Auditing Standard No. 5 (AS 5) was released in the summer of 2007, and companies continue to evaluate its impact on their financial reporting process. AS 5 provides a framework for auditing a company's internal control over financial reporting, integrated with the audit of that company's financial statements. One of the most important aspects of AS 5 is that it allows a risk-based model for controls testing, thereby hopefully reducing some of the problems and cost of earlier SOX compliance efforts.
Like the Sarbanes-Oxley Act (SOX), AS 5 is descriptive in nature, meaning it doesn't specifically tell an auditor how to go about the audit. Rather, it provides guidance on the process and allows companies, along with their external auditors, to determine the true ramifications of how to best comply with SOX. The following is my interpretation of AS 5 based on feedback from many sources in the public accounting world and companies impacted by SOX. Make sure to visit the Public Company Accounting Oversight Board website and review the entire AS 5 guidance on your own, as well.
I find it's easiest to break down the AS 5 approach into four key buckets, with four corresponding questions:
- What is most important in an audit?
- Where is the "waste"?
- How big is the company?
- Where can we simplify?
Let's take a look at these buckets and their impact on your compliance efforts. I introduce each area with a question outlined above followed by a possible answer.
What is most important? Focus the audit on what really matters!
As with prior guidance from the PCAOB (Public Company Accounting Oversight Board), AS 5 allows companies to focus on areas of higher risk to financial reporting. The common theme from the PCAOB is: "Top-down, risk-based approach emphasizing judgment". Most companies already perform risk assessment activities, but now part of those activities should incorporate risks related to financial reporting. Several frameworks exist for executing risk assessments, with the COSO Enterprise Risk Management framework as an example of one that is widely adopted.
However, AS 5 auditing can present new challenges. A company must document its risk assessment, approach, judgments made, and testing of controls. Testing of controls is a process all companies are all too familiar with, but the focus now becomes associating risks with their respective controls testing. This is a daunting task and hopefully does not introduce yet another set of spreadsheets.
Where is the waste? Eliminate unnecessary procedures!
The PCAOB outlined several areas where wasteful activities may exist. The external auditor no longer has the formal requirement to evaluate management's process for evaluating controls. Management must no longer test all controls with the same diligence. Rotating controls testing is not allowed; however, not all controls are created equal. For example, a manufacturing company will continue to test user management processes for financial applications. However, it may elect to deemphasize network access controls. Audit firms may now leverage the knowledge gained through testing controls in the previous year.
This section of AS 5 provides flexibility to use the work of others to a much greater extent, including testing of the control environment and performance of walk-throughs under the company's direct supervision. Excellent and much needed guidance is contained in this section of AS 5! As always, the company and external audit firm should communicate well in advance of the audit to determine the best approach for conducting SOX audit procedures.
How big is the company? Scale the audit for smaller companies!
During the era of SOX, many companies have complained of the onerous tasks "required" to comply with SOX. Now external audit firms should evaluate the size and complexity of their customer. Smaller companies can and should document how their size and complexity affect the audit, since this will assist in discussions with external auditors. In this discussion, the company can present how it is less complex and how its size affects its SOX compliance program.
Where can we simplify the requirements?
Focus on the important and critical areas of controls providing the greatest level of assurance for financial reporting. Some may interpret this as meaning the level of detail and specificity has been reduced to encourage auditors to apply professional judgment. This all depends on the facts and circumstances, rather than taking a one-size-fits-all approach. I have heard auditors, both internal and external, are relying more on judgment, provided the logic and rationale are clearly documented as to why a particular testing approach is in place.
Overall, the implementation of AS 5 marks a dramatic change in SOX compliance. I continually hear from colleagues how the number of hours required to comply with SOX is in decline. This reduction of hours occurs both internally at companies and externally regarding the billable hours of audit firms. I believe this presents an opportunity for companies to better leverage technology beyond the traditional spreadsheet approach. Software vendors, including CA, are producing applications to document risk assessments, maintain controls testing information from year to year, more efficiently deploy testing tasks, and simply better maintain the entire set of documents produced by risk and compliance activities, including SOX.