Skip Ribbon Commands
Skip to main content
Stay Connected: Twitter Facebook Flickr RSS E-Mail

Click Plus Sign Icon to expand menu items
Click Minus Sign Icon to collapse menu items

AT Section 501

Reporting on an Entity's Internal Control Over Financial Reporting

[The following section was effective when the subject matter or assertion was as of or period ending on or after June 1, 2001. It was superseded by PCAOB Auditing Standard No. 2, effective for audits of fiscal years ending on or after November 15, 2004, for accelerated filers, and on or after July 15, 2005, for all other issuers. See PCAOB Release No. 2004-008.

Current versions of the Interim Standards. ]
Source: SSAE No. 10.
See section 9501 for interpretation of this section.
Effective when the subject matter or assertion is as of or for a period ending on or after June 1, 2001. Earlier application is permitted.

Applicability

.01

This section provides guidance to the practitioner who is engaged to issue or does issue an examination report on the effectiveness of an entity's internal control over financial reporting fn 1 as of a point in time (or on an assertion thereon). fn 2 Specifically, guidance is provided regarding the following:

  1. Conditions that must be met for a practitioner to accept an engagement to examine the effectiveness of an entity's internal control (See paragraphs .04 and .05.); the prohibition of acceptance of an engagement to review such subject matter (See paragraph .10.)
  2. Engagements to examine the design and operating effectiveness of an entity's internal control (See paragraphs .16–.68.)
  3. Engagements to examine the design and operating effectiveness of a segment of an entity's internal control (See paragraph .69.)
  4. Engagements to examine only the suitability of design of an entity's internal control (no assertion is made about the operating effectiveness of the internal control) (See paragraphs .70 and .71.)
  5. Engagements to examine the design and operating effectiveness of an entity's internal control based on criteria established by a regulatory agency (See paragraphs .72–.76.)

.02

This section does not provide guidance for the following:

  1. Engagements to examine controls over operations or compliance with laws and regulations fn 3
  2. Agreed-upon procedures engagements (See section 201, Agreed-Upon Procedures Engagements.)
  3. Certain other services in connection with an entity's internal control covered by other authoritative guidance (See paragraph .11 and the Appendix [paragraph .84].)
  4. Consulting engagements (See paragraph .12.)
  5. Engagements to gather data for management (See paragraphs .09 and .21.)

.03

An entity's internal control over financial reporting fn 4 includes those policies and procedures that pertain to an entity's ability to initiate, record, process, and report financial data consistent with the assertions embodied in either annual financial statements or interim financial statements, or both. A practitioner engaged to examine the effectiveness of an entity's internal control should comply with the general, fieldwork, and reporting standards in section 101, Attest Engagements, and the specific performance and reporting standards set forth in this section. fn 5 [Revised, April 2002, to reflect conforming changes necessary due to the issuance of Statement on Auditing Standards No. 94.]

Conditions for Engagement Performance

.04

A practitioner may examine the effectiveness of an entity's internal control if the following conditions are met.

  1. Management of the entity accepts responsibility for the effectiveness of the entity's internal control. (The term responsible party is used in this section to refer to the management personnel who accept responsibility for the effectiveness of the entity's internal control.)
  2. The responsible party evaluates the effectiveness of the entity's internal control using suitable criteria. Such criteria are referred to as control criteria throughout this section. fn 6
  3. Sufficient evidential matter exists or could be developed to support the responsible party’s evaluation.

.05

As part of engagement performance, the practitioner should obtain from the responsible party a written assertion about the effectiveness of the entity's internal control. The responsible party may present its written assertion in either of the following:

  1. A separate report that will accompany the practitioner's report
  2. A representation letter to the practitioner

.06

The responsible party’s written assertion about the effectiveness of an entity's internal control may take many forms. Throughout this section, for example, the phrase, "management's assertion that W Company maintained effective internal control over financial reporting as of [date]," illustrates such an assertion. Other phrases, such as "management's assertion that W Company's internal control over financial reporting as of [date] is sufficient to meet the stated objectives," may also be used. However, a practitioner should not accept an assertion that is so subjective (for example, "very effective" internal control) that people having competence in and using the same or similar criteria would not ordinarily be able to arrive at similar conclusions.

.07

Regardless of whether the practitioner’s client is the responsible party, the responsible party’s refusal to furnish a written assertion as part of an examination engagement should cause the practitioner to withdraw from the engagement. However, an exception is provided if an examination of internal control is required by law or regulation. In that circumstance, the practitioner should disclaim an opinion on internal control unless he or she obtains evidential matter that warrants expressing an adverse opinion. If the practitioner expresses an adverse opinion and the responsible party does not provide an assertion, the practitioner's report should be restricted as to use (see section 101.78–.81).

.08

Additionally, at the beginning of the engagement, the practitioner may want to consider discussing with the client and the responsible party the need for the responsible party to provide the practitioner with a written representation letter prior to the conclusion of the engagement. In that letter, the responsible party will be asked to provide, among other possible items, a written acknowledgment of their responsibility for establishing and maintaining internal control and their assertion stating their evaluation of the effectiveness of the entity's internal control and specifying the control criteria used. The responsible party's refusal to furnish these representations (see paragraphs .44 and .45) constitutes a limitation on the scope of the engagement.

.09

The responsible party is responsible for establishing and maintaining effective internal control. In some cases, the responsible party may evaluate and report on the effectiveness of internal control without the practitioner's assistance. However, the responsible party may engage the practitioner to gather information to enable the responsible party to evaluate the effectiveness of the entity's internal control.

Other Attest Services

.10

A practitioner may examine or perform agreed-upon procedures relating to the effectiveness of the entity's internal control. However, he or she should not accept an engagement to review such subject matter or a written assertion about such subject matter. A practitioner asked to perform agreed-upon procedures relating to an entity’s internal control should refer to the guidance in section 201.

.11

The Appendix [paragraph .84] presents a listing of authoritative guidance for a practitioner engaged to provide other services in connection with an entity's internal control. Under the Securities Exchange Act of 1934, certain reports on the entity's internal control are required. Rule 17a-5 requires such a report for a broker or dealer in securities. The American Institute of Certified Public Accountants (AICPA) Audit and Accounting Guide Brokers and Dealers in Securities contains a sample report that a practitioner might use in such circumstances. In addition, Form N-SAR requires a report on the internal control of an investment company. A sample report that a practitioner might use in such situations is included in the Audit and Accounting Guide Audits of Investment Companies, published by the AICPA. Such information, included in the Appendix [paragraph .84], in Rule 17a-5, and in Form N-SAR, is not covered by this section.

Nonattest Services

.12

The responsible party may engage the practitioner to provide certain nonattest services in connection with the entity's internal control. For example, the responsible party may engage the practitioner to provide recommendations on improvements to the entity's internal control. A practitioner engaged to provide such nonattest services should refer to the guidance in CS section 100, Consulting Services: Definitions and Standards.

Components of an Entity's Internal Control

.13

The components that constitute an entity's internal control are a function of the definition and description of internal control used by the responsible party for the purpose of assessing its effectiveness. For example, the responsible party may select the definition and description of internal control based on the internal control framework set forth in Internal Control—Integrated Framework, fn 7 published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. fn 8Internal Control—Integrated Framework describes an entity's internal control as consisting of five components: control environment, risk assessment, control activities, information and communication, and monitoring. If the responsible party selects another definition and description of internal control, these components may not be relevant.

Limitations of an Entity's Internal Control

.14

Internal control, no matter how well designed and operated, can provide only reasonable assurance to the responsible party and the board of directors regarding achievement of an entity's control objectives. The likelihood of achievement is affected by limitations inherent to internal control. These include the realities that human judgment in decision-making can be faulty, and that breakdowns in internal control can occur because of human failures such as simple error or mistake. Additionally, controls can be circumvented by the collusion of two or more people or management override of internal control.

.15

Custom, culture, and the corporate governance system may inhibit fraud by management, but they are not absolute deterrents. An effective control environment, too, may help mitigate the probability of such fraud. For example, an effective board of directors, audit committee, and an internal audit function may constrain improper conduct by management. Alternatively, an ineffective control environment may negate the effectiveness of the other components. For example, when the presence of management incentives creates an environment that could result in material misstatement of financial statements, the effectiveness of control activities may be reduced. The effectiveness of an entity's internal control might also be adversely affected by factors such as a change in ownership or control, changes in management or other personnel, or developments in the entity's market or industry.

Examination Engagement

.16

The practitioner's objective in an engagement to examine the effectiveness of the entity's internal control is to express an opinion on (a) the effectiveness of the entity’s internal control, in all material respects, based on the control criteria or (b) whether the responsible party's written assertion about the effectiveness of internal control is fairly stated, in all material respects, based on the control criteria. The practitioner's opinion relates to the effectiveness of the entity's internal control taken as a whole, and not to the effectiveness of each individual component (control environment, risk assessment, control activities, information and communication, and monitoring) of the entity's internal control. fn 9 Therefore, the practitioner considers the interrelationship of the components of an entity's internal control in achieving the objectives of the control criteria. To express an opinion, the practitioner accumulates sufficient evidence about the design effectiveness and operating effectiveness of the entity's internal control, thereby restricting attestation risk to an appropriately low level. When evaluating the design effectiveness of specific controls, the practitioner considers whether the control is suitably designed to prevent or detect material misstatements on a timely basis. When evaluating operating effectiveness, the practitioner considers how the control was applied, the consistency with which it was applied, and by whom it was applied.

.17

Performing an examination of the effectiveness of an entity's internal control involves the following:

  1. Planning the engagement
  2. Obtaining an understanding of internal control
  3. Evaluating the design effectiveness of the controls
  4. Testing and evaluating the operating effectiveness of the controls
  5. Forming an opinion on the effectiveness of the entity's internal control, or the responsible party’s assertion thereon, based on the control criteria

Planning the Engagement

General Considerations

.18

Planning an engagement to examine the effectiveness of the entity's internal control involves developing an overall strategy for the scope and performance of the engagement. When developing an overall strategy for the engagement, the practitioner should consider factors such as the following:

  • Matters affecting the industry in which the entity operates, such as financial reporting practices, economic conditions, laws and regulations, and technological changes
  • Knowledge of the entity's internal control obtained during other professional engagements
  • Matters relating to the entity's business, including its organization, operating characteristics, capital structure, and distribution methods
  • The extent of recent changes, if any, in the entity, its operations, or its internal control
  • The responsible party’s method of evaluating the effectiveness of the entity's internal control based upon control criteria
  • Preliminary judgments about materiality, inherent risk, and other factors relating to the determination of material weaknesses
  • The type and extent of evidential matter pertaining to the effectiveness of the entity's internal control
  • The nature of specific controls designed to achieve the objectives of the control criteria, and their significance to internal control taken as a whole
  • Preliminary judgments about the effectiveness of internal control

Multiple Locations

.19

A practitioner planning an engagement to examine the effectiveness of the internal control of an entity with operations in several locations should consider factors similar to those he or she would consider in performing an audit of the financial statements of an entity with multiple locations. It may not be necessary to understand and test controls at each location. In addition to the factors listed in paragraph .18, the selection of locations should be based on factors such as the following:

  1. The similarity of business operations and internal control at the various locations
  2. The degree of centralization of records
  3. The effectiveness of the control environment, particularly management's direct control over the exercise of authority delegated to others and its ability to effectively supervise activities at the various locations
  4. The nature and amount of transactions executed and related assets at the various locations

Internal Audit Function

.20

Another factor the practitioner should consider when planning the engagement is whether the entity has an internal audit function. An important responsibility of the internal audit function is to monitor the performance of an entity's controls. One way internal auditors monitor such performance is by performing tests that provide evidence about the effectiveness of the design and operation of specific controls. A practitioner should consider the guidance in AU section 322, The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements, when assessing the competence and objectivity of internal auditors, the extent of work to be performed, and other matters.

Documentation

.21

Controls and the control objectives that they were designed to achieve should be appropriately documented to serve as a basis for the responsible party's assertion and the practitioner's report. Such documentation is generally prepared by the responsible party. However, at the responsible party's request, the practitioner may assist in preparing or gathering such documentation. This documentation may take various forms: entity policy manuals, accounting manuals, narrative memoranda, flowcharts, decision tables, procedural write-ups, or completed questionnaires. No one particular form of documentation is necessary, and the extent of documentation may vary depending upon the size and complexity of the entity.

Obtaining an Understanding of Internal Control

.22

A practitioner generally obtains an understanding of the design of specific controls by making inquiries of appropriate management, supervisory, and staff personnel; by inspecting entity documents; and by observing entity activities and operations. The nature and extent of the procedures a practitioner performs vary from entity to entity and are influenced by factors such as those discussed in paragraph .18.

Evaluating the Design Effectiveness of Controls

.23

To evaluate the design effectiveness of an entity's internal control, the practitioner should obtain an understanding of the controls within each component of internal control. fn 10

.24

Any of the components of internal control may include controls designed to achieve the objectives of the control criteria. Some controls may have a pervasive effect on achieving many overall objectives of these criteria. For example, computer general controls over program development, program changes, computer operations, and access to programs and data help assure that specific controls over the processing of transactions are operating effectively. In contrast, other controls are designed to achieve specific objectives of the control criteria. For example, management generally establishes specific controls, such as accounting for all shipping documents, to ensure that all valid sales are recorded.

.25

The practitioner should focus on the significance of controls in achieving the objectives of the control criteria rather than on specific controls in isolation. The absence or inadequacy of a specific control designed to achieve the objectives of a specific criterion may not be a deficiency if other controls specifically address the same criterion. Further, when one or more control achieves the objectives of a specific criterion, the practitioner may not need to consider other controls designed to achieve those same objectives.

.26

Procedures to evaluate the effectiveness of the design of a specific control are concerned with whether that control is suitably designed to prevent or detect material misstatements in specific financial statement assertions. Such procedures will vary depending upon the nature of the specific control, the nature of the entity's documentation of the specific control, and the complexity and sophistication of the entity's operations and systems.

Testing and Evaluating the Operating Effectiveness of Controls

.27

To evaluate the operating effectiveness of an entity's internal control, the practitioner performs tests of relevant controls to obtain sufficient evidence to support the opinion in the report. Tests of the operating effectiveness of a control are concerned with how the control was applied, the consistency with which it was applied, and by whom it was applied. The tests ordinarily include procedures such as inquiries of appropriate personnel, inspection of relevant documentation, observation of the entity's operations, and reapplication or reperformance of the control.

.28

The evidential matter that is sufficient to support a practitioner's opinion is a matter of professional judgment. However, the practitioner should consider matters such as the following:

  • The nature of the control
  • The significance of the control in achieving the objectives of the control criteria
  • The nature and extent of tests of the operating effectiveness of the controls performed by the entity, if any
  • The risk of noncompliance with the control, which might be assessed by considering the following:
    • Whether there have been changes in the volume or nature of transactions that might adversely affect control design or operating effectiveness
    • Whether there have been changes in controls
    • The degree to which the control relies on the effectiveness of other controls (for example, the control environment or computer general controls)
    • Whether there have been changes in key personnel who perform the control or monitor its performance
    • Whether the control relies on performance by an individual or by electronic equipment
    • The complexity of the control
    • Whether more than one control achieves a specific objective

.29

The responsible party may provide the practitioner with the results of its tests of the operating effectiveness of certain controls. Although the practitioner should consider the results of such tests when evaluating the operating effectiveness of controls, it is the practitioner's responsibility to obtain sufficient evidence to support his or her opinion and, if applicable, corroborate the results of such tests. When evaluating whether sufficient evidence has been obtained, the practitioner should consider that evidence obtained through his or her direct personal knowledge, observation, reperformance, and inspection is more persuasive than information obtained indirectly, such as from management or other personnel. Further, judgments about the sufficiency of evidence obtained and other factors affecting the practitioner's opinion, such as the materiality of identified control deficiencies, should be those of the practitioner.

.30

The nature of the controls influences the nature of the tests of controls the practitioner can perform. For example, the practitioner may examine documents regarding controls for which documentary evidence exists. However, documentary evidence regarding the control environment (such as management's philosophy and operating style) often does not exist. In these circumstances, the practitioner's tests of controls would consist of inquiries of appropriate personnel and observation of entity activities. The practitioner's preliminary judgments about the effectiveness of the control environment often influence the nature, timing, and extent of the tests of controls to be performed to obtain evidence about the operating effectiveness of controls in the accounting system and other controls.

.31

The period of time over which the practitioner should perform tests of controls is a matter of judgment; however, it varies with the nature of the controls being tested and with the frequency with which specific controls operate and specific policies are applied. Some controls operate continuously (for example, controls over sales) while others operate only at certain times (for example, controls over the preparation of interim financial statements and controls over physical inventory counts). The practitioner should perform tests of controls over a period of time that is adequate to determine whether, as of the date specified in the assertion, the controls necessary for achieving the objectives of the control criteria are operating effectively.

.32

The client may request the practitioner to examine the effectiveness of controls related to the preparation of interim financial information. Depending on the period(s) specified in the assertion, the practitioner should perform tests of controls in effect during one or more interim periods to form an opinion about the effectiveness of such controls in achieving the related interim reporting objectives.

.33

Prior to the date specified in the assertion, the responsible party may change the entity's controls to make them more effective or efficient, or to address control deficiencies. In these circumstances, the practitioner may not need to consider controls that have been superseded. For example, if the practitioner determines that the new controls achieve the related objectives of the control criteria and have been in effect for a sufficient period to permit the practitioner to assess their design and operating effectiveness by performing tests of controls, the practitioner will not need to consider the design and operating effectiveness of the superseded controls.

Forming an Opinion

.34

When forming an opinion on the effectiveness of an entity's internal control or a written assertion thereon, the practitioner should consider all evidence obtained, including the results of the tests of controls and any identified control deficiencies, to evaluate the design and operating effectiveness of the controls based on the control criteria.

Deficiencies in an Entity's Internal Control

.35

During the course of the engagement, the practitioner may become aware of significant deficiencies in the entity's internal control. The practitioner's responsibility to communicate such deficiencies is described in paragraphs .41–.43.

Reportable Conditions

.36

AU section 325, Communication of Internal Control Related Matters Noted in an Audit, defines reportable conditions as matters coming to an auditor's attention that represent significant deficiencies in the design or operation of internal control that could adversely affect the entity's ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements. [Revised, April 2002, to reflect conforming changes necessary due to the issuance of Statement on Auditing Standards No. 94.]

Material Weaknesses

.37

A reportable condition may be of such magnitude as to be considered a material weakness. AU section 325 defines a material weakness as a condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by error or fraud in amounts that would be material in relation to the financial statements may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions. Therefore, the presence of a material weakness will preclude the practitioner from concluding that the entity has effective internal control. However, depending on the significance of the material weakness and its effect on the achievement of the objectives of the control criteria, the practitioner may qualify his or her opinion (that is, express an opinion that internal control is effective "except for" the material weakness noted) or may express an adverse opinion. fn 11

.38

When evaluating whether a reportable condition is also a material weakness, the practitioner should recognize that—

  1. The amounts of misstatements caused by error or fraud that might occur and remain undetected range from zero to more than the gross financial statement amounts or transactions that are exposed to the reportable condition.
  2. The risk of misstatement due to error or fraud is likely to be different for the different possible amounts within that range. For example, the risk of misstatement due to error or fraud in amounts equal to the gross exposure might be very low, but the risk of smaller amounts might be progressively greater.

.39

In evaluating whether the combined effect of individual reportable conditions results in a material weakness, the practitioner should consider the following:

  1. The range or distribution of the amounts of misstatement caused by error or fraud that may result during the same accounting period from two or more individual reportable conditions
  2. The joint risk or probability that such a combination of misstatements would be material

.40

Evaluating whether a reportable condition is also a material weakness is a subjective process that depends on factors such as the nature of the accounting system and of any financial statement amounts or transactions exposed to the reportable condition, the overall control environment, other controls, and the judgment of those making the evaluation.

Communicating Reportable Conditions and Material Weaknesses

.41

A practitioner engaged to examine the effectiveness of the entity's internal control should communicate reportable conditions to the client’s audit committee fn 12 and identify the reportable conditions that are also considered to be material weaknesses. Such a communication should preferably be made in writing. Because of the potential for misinterpretation of the limited degree of assurance associated with the practitioner issuing a written report representing that no reportable conditions were noted during the examination, the practitioner should not issue such representations.

.42

Because timely communication may be important, the practitioner may choose to communicate to his or her client significant matters during the course of the examination rather than after the examination is concluded. The decision about whether an interim communication should be issued would be influenced by the relative significance of the matters noted and the urgency of corrective follow-up action.

.43

If, in a multiple-party arrangement, the practitioner’s client is not the responsible party, the practitioner has no responsibility to communicate reportable conditions to the responsible party. For example, if the practitioner is engaged by his or her client to examine the effectiveness of internal control of an entity targeted for acquisition, the practitioner has no obligation to communicate any reportable conditions to the targeted entity. However, the practitioner is not precluded from making such a communication.

Written Representations

.44

.44The practitioner should obtain written representations from the responsible party fn 13

  1. Acknowledging the responsible party's responsibility for establishing and maintaining effective internal control.
  2. Stating that the responsible party has performed an evaluation of the effectiveness of the entity's internal control and specifying the control criteria.
  3. Stating the responsible party's assertion about the effectiveness of the entity's internal control based on the control criteria as of a specified date.
  4. Stating that the responsible party has disclosed to the practitioner all significant deficiencies in the design or operation of internal control which could adversely affect the entity's ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements and has identified those that it believes to be material weaknesses in internal control.
  5. Describing any material fraud and any other fraud that, although not material, involve management or other employees who have a significant role in the entity's internal control.
  6. Stating whether there were, subsequent to the date being reported on, any changes in internal control or other factors that might significantly affect internal control, including any corrective actions taken by the responsible party with regard to significant deficiencies and material weaknesses.

[Revised, April 2002, to reflect conforming changes necessary due to the issuance of Statement on Auditing Standards No. 94.]

.45

The responsible party's refusal to furnish all appropriate written representations constitutes a limitation on the scope of the examination sufficient to preclude an unqualified opinion and is ordinarily sufficient to cause the practitioner to disclaim an opinion or withdraw from an examination engagement. However, based on the nature of the representations not obtained or the circumstances of the refusal, the practitioner may conclude, in an examination engagement, that a qualified opinion is appropriate. Further, the practitioner should consider the effects of the responsible party's refusal on his or her ability to rely on other representations.

Reporting Standards

.46

The practitioner may examine and report directly on an entity's effectiveness of internal control (see paragraphs .47 and .48) or he or she may examine and report on the responsible party's written assertion (see paragraphs .49–.51), except as described in paragraph .54.

.47

The practitioner's examination report on the effectiveness of an entity's internal control over financial reporting should include the following:

  1. A title that includes the word independent
  2. An identification of the subject matter (internal control over financial reporting) and the responsible party
  3. A statement that the responsible party is responsible for maintaining effective internal control over financial reporting
  4. A statement that the practitioner’s responsibility is to express an opinion on the effectiveness of an entity’s internal control based on his or her examination
  5. A statement that the examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included obtaining an understanding of internal control over financial reporting, testing and evaluating the design and operating effectiveness of internal control, and performing such other procedures as the practitioner considered necessary in the circumstances
  6. A statement that the practitioner believes the examination provides a reasonable basis for his or her opinion
  7. A paragraph stating that, because of inherent limitations of any internal control, misstatements due to errors or fraud may occur and not be detected. (In addition, the paragraph should state that projections of any evaluation of internal control over financial reporting to future periods are subject to the risk that internal control may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.)
  8. The practitioner’s opinion on whether the entity has maintained, in all material respects, effective internal control over financial reporting as of the specified date based on the control criteria fn 14
  9. A statement restricting the use of the report to the specified parties (see the fourth reporting standard) under the following circumstances (see also paragraph .07):
    • When the criteria used to evaluate internal control over financial reporting are determined by the practitioner to be appropriate only for a limited number of parties who either participated in their establishment or can be presumed to have an adequate understanding of the criteria
    • When the criteria used to evaluate internal control over financial reporting are available only to specified parties
  10. The manual or printed signature of the practitioner’s firm
  11. The date of the examination report

.48

The following is the form of report a practitioner should use when he or she expresses an opinion directly on the effectiveness of an entity's internal control as of a specified date.

Independent Accountant's Report

[Introductory paragraph]

We have examined the effectiveness of W Company's internal control over financial reporting as of December 31, 20XX, based on [identify criteria]. W Company's management is responsible for maintaining effective internal control over financial reporting. Our responsibility is to express an opinion on the effectiveness of internal control based on our examination.

[Scope paragraph]

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included obtaining an understanding of the internal control over financial reporting, testing and evaluating the design and operating effectiveness of the internal control, and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.

[Inherent limitations paragraph]

Because of inherent limitations in any internal control, misstatements due to error or fraud may occur and not be detected. Also, projections of any evaluation of the internal control over financial reporting to future periods are subject to the risk that the internal control may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

[Opinion paragraph]

In our opinion, W Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 20XX, based on [identify criteria] fn 15

[Signature]

[Date]

.49

The practitioner's examination report on a written assertion about the effectiveness of an entity's internal control over financial reporting should include the following:

  1. A title that includes the word independent
  2. An identification of the written assertion about the effectiveness of the entity's internal control over financial reporting as of a specified date and the responsible party (When the written assertion does not accompany the practitioner's report, the first paragraph of the report should also contain a statement of the assertion.)
  3. A statement that the assertion is the responsibility of the responsible party
  4. A statement that the practitioner’s responsibility is to express an opinion on the written assertion based on his or her examination
  5. A statement that the examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included obtaining an understanding of internal control over financial reporting, testing and evaluating the design and operating effectiveness of internal control, and performing such other procedures as the practitioner considered necessary in the circumstances
  6. A statement that the practitioner believes the examination provides a reasonable basis for his or her opinion
  7. A paragraph stating that, because of inherent limitations of any internal control, misstatements due to errors or fraud may occur and not be detected (In addition, the paragraph should state that projections of any evaluation of internal control over financial reporting to future periods are subject to the risk that internal control may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.)
  8. The practitioner’s opinion on whether the assertion about the effectiveness of the entity’s internal control over financial reporting as of the specified date is fairly stated, in all material respects, based on the control criteria fn 16
  9. A statement restricting the use of the report to specified parties (see the fourth reporting standard) under the following circumstances:
    • When the criteria used to evaluate the effectiveness of internal control over financial reporting are determined by the practitioner to be appropriate only for a limited number of parties who either participated in their establishment or can be presumed to have an adequate understanding of the criteria
    • When the criteria used to evaluate the effectiveness of internal control over financial reporting are available only to specified parties
  10. The manual or printed signature of the practitioner’s firm
  11. The date of the examination report

.50

The following is the form of report a practitioner should use when he or she expresses an opinion on a written assertion about the effectiveness of an entity’s internal control as of a specified date.

Independent Accountant’s Report

[Introductory paragraph]

We have examined management's assertion, included in the accompanying [title of management report], that W Company maintained effective internal control over financial reporting as of December 31, 20XX based on [identify criteria]. fn 17 W Company's management is responsible for maintaining effective internal control over financial reporting. Our responsibility is to express an opinion on management's assertion based on our examination.

[Standard scope and inherent limitations paragraphs]

[Opinion paragraph]

In our opinion, management’s assertion that W Company maintained effective internal control over financial reporting as of December 31, 20XX is fairly stated, in all material respects, based on [identify criteria]. fn 18

[Signature]

[Date]

.51

Nothing precludes the practitioner from examining an assertion but opining directly on the effectiveness of internal control.

Restricting the Use of the Report

.52

Section 101.78–.83 provide guidance on restricting the use of an attest report. Nothing in this section precludes the practitioner from restricting the use of the report. If the practitioner is requested by one party to examine the effectiveness of another entity's internal control, he or she may want to restrict the report to the party making the request.

Report Modifications

.53

The practitioner should modify the standard reports if any of the following conditions exist.

  1. There is a material weakness in the entity's internal control. (See paragraphs .54–.58.)
  2. There is a restriction on the scope of the engagement. (See paragraphs .59–.62.)
  3. The practitioner decides to refer to the report of another practitioner as the basis, in part, for the practitioner's own report. (See paragraphs .63 and .64.)
  4. A significant subsequent event has occurred since the date being reported on. (See paragraphs .65–.68.)
  5. The engagement relates to examining and reporting on the effectiveness of only a segment of the entity's internal control. (See paragraph .69.)
  6. The engagement only relates to examining and reporting on the suitability of design of the entity's internal control. (See paragraphs .70 and .71.
  7. The criteria are not suitable for general use (See paragraphs .72–.76.)

Material Weaknesses

.54

If the examination discloses conditions that, individually or in combination, result in one or more material weaknesses (paragraphs .37–.40), the practitioner should modify the report and, to most effectively communicate with the reader of the report, should express his or her opinion directly on the effectiveness of internal control, not on the assertion. The nature of the modification depends on the weakness and its effect on the achievement of the objectives of the control criteria.

.55

The following is the form of the report, modified with explanatory language, that a practitioner should use when there is a material weakness in an entity's internal control and, based on its significance and its effect on the achievement of the objectives of the control criteria, the practitioner concludes that a qualified opinion is appropriate.

Independent Accountant's Report

[Introductory paragraph]

We have examined the effectiveness of W Company's internal control over financial reporting as of December 31, 20XX, based on [identify criteria]. W Company's management is responsible for maintaining effective internal control over financial reporting. Our responsibility is to express an opinion on the effectiveness of internal control based on our examination.

[Standard scope and inherent limitations paragraphs]

[Explanatory paragraph]

[Include sentence(s) describing the material weakness and its effect on the achievement of the objectives of the control criteria.] We believe such condition represents a material weakness. A material weakness is a condition that precludes the entity’s internal control from providing reasonable assurance that material misstatements in the financial statements will be prevented or detected on a timely basis. fn 19

[Opinion paragraph]

In our opinion, except for the effect of the material weakness described in the preceding paragraph on the achievement of the objectives of the control criteria, W Company has maintained, in all material respects, effective internal control over financial reporting as of December 31, 20XX, based on [identify criteria].

[Signature]

[Date]

.56

The following is the form of report, expressing an adverse opinion, that a practitioner should use when a material weakness in internal control exists and, in the practitioner’s judgment, the material weakness(es) is (are) so pervasive that the entity’s internal control over financial reporting does not achieve the control objectives.

Independent Accountant’s Report

[Introductory paragraph]

We have examined the effectiveness of W Company's internal control over financial reporting as of December 31, 20XX, based on [identify criteria] W Company's management is responsible for maintaining effective internal control over financial reporting. Our responsibility is to express an opinion on the effectiveness of internal control based on our examination.

[Standard scope and inherent limitations paragraphs]

[Explanatory paragraph]

[Include sentence(s) describing the material weakness and its effect on the achievement of the objectives of the control criteria] We believe such condition represents a material weakness. A material weakness is a condition that precludes the entity’s internal control from providing reasonable assurance that material misstatements in the financial statements will be prevented or detected on a timely basis. fn 20

[Opinion paragraph]

In our opinion, because of the effect of the material weakness described above on the achievement of the objectives of the control criteria, W Company has not maintained effective internal control over financial reporting as of December 31, 20XX, based on [identify criteria].

[Signature]

[Date]

.57

If a written assertion accompanying the practitioner's report contains a statement that the responsible party believes the cost of correcting the weakness would exceed the benefits to be derived from implementing new controls, the practitioner should disclaim an opinion on the responsible party's cost-benefit statement. The practitioner may use the following sample language as the last paragraph of the report to disclaim an opinion on the responsible party's cost-benefit statement:

We do not express an opinion or any other form of assurance on management’s cost-benefit statement.

However, if the practitioner believes that the responsible party's cost-benefit statement is a material misstatement of fact, he or she should consider the guidance in section 101.92–.94, and take appropriate action.

Practitioner’s Report on Internal Control Identifies a Material Weakness and Is Included in the Same Document Containing the Audit Report

.58

If the practitioner's report on his or her examination of the effectiveness of the entity's internal control is included within the same document that includes his or her audit report on the entity's financial statements, the following sentence should be included in the paragraph of the examination report that describes the material weakness:

These conditions were considered in determining the nature, timing, and extent of audit tests applied in our audit of the 20XX financial statements, and this report does not affect our report dated [date of report] on these financial statements.

The practitioner may also include the preceding sentence in situations where the two reports are not included within the same document.

Scope Limitations

.59

An unqualified opinion on the effectiveness of the entity's internal control or the written assertion thereon can be expressed only if the practitioner has been able to apply all the procedures he or she considers necessary in the circumstances. Restrictions on the scope of the engagement, whether imposed by the client, the responsible party, or by the circumstances, may require the practitioner to withdraw from the engagement, disclaim an opinion, or express a qualified opinion. The practitioner's decision depends on his or her assessment of the importance of the omitted procedure(s) to his or her ability to form an opinion on the effectiveness of the entity's internal control.

.60

For example, the responsible party may have implemented controls to correct a material weakness identified prior to the date specified by the client. However, unless the practitioner has been able to obtain evidence that the new controls were appropriately designed and have been operating effectively for a sufficient period of time, fn 21 he or she should refer to the material weakness and qualify his or her opinion on the basis of a scope limitation. The following is the form of the report a practitioner should use when restrictions on the scope of the examination cause the practitioner to issue a qualified opinion.

Independent Accountant's Report

[Standard introductory paragraph]

[Scope paragraph]

Except as described below, our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included obtaining an understanding of the internal control over financial reporting, testing and evaluating the design and operating effectiveness of the internal control, and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.

[Explanatory paragraph]

Prior to December 20, 20XX, W Company had an inadequate system for recording cash receipts, which could have prevented the Company from recording cash receipts on accounts receivable completely and properly. Therefore, cash received could have been diverted for unauthorized use, lost, or otherwise not properly recorded to accounts receivable. We believe this condition was a material weakness in the design or operation of the internal control of W Company in effect at [date]. A material weakness is a condition that precludes the entity’s internal control from providing reasonable assurance that material misstatements in the financial statements will be prevented or detected on a timely basis. Although the Company implemented a new cash receipts system on December 20, 20XX, the system has not been in operation for a sufficient period of time to enable us to obtain sufficient evidence about its operating effectiveness.

[Standard inherent limitations paragraph]

[Opinion paragraph]

In our opinion, except for the effect of matters we may have discovered had we been able to examine evidence about the effectiveness of the new cash receipts system, W Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 20XX based on [identify criteria].

[Signature]

[Date]

.61

When restrictions that significantly limit the scope of the examination are imposed by the client or the responsible party, the practitioner generally should disclaim an opinion on the effectiveness of the entity's internal control or the written assertion thereon.

.62

The following is the form of report that a practitioner should use when restrictions that significantly limit the scope of the examination are imposed by the client or the responsible party and cause the practitioner to issue a disclaimer of opinion.

Independent Accountant's Report

[Introductory paragraph]

We were engaged to examine the effectiveness of W Company's internal control over financial reporting as of December 31, 20XX, based on [identify criteria]. W Company's management is responsible for maintaining effective internal control over financial reporting.

[Scope paragraph should be omitted]

[Explanatory paragraph]

[Include paragraph to describe scope restrictions]

[Opinion paragraph]

Since management [describe scope restrictions] and we were unable to apply other procedures to satisfy ourselves as to the entity's internal control over financial reporting, the scope of our work was not sufficient to enable us to express, and we do not express, an opinion on the effectiveness of the entity’s internal control over financial reporting.

[Signature]

[Date]

Opinion Based in Part on the Report of Another Practitioner

.63

When another practitioner has examined the effectiveness of internal control of one or more subsidiaries, divisions, branches, or components of the entity, the practitioner should consider whether he or she may serve as the principal practitioner and use the work and reports of the other practitioner as a basis, in part, for his or her opinion. If the practitioner decides it is appropriate for him or her to serve as the principal practitioner, he or she should then decide whether to make reference in the report to the examination performed by the other practitioner. In these circumstances, the practitioner's considerations are similar to those of the independent auditor who uses the work and reports of other independent auditors when reporting on an entity's financial statements. AU section 543, Part of Audit Performed by Other Independent Auditors, provides guidance on the auditor's considerations when deciding whether he or she may serve as the principal auditor and, if so, whether to make reference to the examination performed by the other practitioner.

.64

When the practitioner decides to make reference to the report of the other practitioner as a basis, in part, for the practitioner's opinion, the practitioner should disclose this fact when describing the scope of the examination and should refer to the report of the other practitioner when expressing the opinion. fn 22 The following form of the report is appropriate in these circumstances.

Independent Accountant's Report

[Introductory paragraph]

We have examined the effectiveness of W Company's internal control over financial reporting as of December 31, 20XX, based on [identify criteria]. W Company's management is responsible for maintaining effective internal control over financial reporting. Our responsibility is to express an opinion on the effectiveness of internal control based on our examination. We did not examine the effectiveness of internal control over financial reporting of B Company, a wholly owned subsidiary, whose financial statements reflect total assets and revenues constituting 20 and 30 percent, respectively, of the related consolidated financial statement amounts as of and for the year ended December 31, 20XX. The effectiveness of B Company's internal control over financial reporting was examined by other accountants whose report has been furnished to us, and our opinion, insofar as it relates to the effectiveness of B Company's internal control over financial reporting, is based solely on the report of the other accountants.

[Scope paragraph]

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included obtaining an understanding of internal control over financial reporting, testing and evaluating the design and operating effectiveness of internal control, and performing such other procedures as we considered necessary in the circumstances. We believe that our examination and the report of the other accountants provide a reasonable basis for our opinion.

[Standard inherent limitations paragraph]

[Opinion paragraph]

In our opinion, based on our examination and the report of the other accountants, W Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 20XX, based on [identify criteria].

[Signature]

[Date]

Subsequent Events

.65

Changes in internal control or other factors that might significantly affect internal control may occur subsequent to the date as of which the internal control over financial reporting is being examined but before the date of the practitioner's report. As described in paragraph .44, the practitioner should obtain written representations from the responsible party relating to such matters. Additionally, to obtain information about whether changes have occurred that might affect the effectiveness of the entity's internal control and, therefore, the practitioner's report, he or she should inquire about and examine, for this subsequent period, the following:

  1. Relevant internal auditor reports issued during the subsequent period
  2. Independent auditor reports (if other than the practitioner's) of reportable conditions or material weaknesses
  3. Regulatory agency reports on the entity's internal control
  4. Information about the effectiveness of the entity's internal control obtained through other professional engagements

.66

If the practitioner obtains knowledge about subsequent events that he or she believes significantly affect the effectiveness of the entity's internal control as of the date specified in the assertion, the practitioner should report directly on the effectiveness of the entity’s internal control, and issue a qualified or an adverse opinion. If the practitioner is unable to determine the effect of the subsequent event on the effectiveness of the entity’s internal control, the practitioner should disclaim an opinion.

.67

The practitioner may obtain knowledge about subsequent events with respect to conditions that did not exist at the date specified in the assertion but arose subsequent to that date. Occasionally, a subsequent event of this type has such a material impact on the entity that the practitioner may wish to include in his or her report an explanatory paragraph describing the event and its effects or directing the reader’s attention to the event and its effects.

.68

The practitioner has no responsibility to keep informed of events subsequent to the date of his or her report; however, the practitioner may later become aware of conditions that existed at that date that might have affected the practitioner's opinion had he or she been aware of them. The practitioner's consideration of such subsequent information is similar to an auditor's consideration of information discovered subsequent to the date of the report on an audit of financial statements described in AU section 561, Subsequent Discovery of Facts Existing at the Date of the Auditor's Report. The guidance in that AU section requires the auditor to determine whether the information is reliable and whether the facts existed at the date of his or her report. If so, the auditor considers (a) whether the facts would have changed the report if he or she had been aware of them and (b) whether there are persons currently relying on or likely to rely on the practitioner's report on the effectiveness of the entity's internal control. Based on these considerations, detailed guidance is provided for the auditor in AU section 561.06.

Reporting on the Effectiveness of a Segment of the Entity's Internal Control

.69

When engaged to examine the effectiveness of only a segment of an entity's internal control (for example, internal control over financial reporting of an entity's operating division or its accounts receivable), a practitioner should follow the guidance in this section and issue a report using the guidance in paragraphs .46–.62, modified to refer to the segment of the entity's internal control examined. In this situation, the practitioner may use a report such as the following.

Independent Accountant's Report

[Introductory paragraph]

We have examined the effectiveness of W Company's internal control over financial reporting for its retail division as of December 31, 20XX, based on [identify criteria]. W Company's management is responsible for maintaining effective internal control over financial reporting. Our responsibility is to express an opinion on the effectiveness of internal control based on our examination.

[Standard scope and inherent limitations paragraphs]

[Opinion paragraph]

In our opinion, W Company's retail division maintained, in all material respects, effective internal control over financial reporting as of December 31, 20XX, based on [identify criteria].

[Signature]

[Date]

Reporting on the Suitability of Design of the Entity's Internal Control

.70

The client may request the practitioner to examine the suitability of the design of the entity's internal control for preventing or detecting material misstatements on a timely basis. For example, prior to granting a new casino a license to operate, a regulatory agency may request a report on whether the internal control that the responsible party plans to implement will provide reasonable assurance that the control objectives specified in the regulatory agency's regulations will be achieved. When evaluating the suitability of design of the entity's internal control for the regulatory agency's purpose, the practitioner should obtain an understanding of the components of internal control fn 23 that the responsible party should implement to meet the control objectives of the regulatory agency and identify the controls that are relevant to those control objectives.

.71

The following is a suggested form of report a practitioner may issue. The actual form of the report should be modified, as appropriate, to fit the particular circumstances. fn 24

Independent Accountant's Report

[Introductory paragraph]

We have examined the suitability of W Company's design of internal control over financial reporting to prevent or detect material misstatements in the financial statements on a timely basis as of December 31, 20XX, based on [identify criteria]. W Company's management is responsible for the suitable design of internal control over financial reporting. Our responsibility is to express an opinion on the design of internal control based on our examination.

[Scope paragraph]

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included obtaining an understanding of internal control over financial reporting, evaluating the design of internal control, and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.

[Standard inherent limitations paragraph]

[Opinion paragraph]

In our opinion, W Company's internal control over financial reporting is suitably designed, in all material respects, to prevent or detect material misstatements in the financial statements on a timely basis as of December 31, 20XX, based on [identify criteria].

[Signature]

[Date]

When reporting on the suitability of design of the entity's internal control that has already been placed in operation, the practitioner should modify his or her report by adding the following to the scope paragraph of the report:

We were not engaged to examine and report on the operating effectiveness of W Company's internal control over financial reporting as of December 31, 20XX, and, accordingly, we express no opinion on operating effectiveness.

Reporting on Internal Control Based on Criteria Specified by a Regulatory Agency

.72

A governmental or other agency that exercises regulatory, supervisory, or other public administrative functions may establish its own criteria and require reports on the internal control of entities subject to its jurisdiction. Criteria established by a regulatory agency may be set forth in audit guides, questionnaires, or other publications. The criteria may encompass specified aspects of an entity's internal control and specified aspects of administrative control or compliance with grants, regulations, or statutes. If such criteria have been subjected to due process procedures, including the distribution of proposed criteria for public comment, and the criteria are available to users (see section 101.23–.33), a practitioner should use the form of report illustrated in paragraph .48. If, however, the criteria are not available to users as described in section 101.33, or such criteria have not been subjected to due process procedures and the practitioner determines that such criteria are appropriate only for a limited number of users who either participated in their establishment or can be presumed to have an adequate understanding of the criteria, the practitioner should modify the report by adding a separate paragraph that restricts the use of the report to the regulatory agency and to those within the entity.

.73

For purposes of these reports, a material weakness is—

a.A condition in which the design or operation of one or more of the specific internal control components does not reduce to a relatively low level the risk that misstatements due to error or fraud in amounts that would be material in relation to the applicable grant or program might occur and not be detected on a timely basis by employees in the normal course of performing their assigned functions.

b.A condition in which the lack of conformity with the regulatory agency's criteria is material in accordance with any guidelines for determining materiality that are included in such criteria.

.74

The following report illustrates one that a practitioner might use when he or she has been engaged to examine the adequacy of an entity's internal control over financial reporting based on criteria established by a regulatory agency that are not suitable for general use.

Independent Accountant's Report

[Introductory paragraph]

We have examined the adequacy of W Company's internal control over financial reporting as of December 31, 20XX, based on [identify criteria, for example, the criteria established by _________ agency, as set forth in its audit guide dated ________]. W Company's management is responsible for maintaining adequate internal control over financial reporting. Our responsibility is to express an opinion on whether internal control is adequate to meet such criteria based on our examination.

[Standard scope and inherent limitations paragraphs]

[Opinion paragraph]

We understand that the agency considers the controls over financial reporting that meet the criteria referred to in the first paragraph of this report adequate for its purpose. In our opinion, based on this understanding and on our examination, W Company's internal control over financial reporting is adequate, in all material respects, based on the criteria established by [__________ agency].

[Restricted use paragraph]

This report is intended solely for the information and use of the board of directors and management of W Company and [agency] and is not intended to be and should not be used by anyone other than these specified parties.

[Signature]

[Date]

.75

When the practitioner issues this form of report, he or she does not assume any responsibility for the comprehensiveness of the criteria established by the regulatory agency. However, the practitioner should report any condition that comes to his or her attention during the course of the examination that he or she believes is a material weakness, even though it may not be covered by the criteria.

.76

If a regulatory agency requires the reporting of all conditions (whether material or not) that are not in conformity with the agency's criteria, the practitioner should describe all conditions of which he or she is aware in the report.

Other Information in a Client-Prepared Document Containing the Practitioner's Report on the Effectiveness of the Entity's Internal Control

.77

A client may publish various documents that contain information in addition to the practitioner’s attest report on internal control (or an assertion related thereto). Section 101.91–.94 provide guidance to the practitioner when the other information is contained in (a) annual reports to holders of securities or beneficial interest, annual organizations for charitable and philanthropic purposes distributed to the public, and annual reports filed with regulatory authorities under the Securities Exchange Act of 1934, or (b) other documents to which the practitioner, at the client’s request devotes attention.

Relationship of the Practitioner's Examination of an Entity's Internal Control to the Opinion Obtained in an Audit

.78

The purpose of a practitioner's examination of the effectiveness of an entity's internal control is to express an opinion about whether the entity maintained, in all material respects, effective internal control as of a point in time based on the control criteria. In contrast, the purpose of an auditor's consideration of internal control in an audit of financial statements conducted in accordance with generally accepted auditing standards is to enable the auditor to plan the audit and determine the nature, timing, and extent of tests to be performed. Ultimately, the results of the auditor's tests will form the basis for the auditor's opinion on the fairness of the entity's financial statements in conformity with generally accepted accounting principles. The auditor's responsibility in considering the entity's internal control is discussed in AU section 319, Consideration of Internal Control in a Financial Statement Audit.

.79

In a financial statement audit, the auditor obtains an understanding of internal control by performing procedures such as inquiries, observations, and inspection of documents. After he or she has obtained this understanding, the auditor assesses the control risk for assertions related to significant account balances and transaction classes. The auditor assesses control risk for an assertion at maximum if he or she believes that controls are unlikely to pertain to the assertion, that controls are unlikely to be effective, or that an evaluation of their effectiveness would be inefficient. When the auditor assesses control risk for an assertion at below maximum, he or she identifies the controls that are likely to prevent or detect material misstatements in that assertion and performs tests of controls to evaluate the effectiveness of such controls.

.80

An auditor's consideration of internal control in a financial statement audit is more limited than that of a practitioner engaged to examine the effectiveness of the entity's internal control. However, knowledge the practitioner obtains about the entity's internal control as part of the examination of the effectiveness of internal control may serve as the basis for his or her understanding of internal control in an audit of the entity's financial statements. Similarly, the practitioner may consider the results of tests of controls performed in connection with an examination of the entity's internal control, as well as any material weaknesses identified, when assessing control risk in the audit of the entity's financial statements.

.81

While an examination of the effectiveness of the entity's internal control and an audit of the entity's financial statements may be performed by the same practitioner, each can be performed by a different practitioner. If the audit of the entity's financial statements is performed by another practitioner, the practitioner may wish to consider any material weaknesses and reportable conditions identified by the auditor and any disagreements between the responsible party and the auditor concerning such matters.

Relationship to the Foreign Corrupt Practices Act

.82

The Foreign Corrupt Practices Act of 1977 (FCPA) includes provisions regarding internal accounting control for entities subject to the Securities Exchange Act of 1934. Whether an entity is in compliance with those provisions of the FCPA is a legal determination. A practitioner's examination report issued under this section does not indicate whether an entity is in compliance with those provisions.

Effective Date

.83

This section is effective when the subject matter or assertion is as of or for a period ending on or after June 1, 2001. Early application is permitted.

Appendix

.84

The following documents contain guidance for practitioners engaged to provide other services in connection with an entity's internal control.

  • AU section 325, Communication of Internal Control Related Matters Noted in an Audit, provides guidance on identifying and communicating reportable conditions that come to the auditor's attention during an audit of financial statements.
  • AU section 324, Service Organizations, provides guidance to auditors of a service organization on issuing a report on certain aspects of the service organization's internal control that can be used by other auditors, as well as guidance on how other auditors should use such reports.
  • The AICPA Audit and Accounting Guide Audits of State and Local Governmental Units provides auditors of state and local governmental entities with a basic understanding of the work they should do and the reports they should issue for audits under Government Auditing Standards (1994 Revision), as amended, issued by the Comptroller General of the United States and for audits under the Single Audit Act requirements and A-133 (June 1997).
  • SOP 98-3, Audits of States, Local Governments, and Not-for-Profit Organizations Receiving Federal Awards, provides auditors with a basic understanding of the work they should do and the reports they should issue for audits under Government Auditing Standards (1994 Revision), as amended, issued by the Comptroller General of the United States and for audits under the Single Audit Act requirements and A-133 (June 1997).
Footnotes (AT Section 501 — Reporting on an Entity's Internal Control Over Financial Reporting):

fn 1 This section does not change the auditor’s responsibility for considering the entity’s internal control in an audit of the financial statements. See paragraphs .78–.81.

fn 2 Ordinarily, the practitioner will be engaged to examine the effectiveness of the entity’s internal control over financial reporting as of the end of the entity’s fiscal year; however, the client may select a different date. A practitioner may also be engaged to examine the effectiveness of an entity’s internal control during a period of time. In that case, the guidance in this section should be modified accordingly.

fn 3 A practitioner engaged to examine the effectiveness of an entity’s internal control over operations or compliance with laws and regulations should refer to the guidance in section 101, Attest Engagements. The guidance in section 601, Compliance Attestation, may be helpful when performing an engagement relating to internal control over compliance with laws and regulations. A practitioner engaged to perform agreed-upon procedures on an entity’s internal control over operations or compliance with laws and regulations should refer to the guidance in section 201, Agreed-Upon Procedures Engagements, and section 601. Further, the guidance in this section may be helpful in attest engagements to report on internal control over operations or compliance with laws and regulations.

fn 4 Throughout this section, an entity’s internal control over financial reporting is referred to as its internal control.

fn 5 A practitioner engaged to issue a report on the processing of transactions by a service organization for use by other auditors should refer to AU section 324, Service Organizations.

fn 6 Criteria issued by the AICPA, regulatory agencies, and other groups composed of experts that follow due-process procedures, including exposure of the proposed criteria for public comment, usually should be considered suitable criteria for this purpose. For example, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission's report, Internal Control—Integrated Framework, provides suitable criteria against which management may evaluate and report on the effectiveness of the entity's internal control.

Criteria established by management, industry associations, or other groups that do not follow such due process procedures also may be considered suitable criteria. The practitioner should determine whether such criteria are suitable for general use reporting by evaluating them against the attributes in section 101.24. If the practitioner determines that such criteria are suitable for general use reporting, those criteria should also be available to users as discussed in section 101.33.

If the practitioner concludes that the criteria are appropriate only for a limited number of parties or are available only to specified parties, the practitioner's report shall state that the use of the report is restricted to those parties specified in the report. (See section 101.30, .34, and .78–.83.)

fn 7 As noted in footnote 6, this report also contains control criteria.

fn 8 This definition and description is consistent with the definition contained in AU section 319, Consideration of Internal Control in a Financial Statement Audit. However, AU section 319 is not intended to provide criteria for evaluating internal control effectiveness.

fn 9 However, as discussed in paragraph .69, the practitioner may be engaged to examine the effectiveness of only a segment of an entity's internal control.

fn 10 As discussed in paragraph .13, the components that constitute an entity’s internal control are a function of the definition and description of internal control selected by the responsible party. Paragraph .13 lists the components the practitioner should understand if the responsible party decides to evaluate the entity’s internal control based on the definition of internal control in Internal Control—Integrated Framework. If the responsible party selects another definition, these components may not be relevant.

fn 11 Paragraphs .54–.58 contain guidance the practitioner should consider when a material weakness exists.

fn 12 If the client does not have an audit committee, the practitioner should communicate with individuals whose authority and responsibility are equivalent to those of an audit committee, such as the board of directors, the board of trustees, an owner in an owner-managed entity, or those who engaged the practitioner.

fn 13 AU section 333, Management Representations, provides guidance on the date as of which the representation letter should be signed and who should sign it.

fn 14 See paragraphs .54–.58 for reporting when the examination discloses conditions that, individually or in combination, result in one or more material weaknesses.

fn 15 For example, “criteria established in Internal Control—Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”

fn 16 See paragraphs .54–.58 for reporting when the examination discloses conditions that, individually or in combination, result in one or more material weaknesses.

fn 17 The practitioner should identify the responsible party’s report examined by referring to the title used by the responsible party in its report. Further, he or she should use the same description of the entity’s internal control as the responsible party uses in its report, including the kinds of controls (that is, control over the preparation of annual financial statements, interim financial statements, or both) on which the responsible party is reporting. If the presentation of the assertion does not accompany the practitioner’s report, the phrase “included in the accompanying [title of responsible party’s report]” would be omitted.

fn 18 For example, “criteria established in Internal Control—Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”

fn 19 This description of a material weakness differs from the definition of a material weakness discussed in paragraph .37. Although a practitioner should consider the definition contained in paragraph .37 when determining whether a material weakness exists, the description above should be used to describe a material weakness in the practitioner’s report.

fn 20 This description of a material weakness differs from the definition of a material weakness discussed in paragraph .37. Although a practitioner should consider the definition contained in paragraph .37 when determining whether a material weakness exists, the description above should be used to describe a material weakness in the practitioner’s report.

fn 21 See guidance in paragraph .31.

fn 22 Whether the other practitioner’s opinion is expressed on the responsible party’s assertion or on the effectiveness of internal control does not affect the determination of whether the principal practitioner’s opinion is expressed on the assertion or on the subject matter itself.

fn 23 See paragraph .23.

fn 24 This report assumes that the control criteria of the regulatory agency are both suitable and available to users as discussed in section 101.23–.33. Therefore, there is no restriction on the use of this report.

Copyright © 2002, American Institute of Certified Public Accountants, Inc.