This training blog is made for you to understand Auditing Standards No. 5 without having to go through over a hundred-page book lecture. This will give context to the SOX 404 requirements, so it’s recommended for those looking for a refresher or just new to SOX 404.
I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.
Sarbanes-Oxley Act of 2002 was passed by Congress in 2002. This act has many sections. To name a few of them, they are section 302 and section 404. The first one is about CEOs and CFOs certifying that internal controls are in place and that they have effective internal controls. Section 404 pertains to management assessment of internal controls.
The Public Company Accounting Oversight Board or PCAOB creates standards or rules that serve as guide to auditors, so that companies can comply with the law. The first one they created related to SOX 404 is Auditing Standard No. 2. It was not easily accepted by companies as it was very prescriptive. There are some rules that are too general in some areas and yet so detailed in others, but all companies had to follow it.
From multinational companies and subsidiaries to a small biotech company that has no revenue, all of them were affected and complained that it was so expensive.
This was heard by the congress, so they put pressure on the PCAOB to address the issue. That is how the Auditing Standard No. 5 came about.
Before 2002, the audit opinion of the financial statements was just on the reasonableness of the numbers and not about HOW you got the actual numbers for cash, AR, pre-paid, fixed assets, P&L, the cash flow, or your disclosures.
It was all about the end result while the auditing firms actually understand some of how you got there. They focused on the following: Are the numbers correct? Can we substantiate it or tie it back to a third party report or confirmation?
When the Enron scandal happened, Congress put together a big committee to find out what are the root causes. These were the realizations:
- Not only are the numbers that the investors rely on importance.
- The processes to get to the numbers are also important.
- It is important to have internal controls over the financial reporting process.
- Auditors are now required to have separate opinions.
|Before the year 2002||When SOX 404 came after 2004|
|There is a standard three paragraph opinion:
||These were the changes:
The changes made to the auditor’s opinion led to the integration of the internal controls and financial audits. This is when the phrase “integrating the audits” started.
These are what paragraphs 6 and 7 of PCAOB AS5 talk about.
Paragraph 8 of AS5 explains that there is the recognition that you don’t necessarily need all of these rules to apply. Like for a start-up company that just went public, maybe they don’t have all the complexities or they don’t have revenues, so we don’t have to do any stuff about revenues. In situations like this, you need to scale back.
The note after this paragraph tells that this gives us license to say, “Make sure it’s risk based, that if in some circumstances, if it doesn’t apply, then it’s okay. You can skip it.” As an auditor, you can have that judgment and not have to do so much prescriptive work.
This is about the guidelines for the external auditors to plan the audit of the internal controls over financial reporting. Paragraph 9 and the next several paragraphs related to planning the audits talk about the factors that external auditors, especially for SOX auditors, should think about.
- Knowledge about the company’s internal controls if there were other audits done and other type of engagements done.
- The industry in which the company operates and other matters affecting this industry.
- There are some industries where revenue recognition is very critical, while others, like biotech industry, consider clinical trial accruals as critical.
- Company’s business – type of industry, operating characteristics
- Recent changes within the company or industry like new CFO, new system, or procedures implemented.
- Materiality risk and other factors in terms of material weakness.
- Control deficiencies previously communicated like having material weaknesses from last year.
- Legal or regulatory matters
- If the company is doing business with high-risk countries or BRIC countries (Brazil, Russia, India, China), there could be tone at the top or bribery issues. Then you are subjected to FCPA.
- Public information about the company
- Complexity of the operations
- Are there international subsidiaries or operations?
This is the end of part 1 of the Auditing Standards No. 5 training. Part 2 will be about Fraud Risks.