Corporate IT Security Audit Compliance

event. However, many executives would rather not discuss
crisis readiness, he noted.

One reason for the lack of concern is that most ofthe com-
panies surveyed recovered from crises quickly and without
serious fmancial damage. Seventy-one percent of respondents
say crises had a limited impact on their company’s profitabil-
ity, while 6 percent report crises had a major impact. Simi-
larly, 71 percent praise their company’s ability to overcome
crises — 26 percent rate recovery efforts as “outstanding.”
Even so, respondents whose companies have overcome a
recent crisis are more likely to expect a future crisis and less
confident that their organization is prepared, the survey notes.
“When it comes to preparedness, they simply do not see as
high a level of readiness for many of their company’s key busi-
ness processes,” Everson said.

Regulatory Notes

PCAOB Proposes
Audit Standards

THE U.S. PUBLIC COMPANYAccounting Oversight
Board (PCAOB) has released
a draft standard for auditing
internal controls over finan-
cial reporting. If approved by
the U.S. Securities and
Exchange Commission (SEC),
An Audit of Internal Control
Over Financial Reporting
That Is Integrated With an
Audit of Financial State-
ments would replace Audit-
ing Standard No. 2 (AS2),
which was approved by the
SEC in June 2004. The board
is accepting public com-
ments through Feb. 26.

The PCAOB proposal fol-
lows recent SEC interpre-
tive guidance to help
management evaluate
internal controls over finan-
cial reporting more effi-
ciently. Both measures are
intended to help publicly

listed companies reduce
the costs of compliance
with the U.S. Sarbanes-
OxleyAct of 2002.

The PCAOB’s principles-
based internal control stan-
dard focuses the external
auditor on the most impor-
tant matters that can
increase the likelihood that
companies will discover
material weaknesses before
they impact financial state-
ments. It also eliminates
audit requirements that are
unnecessary to achieve the
intended benefits, provides
direction on how to scale
the audit for a smaller and
less complex company, and
simplifies the text of AS2.

In conjunction with the
AS2 revision, the PCAOB
proposed a rule to revise
the standard’s indepen-
dence requirement, which
requires external auditors to
seek specific pre-approval
of any internal control-
related service from the
audit committee. Proposed
Rule js^S’ Audit Committee
Pre-approval of Services
Related to Internal Control,
is intended to ensure that
audit committees receive
relevant information to
make an informed decision
on how the performance of

UPDATE

Overall, o n e – t h i r d of survey respondents aren’t concerned
about their company’s preparedness for a major crisis. M o r e
t h a n 6 0 percent are confident t h a t key husiness processes
such as legal a n d insurance services, financial m a n a g e m e n t ,
a n d accounting a n d reporting are well-prepared in t h e event
of a major crisis. – T. MCCOLLUM

IFAC Issues Code of Conduct Draft
E7PHE INTERNATIONAL FEDERATION OF ACCOUNTANTS
y (IFAC) has re-released draft guidance to help companies

develop and implement a code of conduct. Defining and
Developing an Effective Code of Conduct reflects updates
made after IFAC’s Professional Accountants in
Committee reviewed comments and suggestions received on

such services may affect
their independence.

In addition to the new
internal control audit stan-
dard, the PCAOB issued a
draft standard to clarify how
and to what extent an inde-
pendent auditor may use
the work of others — such
as internal auditors and
management — in an inte-
grated audit of financial
statements and internal
control or in an audit of
financial statements only.
Information about the pro-
posed audit standards is
available from the PCAOB’s
Web site, www.pcaob.org.

– J . WHITLEY

SEC Extends
Deadlines

THE SEC HAS GIVEN SMALLpublic companies and
new issuers more time to
comply with the internal
control reporting require-
ments of Sarbanes-Oxley
Section 404. The extension,
which was exposed for
comment in August 2006, is
consistent with the commis-
sion’s May 2006 proposal,
“Next Steps for Sarbanes-
Oxley Implementation.”

Small nonaccelerated fil-
ers now must provide a

management assessment of
the effectiveness ofthe
company’s internal control
over financial reporting
starting with fiscal periods
ending on or after Dec. 15,
2007. These firms have until
their first annual report for
the fiscal year ending on or
after Dec. 15, 2008, to com-
ply with the Section 4O4(b)
requirement to provide an
independent auditor’s attes-
tation report on internal
control over financial report-
ing in the company’s annual
reports. The new rules also
give newly public compa-
nies until their first annual
report after becoming an
Exchange Act reporting
company to comply with
Section 404 requirements.

These extensions will pro-
vide nonaccelerated filers
additional time to incorpo-
rate the SEC’s recently pro-
posed guidance to improve
the efficiency ofthe Section
4O4(b) auditor attestation
reporting process. The
extensions will also help
auditors adapt to the
PCAOB’s proposed replace-
ment standard for AS2.

Information about the
SEC’s extended compliance
deadlines can be found at
WWW.SeC.gov. – J . WHITLEY

F E B R U A R Y 2 0 0 7 I N T E R N A L A U D I T O R