Speech by SEC Staff:
Opening Remarks at the SEC Open Meeting


Zoe-Vonna Palmrose

Deputy Chief Accountant, Office of the Chief Accountant
U.S. Securities and Exchange Commission

Washington, D.C.
July 25, 2007

Thank you Conrad.

Let me begin by looking back a few months and reviewing, first, as John mentioned, the PCAOB received 175 comment letters when it exposed a draft of Auditing Standard No. 5 for public comment last December. Then, as has been noted, at this year's April 4th Open Commission Meeting, the Commission and its staff discussed the comments received by the PCAOB, along with those received by the Commission in connection with its proposed interpretive guidance for management. At the 4-04 meeting, the Commission directed us to focus on four areas when working with the PCAOB staff. Those areas were:

  1. Aligning the proposed auditing standard with the Commission's proposed interpretive guidance for management, particularly with regard to prescriptive requirements, definitions and terms;
  2. Scaling the audit to account for the particular facts and circumstances of companies, particularly in smaller companies;
  3. Encouraging auditors to use professional judgment, particularly in using risk-assessment; and
  4. Following a principles-based approach to determining when and to what extent the auditor can use the work of others.

We are very pleased to be able to report to you today that the PCAOB has addressed each of these areas, in addition to other matters raised by commenters, in the version of AS No. 5 that they adopted in May and that you are now considering. While I won't detail all of the improvements — suffice it to say, this standard is much less prescriptive, appropriately allows for auditor judgment, eliminates unnecessary procedures from the audit, and directs the auditor to focus on what matters most. These improvements are significant and they are responsive to the comments received by the PCAOB, including those discussed at our April 4th Open Meeting.

Now let me turn to the comments in response to the Commission's June 7th request for comment on the standard you have before you. The Commission received 37 comment letters. These comment letters came from issuers, registered public accounting firms, professional associations, investors, and others. Overall, many commenters expressed support for the proposed standard and recommended that the Commission approve the standard and the related conforming amendments. Some of these commenters requested that this approval be done on an expedited basis to enable auditors to implement the provisions of AS 5 prior to the required effective date. A number of the commenters noted that AS 5 includes appropriate investor safeguards, that it will facilitate a more effective and efficient approach to the ICFR audit, and that the PCAOB appropriately responded to concerns raised by issuers, auditors, investors and others. Specifically, some commenters noted that the standard's focus on principles rather than prescriptive requirements expands the opportunities for auditors to apply well-reasoned professional judgment.

Still, a few commenters expressed their continuing concern that, in reducing the number of ICFR-related audit opinions from two to one, the Commission and the PCAOB retained the wrong auditor opinion. These few commenters indicated their belief that auditors should opine on the assessment made by management in order to comply with Section 404(b) of the Sarbanes-Oxley Act, which some equated to opining on management's evaluation process. These commenters expressed their belief that auditors opining directly on ICFR (as opposed to management's assessment) entails unnecessary and duplicative work. The staff has carefully considered this comment and continues to believe that — consistent with Sections 103 and 404 of the Sarbanes-Oxley Act and the Commission's recent rule amendments — AS 5 requires the appropriate opinion to be expressed by the auditor. Further, the staff believes that an auditing process that is restricted to evaluating what management has done would not necessarily provide the auditor with a sufficient level of assurance to render an independent opinion as to whether management's assessment about the effectiveness of ICFR is correct. Finally, the staff believes that the expression of a single opinion directly on the effectiveness of ICFR is not only important from an investor protection standpoint, but provides clear communication to investors that the auditor is not responsible for issuing an opinion on management's process for evaluating ICFR. In the staff's view, an opinion on the latter may not only have the unintended consequence of hindering management's ability to apply appropriate judgment in designing their evaluation approach, but also may have the effect of increasing audit costs without commensurate benefit to issuers and investors.

As you know, the Commission sought comments on seven specific questions in a supplemental June release as part of its request for public comment. I will briefly touch on the responses we received to each of the seven questions. And we would be pleased to discuss any issues in greater detail, and answer any questions that you might have.

On the first question, with respect to whether materiality is appropriately defined throughout AS 5 to provide sufficient guidance for auditors, the majority of the commenters who expressed a view on this question said yes. Some commenters elaborated that while application of materiality concepts in the context of planning and performing an audit requires the use of judgment, AS 5 appropriately specifies the basis on which those judgments should be made. The staff agrees that AS 5 adequately addresses materiality throughout the standard. Even so, a few commenters expressed a view that some auditors may need further and clearer guidance than is provided about materiality generally, for integrated audits of both ICFR and the financial statements. However, the staff does not believe that AS 5 is the appropriate forum to address broader questions about materiality, as the concept of materiality is fundamental to the federal securities laws — nonetheless, this is an area the staff continues to focus on in the broader context.

With respect to the second question, whether the communication requirement regarding significant deficiencies will divert auditors' attention away from material weaknesses, commenters who expressed a view on this matter overwhelmingly said no. They said, for example, that AS 5 clearly directs the auditor to scope the audit to identify material weaknesses to be disclosed to investors. The staff agrees.

With respect to the third question, whether AS 5 is sufficiently clear that multiple control deficiencies should only be looked at in combination if they are related to one another, most of those commenting on this question said yes — that AS 5 is sufficiently clear in this regard. Although a couple of commenters disagreed, stating that the auditor is expressing an opinion on the effectiveness of internal control as a whole. Again here, the staff agrees that AS 5 is sufficiently clear, and notes that it is aligned with the Commission's interpretive guidance for management in this regard.

With respect to the fourth question, whether the definition of "material weakness" appropriately describes the deficiencies that should prevent the auditor from finding that ICFR is effective, the majority of those commenting on this topic responded affirmatively. The staff agrees.

On the fifth question, related to the auditor's use of the work of others, the majority of those who commented expressed their view that AS 5 is clear about the extent to which auditors can use the work of others to gain efficiencies in the audit, with some noting that AS 5 provides substantial flexibility in the application of auditor judgment when determining whether, and to what extent, to use the work of others. The staff agrees that AS 5 is sufficiently clear about the extent to which the auditor can use the work of others. However, two commenters recommended that if the work of others is found to be competent and reliable, then the standard should require the auditor to utilize it. But while we anticipate auditors would use the work of others under appropriate circumstances, including when the approach results in greater efficiency, we do not believe that it is necessary or appropriate to preclude the auditor from utilizing his or her judgment in determining whether or not to use the work of others based on the particular facts and circumstances of the engagement.

As to the sixth question on whether AS 5 will reduce costs and result in cost-effective, integrated audits, a number of commenters stated their view that AS 5, as approved by the PCAOB, together with the Commission's guidance for management, will result in a reduction of the total Section 404 compliance effort. Some commenters agreed that a cost reduction would occur, but also noted that the amount of reduced effort and cost associated with the ICFR audit will vary by company depending on factors such as their size, complexity, the degree of change from year-to-year, the quality of their internal control systems and documentation, and the extent to which management appropriately applies the Commission's interpretive guidance for management. None of the commenters suggested that cost would increase.

Even so, some commenters noted that while AS 5 may curtail excessive testing of controls and reduce some of the unnecessary documentation currently required for Section 404 audits, they still have concerns about the extent to which it will reduce costs for smaller public companies. A number of commenters urged the Commission and PCAOB to closely monitor the extent to which the standard is implemented and achieves a reduction in costs, and to take action if there is not an appropriate reduction. In a minute, I will say more about this issue.

But first, and relatedly, let me cover the seventh question as to whether AS 5 inappropriately discourages or restricts auditors from scaling audits, particularly for smaller public companies. Most commenters who responded to this question said no. They noted that the standard appropriately discusses the concepts of scalability based on size and complexity without including inappropriate restrictions on the auditor's ability to scale the audit. The staff agrees that AS 5 appropriately recognizes scaling and tailoring of all audits to fit the relevant facts and circumstances, so that ICFR audits will fit the size and complexity of the company being audited rather than the company's control system being made to fit the auditing standard. The staff also agrees with the statement made by the Board in its release to AS 5 that "scaling will be most effective if it is a natural extension of the risk-based approach and applicable to all companies."

Before leaving question 7, I would also like to respond to the observation by some commenters that where feasible, AS 5 should provide additional guidance on how to effectively plan an integrated audit for smaller public companies and some discussion of related best practices to enhance a broader understanding of risk-based auditing. First, let me note that COSO guidance issued a year ago, and directed to smaller public companies, should be helpful to both those companies who choose COSO as the framework for evaluating their controls and their auditors, in effectively and efficiently implementing 404. In addition, COSO currently is conducting a project to develop guidance intended to help organizations better understand the monitoring component of the framework and comply with Section 404 in a cost effective manner.

Further, and importantly for responding to the concerns of some commenters, the PCAOB has underway a separate project to develop guidance and education for auditors of smaller public companies. We are monitoring this project. The staff recognizes its importance as part of getting a good implementation of AS 5 for non-accelerated filers on their first ICFR audits with their filings in 2009.

Moreover, in addition to this project, the staff is working in a number of other ways, as we go forward, to monitor the implementation of the Commission's new guidance for management and the PCAOB's new guidance for auditors. As selected examples:

So, these are among the activities that illustrate, going forward, both the SEC and PCAOB will be focused on whether audit firms are achieving an effective and efficient implementation of the new 404 guidance. In closing, I would like to reinforce the appreciation expressed by others to the Commission, including for your guidance to the staff throughout the past year and especially at the April 4th open Commission meeting, to the PCAOB Board and staff, and to the Office and Division staffs that have worked so long and hard on this project, including my staff, in particular, Brian Croteau, Josh Jones, Amy Hargrett, Esmeralda Rodriguez, Jeff Ellis, and Kevin Stout.

Brian Croteau and Josh Jones who have played key roles in our efforts to rationalize the implementation of 404 are at the table today to help answer your questions.

That concludes our opening remarks.

Chairman Cox, the staffs of OCA and the Division of Corp Fin would be happy to discuss any questions that you and the Commissioners might have.