Shapi's Summary of PCAOB AS-5
December 20, 2006
So I read the PCAOB's new release last night. Here's what I think are the most noteworthy points:
1) They keep saying (p.6, A1-9) they will look for controls to prevent management override.
2) Company-level controls may be sufficient to address certain WCGWs (p.6 note 10, p. A1-9)
3) Audit procedures should be flexible and dynamic. The auditor should continually adjust his procedures to reflect new information learned (p.7). This includes knowledge based on previous years' work. Such knowledge can allow the auditor to reduce testing in some areas based on the effect this knowledge has on risk assessment (p.19, A1-26)
4) Testing procedures depend on risk. There should be a direct relationship between risk and evidence necessary to confirm controls to mitigate it (p.7, A1-21)
5) When determining the risk related to a given control, the auditor should take into consideration the audit procedures performed in the financial statement audit (p.8)
6) Regarding the new "definition" of MW - a "reasonable possibility": When I heard the PCAOB was coming out with this, I thought it meant something different than the old definition, "a less than remote chance." I was wrong; they both mean the same thing. The new definition is just a clarification of the old one (p.9)
7) "Strong indicators" of MWs are no longer automatically SDs (p.11).
8) SDs that are not remediated timely may or may not be MWs. It depends on why they were not remediated. If the company is not sufficiently committed to remediating SDs then it becomes an MW because it reflects on the control environment, not because of the issue itself (p.12 see also p.A1-30)
9) The same materiality and procedural guidelines for the financial statement audit should be used in the audit of ICFP (pp 13,14, A1-5).
10) There is no longer a requirement for the auditor to provide an opinion on management's assessment of internal controls; auditors only express an opinion on the effectiveness of the internal controls themselves (p. 15,16)
11) Auditors still need to acquire an understanding of management's process to determine the amount of management work they can rely on, as well as other reasons. However, the extent of work that auditors should perform for these purposes should be limited (p.16)
12) The amount of work the auditors can rely on depends on the competence and objectivity of those who performed the work. To determine this, auditors should, among other things, test some work of the individual whose work they want to rely on (p.17, 24, p.A2-4).
13) Besides relying on work of management, auditors may also have management assist them in their own work (p.A2-8).
14) Auditors only need to obtain from management information that constitutes evidence about effectiveness of internal controls or potential misstatements. Anything beyond this does not need to be provided to the auditors (p.23, p. A2-3, p. A2-4).
15) Auditors only have to do walkthroughs for each significant process, not for each significant transaction within the process (p.26)
16) Auditors should use individual circumstances to determine specific procedures, based on the Standard's general principles (p.31).
17) Lack of documentation of a control is NOT determinative of the lack of a control. In smaller companies, such documentation is typically lacking. In such cases, inquiry, observation, and other such procedures can suffice for testing (p. A1-8).
18) Testing should only be done when a control deficiency will violate an assertion to the point of creating an MW (p. A1-11, A1-18; see also p. A1-15).
19) You don't need to identify assertions. Quote: "The auditor may base his or her work on assertions that differ from those in this standard if the auditor has selected and tested controls over the pertinent risks in each significant account and over the representations by management that have a reasonable possibility of containing misstatements that would cause the financial statements to be materially misstated." (p. A1-16).
20) There is no preference for a preventive control over a detective control (p. A1-19)
21) Benchmarking is permitted for automated application controls (p.A1-26, A1-57, A1-58).