Several provisions of the Sarbanes-Oxley Act of 2002 (SOX) have led to tightened audit regulations and considerable increases in audit fees. For example, SOX section 103 requires audit workpaper retention for a minimum of seven years, and section 404(b) requires that auditors attest to management's assessment of its internal controls. In 2004, the Public Company Accounting Oversight Board (PCAOB) issued Auditing Standard 2 (AS2), An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, to address these new audit requirements. Due to the added audit work, auditors tended to charge higher audit fees, and companies had to devote more resources to meet the new requirements. A number of publicly traded companies have expressed their concerns about tiie increased financial and staffing burdens as a result of these more stringent auditing regulations. In some extreme cases, to avoid tiie added burdens, some of these companies have either gone private or moved to securities markets in other countries. In reaction to the high compliance costs and other concerns, the SEC postponed SOX section 404(b) auditor attestation requirements four times (to fiscal years ending after December 15, 2009), for nonaccelerated filers that were primarily small entities.
After two years of closely monitoring AS2 implementation, the PCAOB found that tiie benefits of internal control audits came at a significant cost In light of these findings, the PCAOB released Auditing Standard S (AS5), An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements, in 2007, which loosens some of these auditing requirements to alleviate the financial burden on public companies. ASS is designed to provide guidance to auditors on how to more effectively identify internal control weaknesses and, at the same time, eliminate costly and unnecessary procedures. There is some disagreement, however, on the potential cost savings that will result from this guidance, which advocates a risk-based approach to section 404. Former PCAOB deputy chief auditor Laura J. Phillips estimates that the new rules could result in a 10% reduction in related audit fees. Cynthia Fornelli, executive director of the Center for Audit Quality (CAQ)- an AICPA-affiliated nonprofit organization that represents almost 800 public accounting firms - cautions, 'It's dangerous to speculate about tiie cost savings at this point." Recent trends in reported audit fees provide a basis for analyzing tiie impact of ASS.
Key Differences Between AS5 and AS2
Five key differences between the requirements of ASS and AS2 are outlined below: 1) the degree of auditor discretion in identification of material weaknesses; 2) the top-down versus bottom-up approach in audit planning; 3) the scalability of the audit; 4) the ability to rely on tiie work of others; and S) the requirement for walkthroughs of significant transactions. The differences between AS2 and ASS are also summarized in Exhibit 1.
AS2 consisted of a detailed set of rules-based auditing standards which prescribed procedures for internal control audits, whereas ASS is more principlesbased, affording some discretion to the auditor. AS2 specified eight "strong indicators" of the existence of internal control material weakness: financial report restatement, internal control detection failures, an ineffective audit committee, an ineffective internal audit function or risk assessment function, an ineffective compliance function for entities in highly regulated industries, senior management fraud, uncor- rected significant deficiencies, and an inef- fective control environment. AS2 required auditors to regard and report these cir- cumstances as significant deficiencies and encouraged auditors to treat these "strong indicators" as material weaknesses. As a result, AS2 may have caused cautious audi- tors to direct audit efforts to all of the list- ed indicators, including those that were unlikely to lead to a material weakness in tiie context of tiie particular audit ASS uses the term "indicators" as opposed to "strong indicators," and explicitly states that the existence of these indicators does not necessary mandate the conclusion that internal control is ineffective. …