Speech by SEC Commissioner:
Remarks at the SEC Open Meeting: Approval of Auditing Standard #5 and Significant Deficiency
Commissioner Roel C. Campos
U.S. Securities and Exchange Commission
July 25, 2007
It's taken a long time to get here, but we've finally arrived. As promised, today marks the culmination of a tremendous amount of hard work and determination on the part of many people here at the SEC and at the PCAOB. First, I want to congratulate the PCAOB and their staff for responding to public comments and for crafting an excellent standard. Second, I want to thank the staff of our Office of the Chief Accountant and the Division of Corporation Finance for all of their efforts in this process. I know that AS 5 is the product of intensive hard work and tremendous cooperation on the part of the staffs of the SEC and PCAOB. The adoption of AS 5 is evidence that we and the PCAOB have developed a framework to work on complex accounting issues and to resolve them in a professional manner. It is an important milestone, and we have overcome certain growing pains. We have now hopefully established a framework to deal with tough issues and good faith differences of opinion, and still come out with a joint position on guidance and rulemaking.
At this point, the SEC and PCAOB have done everything that we have promised. After granting numerous extensions over the years to companies, particularly non-accelerated filers, we and the PCAOB have finally adopted standards and guidance for both auditors and management that should promote more effective and more efficient audits of internal control over financial reporting. I am confident that AS 5 and Management Guidance will greatly help companies of all sizes — but particularly smaller companies — comply with Section 404 in a cost-effective manner that seeks to minimize the possibility of a material misstatement in the financial statements. AS 5 is a rational, right-sized and principles-based approach that should enable auditors to appropriately scale the audit for smaller or less complex companies.
I'm confident that once auditors and companies begin to comply with and implement the new standard, costs will be rational and appropriate for smaller public companies. From this point forward, issuers should have nothing to fear from Section 404 of the Sarbanes-Oxley Act. Certainly investors, both domestic and foreign, have always appreciated the protections offered by SOX 404. Now, they will still have the protections offered by SOX 404, but they will also benefit by getting these protections in a more efficient and cost effective manner. As I have repeatedly emphasized, the rigorous disclosure regime in the United States, which includes the recent protections offered by the Sarbanes-Oxley Act, is a great protector of capital.
Let me focus on a few discrete aspects of AS 5 that I think deserve mentioning. First, much has been made about making the standard more principles-based and top-down focused. This is entirely appropriate and necessary. But we can't lose sight of the fact the passage of the Sarbanes-Oxley Act was due in large part to the massive financial frauds of a few years ago, that is, intentional fraud by senior management, who were able to override internal controls. In this respect, I think and hope that AS 5 has done an even better job of trying to focus auditors on the risk of fraud. Specifically, I note that addressing the risk of fraud has been moved into the "Planning the Audit" section of the standard. The focus on fraud risk during the planning stage of the audit should put fraud risk in the minds of the auditors from the very beginning of the process. I also think it is appropriate that AS 5 provides examples of controls that might address fraud risks. This, too, should focus auditors on the biggest risk of a massive financial misstatement.
I'm also pleased with respect to the definitions of "material weakness" and "significant deficiency." I know that we specifically asked a question about "material weaknesses" when we voted to put AS 5 out for public comment. I note that a majority of commenters believe that the definition appropriately describes the deficiencies that should prevent the auditor from concluding that internal controls over financial reporting are effective. Further, it is entirely appropriate for the definition to reference "interim financial statements." It makes perfect sense to me that if auditors uncover a deficiency that poses a reasonable possibility of a material misstatement in a company's Form 10-Q, that deficiency should be disclosed to investors.
I also think AS 5 has done a much better job with respect to scaling the audit. In particular, I appreciate the fact that the standard emphasizes that scaling should be based on both size and complexity of the company. As AS 5 notes, "even a larger, less complex company might achieve its control objectives differently than a more complex company." Notably, however, the notion of scaling the audit should not result in a less rigorous audit, nor does it exempt smaller or less complex companies from any of the principles set forth in AS 5.
In general, what makes AS 5 an appropriate and consistent standard is that all of the parts seem to fit together in a way that hopefully will produce a more effective, yet more efficient audit. It allows companies to scale the audit, to eliminate unnecessary procedures and to use more principles-based approaches. In this way, auditors should focus on what matters the most. Instead of checking the box, auditors should focus on the big picture.
With that said, let me just ask a few questions: I've focused on fraud controls and the fact that auditors must consider the risk of fraud when planning the audit. Do you think that AS 5 has done enough to focus on the risk of fraud?
Given the significance of the improvements from AS 2, both auditors and management are probably very anxious for the new standard to be implemented. How soon can auditors begin using AS 5?
There's been much talk about the potential need for small business issuers to get another extension. We all know that implementation will occur in stages. First, management's report is due next March for calendar year-end issuers, and then the following year, full implementation is required. In your view, is this enough time?
Thanks for those answers. Again, I'd like to thank everyone here and at the PCAOB who have put so much time into AS 5. It's an excellent document, and I'm pleased to support the finalization of AS 5.