AS2 and AS5 are auditing standards enacted by the Security and Exchange Commission. Auditing Standard No. 5 replaced Auditing Standard No. 2 in 2007. Both have to do with Section 404 of the Sarbanes–Oxley Act, which is reporting done by management and external auditors on the internal controls of the business. The aim of AS5's implementation was to improve problems and enhance standards of AS2.
One of the most important differences between AS2 and AS5 is that AS5 incorporates risk assessment much more profoundly than AS2. For instance, instead of emphasis being placed primarily on a prescriptive auditor focus, as AS2 did, AS5 uses a principles-based focus. Risk analysis begins at financial statement levels and there is an emphasized approach to entity-level controls. AS5 also features an increased focus on fraud and fraud awareness.
AS5 seeks to reduce or eliminate unnecessary procedures and costs, particularly for small public-works companies with a market capitalization less or equal to $75 million. AS5 also encourages auditors to reference and utilize the work of others. This allows for a greater degree of risk control and risk management. Compared to AS2, AS5 emphasizes an increased awareness for internal control and strays from focusing on financial reporting. AS5 also uses a streamlined, single-audit framework system.
Changes in Terms
AS5 amended the definitions of certain terms. For instance, "material weakness" under AS5 means a "reasonable possibility that a material misstatement will not be prevented or detected on a timely basis." Another term that changed was "significant deficiency." Under AS5, this means "less severe than a material weakness, yet important enough to merit attention;" however, under AS5, companies are not required to search for significant deficiencies. When deficiency severity is identified, however, it should be evaluated.
Under AS5, the role and process of management's assessment changed. AS5 seeks to emphasize a top-down approach for audit planning. Another big difference had to do with understanding material weakness. Under AS2, material weakness was largely based upon eight different strong indicators. This made some auditors focus exclusively on these indicators, even if actual material weakness was not always present. AS5 simply uses the term "indicators" and notes that the presence of these indicators does not always warrant internal-control failure. This system is meant to have auditors use their own judgment in determining whether or not the indicators incite material weakness.