PCAOB Wants More SOX Scrutiny
is to gain assurance that the output con- By Tammy Whitehouse
trols are accurate and operating effectively.
“How do you know” questions typically
lead to the desired response. The level of
detail is subjective to the SMEs performing
C orporate America should take note that auditors may soon be upping their game
when it comes to performing internal control audits over financial reporting, fol-
lowing a recent regulatory report that highlights areas where more work is needed.
the assessment and the level of assurance one The Public Company Accounting Oversight Board published a report summarizing
obtains from the documentation, reports, or inspectors’ observations after the first full cycle of auditing and inspection under Audit-
tests performed on the controls. ing Standard No. 5, the new-and-improved handbook for how to audit internal controls
over financial reporting. AS5 replaced Auditing Standard No. 2, the PCAOB’s original
Don’t Repeat Your Own Y2K standard on internal control auditing, which was heavily criticized for requiring exces-
A mini Y2K may exist at many firms in
the form of service recoveries, cus-
tomer rebates for inaccurate calculations,
sive, costly audit work.
In its report, the PCAOB said auditors generally are hitting the mark in terms of
planning and performing audits, but listed six specific areas where improvements can
or financial statement restatements. How be made. The six hot spots identified by inspectors touch on the perennial issues that
can these errors be avoided? By imple- have been controversial since The Sarbanes-Oxley Act first put internal controls over
menting a regular health check on your financial reporting into the spotlight.
systems output controls you can reduce Most notably, the PCAOB cited weaknesses in evaluating entity-level controls and
or eliminate a significant number of these in testing controls, which address “tone at the top” and cover things such as informa-
problems. tion technology infrastructure, investigation procedures, ethics programs, and the like.
In today’s fast-paced environment where In addition, inspectors also are focusing on
staff changes due to downsizing and busi- risk assessments, the risk of fraud, using the
ness challenges and other demands adverse- work of others, and evaluating and commu-
ly impact technology, we must ensure that nicating deficiencies.
changes to our systems are truly understood “The report generally says auditors are
“The report says auditors are
end to end. If we fail to remember to ensure getting the idea, but they’re not doing it getting the idea, but they’re
that one simple change in one application perfectly yet,” says Susan Lister, national
can have serious implications downstream