|A generally positive review of the first-year audits under Auditing Standard No. 5 finds some fault with public accountants’ use of “others” to perform some internal control testing and related work. |
The PCAOB's inspectors reviewed auditors' integrated-audit proceduresand their efforts to transition to the new standard governing such audits, AS No. 5. The inspections indicated that the auditors whose work was inspected generally had applied the new standard so as to focus their procedures on the areas that they had assessed as presenting more significant audit risk. The inspectors observed, though, deficiencies
in some engagement teams' implementation of certain aspects of the standard. These deficiencies included instances where the engagement teams could have improved the audit by shifting more of their focus to the procedures that addressed audit areas of higher risk, as well as instances in which the auditors' procedures in the ICFR audit should have been more effective.
“Our report finds that, in the engagements our inspection teams looked at, auditors generally focused on the areas that presented the more significant audit risks,” says Daniel Goelzer, acting chair of the PCAOB. “While we are encouraged by the first-year implementation of AS 5, there is still room for improvement, and we will continue to review and assess the effectiveness of firms’ integrated audit procedures in 2009.”
Of note, inspectors for the most part found no deficiencies in external auditor assessments of risk, especially fraud risk. In fact, inspectors cited numerous instances in which auditors were “particularly effective” in identifying and testing controls that address fraud risk, notably the risk of management override. And the report is especially complimentary of auditors who involved client personnel with special skills and knowledge regarding fraud to assist in the fraud risk assessment and controls evaluation.
CAEs, however, should look beyond the PCAOB’s overall findings — most notably at the board’s assessment of the appropriateness of public accountant reliance on the work of others to reduce the costs of audits. AS 5 allows external auditors to apply professional judgment in determining appropriate reliance on the testing and other internal control work performed not only by internal auditors but also by other “objective and competent” client personnel. During the drafting of AS 5 in July 2007, The IIA urged that these “others” be limited to those with relevant certifications who operate in accordance with a stringent code of ethics and widely recognized standards.
PCAOB inspectors report numerous instances where, consistent with AS 5 guidance, external auditors used the work of company personnel other than internal auditors appropriately after determining that those performing the work on behalf of management were sufficiently competent and objective. However, the inspectors “also identified several instances that presented further opportunities for the auditors to use the work of others when the assessed level of risk was low,” such as when testing certain system reports and application controls.
Moreover, the report continues, inspectors found numerous instances where the extent of the use of the work of others to reduce the external auditor's own work was greater than is appropriate under AS 5 considering the level of risk associated with the control being tested. Examples cited include controls over journal entries, which typically are considered higher risk because of the risk of management override or other risk of fraud.
Finally, the PCAOB notes, “in certain instances the auditors performed few or no procedures to assess the competence of the others relative to the task being performed or did not adequately assess the objectivity of the others, particularly where the work was performed by company personnel other than internal auditors.”
Download the full report.