PCAOB releases long-awaited AS5 revising implementation of SOX 404

It's been a busy day. In addition to the NYSE and Euronext merger (see here), and the Thai market falling through the floor (see here), the Public Company Accounting Oversight Board today released a revision to its vilified Audit Standard 2 with a new Audit Standard 5. The proposals are designed to take much of the sting out of how Section 404 of the Sarbanes-Oxley Act is implemented. A copy of the proposed AS5 can be found on the PCAOB's website here.

SOX 404, of course, is a provision of the Sarbanes-Oxley Act that mandates that the management of public companies not just provide investors with a statement about the strength of the company's internal controls (the systems the company uses to track how the company is spending its money and make sure managers are stealing it), but that the company's independent auditor attest to this management statement. Following the collapse of the accounting firm Arthur Andersen, auditors have been extremely reluctant to make such attestations without thorough (and expensive) testing of company internal controls.

The new AS5 (which has been in the works for some time -- see here) has two components. The first is a complete revision of AS2 that:

• Directs the auditor to the most important controls and emphasize the importance of risk assessment;


• Revise the definitions of significant deficiency and material weakness, as well as the "strong indicators" of a material weakness;


• Clarify the role of materiality, including interim materiality, in the audit;


• Remove the requirement to evaluate management's process;


• Permit consideration of knowledge obtained during previous audits;


• Direct the auditor to tailor the audit to reflect the attributes of smaller and less complex companies;


• Refocus the multi-location testing requirements on risk rather than coverage; and


• Recalibrate the walkthrough requirement.

In addition, the PCAOB is revising certain provisions of AS2 regarding when an audit firm can rely on the work of others when assessing a company's internal controls. According to the PCAOB, the new provisions would:

• Allow the auditor to use the work of others, and not just internal audit, for both the internal control audit and the financial statement audit, eliminating a barrier to integration of the two audits;


• Encourage greater use of the work of others by requiring auditors to evaluate whether and how to use the work of others to reduce their testing;


• Require the auditor to understand the relevant activities of others and determine how the results of that work may affect the audit;


• Provide a single framework for using the work of others based on the auditor's evaluation of the combined competence and objectivity of others and the subject matter being tested; and


• Eliminate the principal evidence provision previously included in AS No. 2.

The PCAOB's press release announcing the proposal can be read here. The various PCAOB board members' statements (as well as the briefing paper I'm cribbing all this from) can be read here.

Despite what some had urged, the new AS5 does not exclude small companies from having to have auditors attest to their internal controls, but it does try to make the internal controls testing "scalable," so that audit firms will not have to apply exactly the same standards to small companies as they might for large issuers. This actually follows the (somewhat surprising) recommendations of the Committee for Capital Markets Regulation (see here).

The new AS5 proposal comes less than a week after the SEC also released "management guidance" designed to provide companies with cover should they not do everything audit firms would like them to in testing their internal controls. (See this post here. The SEC management guidance can be read here.)

The SEC also published a press release praising the PCAOB for its work, which you can read here.