Public Company Accounting Oversight Board Update

1
Public Company Accounting Oversight Board -
Update

• SEC Financial Reporting Conference
• Center for Corporate Reporting and Governance
• Greg Fletcher
• Public Company Accounting Oversight Board
• September 19, 2005

2
Caveat

• The opinions I express are my own,
• and do not necessarily represent the views
• of the PCAOB, its members
• or its staff.

3

• Why are we here
• the long version

4
(No Transcript)
5

• or the short version

6

7
What is the PCAOB?

• Private sector regulator for auditors of
  companies publicly traded in the US, created by
  Sarbanes-Oxley Act
• Board has mandate to protect the interests of
  investors and further the public interest in the
  preparation of informative, accurate, and
  independent audit reports of public companies
• Overseen by the SEC
• Independent from the accounting profession

8
Core Areas of Responsibility

• Registration
• Inspection
• Investigation and Enforcement
• Standard Setting

9
Registration

• The foundation for PCAOB to perform its functions
  of inspection and enforcement
• All U.S. accounting firms that prepare or issue
  audit reports on U.S. public companies, or play a
  substantial role, must register with the Board
• Foreign firms with those responsibilities also
  must register
• 1,534 firms have registered 599 are foreign
  firms

10
Inspections

• Inspections assess a firms compliance with the
  Act, the Boards and the SECs rules and with
  professional standards.
• Regular inspections must take place annually for
  firms that audit more than 100 U.S. public
  companies.
• All other firms must be inspected once every 3
  years.
• Inspection reports contain public and nonpublic
  sections.

11
Professional Standards

• The Sarbanes-Oxley Act directs the Board to
  establish auditing, attestation, quality control,
  ethics, and independence standards
• In April 2003, Board decided to form a staff to
  develop auditing and related professional
  practice standards
• Previously, was the responsibility of the AICPA
• Also in April 2003, PCAOB adopted AICPA standards
  as its interim standards

12
Key Points of AS 2

• Auditors must evaluate and report whether
  internal controls provide reasonable assurance
  that transactions are properly recorded in
  conformity with GAAP
• Auditors must evaluate and report on managements
  assessment of internal control over financial
  reporting
• Auditors should use risk-based approach
• Auditors may place reliance on the work of
  internal auditors
• Auditors must communicate material weaknesses and
  significant deficiencies to audit committees

13
PCAOB Implementation Guidance

• Released 5 sets of questions and answers
  related to AS 2
• June 23, 2004 26 QAs
• October 6, 2004 3 QAs
• November 22, 2004 7 QAs
• January 21, 2005 1 QA
• May 16, 2005 18 QAs
• Extent of testing, using work of others,
  evaluating deficiencies, multi-location audits,
  and other

14
Response to First Year Implementation

• Issued May 16 QA and accompanying Board
  statement of policy
• Specifically addressed concerns
• Top down and risk-based approach
• Scope and extent of testing
• Using work of others

15
May 16 QA

• Top-down approach
• Auditor performs procedures to understand ICFR
  and identify controls to test in sequential
  manner
• Focus early on matters, such as company-level
  controls (CLC), that can affect later scoping
  decisions
• Eliminate from consideration, accounts with
  remote likelihood of material misstatement

16
May 16 QA

• Top-down approach (continued)
• Identify, understand, and evaluate design
  effectiveness of CLC
• Identify significant accounts at financial
  statement or disclosure level
• Identify assertions relevant to each significant
  account

17
May 16 QA

• Top-down approach (continued)
• Identify significant processes and major classes
  of transactions
• Identify points where error or fraud could occur
• Identify controls that prevent or detect error or
  fraud
• Link controls with significant accounts and
  assertions

18
May 16 QA

• Risk assessment
• Significant accounts Use risk factors in
  paragraph 65 to eliminate from consideration
  accounts with remote likelihood of containing
  material misstatement
• Relevant assertions Assertions that do not
  present meaningful risk of material misstatement
  are not relevant and should not be tested
• Using work of others As risk factors decrease in
  significance, need for auditor to perform own
  work decreases

19
May 16 QA

• Risk assessment effect on nature, timing, and
  extent
• --As risk associated with control decreases
• Nature Persuasiveness of evidence needed
  decreases
• Inquiry, observation, inspection of documents,
  and reperformance of control are types of audit
  procedures
• Walkthroughs are a combination of the procedures
  and can serve as tests of design and operating
  effectiveness
• Timing Testing can be done farther from as-of
  date
• Extent Extensiveness of testing should decrease

20
May 16 QA

• Benchmarking automated application controls
• Auditor may conclude that automated application
  control continues to be effective, without
  repeating the prior year testing of application
  if
• General controls over program changes, access to
  programs, and computer operations are effective
  and continue to be tested AND
• The auditor verifies that the automated
  application control has not changed since he or
  she last tested the application control
• Auditor should consider importance of the effect
  of related files, tables, data, and parameters on
  the consistent and effective and effective
  functioning of the automated application control

21
May 16 QA

• Self-assessments of control
• Auditors can use managements self-assessment of
  controls in certain circumstances
• Auditor cannot use an assessment made by the same
  personnel who are responsible for performing the
  control

22
May 16 QA

• Self-assessments of control (contd)
• Auditor should evaluate the self-assessments
  using the guidance in AS2 for evaluating the
  work of others
• For work performed by others, auditor should
  evaluate their
• Objectivity
• Independence

23
May 16 QA

• Testing controls as of an interim date
• Auditor should determine what additional evidence
  to obtain concerning the operation of the control
  for the remaining period (paragraph 100 of AS2)
• As factors listed in paragraph 100 decrease in
  significance, evidence can be less persuasive and
  updating procedures less extensive

24
May 16 QA

• Testing controls as of an interim date (contd)
• Factors to consider
• Specific controls tested prior to as-of date and
  results of tests
• Persuasiveness of evidence of operating
  effectiveness obtained at interim date
• Length of remaining period
• Possibility of significant changes in ICFR after
  the interim date

25
PCAOB Policy Statement

• Integrate audits of internal control with audits
  of financial statements
• Exercise judgment to tailor audit plans to the
  risks facing individual clients
• Use a top-down approach that begins with
  company-level controls
• Use the flexibility of the standard to use the
  work of others as provided
• Engage in direct and timely communication with
  audit clients

26
Engage in direct and timely communication with
audit clients

• Determining when it is appropriate for auditor to
  provide accounting advice requires professional
  judgment
• Auditor should be concerned primarily about
  instances in which the company completed
  financial statements and disclosures without
  recognizing potential material misstatement

27
Engage in direct and timely communication with
audit clients

• Auditors may provide audit clients with technical
  advice on the proper application of GAAP,
  including updates on recent FASB developments
• Companies may provide and discuss with the
  auditor preliminary drafts of accounting memos,
  spreadsheets, and other working papers

28
Rules/Standards Approved By Board on July 26

• Independence and tax services
• Standard for reporting on whether a previously
  reported material weakness continues to exist
  (Auditing Standard No. 4)
• Awaiting SEC approval

29
Ethics and Independence Rules - Overview

• Rules cover three areas
• Core ethics and independence requirements
• Specific services that impair the auditor's
  independence
• Contingent fees
• Tax transactions
• Tax services to persons in a financial reporting
  oversight role
• Additional communication requirements with audit
  committees as they relate to permissible tax
  services

30
Core ethics and independence requirements

• Codify principle that persons associated with a
  registered firm may not cause the firm to violate
  relevant laws, rules, and standards
• Rule 3502 A person associated with a registered
  public accounting firm shall not cause that firm
  to violate the Act, rules of the Board,
  provisions of applicable securities laws and SEC
  rules, or professional standards due to an act or
  omission the person knew, or was reckless in not
  knowing, would directly and substantially
  contribute to such violation.

31
Core ethics and independence requirements

• Introduce a foundation for the independence
  component of the Boards independence rules
• Rule 3520 A registered firm and it's associated
  persons must be independent of its audit client
  throughout the audit and professional engagement
  period. Must also satisfy all applicable
  independence criteria.

32
Prohibited Services

• Identification of certain impairments to
  independence
• Rule 3521 Contingent Fees
• Rule 3522 Tax Transactions
• Rule 3523 Tax Services for Persons in a
  Financial Reporting Oversight Role

33
Contingent Fees

• Rule 3521 A registered public accounting firm
  is not independent of its audit client if the
  firm, or affiliate, during the audit and
  engagement period, provides any service or
  product to the audit client for a contingent fee
  or a commission, or receives from the audit
  client, directly or indirectly, a contingent fee
  or commission.
• Contingent fee defined as any fee established for
  the sale of a product, or performance of any
  service pursuant to an arrangement, in which no
  fee will be charged unless a specified finding or
  result is attained, or in which the amount of the
  fee is dependent upon the finding or result of
  such product or service

34
Tax Transactions

• Rule 3522 A registered public accounting firm
  is not independent of its audit client if the
  firm, or affiliate, during the audit and
  engagement period, provides any non-audit service
  to the audit client related to marketing,
  planning, or opining in favor of the tax
  treatment of a transaction that is a -
• Confidential transaction
• Aggressive tax position transaction - that was
  initially recommended, directly or indirectly, by
  the firm and a significant purpose of which is
  tax avoidance, unless the proposed tax treatment
  is at least more likely than not to be allowable
  under applicable tax laws
• Listed transaction

35
Tax Services to Persons in FROR

• Rule 3523 A registered public accounting firm
  is not independent of its audit client if the
  firm, or affiliate, during the audit and
  engagement period, provides any tax service to a
  person in a financial reporting oversight role at
  the audit client or their immediate family member
• Financial Reporting Oversight Role (FROR) means a
  role in which a person is in a position to, or
  does, exercise influence over the contents of the
  financial statements or anyone who prepares them

36
Additional Communications Requirements

• Rule 3524 In connection with seeking audit
  committee pre-approval to perform for an audit
  client any permissible tax service, a registered
  public accounting firm shall
• Describe, in writing, to the audit committee the
  scope of the service, the fee structure for the
  engagement, and other certain information
• Discuss with the audit committee the potential
  effects of the services on the auditors
  independence
• Document the substance of the discussion with the
  audit committee

37
Effective Dates

• Rules 3501, 3502 and 3520 effective 10 days
  after SEC approval
• Rule 3521 and 3522 effective December 31, 2005
  or 10 days after SEC approval
• Rule 3523 effective June 30, 2006 or 10 days
  after SEC approval
• Rule 3524 - effective December 15, 2005 or 10
  days after SEC approval. In cases of
  pre-approval by policies and procedures, the rule
  will not apply to any tax service provided by
  March 31, 2006

38
2004 Internal Control ReportsWhat do these
companies have in common?

• Fannie Mae
• AIG
• GE
• Kroger
• MCI
• Goodyear

• Delphi
• Eastman Kodak
• Outback Steakhouses
• Dennys
• Blockbuster
• Panera Bread

39
2004 Internal Control Reports

• 14 of accelerated filers reported material
  weakness in internal controls
• 53 of MWs due to material financial statement
  adjustments found by auditormost prevalent
• Tax accounting (27),
• Revenue recognition (25),
• Inventory/cost of sales (19)
• Lease accounting (17)
• Source Audit Analytics, May 18, 2005

40
Auditing Standard No. 4

• Reporting on Whether a Previously Reported
  Material Weakness Continues to Exist
• Voluntary report
• Standard would permit a company to hire an
  auditor to determine if a material weakness no
  longer exists, as of a specified date
• Objective is to express an opinion on whether a
  previously reported material weakness continues
  to exist
• Will be effective as of the date of SEC approval

41
Auditing Standard No. 4

• Conditions for auditor performance
• Auditor has audited the company's financial
  statements and internal control over financial
  reporting (ICFR) in accordance with AS 2 as of
  the date of company's most recent annual
  assessment of ICFR
• OR
• Auditor has been engaged to perform an audit of
  the financial statements and internal control
  over financial reporting in accordance with AS 2
  in the current year and has a sufficient basis
  for performing engagement

42
Auditing Standard No. 4

• Conditions for management
• Management accepts responsibility for
  effectiveness of ICFR
• Management evaluates the effectiveness of
  specific control(s) that it believes addresses
  the MW using the same control criteria and
  control objective(s)as used in most recent annual
  assessment of ICFR
• Management asserts that the specific control(s)
  identified is effective in achieving the control
  objective
• Management supports its assertion with sufficient
  evidence, including documentation
• Management presents a written report that will
  accompany the auditor's report that contains
  elements described in paragraph 48 of this
  standard

43
Auditing Standard No. 4

• Auditor must
• Obtain understanding of and evaluate management's
  evidence supporting its assertion that specified
  controls related to MW
• Are designed and operated effectively
• That controls achieve the company's stated
  control objective(s) consistent with control
  criteria
• Identified material weakness no longer exists
• Auditor should identify and test all controls
  necessary to achieve the stated control objective

44
Auditing Standard No. 4

• Auditor should evaluate operating effectiveness
  of specified control by determining whether
  specified control operated as designed and
  whether person performing the control possesses
  necessary authority and qualifications to perform
  control effectively
• If auditor determines that management has not
  supported assertion with sufficient evidence,
  auditor cannot complete the engagement because a
  condition for engagement completion would not be
  met

45
Auditing Standard No. 4

• Auditor's evaluation of management's report
• Auditor should evaluate whether
• Management has properly stated its responsibility
  for establishing and maintaining effective ICFR
• Control criteria used by management is suitable
• Material weakness, stated control objectives, and
  specified controls have been properly described
• Management's assertions, as of date specified in
  management's report, are free of material
  misstatement

46
Auditing Standard No. 4

• Auditor's report
• If auditor determines that previously reported MW
  continues to exist, he or she is not required to
  issue a report
• If the auditor does not issue report, he or she
  must communicate, in writing, to audit committee
  conclusion that the MW continues to exist
• If auditor identifies MW that has not been
  previously communicated to audit committee in
  writing, auditor must communicate that MW, in
  writing, to audit committee

47
Future Standard-Setting

• Responsibility for fraud detection
• Communications with audit committees
• Assessing audit risk
• Engagement quality review
• Auditing related party transactions
• Auditing fair value measurements
• Confirmation process

48
Keeping Current with PCAOB Standards Activities

• www.pcaobus.org
• Inspection reports
• Disciplinary proceedings
• Interim standards
• Proposed and final standards
• Staff QA
• Standing Advisory Group (SAG)
• Live and archived webcasts

49
Questions?