• Pressures will be applied to audit firms to create meaningful top-down, risk-adjusted audit plans for individual clients, moving beyond the checklist one-size-fits-all that was employed by some to get through the first year;
• PCAOB explicitly notes that good faith efforts of professional judgement will be reviewed as intended, and that their review of audit firms will expect external auditors to do a very thorough job of audit planning with an eye toward combined substantitive and control efforts;
• The importance of being able to rely on some of the testing of a corporate clients' internal controls staff is being increased in importance - a hotly debated question these last 9 months since AS2 was received;
• The PCAOB sees very real value in the continuing involvement of the external auditors when new accounting issues are being considered, a sticky widget and point of concern that had been very gray when the AS2 was released.

What is perhaps just as impressive as the message is the very readable, comprehensible format that this statement and QA take. Practitioners will find the Staff Questions and Answers to provide very specific "yes" and "no" answers haven't been as clear cut in past guidance.

One of the central questions in my mind has been how the Act will turn from a "you must comply" edict into a more sustainable business practice that management will feel more involved in driving. Key points of guidance make it clear that management has more discretion in directing efforts than has been communicated in the past, noting

• Q42 and Q49 consider the scope of testing deemed necessary by management versus that scope required for auditors to confirm managements attestation. With much emphasis on "top down" and "risk adjusted" testing, look for coming control audits to be very focused on Key Accounts, and not boiling the ocean - good news for Chief Accounting Officers that have been sweating the mounting audit fees.
• Q39, Q40 and Q43 suggest that auditors consider their previous experience and knowledge of a client company' s risks when designing their audit plan. The PCAOB seems very intent on making it clear: excessive or poorly planned audits are not acceptable. Accounting firms will need to be much more aware of their specific client risk environments, and plans need to be very dialed in.
• Q45 addresses the much debated issue of automated control testing. This recent guidance essentially acknowledges that, in the absence of changes AND in the presence of good general computer controls, automated controls can be relied on after a single testing. This notion of "benchmarking" should do much to encourage businesses to automate and streamline controls as well as monitor their general computer controls more closely, since it reduces both managements' necessary testing as well as that of the auditors.
• Finally, Q47 introduces what feels most dramatic in the way of sanity checking - the idea that many controls are in fact management monitoring and can be relied on for managements' attestation in lieu of extensive testing. Though perhaps a still too slippery slope for all management teams, the implications of this item suggest that regular management monitoring of control activities (i.e. management review of subordinates performance of control activities) is just as or more crucial to the health of the control environment as is the periodic testing. Go figure - this is why managers do these activities in the first place - to get comfortable that the work is being done correctly.

Very optimistic news indeed.