Ask FERF (financial executives research foundation) about ... internal control audits.

• Author: de Mesa Graziano, Cheryl
• Position: Resources

On the same day the Public Company Accounting Oversight Board (PCAOB) issued its Auditing Standard 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, Financial Executives Research Foundation (FERF) summarized the Board's discussion in approving the standard and how it responded to comments on the proposed standard. (The complete analysis is at www.fei.org/news/pcaob_3_9_04.cfm). As a follow-up, the article by FERF beginning on page 48 provides a sampling of FEI member reactions to the rule and advice on what companies should do next.

Reliance on Internal Audit

While PCAOB understands the standard will be costly, it believes benefits will justify the costs. Thus, it has responded by being less prescriptive and allowing greater reliance by auditors on others, particularly internal audit. Specifically, the standard will allow more use of judgment by auditors and permits the use of a Statement of Auditing Standards (SAS) No. 65 approach, with modifications. Along these lines, walkthroughs must still be done directly by auditors, but now apply to major classes of transactions rather than all transactions. Also, external auditors can rely on information technology controls and period-end financial statement closing processes.

Reliance on internal audit, however, depends on auditors' judgment of both the competency and objectivity of others. Furthermore, a strong score on one criterion cannot offset weakness in the other. Also, judgment of competency and objectivity is specific to the area being assessed and does not mean the same reliance can be placed in other areas.

Management is still ultimately responsible for the internal control assessment to which external auditors will opine. And though final attestation still lies in the hands of external auditors, companies may want to take this opportunity to streamline documentation and testing efforts with their internal audit departments. This may reduce the time and resources a company spends on 404, especially considering that internal audit is focused on enterprise-wide risk management and operational controls, not just financial controls.

Thus, 404 work can be categorized as:

* Not independent and/or performed by management.

* Independent and/or performed by internal audit.

This could be helpful in identifying work on which external audit can rely. Internal audit may also be given priority in choosing specific areas to test...