Tuesday, April 14, 2009

PCAOB Votes To Issue Concept Release on Audit Confirms

At its board meeting earlier today, the PCAOB board voted unanimously to release a Concept Release regarding possible revisions to the board’s standard on audit confirmations. Here is PCAOB’s press release. The existing standard was adopted by the PCAOB as one of its ‘interim standards’ – i.e. adopted directly from the preexisting auditing standard of the AICPA, contained in AU Section 330. The PCAOB reviews the interim standards over time to determine whether amendments or new standards are needed. There will be a 45 day comment period on the Concept Release, ending May 29.

Nine topics for comment
Nine topics are raised for comment in the Concept Release, and staff noted they also seek comments in any other areas (besides the nine areas identified) from interested parties, including investors, auditors, preparers, and firms involved with technology. Based on my listening to the webcast of the meeting, here are the nine topics (reference should be made to the Concept Release when issued; we will update this post to include link to the Concept Release, and revise list below accordingly, if necessary, when the Concept Release is posted):
  1. Definition of confirmation –e.g., changing the definition may provide an opportunity for auditors to use such methods as direct access to 3rd party information to improve the response rate, and may take less time than traditional confirmation process
  2. Design/form of confirmation request: auditor should consider prior experience on audits of similar engagements, nature of information being confirmed… whether to test some or all addresses where confirmations will be sent, before they are sent.
  3. Requirement to confirm
  4. Designing response: the form of the request
  5. Maintain control over request and response; consider that advances in technology can also provide additional opportunities for skilled individuals to intercept and revise response
  6. Reliability: consider whether additional direction may be needed, changes may include performing procedures to address reliability when alternative forms of communication are used; factors to be considered include: is the confirmation process secure, properly controlled, is information obtained from a 3rd party who is the intended recipient.
  7. Exceptions to nonresponse: whether the standard should eliminate the ability of auditor to omit performing alternate procedures for a nonresponse [i.e. to obtain a positive confirmation]; performing alternative procedures and investigating nonresponse may result in identification of previously unidentified risk of material misstatement and fraud
  8. Management requests not to confirm selected accounts, disclaimers and restrictive language: AU 330 does not address what actions auditors should consider taking when management requests the auditor not to confirm selected accounts or other items; procedures the auditor could perform could include… [procedures] to support reasonableness of management’s request, evaluate impact on auditors assessment [of risk of material misstatement] including risk of fraud, the need to perform alternate procedures to obtain sufficient, competent evidence. In addition, consider any disclaimers used in management’s response (e.g. language that may say ‘management takes no responsibility for accuracy of the response’); whether auditor should evaluate restrictive language, and determine if alternate procedures should be used.
  9. Negative confirmations: consider whether to continue to allow use of negative confirmations, and if allowed, whether the auditor should be required to perform other substantive procedures.
An ‘Experiment’
Staff noted that discussion at the April 2 PCAOB Standing Advisory Group (SAG) meeting and an earlier SAG meeting supports the need for potential improvements to the audit confirmation process.

Based on feedback received on the Concept Release, the board will consider whether to propose an amendment to AU330, or a new standard to replace AU330. It was noted that information from the inspection process indicates there could be some improvement to the existing standard, particularly in light of new technologies developed since AU 330 was written 15 years ago, however, inspection results also indicate some auditors are simply not following the existing standard.

Similar to the SEC’s use of Concept Releases, issuance of a Concept Release by the PCAOB is a precursor to publishing a proposed standard or proposed amendment to a standard. Board members described this Concept Release as an ‘experiment’ in response to recommendations by the SAG that the PCAOB be more transparent about its deliberations in connection with rulemaking.

However, two board members (Bill Gradison and Steve Harris) noted concern about this extra step (issuance of a Concept Release) potentially stretching out the timetable of reaching a proposed and then final standard in this area.

Attorney confirmations
Board member Daniel Goelzer asked if attorney confirmations were within the scope of this Concept Release. He explained, “[An] auditor asks [legal] Counsel to provide information concerning litigation, pending claims, unasserted claims, is that in the scope of this?

Staff replied, “We have a section talking about attorney letters and confirmations in other standards, but specifically no, the Concept Release is not contemplating affecting attorney letters, they are unique, not expecting this Concept Release to effect that at all.” NOTE: Reference should be made to the Concept Release on this and other issues.

Additional highlights from today’s PCAOB board meeting will be included in a detailed summary on FEI’s website. (Detailed summary will be accessible by FEI members only, consider joining FEI!) If you received this blog post from ‘a friend’ and would like to receive our blog by email, send an email to blogs@financialexecutives.org and write in Subject line: Sign up.

Print this post

1 comment:

Brian Fox, CPA said...

Auditors used to think that "Controlling" the confirmation process meant putting the confirmations in the blue mailboxes ourselves and that the responses must come back to our offices and not the client's. In truth, we lost control of the confirmation process when we relied on and took the address of where to send the confirmations from either (1) the client or material in the client's possession, or (2) last year's work papers where at some point someone simply asked the client for where to send the confirmation or took that information off of client provided material.

I would submit that the audit standards are actually well written and what is needed is not necessarily more standards, but instead – regardless of the process used: mail, fax, electronic confirmations - auditors need to actually validate where they are sending the confirmations and authenticate the authorization and identity of the person who responded to the confirmation. Otherwise frauds involving fake confirmations like Parmalat, Satyam, Ahold, Take-Two Interactive, Just-for-Feet, CF Foods, ZZZZ Best and others will continue to happen.

Brian Fox, CPA