Spe-cifically, the act instructed the PCAOB to include in their yet-to-be-adopted rules a require-ment that each audit of a public firm should include a review and approval, carried out
Trang 1Bruce Bettinghaus
This article
dis-cusses the requirements of the recently proposed
Public Company
Accounting
Over-sight Board (PCAOB)
Auditing Standard
No 7 (AS 7)
requir-ing the review and
approval of a second
audit partner of each
audit A discussion of
the concerns expressed in
com-ment letters to the proposed
AS 7 follows the presentation
of the requirements of the
stan-dard Initially this requirement
will only directly affect
Securi-ties and Exchange Commission
(SEC) registrants, but as with
other PCAOB requirements,
this requirement is expected to
influence non-SEC registrants
as well Therefore, AS 7 should
be of concern to all audited or
potentially audited companies as
well as investors and creditors
SEC APPROVES NEW
STANDARD
On October 29, 2009, the SEC formally received
Audit-ing Standard No 7,
Engage-ment Quality Review, from the
PCAOB for the SEC’s approval
The SEC took a bit longer than normal to approve the new rule, but they did approve the rule
on January 15, 2010 The new standard accomplishes two main goals for the PCAOB First the new standard fulfills a require-ment that was originally included
in the Sarbanes-Oxley Act (SOX) As part of the original
2002 act as passed by Congress, the legislators called for a second partner, or concurring review and approval of the audit report
of a registered audit firm Spe-cifically, the act instructed the PCAOB to include in their yet-to-be-adopted rules a
require-ment that each audit of
a public firm should include a review and approval, carried out either by a qualified second partner in the firm or a qualified independent reviewer.1 Although it took the Board seven years to promulgate such a rule, the new standard ful-fills this mandate
Additionally, the Board thinks that this new standard will “increase the likelihood that
a registered public accounting firm will catch any significant deficiencies before it issues its audit report.”2 This second rea-son is echoed by then-Chairman Mark W Olson As part of his public statements during the open meeting where the standard was adopted, he suggests that poor-quality concurring reviews were at the heart of some audit failures Olson indicates PCAOB inspectors have found that the range in quality and rigor of the second or concurring partner
is one of the most problematic issues they face.3 So, the Board not only was tying up a loose
The author discusses the requirements of the recently proposed Public Company Accounting Oversight Board (PCAOB) auditing standard (AS 7) requiring the review and approval of a second audit partner of each audit The PCAOB intended
to get tough—the standard is designed to be rigorous Unfortunately, the additional costs of implementing it might exceed any benefit
© 2010 Wiley Periodicals, Inc.
Quality Review Standard
Trang 2has been discovered too late and a restatement
is required A well-performed engagement quality review should significantly reduce the risk of such a problem
Anyone who has been through a restatement and re-audit will tell you that a timely, high quality engagement review is well worth the burden and cost to avoid bigger burdens and costs later (PCAOB Member Charles D Niemeier, July 28, 2009) The language in the last sentence of Niemeier’s statement makes it clear the Board believes the new standard to be a net benefit His argument
is based on an average cost benefit analysis; a small increase in cost that improves the audit process will lower the likelihood of
a more serious audit fail-ure If the Board is correct, then investors and creditors who are concerned with the governance of related firms should be supportive of the new standard
The actual language in the standard calls for the quality reviewer to “evaluate the sig-nificant judgments made by the engagement team and the related conclusions reached in forming the overall conclusion on the engagement and in preparing the engagement report.”4 The standard outlines a nine-point process and instructions for communicating the work done
by the EQR
Exhibit 1 summarizes the checklist for the engagement quality reviewer in an audit The EQR should evaluate significant judgments related to engagement
The standard is intended
to be rigorous, because our inspection record amply demonstrates renewed rigor is jus-tified But it’s not intended to be a re-audit Rather, the review
is simply that—a review
of work already per-formed by the engage-ment team To accom-plish this, the reviewer uses three tools: the standard expects the reviewer to talk with the engagement part-ner and team members, review certain relevant documents, and apply some critical thinking
to determine whether to
sign off with concurring approval The reviewer doesn’t do any testing, request any confirma-tions, conduct any walk-throughs, or perform any other procedures that are necessary to obtain rea-sonable assurance that the financial statements are fairly stated
There’s simply no way
to see this as a re-audit, which is indeed an enormous undertaking
Regrettably, in some cir-cumstances, companies
do undergo re-audits, for example when a problem
end from the now
seven-year-old Sarbanes-Oxley Act, but
they also believe that a stronger
standard for a peer-based audit
review would help to improve
the overall quality of audits for
public companies
This standard, once it is approved by the SEC, will be
required for all SEC clients
for both their yearly audit and
their quarterly reviews An
open question is how this new
standard will impact the audit
practices of private firms The
members of the Board seem
convinced that the new standard
will be a net benefit That is, the
increase in audit quality will be a
greater benefit than any increase
in the cost of the audit It is
likely that the American
Institute of Certified Public
Accountants (AICPA) will
include this second review
and sign off in auditing
standards for non-SEC
registrants to be consistent
with PCAOB
require-ments Also, if this second
sign-off is considered a
net benefit, private firms’
owners and lenders might
also require a concurring-partner
quality review as part of their
audits
WHAT THE STANDARD
WILL REQUIRE
One of the main concerns
of comment letter writers was
the new standard would require
the engagement quality reviewer
(EQR) to essentially reaudit
the client Obviously, if this
was the case, the added costs
would have been substantial
Board member Charles D
Niemeier lays this concern
to rest by insisting that this
required review will not require
the duplication of audit
procedures:
If the Board is correct, then investors and creditors who are concerned with the governance of related firms should be supportive of the new standard.
Trang 3planning, including the firm’s
recent engagement experience
with the company and risks
identified in connection with
the firm’s client acceptance and
retention process as well as
con-sideration of the company’s
busi-ness, recent significant
activi-ties, related financial reporting
issues and risks, and judgments
made about materiality and the
effect of those judgments on the
engagement strategy The EQR
should also evaluate the
engage-ment team’s assessengage-ment of, and
audit responses to, significant
risks identified by the
engage-ment team, including fraud risks The EQR should evalu-ate significant judgments made about materiality and disposition
of corrected and uncorrected identified misstatements and the severity and disposition of identified control deficiencies
The EQR should also consider the engagement team’s evalua-tion of the firm’s independence
in relation to the engagement, the engagement completion document, and confirm with the engagement partner that there are no significant unresolved matters Financial statements,
management’s report on internal control, and the related engage-ment report should be reviewed
The EQR should read other information in documents con-taining the financial statements
to be filed with the SEC and evaluate whether the engage-ment team has taken appropriate action Based on the procedures required by this standard, the EQR should evaluate whether appropriate matters have been communicated, or identified for communication, to the audit committee, management, and other parties, such as regulatory bodies.5
After going through the above steps, the EQR should evaluate if the engagement team responded appropriately to sig-nificant risks, and if the engage-ment docuengage-mentation supports the conclusions made by the team
Finally, the reviewer’s report can provide approval for the auditors
to release their audit report if the EQR does not discover any sig-nificant engagement deficiency
The audit firm is prohibited from releasing their engagement report for the client’s use until the EQR is satisfied with the quality of the audit Finally, the EQR must supply documenta-tion that “should contain suf-ficient information to enable an experienced auditor, having no previous connection with the engagement, to understand the procedures performed by the EQR, and others who assisted the reviewer.”6 The standard also requires essentially the same process and documentation for quarterly reviews
HOW IS THIS DIFFERENT FROM OTHER EQR STANDARDS?
Other auditing standard setters have existing standards for EQR, including both the
Engagement Quality Reviewer Checklist
Evaluate significant judgments considering:
•
• Recent engagement experience
• Identified risks
• Company’s business
• Significant activities
• Materiality Evaluate engagement team’s assessment of significant risks
• Evaluate significant judgments made about:
•
• Materiality
• Disposition identified misstatements
• Severity and disposition of control deficiencies Review:
•
• Evaluation of independence
• Completion document
• Financial statements
• Management’s report on internal control
• Related engagement report Confirm with the engagement partner that there are no significant
• unresolved matters
Read documents containing financial statements to be filed with the
• SEC
Evaluate:
•
• Handling of material inconsistencies or misstatements of fact
• Whether appropriate consultations have taken place
• Whether appropriate matters have been communicated
Exhibit 1
Trang 4accounting firm and comply with all applicable independence requirements In addition, the standard prohibits the engage-ment quality reviewer from hav-ing had overall responsibility for the audit client for at least two years prior to serving as the review partner Neither the IAASB nor the ASB standards require the engagement partner reviewer to comply with the two-year “cooling-off ” period, nor do they require the reviewer
to be an associated person of the firm Finally, the IAASB stan-dards do not include reviewer independence requirements.7
IS THE STANDARD A NET BENEFIT?
The process of auditing financial statements is designed
to improve the usefulness of those financial statements for the end-user However, if the audit costs are high enough, they will swamp the value of the audit to the users of the financial state-ments Many of the comment letters to the SEC regarding the final rule suggest that auditors believe that the new require-ments will not be a net benefit (see Exhibit 3 for a list of the commenters’ main concerns)
The two areas that generated complaints from commenters
specifically related to subse-quent changes to, or retention
of, the EQR documentation in either the IAASB or the ASB standards The EQR standard includes a requirement that the reviewer evaluate whether the engagement documentation (1) indicates that the engagement team responded appropriately
to significant risks and (2) supports the conclusion reached
by the engagement team
Although the IAASB standards contain a similar documentation review requirement, the ASB standard does not contain an equivalent requirement The EQR standard requires the engagement quality reviewer to
be an associated person of the
International Auditing and
Assurance Standards Board
(IAASB) and the Auditing
Stan-dards Board (ASB) The PCAOB
believes that their standard is
superior to those standards The
written comments of Board
member Steven B Harris detail
the differences as indicated in
Exhibit 2 The EQR standard
requires concurring approval
of issuance by the engagement
quality reviewer before an audit
firm can grant permission to the
client to use the audit report
Neither of the comparable
stan-dards issued by the IAASB or
ASB require the same level of
assurance The EQR standard
requires that appropriate
docu-mentation of the EQR process—
including the documentation
that is specifically described in
the standard—be included as a
part of the engagement
docu-mentation, and that the
require-ments be followed in AS No 3,
Audit Documentation, related
to subsequent changes to audit
documentation and document
retention These requirements
are in direct response to
docu-mentation deficiencies related to
second-partner reviews
identi-fied by the PCAOB inspection
process There are no provisions
Differences Between AS 7 and Other Standards
Requires concurring approval of issuance before use of audit report
• Requires a higher level of assurance
• Requires a higher level of documentation
• Addresses subsequent changes to, or retention of, the EQR
• documentation Requires evaluation of risk consideration and conclusions
• Requires a two-year “cooling-off” period
• Requires reviewer independence
•
Exhibit 2
Concerns of Comment Writers
Reviewer reaudits client
• Costs too high, so not a net benefit
• Excessive and unrealistic documentation requirements
• Increased legal risk from excessive documentation
• Changing definition of due professional care
•
Exhibit 3
Trang 5practitioners by leaving
a trail enabling litigants and other adversaries
to impugn the compe-tency of engagement personnel (Comment letter to the SEC, Piercy Bowler Taylor & Kern, November 6, 2009) The other area of concern that the majority of commenters focused on was the language in the release related to “due pro-fessional care.” AU 230 spells out the general standard relating
to due professional care The standard requires that auditors act with diligence and reasonable care, but the standard does not specifically say that by using due care the auditor will catch all possible deficiencies in the audit; in fact, the stan-dard says just the opposite
A quote from Cooley on Torts is the third paragraph
of the standard, and it is clear that the auditor who takes on an engagement does so “for good faith and integrity, but not for infal-libility.”8 In light of this commonly understood auditing term, many commenters took issue with the language in the release that seemed to be rais-ing the bar on what constituted due professional care The let-ter from Grant Thornton was a clear indictment of this release language:
We agree with para-graph 12 of AS 7, which requires the engagement quality reviewer to per-form the review with due professional care
However, we believe the Board has introduced confusion in the release, which states: “A quali-fied reviewer who has
could have the effect of requiring documentation
of all of the interac-tions between the EQR reviewer and the engage-ment team We do not believe this is what was intended by the stan-dard, as it would clearly
be impracticable, and
we believe it would be useful to confirm that the standard as written does not create such a documentation obliga-tion (Deloitte letter to the SEC, November 24, 2009)
The audit firm’s fears are spelled out in a few of the
com-ment letters; the clearest state-ment comes from Piercy Bowler Taylor & Kern These firms are all concerned that a thorough documentation of all conversa-tions between the EQR and the engagement team would result
in a much higher risk of legal action
We firmly believe that documentation of defi-ciencies encountered by reviewers at any level and their resolution would be of no posi-tive value with regard
to engagement quality and more significantly, would pose substantial unwarranted risks to
were the Board’s interpretation
of the phrase “due professional
care” and the Board’s discussion
of the documentation
require-ments contained in AS 7
When the Board issues a new standard, they also issue a
release document that explains
the process and conclusions used
in finalizing the new standard
It is this release document that
seems to have caused the
con-cern among those who wrote to
the SEC to comment on the new
standard A clear majority of
let-ter wrilet-ters focused on language
in the release that seemed to
either contradict the language in
the standard or add additional
burdens to the EQR With regard
to the documentation required,
the standard is quite clear
about requiring three
spe-cific items The
documen-tation should include who
was on the engagement
quality review, what
docu-ments they examined, and
when the EQR team gave
their concurrence to the
audit team
But the language in the release document seems
to go much further than those
three requirements A number
of commenters focused on the
following sentence in the release
as an example that modified
the standard in a way that was
unacceptable: “For example, if
a reviewer identified a
signifi-cant engagement deficiency to
be addressed by the engagement
team, the engagement team
should document its response
to the identified deficiency in
accordance with AS No 3” (AS
No 7 Release, p 38) The letter
from Deloitte requests
clarification:
We are concerned, however, that the state-ments in the Release
The documentation should include who was on the engagement quality review, what documents they exam-ined, and when the EQR team gave their concurrence to the audit team.
Trang 6the requirements of the proposed standard and indicated concerns expressed in comment letters
Additional costs might exceed any benefit Potentially exces-sive documentation requirements might be unrealistic to comply with and increase exposure to risks of legal liability Finally, the standard of due professional care might be raised to an untenable level
NOTES
1 Sarbanes-Oxley Act of 2002, 103(a)(2) (A)(ii).
2 PCAOB Release 2009-004, p 2.
3 PCAOB Chair, Mark W Olson, July 28, 2009.
4 AS 7, ¶ 9.
5 AS 7, ¶ 10.
6 AS 7, ¶ 19.
7 Statement of Steven B Harris, July 28, 2009.
8 AU Section 230.03—Due Professional Care in the Performance
of Work.
cies will be detected, but rather that the engage-ment quality reviewer will have reasonable, but not absolute, assurance that significant engage-ment deficiencies have been discovered in the review (Comment letter
to the SEC from Grant Thornton, November 25, 2009)
CONCLUDING COMMENTS
AS 7, recently approved by the SEC, is being issued by the PCAOB to both comply with Sarbanes-Oxley and attempt to improve the quality of audits of SEC registrants As with other PCAOB audit requirements, AS 7
is also likely to influence audit requirements for private com-panies This article summarized
done so will, necessarily, have discovered any significant engagement deficiencies that could reasonably have been discovered under the circumstances.” Some may interpret this as redefining “due profes-sional care.” We do not believe that the Board should set requirements
in the standards, and then, in the release imply that the words in the standards do not mean what they say
To clarify that due pro-fessional care, as defined
in AU sec 230, Due Pro-fessional Care in the Per-formance of Work, does not guarantee that any or all significant
deficien-Bruce Bettinghaus, PhD, is an assistant professor of accounting in Grand Valley State University’s School
of Accounting (Grand Rapids, MI) His teaching and research interests focus on global financial reporting, corporate governance, and business ethics education