PCAOB approves new audit standard: enterprise governance studied globally … Sarbanes-Oxley section 404 progress … computer crime on the rise …

Internal Auditor, April, 2004 by J. Whitley

THE U.S. PUBLIC COMPANY Accounting Oversight Board (PCAOB) recently approved Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements. The 250-page standard, which will become effective upon approval by the U.S. Securities and Exchange Commission, addresses the work required by a company's external auditor to audit internal controls over financial reporting, as well as the relationship of that work to the audit of the firm's financial statements.

The standard recognizes an integrated audit of internal control and financial statements, resulting in two audit opinions: one on management's assessment and one on the effectiveness of internal control over financial reporting. It also supports the use of the term audit rather than attestation, considering the relationship between an integrated approach of internal control and financial statement audits.

The PCAOB acknowledges that internal controls are not a one-size-fits-all process and expects the external auditor to use reasonable judgment in determining the scope of the audit. Also sensitive to the cost of compliance, the PCAOB encourages companies to invest in competent and objective internal audit functions to help reduce external audit costs. Prompted by more than 190 comments from respondents to the initial exposure draft, including The Institute of Internal Auditors (IIA), the board acknowledged the value of an experienced internal audit function. It amended the standard to allow more flexibility for external auditors to rely on the work performed by internal auditors--at the external auditors' discretion--and stressed the importance of competency and independence as required in The IIA's International Standards for the Professional Practice of Internal Auditing.

According to the new standard, among other work requirements, the external auditor must:

* Evaluate management's basis for expressing its conclusion on the effectiveness of internal controls over financial reporting.

* Perform a walkthrough of the company's significant processes to gain an understanding of how internal controls are designed and operated.

* Identify significant accounts and make relevant assertions about which controls should be tested to obtain evidence about the operating effectiveness of the controls.

* Perform sufficient testing of internal controls to evaluate where the controls are likely to prevent or detect financial statement misstatements.

* Obtain evidence to support the operating controls related to financial statement assertions.

* Provide the principal evidence for the audit opinion. In doing so, external auditors are allowed flexibility in using internal audit test results, based on the competency and objectivity of the people who performed the work.

* Evaluate the results of testing, identify significant deficiencies, and report material weaknesses. The auditors must notify the audit committee of control deficiencies that rise to a certain level of severity.

The PCAOB also proposed amendments to its existing interim audit standards to include Auditing Standard No. 2 and voted to extend the registration deadline for non-U.S. accounting firms from April 19 to July 19, 2004.

The new standard and its related appendices can be found on the PCAOB's Web site, www.pcaobus.org, under "Rulemaking."