


Benchmarking automated application controls:

Auditor may conclude that automated application control continues to be effective, without repeating the prior year testing of the application if:

General controls over program changes, access to programs, and computer operations are effective and continue to be tested ANDThe auditor verifies that the automated application control has not changed since s/he or she last tested the application control

Should consider related files, tables, data, and parameters on the consistent and effective functioning of the automated application control

58


When evaluating management’s assessment, the auditor should consider that:

Management has a broader array of procedures to achieve reasonable assurance for its assessment of internal controls over financial reporting

For example, management might be able to determine that controls operate effectively through its ongoing monitoring activities

59


While AS2 states that the auditor should not use management “self-assessment” of controls as part of their evidence, the auditor should consider that:The term “self-assessment” may be used by some to have a broader meaning that includes different types of procedures performed by various parties

AS2 assumes a narrower meaning of self-assessment as testing done by the same personnel who are responsible for performing the control.Auditors cannot use an assessment made by the same personnel who are responsible for performing the control

Auditors can use management’s self-assessment of controls in certain circumstances

60


When evaluating management’s assessment, the auditor should consider that:

The extent of management’s testing does not have to be as extensive as the auditors

Nature and timing of management’s tests are determined independently of the auditor’s scope of testing

The procedures management performs might be different than the auditor’s procedures

Management has a broader array of procedures available

61

Scope and Extent of Testing (Q&A 50-51)

In structuring tests throughout the year the auditor should consider that:

The lower the overall risk associated with a given control, the less extensive the auditor’s updating procedures need to beThe more persuasive the evidence obtained at an interim date, the less extensive the updating procedures need to beThe updating procedures should be less extensive if the updating period of time is shorter.The more stable the control environment the less extensive the updating procedures need to be

62

Lunch Break

63

Agenda Recap● Summary of §404 Reporting to Date● §404 & AS2 – Update of Recent Activities● Small Business Issues● PCAOB Staff Q&A on AS2 (May 16, 2005)● Lunch ● AS2 Implementation Issues● Brief Overview of AS4● Reference Sources● Questions & Answers (throughout)

64

Implementation Issues—Discussion of Seven Key Issues

1. Audits of companies with ineffective internal control

2. Using COSO Criteria3. Management documentation and tests of

controls4. Auditor’s use of the work of others5. Evaluating deficiencies in internal control6. Reporting on internal control7. Integrating audits of internal control and

audits of financial statements

65

1. Audits of Companies with Ineffective Internal Control

Why perform an audit of internal control on a company whose internal control is obviously ineffective?

● Section 404 of the Act● SEC’s implementing rules● Auditing Standard No. 2

● Requires the auditor to obtain sufficient competent evidence about the design and operating effectiveness of controls over all relevantfinancial statement assertions related to all significant accounts and disclosures in the financial statements.

● States that the auditor must plan and perform the audit to obtain reasonable assurance that all deficiencies that, individually or in the aggregate, could be material weaknesses are identified.

● Benefits of reporting to investors

66

2. Using COSO Criteria

COSO Internal Control-Integrated FrameworkApplies to organizations of all sizesSpecial considerations for small to mid-sized entities

67

The COSO Framework

"Internal control consists of five interrelated components. These are derived from the way management runs a business and are integrated with the management process."

– Committee of Sponsoring Organization of the Treadway Commission; 1987

1. Control Environment

2. Risk Assessment

3. Control Activities

4. Information and Communication

5. Monitoring

68

COSO Small Business Considerations

Control environmentSegregation of dutiesInformation technology controlsDocumentation

69

3. Management Documentation and Tests of Controls

● Small businesses: less formal policies and procedures (fewer documented controls).

● Tests of controls● Inquiry and observation should be

supplemented with other evidence.● Inspection of documents used or generated

by a control.●Reperformance of controls.●Consider effects of other evidence.

70

4. Auditor’s Use of the Work of Others

Examples from Auditing Standard No. 2● Internal auditors providing assistance under

the direction of the independent auditors.

● Internal auditors or third parties independently testing management’s assessment activities.

● Internal auditors, other company personnel, or third parties participating in management’s assessment activities.

71

Auditor’s Use of the Work of Others

● Subject to the guidelines:● An auditor may use the work of others to

reduce the extent of work he/she would otherwise perform.

● The auditor has flexibility in determining the extent to which the work of others will be used.

72

Guidelines for Using the Work of Others

Boundaries● Principal evidence: The auditor’s own work must

provide the principal evidence for the auditor’s opinion.

● Control environment: Auditor should not use the work of others to reduce the auditor’s work on controls in the control environment, including controls that are established to prevent and detect fraud that is at least reasonably possible to result in material misstatement of the financial statements.

● Walkthroughs: Auditor should perform his or her own walkthroughs of major transaction classes.

73

Guidelines for Using the Work of Others

Required procedures● In determining the extent to which the auditor

may use the work of others, he/she should:

● Evaluate the nature of the related controls

● Evaluate the competence and objectivity of the other party

● Evaluate the materiality, risk, & subjectivity of the item being tested

● Test some of the work performed by the other party.

74

Auditor’s Use of the Work of Others

Consider staff guidance in the following Staff Q&As

NOs. 20-22, 36, and 54

75

5. Evaluating Deficiencies: Control Deficiency Defined

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis(paragraph 8)

76

Internal Control Deficiency

Evaluate significance of deficiency based on –

Likelihood that deficiency, or combination, could result in a misstatementMagnitude of potential misstatement resulting from the deficiency, or combination of deficiencies

77

Evaluating Internal Control Deficiencies

Incorporation of familiar concepts:● FASB Statement No. 5 on likelihood

● Remote (chance of occurring is slight)● Reasonably possible● Probable

● SAB No. 99 on magnitude or materiality● Consideration of quantitative and qualitative

factors● Aggregation of multiple misstatements● Concept of “clearly immaterial””

78


A deficiency is considered a significant deficiency or material weakness if, either individually or in the aggregate, after considering compensating controls, the following criteria are met

MaterialANDMore than remote

Material weakness

More than inconsequential

ANDMore than remote

Significant deficiency

InconsequentialORRemoteControl deficiency

Potential Magnitude of Misstatement

Likelihood of Misstatement

Classification of Deficiency

79

Strong Indicators of Material Weaknesses

● Restatements to correct a misstatement.● Auditor identification of a material

misstatement. ● Fraud by senior management (any

amount). ● Significant deficiencies remain

uncorrected after a reasonable period. ● Ineffective control environment.

—Auditing Standard No. 2, Paragraph 140

80

Strong Indicators of Material Weaknesses

● Ineffective oversight by audit committee (or equivalent).

● Ineffective regulatory compliance function where violations could materially affect the reliability of financial reporting (complex, regulated entities).

● Ineffective internal audit or risk assessment function (large or highly complex organizations).


81

Significant Deficiencies

Deficiencies in the following areas ordinarily are at least significant deficiencies:

● Controls over the selection and application of accounting policies in conformity with GAAP.

● Antifraud programs and controls.● Controls over non-routine and non-systematic

transactions. ● Controls over the period-end financial reporting

process, including controls over procedures used to–● Enter transaction totals into the general ledger.● Initiate, authorize, record, and process journal entries into the

general ledger.● Record recurring and nonrecurring adjustments to the

financial statements.


82


Consider staff guidance in the following Staff Q&As

NOs. 11-15, 28, and 32-35Implementation tools

83

6. Auditor’s Report on Internal Control

● Report on management’s assessment

● Report on the effectiveness of internal control

84

Example Reporting Scenarios

Auditor’s opinion on

AdverseUnqualifiedInternal control not effective

Material weakness identified by management and auditor

UnqualifiedUnqualifiedInternal control effective

No material weakness identified

Effectiveness of ICOFR

Management’s assessment

Management’s reportSituation

85


Issue adverse opinions on both management’s assessment and internal control.

Company has one or more material weaknesses, but management’s assessment indicates internal control is effective

• Communicate to management and the audit committee.

• Disclaim opinions.• Consider possible additional

auditor responsibilities

Management fails to fulfill its responsibilities regarding the internal control assessment

Auditor’s ReportSituation

86


• Communicate to management and the audit committee.

• Disclaim opinions, and disclose material weakness.

• Consider possible additional auditor responsibilities

Same as above, except that management has not sufficiently attempted to fulfill its responsibilities.

• Treat as a material weakness and report accordingly.

• Probably conclude that management has fulfilled their responsibilities, so audit opinion can be rendered.

Material accounts processed by a service organization (under contract since 2001). Management has attempted to fulfill its assessment responsibilities relative to the service organization but without success.

Auditor’s Report…Situation

87

7. Integrating Audits of Internal Control into Audits of Financial Statements

● The auditor should perform substantive procedures for all relevant assertions related to all significant accounts and disclosures.

● For any identified control deficiencies, the auditor should evaluate the effect on the nature, timing, and extent of substantive procedures.

● The auditor’s procedures must include reconciling the financial statements to the accounting records.

● The auditor should examine material adjustments made by the company during the course of preparing the financial statements.

88

● Regarding substantive analytical procedures:● The auditor should either (1) test the design and

operating effectiveness of controls over financial information used, or (2) perform other procedures to support the completeness and accuracy of the underlying information

● The auditor should also evaluate the risk of management override of controls.

● For significant risks of material misstatement, substantive analytical procedures alone are unlikely to be sufficient.

7. Integrating Audits of Internal Control into Audits of Financial Statements (cont)

89

Agenda Recap● Summary of §404 Reporting to Date● §404 & AS2 – Update of Recent Activities● Small Business Issues● PCAOB Staff Q&A on AS2 (May 16, 2005)● Lunch ● AS2 Implementation Issues● Brief Overview of AS4● Reference Sources● Questions & Answers (throughout)

90

AS#4: Reporting on Whether a Previously Reported Material Weakness Continues to Exist

Adopted by PCAOB July 26, 2005 Effective as of date of SEC approval (currently under consideration)

Objective is to express an opinion on whether a previously reported material weakness continues to exist as of a specified date.Engagement is optional. Management can make cost-effectiveness judgmentCould be performed any time during yearConsistent with AS#2

91

Auditing Standard No. 4

Conditions for auditor:Auditor has audited the company's financial statements and internal control over financial reporting (ICFR) in accordance with AS #2 as of the date of company's most recent annual assessment of ICFR, orAuditor has been engaged to perform an audit of the financial statements and internal control over financial reporting in accordance with AS #2 in the current year and has a sufficient basis for performing engagement

92


Conditions for management:Management accepts responsibility for effectiveness of ICFRManagement evaluates the effectiveness of specific control(s) that it believes addresses the MW using the same control criteria and control objective(s) as used in most recent annual assessment of ICFR

Management asserts that the specific control(s) identified is effective in achieving the control objective

Management supports its assertion with sufficient evidence, including documentation

Management presents a written report that will accompany the auditor's report that contains elements described in paragraph 48 of this standard

93


If the auditor determines that the previously reported material weakness continues to exist, s/he is not required to issue a report

If the auditor does not issue a report, s/he must communicate, in writing, to audit committee his conclusion that the material weakness continues to exist

If the auditor identifies a material weakness that has not been previously communicated to the audit committee, auditor must communicate that material weakness, in writing, to audit committee

94

Reference Sources

www.pcaobus.orgAuditing Standard No. 2Staff Questions and AnswersPCAOB Conforming Amendments

95

Questions

96

Appendix

Brief Overview of AS2 Requirements

97

Overview of AS2 Requirements1. Planning the audit (¶39)

2. Evaluating the management’s assessment (¶40-46)

3. Obtaining an understanding of I/C (¶47-87)

4. Evaluating the effectiveness of both the design and operation of I/C (¶88-126)

5. Forming an opinion on effectiveness of I/C (¶127-141)

6. Reporting the results (¶162-199)

7. Required communications (¶142-144 & 207-214) (Note: The following 11 slides relate to these seven steps; presentation will not cover these in depth.)

98

1) Planning the Audit (¶39)

The audit of internal control must be properly planned and supervisedIn the planning phase the auditor should consider:

Prior knowledge of the company’s system of internal controlIndustry knowledge with respect to financial reporting practices, economic conditions, laws and regulations and technological changes.Company knowledge with respect to its organization, operating characteristics, capital structure and distribution methodsRecent changes in operations or in internal controlsPreliminary judgments about materiality, risk, etc.The number of significant business locations or units

99

2) Evaluating Management’s Assessment (¶40-46)

Auditor determines basis on which management reaches its conclusion on control effectiveness

Such as the COSO framework, which includes (1) control environment;(2) risk assessment; (3) control activities; (4) information & communication; and (5) monitoring

Uses this knowledge and understanding of management’s assessment process in planning his/her audit work

More reliable management’s assessment, the less costly the auditor’s work needs to be

Review of management’s documentation of the system is a major component of evaluating the work

100

3) Obtaining an Understanding of I/C (¶47-87)

Auditor must gain an understanding of the design of the controls and operating effectiveness

Inquiry of company personnel and review of management’s assessment process

Two aspects of understanding the design and operation of controls:

Walkthroughs for major classes of transactions

The role of the audit committee

101

Walkthroughs

The auditor should perform one “walkthrough” for each major class of transactions

Walkthrough traces the transaction from its origination all the way through its inclusion into the financial statements.

Walkthroughs confirm the auditor’s understanding of:The flow of the transactionDesign of the controls surrounding the transaction (including all five components of the COSO framework)Completeness of the transactionEffectiveness of the controls surrounding the transactionThe fact that the controls are in place

102

The Role of the Audit Committee

Audit committee is an important element of the COSO framework addressing two of the five components

Control environment and monitoring

The auditor should consider:Independence of the audit committee members

Clarity of audit committee’s charter

Understanding of responsibilities

Involvement and interaction with all parties

Quality of questions and understanding of responses

103

4) Evaluating the Effectiveness of Both the Design and Operation of I/C (¶88-126)

Testing is the heart of the auditControls that are identified as addressing key assertions in thefinancial statements for all significant accounts should be testedIncludes interviews, observations, document reviews, and reperformanceTesting should vary from year to year

But the auditor must obtain evidence for all relevant assertionsfor all significant accounts every year

Reliance on the “work of others” (covered in more depth later)Extent of reliance depends on both competence and objectivityDepends on materiality, risk and subjectivity of accountWork must be tested by the auditorNature of control is important to considerPrincipal evidence must be obtained by the auditor

104

5) Forming an Opinion on Effectiveness of Internal Control (¶127-141)

The auditor must form an opinion on the effectiveness of controls and whether deficiencies exist

All deficiencies should be reported in writing to management

All significant deficiencies must be reported in writing to management and the audit committee

The existence of a material weakness requires the issuance of an adverse opinion on internal control

Auditor will also report on whether s/he or she agrees with management’s assessment of internal control

105

6) Reporting the Results (¶162-199)

The auditor must include two opinions:1. Opinion on management’s assessment

If a material weakness is found, management’s report cannot conclude that internal control is effectiveIf management and the auditor disagree on whether there is a material weakness, the auditor would render an adverse opinion on management’s assessmentThe auditor’s opinion is on management’s assessment – not on management’s process for assessing.

106

6) Reporting the ResultsThe auditor must include two opinions:2. Opinion on the effectiveness of internal control over

financial reportingThe auditor is permitted to express an unqualified opinion on effectiveness only if enough testing was done and no material weaknesses were foundIf management did not fulfill their responsibilities regarding their assessment, the auditor must disclaim an opinionExistence of a material weakness requires an adverse opinion

107

7a) Communication—Management’s communication requirements ¶142–144

Written representation acknowledging management’s responsibilityStatement that an assessment has been performedStatement of management’s conclusionStatement that all deficiencies have been disclosed to the auditorDescription of any material fraud or fraud involving senior management

108

7b) Communication—Auditor’s communication requirements ¶207–214

Must communicate in writing all significant deficiencies and material weaknesses to bothmanagement and the audit committeeIf significant deficiencies or material weaknesses exist because of ineffective oversight over financial reporting by the audit committee, the communication (in writing) must be to the board of directorsAll deficiencies must be reported to management and should be reported in writing

Auditor Independence

Kayla J. GillanBoard Member


110

Objectives

Brief refresher regarding existing rules and lawsSynopsis of New PCAOB Ethics And Independence Rules Concerning Independence, Tax Services, And Contingent Fees (Release No. 2004-15)

Adopted July 26, 2005Currently under SEC consideration

111

Core PrinciplesCore Principles

Facts & Facts & CircumstancesCircumstances

Per SePer SeProhibitionsProhibitions

Client Client CommunicationsCommunications

Auditor Independence: Overview

112




Congress & Congress & CourtsCourts

SECSEC PCAOBPCAOB

Auditor Independence: Core Principles

113

Congress & CourtsCongress & Courts• ’33 and ’34 Acts

• Industry-specific laws regarding public companies

• U.S. v. Arthur Young

SECSEC• 2000 General Guidance (effective 2/5/01):

• Mutual or conflicting interest?• Audit own work?• Act as management or employee of client?• Advocate for client?

• “Independence is a state of mind”

Core Principles: Existing Guidance

114





Auditor Independence: Facts & Circumstances

115

• An accountant will not be deemed to be independent if:

• the accountant is not capable of exercising objective and impartial judgment on all issues encompassed within the engagement, or

• a reasonable investor with knowledge of all relevant facts and circumstances would conclude that the accountant is not so capable

• Look at all relevant circumstances and relationships between the accountant and the audit client

Auditor Independence: Facts & Circumstances

116




Auditor Independence: Per Se Prohibitions

Other Other ProhibitionsProhibitions

Prohibited Prohibited NonNon--Audit Audit ServicesServices

117




Other Other ProhibitionsProhibitions

ExistingExisting

Prohibited Services

New PCAOB New PCAOB RuleRule

118

Existing Prohibited Non-Audit Services

Bookkeeping or other services related to the accounting records or financial statements of the audit clientFinancial information system design and implementationAppraisal or valuation services, fairness opinions, or contribution-in-kind reportsActuarial services

Internal audit outsourcing servicesManagement functionsHuman resourcesBroker-dealer, investment adviser, or investment banking servicesLegal servicesExpert services unrelated to the audit

119

Bookkeeping Services

The auditor is prohibited from –Maintaining or preparing the audit client's accounting recordsPreparing the audit client's financial statements that are filed with the SEC or that form the basis of financial statements filed with the SECPreparing or originating source data underlying the audit client's financial statements

120

Management Functions

The auditor is prohibited from acting, temporarily or permanently, as a director, officer, or employee of an audit client, or performing any decision-making, supervisory, or ongoing monitoring function for the audit client

121

Other Independence ProhibitionsFinancial interests in audit clientBusiness relationships with audit clientEmployment relationships with audit clientContingent fee arrangementsAudit client hiring an audit engagement team member within a certain timeframe into a financial reporting oversight role Partner rotation on the audit engagementPartner compensation for selling non-audit services

122




Auditor Independence: Client Communications

Existing New PCAOB Rule

123

Audit Committee PreAudit Committee Pre--ApprovalApproval●Registered public accounting firms are required

to obtain pre-approval of all non-audit services (not otherwise prohibited)• For example - tax compliance services, due-

diligence for potential acquisition, services related to a public offering, royalty audits.

Existing Client Communication Requirements

124

July 26, 2005 New Rules

Three distinct topics –Core ethics and independence requirementsSpecific services that impair the auditor's independence

Contingent feesTax transactionsTax services to officers in a financial reporting oversight role

Additional communication requirements with audit committees as they relate to permissible tax services

125

Individuals

Firms, CPAs &AssociationsAcademics

State Boards

InstitutionalInvestorsAttorneys

Companies &AssociationsMisc.

805 Comment Letters

126

●●Rule 3502Rule 3502: Codify ethical responsibility for an associated person not to cause his/her registered firm to violate the Act, Board rules, applicable securities laws, or professional standards

●Based on:• Knowing or reckless behavior• That directly and substantially

contributes to the firm’s violation• Effective: 10 days after SEC approval

New Core Principles

127

●●Rule 3520Rule 3520: A registered firm (and its associated persons) must be independent of its audit client throughout the audit and professional engagement period. Must also satisfy all applicable independence criteria.●Effective: 10 days after SEC approval

New Core Principles

128

New Prohibited Services

Rule 3521 – Contingent FeesRule 3522 – Tax TransactionsRule 3523 – Tax Services for Executives in a Financial Reporting Oversight Role

129

Prohibited Service – Contingent Fees

Rule 3521Rule 3521 – A registered public accounting firm is not independent of its audit client if the firm, or any affiliate of the firm, during the audit and professional engagement period, provides any service or product to the audit client for a contingent fee or a commission, or receives from the audit client, directly or indirectly, a contingent fee or commission.

Effective: For fee agreements that have not been paid in their entirety, converted to an acceptable fee arrangement or unwound, the later of 12/31/05 or 10 days after SEC approval

130

Contingent Fees: Definitions

Any fee established for the sale of a product or the performance of any service pursuant to an arrangement in which no fee will be charged unless a specified finding or result is attained, or in which the amount of the fee is otherwise dependent upon the finding or result of such product or serviceA fee is not a "contingent fee" if the amount is fixed by courts or other public authorities and is not dependent on a finding or result

131

Prohibited Service – Tax Transactions

Rule 3522 Rule 3522 – a registered public accounting firm is not independent from an audit client if the firm provides services related to marketing, planning, or opining in favor of the tax treatment of a transaction this is:• a confidential transaction as defined by the new Rule 3501

(which restates the US Treasury Department Regulations)• based on an aggressive interpretation of applicable tax laws and

regulations• includes listed transactions as defined by US Treasury

Department regulationsEffective for services not completed by the audit firm by the later of 12/31/05 or 10 days after SEC approval

132

Prohibited Service – Tax Services to Officers

Rule 3523Rule 3523 – A registered public accounting firm is not independent of its audit client if the firm, or any affiliate of the firm, during the audit and professional engagement period, provides any tax service to an executive in a financial reporting oversight role at the audit client

Financial Reporting Oversight Role means a role in which a person is in a position to or does exercise influence over the contents of the financial statements or anyone who prepares them

Includes executives in a FROR at material affiliatesExcludes directors (when their oversight role is solely because of their membership on the board or audit committee)Restriction includes expatriate tax services to these types of executives

Effective: will not apply to tax services being provided pursuant to an engagement in process (i.e., engagement documents complete) at the time the SEC approves the rules, provided that such services are completed on or before the later of June 30, 2006 or ten days after the date that the SEC approves the rules.

133

New Client Communications Rule

Rule 3524 – In connection with seeking audit committee pre-approval to perform for an audit client any permissible tax service, a registered public accounting firm shall –

provide to the audit committee certain information, including a written description of the engagement, its fee, and potential effects on the auditor’s independencediscuss these issues with the audit committee, anddocument the substance of the discussion

Effective: tax services not pre-approved before the later of 12/21/05 or 10 days after SEC approval.

In situations in which the tax services were pre-approved by policy or procedures, then applies to services provided on or after April 1, 2006.

134

Paul BijouPaul BijouDeputy Director, InspectionsDeputy Director, Inspections

October 20, 2005October 20, 2005

PCAOB Inspection Reports

136

Inspection Reports

Draft inspection reports are issued once fieldwork is complete and after the inspection team’s findings and related inspection report have been reviewed

Comment forms provide the foundation of the inspection report Firms have 30 days to respond to our draft inspection reports

137

Inspection Reports

The small firm inspection report usually has four sections

Part I is publicPart I provides overview of firm size, legal structure and summary of inspection results

All or portions of Part IV may be publicPart IV includes a copy of the firm’s response to the draft report, if received

138

Inspection Reports

The small firm inspection report has four sections (continued)

Parts II and III are nonpublicPart II details the inspection findings and quality control issues Part III discusses (1) a firm’s responsibility to address the criticisms and potential defects described in Part II of the report and (2) if the firm fails to address these criticisms and potential defects to the Board’s satisfaction within a 12 month period, then the Board will make Part II publicly available.

139

Inspection Report

Final Inspection Report After the 30-day response period expires and the report is approved by the Board, the final inspection report will be issued

The final inspection report is provided to the firm, the SEC and the appropriate state regulatorsThe public portions of inspection reports are posted on the PCAOB website, including the public part of firm responses.

140

Bella RivshinAssistant Chief Auditor


Audit Documentation

142

Auditing Standard No. 3 – Audit Documentation

Effective for audits of financial statements with fiscal years ending on or after November 15, 2004A deficiency in audit documentation is a departure from the standards of the PCAOB

143

Auditing Standard No. 3 – Audit Documentation

For relevant financial statement assertions, auditors must document

procedures performed, evidence obtained, and conclusions reached (par. 6).

144

Experienced Auditor

Documentation must have sufficient clarity and completeness so that an experienced auditor, having no previous connection with the engagement, must be able to understand the work performed, evidence obtained and conclusions

An experienced auditor has a reasonable understanding of audit activities and has studied the company’s industry as well as the A&A issues relevant to the industry. (Par. 6)

145

Engagement Completion Document

All significant findings or issues to be documented in an engagement completion document (par. 13)

146

Engagement Completion Document

Examples of significant findings or issuesinclude:

Significant matters involving selection, application, and consistency of GAAPAudit adjustmentsDisagreements among engagement team membersSignificant difficulty in applying auditing proceduresAny matters that could result in modification of auditor’s report

147

Audit Documentation

If there is insufficient documentation in the w/ps, auditor must demonstrateprocedures performed, evidence obtained, and conclusions reached (par. 9)

Auditor must have persuasive other evidenceOral evidence, alone, is not sufficient and may be used only to clarify other written evidence

148

Deficiency in Audit Documentation

What if procedures, evidence, and conclusions are not adequately documented in the w/ps on a timely basis? (par. A59)

Primary source of evidence should be documented when procedures performedDocumentation added well after completion of audit usually of lesser qualityAgain, any oral explanation can clarify other written evidence and should consider the credibility of person giving oral explanation

149

Deficiency in Audit Documentation(continued)

If there is a failure to perform and document, auditor to comply with AU sec. 390 (par. 9)

Any documents added, due to performance of additional procedures, must indicate the date they were added, the name of the person who prepared them, and the reason for adding them (par. 16)Previous audit documentation cannot be discarded

150

Multi-Location Audits

The office of the firm issuing the auditor’s report must ensure all audit documentation prepared and retained (par. 18)

151

Multi-Location Audits (continued)

Certain documentation related to the work performed by other auditors must be obtained prior to the report release date. Such documentation includes:

Engagement completion documentSchedule of audit adjustmentsSignificant deficiencies/material weaknessesMatters to be communicated to the audit committee

152

Definitions of Dates

Two new dates defined in this standard –

Report release date – the date the auditor grants permission to use the auditor’s report in connection with the issuance of the F/S (par. 14)Documentation completion date – 45 days after the report release date (par. 15)

153

45-Day Period to Assemble Work Papers

During this period auditor can:Discard superseded drafts of memoranda; financial statements; and other documentsDiscard duplicates of documentsCorrect minor edits in the work papers

154

Keeping Current with PCAOB Standards Activities

www.pcaobus.orgInterim StandardsProposed and final standardsStaff Q&AStanding Advisory Group (SAG)Live and archived webcasts

155

Documents

PCAOB Small Business Forum Slides the Big Four accounting firms. zIn 2004, the 8 U.S. firms auditing more than 100 U.S. public companies were inspected and also 90 smaller firms. zIn