I think the first point to make is that we were always talking in terms of being ready to do a controls-based audit. That's actually a significant qualifier, the controls-based part. One can do audits that are not controls-based: the term used is a more substantive approach to auditing. From an auditor's perspective, that's a more costly way of proceeding, but it is equally effective or can be equally effective at the end of the day.
Our interest on focusing on the controls-based part of it was due to our interest being largely, as I suggested in my opening remarks, that we were looking at this as a catalyst for improving the internal control in government, for improving the state of the documentation of those controls and a kind of ongoing testing process to verify them.
So we embraced the idea of supporting the controls-based nature of auditing, and that goal remains in the policy that I've stated. We still endorse the notion that departments should have good systems of control and that a way of expressing this is that, should an audit be taken of them, we would hope the controls would be in a good enough state that the audit could indeed be controls-based.
What we haven't done, though--