Skip supplemental navigation

Auditing Standard No. 2

An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements

APPENDIX E

Background and Basis for Conclusions
 

Introduction

E1.            This appendix summarizes factors that the Public Company Accounting Oversight Board (the "Board") deemed significant in reaching the conclusions in the standard.  This appendix includes reasons for accepting certain views and rejecting others.

Background

E2.            Section 404(a) of the Sarbanes-Oxley Act of 2002 (the "Act"), and the Securities and Exchange Commission's (SEC) related implementing rules, require the management of a public company to assess the effectiveness of the company's internal control over financial reporting, as of the end of the company's most recent fiscal year.  Section 404(a) of the Act also requires management to include in the company's annual report to shareholders management's conclusion as a result of that assessment of whether the company's internal control over financial reporting is effective.

E3.            Sections 103(a)(2)(A) and 404(b) of the Act direct the Board to establish professional standards governing the independent auditor's attestation and reporting on management's assessment of the effectiveness of internal control over financial reporting. 

E4.            The backdrop for the development of the Board's first major auditing standard was, of course, the spectacular audit failures and corporate malfeasance that led to the passage of the Act.  Although all of the various components of the Act work together to help restore investor confidence and help prevent the types of financial reporting breakdowns that lead to the loss of investor confidence, Section 404 of the Act is certainly one of the most visible and tangible changes required by the Act. 

E5.            The Board believes that effective controls provide the foundation for reliable financial reporting.  Congress believed this too, which is why the new reporting by management and the auditor on the effectiveness of internal control over financial reporting received such prominent attention in the Act.  Internal control over financial reporting enhances a company's ability to produce fair and complete financial reports.  Without reliable financial reports, making good judgments and decisions about a company becomes very difficult for anyone, including the board of directors, management, employees, investors, lenders, customers, and regulators.  The auditor's reporting on management's assessment of the effectiveness of internal control over financial reporting provides users of that report with important assurance about the reliability of the company's financial reporting.

E6.            The Board's efforts to develop this standard were an outward expression of the Board's mission, "to protect the interests of investors and further the public interest in the preparation of informative, fair, and independent audit reports."  As part of fulfilling that mission as it relates to this standard, the Board considered the advice that respected groups had offered to other auditing standards setters in the past.  For example, the Public Oversight Board's Panel on Audit Effectiveness recommended that "auditing standards need to provide clear, concise and definitive imperatives for auditors to follow." 1/  As another example, the International Organization of Securities Commissioners advised the International Auditing and Assurance Standards Board "that the IAASB must take care to avoid language that could inadvertently encourage inappropriate shortcuts in audits, at a time when rigorous audits are needed more than ever to restore investor confidence." 2/ 

E7.            The Board understood that, to effectively fulfill its mission and for this standard to achieve its ultimate goal of restoring investor confidence by increasing the reliability of public company financial reporting, the Board's standard must contain clear directions to the auditor consistent with investor's expectations that the reliability of financial reporting be significantly improved.  Just as important, the Board recognized that this standard must appropriately balance the costs to implement the standard's directions with the benefits of achieving these important goals.  As a result, all of the Board's decisions about this standard were guided by the additional objective of creating a rational relationship between costs and benefits.

E8.            When the Board adopted its interim attestation standards in Rule 3300T on an initial, transitional basis, the Board adopted a pre-existing standard governing an auditor's attestation on internal control over financial reporting. 3/  As part of the Board's process of evaluating that pre-existing standard, the Board convened a public roundtable discussion on July 29, 2003 to discuss issues and hear views related to reporting on internal control over financial reporting.  The participants at the roundtable included representatives from public companies, accounting firms, investor groups, and regulatory organizations.  Based on comments made at the roundtable, advice from the Board's staff, and other input the Board received, the Board determined that the pre-existing standard governing an auditor's attestation on internal control over financial reporting was insufficient for effectively implementing the requirements of Section 404 of the Act and for the Board to appropriately discharge its standard-setting obligations under Section 103(a) of the Act.  In response, the Board developed and issued, on October 7, 2003, a proposed auditing standard titled, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements.

E9.            The Board received 189 comment letters on a broad array of topics from a variety of commenters, including auditors, investors, internal auditors, issuers, regulators, and others.  Those comments led to changes in the standard, intended to make the requirements of the standard clearer and more operational.  This appendix summarizes significant views expressed in those comment letters and the Board's responses. 

Fundamental Scope of the Auditor's Work in an Audit of Internal Control over Financial Reporting

E10.        The proposed standard stated that the auditor's objective in an audit of internal control over financial reporting was to express an opinion on management's assessment of the effectiveness of the company's internal control over financial reporting.  To render such an opinion, the proposed standard required the auditor to obtain reasonable assurance about whether the company maintained, in all material respects, effective internal control over financial reporting as of the date specified in management's report.  To obtain reasonable assurance, the auditor was required to evaluate both management's process for making its assessment and the effectiveness of internal control over financial reporting.

E11.        Virtually all investors and auditors who submitted comment letters expressed support for this approach.  Other commenters, primarily issuers, expressed concerns that this approach was contrary to the intent of Congress and, therefore, beyond what was specifically required by Section 404 of the Act.  Further, issuers stated their views that this approach would lead to unnecessary and excessive costs.  Some commenters in this group suggested the auditor's work should be limited to evaluating management's assessment process and the testing performed by management and internal audit.  Others acknowledged that the auditor would need to test at least some controls directly in addition to evaluating and testing management's assessment process.  However, these commenters described various ways in which the auditor's own testing could be significantly reduced from the scope expressed in the proposed standard.  For instance, they proposed that the auditor could be permitted to use the work of management and others to a much greater degree; that the auditor could use a "risk analysis" to identify only a few controls to be tested; and a variety of other methods to curtail the extent of the auditor's work.  Of those opposed to the scope, most cited their belief that the scope of work embodied in the standard would lead to a duplication of effort between management and the auditor which would needlessly increase costs without adding significant value. 

E12.        After considering the comments, the Board retained the approach described in the proposed standard.  The Board concluded that the approach taken in the standard is consistent with the intent of Congress.  Also, to provide the type of report, at the level of assurance called for in Sections 103 and 404, the Board concluded that the auditor must evaluate both management's assessment process and the effectiveness of internal control over financial reporting.  Finally, the Board noted the majority of the cost to be borne by companies (and ultimately investors) results directly from the work the company will have to perform to maintain effective internal control over financial reporting and to comply with Section 404(a) of the Act.  The cost of the auditor's work as described in this standard ultimately will represent a smaller portion of the total cost to companies of implementing Section 404. 

E13.        The Board noted that large, federally insured financial institutions have had a similar internal control reporting requirement for over ten years.  The Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) has required, since 1993, managements of large financial institutions to make an assessment of internal control over financial reporting effectiveness and the institution's independent auditor to issue an attestation report on management's assessment.

E14.        The attestation standards under which FDICIA engagements are currently performed are clear that, when performing an examination of management's assertion  on the effectiveness of internal control over financial reporting (management's report on the assessment required by Section 404(a) of the Act must include a statement as to whether the company's internal control over financial reporting is effective), the auditor may express an opinion either on management's assertion (that is, whether management's assessment about the effectiveness of the internal control over financial reporting is fairly stated) or directly on the subject matter (that is, whether the internal control over financial reporting is effective) because the level of work that must be performed is the same in either case.

E15.        The Board observed that Congress indicated an intent to require an examination level of work in Section 103(a) of the Act, which states, in part, that each registered public accounting firm shall:

describe in each audit report the scope of the auditor's testing of the internal control structure and procedures of the issuer, required by Section 404(b), and present (in such report or in a separate report)-

(I) the findings of the auditor from such testing;
(II) an evaluation of whether such internal control structure and procedures-

(aa) include maintenance of records that in reasonable detail accurately reflect the transactions and dispositions of the assets of the issuer;

(bb) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer; and

(III) a description, at a minimum, of material weaknesses in such internal controls, and of any material noncompliance found on the basis of such testing.  [emphasis added].

E16.        The Board concluded that the auditor must test internal control over financial reporting directly, in the manner and extent described in the standard, to make the evaluation described in Section 103.  The Board also interpreted Section 103 to provide further support that the intent of Congress was to require an opinion on the effectiveness of internal control over financial reporting.

E17.        The Board concluded that the auditor must obtain a high level of assurance that the conclusion expressed in management's assessment is correct to provide an opinion on management's assessment.  An auditing process restricted to evaluating what management has done would not provide the auditor with a sufficiently high level of assurance that management's conclusion is correct.  Instead, it is necessary for the auditor to evaluate management's assessment process to be satisfied that management has an appropriate basis for its statement, or assertion, about the effectiveness of the company's internal control over financial reporting.  It also is necessary for the auditor to directly test the effectiveness of internal control over financial reporting to be satisfied that management's conclusion is correct, and that management's assertion is fairly stated. 

E18.        This testing takes on added importance with the public nature of the internal control reporting.  Because of the auditor's association with a statement by management that internal control over financial reporting is effective, it is reasonable for a user of the auditor's report to expect that the auditor tested the effectiveness of internal control over financial reporting.  For the auditor to do otherwise would create an expectation gap, in which the assurance that the auditor obtained is less than what users reasonably expect.

E19.        Auditors, investors, and the Federal bank regulators reaffirmed in their comment letters on the proposed auditing standard that the fundamental approach taken by the Board was appropriate and necessary.  Investors were explicit in their expectation that the auditor must test the effectiveness of controls directly in addition to evaluating management's assessment process.  Investors further recognized that this kind of assurance would come at a price and expressed their belief that the cost of the anticipated benefits was reasonable.  The federal banking regulators, based on their experience examining financial institutions' internal control assessments and independent auditors' attestation reports under FDICIA, commented that the proposed auditing standard was a significant improvement over the existing attestation standard.

Reference to Audit vs. Attestation

E20.        The proposed standard referred to the attestation required by Section 404(b) of the Act as the audit of internal control over financial reporting instead of an attestation of management's assessment.  The proposed standard took that approach both because the auditor's objective is to express an opinion on management's assessment of the effectiveness of internal control over financial reporting, just as the auditor's objective in an audit of the financial statements is to express an opinion on the fair presentation of the financial statements, and because the level of assurance obtained by the auditor is the same in both cases.  Furthermore, the proposed standard described an integrated audit of the financial statements and internal control over financial reporting and allowed the auditor to express his or her opinions on the financial statements and on the effectiveness of internal control in separate reports or in a single, combined report.

E21.        Commenters' views on this matter frequently were related to their views on whether the proposed scope of the audit was appropriate.  Those who agreed that the scope in the proposed standard was appropriate generally agreed that referring to the engagement as an audit was appropriate.  On the other hand, commenters who objected to the scope of work described in the proposed standard often drew an important distinction between an audit and an attestation.  Because Section 404 calls for an attestation , they believed it was inappropriate to call the engagement anything else (or to mandate a scope that called for a more extensive level of work).

E22.        Based, in part, on the Board's decisions about the scope of the audit of internal control over financial reporting, the Board concluded that the engagement should continue to be referred to as an "audit."  This term emphasizes the nature of the auditor's objective and communicates that objective most clearly to report users.  Use of this term also is consistent with the integrated approach described in the standard and the requirement in Section 404 of the Act that this reporting not be subject to a separate engagement.

E23.        Because the Board's standard on internal control is an auditing standard, it is preferable to use the term audit to describe the engagement rather than the term examination , which is used in the attestation standards to describe an engagement designed to provide a high level of assurance.

E24.        Finally, the Board believes that using the term audit helps dispel the misconception that an audit of internal control over financial reporting is a different level of service than an attestation of management's assessment of internal control over financial reporting.  

Form of the Auditor's Opinion

E25.        The proposed auditing standard required that the auditor's opinion in his or her report state whether management's assessment of the effectiveness of the company's internal control over financial reporting as of the specified date is fairly stated, in all material respects, based on the control criteria.  However, the proposed standard also stated that nothing precluded the auditor from auditing management's assessment and opining directly on the effectiveness of internal control over financial reporting.  This is because the scope of the work, as defined by the proposed standard, was the same, regardless of whether the auditor reports on management's assessment or directly on the effectiveness of internal control over financial reporting.  The form of the opinion was essentially interchangeable between the two.

E26.         However, if the auditor planned to issue other than an unqualified opinion, the proposed standard required the auditor to report directly on the effectiveness of the company's internal control over financial reporting rather than on management's assessment.  The Board initially concluded that expressing an opinion on management's assessment, in these circumstances, did not most effectively communicate the auditor's conclusion that internal control was not effective.  For example, if management expresses an adverse assessment because a material weakness exists at the date of management's assessment ("…internal control over financial reporting is not effective…") and the auditor expresses his or her opinion on management's assessment ("…management's assessment that internal control over financial reporting is not effective is fairly stated, in all material respects…"), a reader might not be clear about the results of the auditor's testing and about the auditor's conclusions.  The Board initially decided that reporting directly on the effectiveness of the company's internal control over financial reporting better communicates to report users the effect of such conditions, because direct reporting more clearly states the auditor's conclusions about the effectiveness of internal control over financial reporting ("In our opinion, because of the effect of the material weakness described…, the Company's internal control over financial reporting is not effective.").

E27.        A number of commenters were supportive of the model described in the previous paragraph, as they agreed with the Board's reasoning.  However, several commenters believed that report users would be confused as to why the form of the auditor's opinion would be different in various circumstances.  These commenters thought that the auditor's opinion should be consistently expressed in all reports.  Several auditors recommended that auditors always report directly on the effectiveness of the company's internal control over financial reporting.  They reasoned that the scope of the audit-which always would require the auditor to obtain reasonable assurance about whether the internal control over financial reporting was effective-would be more clearly communicated, in all cases, by the auditor reporting directly on the effectiveness of internal control over financial reporting.  Other commenters suggested that the auditor always should express two opinions: one on management's assessment and one directly on the effectiveness of internal control over financial reporting.  They believed the Act called for two opinions: Section 404 calls for an opinion on management's assessment, while Section 103 calls for an opinion directly on the effectiveness of internal control over financial reporting. 

E28.        The Board believes that the reporting model in the proposed standard is appropriate.  However, the Board concluded that the expression of two opinions-one on management's assessment and one on the effectiveness of internal control over financial reporting-in all reports is a superior approach that balances the concerns of many different interested parties.  This approach is consistent with the scope of the audit, results in more consistent reporting in differing circumstances, and makes the reports more easily understood by report users.  Therefore, the standard requires that the auditor express two opinions in all reports on internal control over financial reporting.

Use of the Work of Others

E29.         After giving serious consideration to a rational relationship between costs and benefits, the Board decided to change the provisions in the proposed standard regarding using the work of others.  The proposed standard required the auditor to evaluate whether to use the work of others, such as internal auditors and others working under the direction of management, and described an evaluation process focused on the competence and objectivity of the persons who performed the work that the auditor was required to use when determining the extent to which he or she could use the work of others. 

E30.        The proposed standard also described two principles that limited the auditor's ability to use of the work of others.  First, the proposed standard defined three categories of controls and the extent to which the auditor could use the work of others in each of those categories:

  • Controls for which the auditor should not rely on the work of others, such as controls in the control environment and controls specifically intended to prevent or detect fraud that is reasonably likely to have a material effect on the company's financial statements,
  • Controls for which the auditor may rely on the work of others, but his or her reliance on the work of others should be limited, such as controls over nonroutine transactions that are considered high risk because they involve judgments and estimates, and
  • Controls for which the auditor's reliance on the work of others is not specifically limited, such as controls over routine processing of significant accounts. 

E31.        Second, the proposed standard required that, on an overall basis, the auditor's own work must provide the principal evidence for the audit opinion (this is referred to as the principal evidence provision ). 

E32.        In the proposed standard, these two principles provided the auditor with flexibility in using the work of others while preventing him or her from placing inappropriate over-reliance on the work of others.  Although the proposed standard required the auditor to reperform some of the tests performed by others to use their work, it did not establish specific requirements for the extent of the reperformance.  Rather, it allowed the auditor to use his or her judgment and the directions provided by the two principles discussed in the previous two paragraphs to determine the appropriate extent of reperformance.

E33.        The Board received a number of comments that agreed with the proposed three categories of controls and the principal evidence provision.  However, most commenters expressed some level of concern with the categories, the principal evidence provision, or both.

E34.        Comments opposing or criticizing the categories of controls varied from general to very specific.  In general terms, many commenters (particularly issuers) expressed concern that the categories described in the proposed standard were too restrictive.  They believed the auditor should be able to use his or her judgment to determine in which areas and to what extent to rely on the work of others.  Other commenters indicated that the proposed standard did not place enough emphasis on the work of internal auditors whose competence and objectivity, as well as adherence to professional standards of internal auditing, should clearly set their work apart from the work performed by others in the organization (such as management or third parties working under management's direction).  Further, these commenters believed that the standard should clarify that the auditor should be able to use work performed by internal auditors extensively.  In that case, their concerns about excessive cost also would be partially alleviated.

E35.        Other commenters expressed their belief that the proposed standard repudiated the approach established in AU sec. 322, The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements, for the auditor's use of the work of internal auditors in a financial statement audit.  Commenters also expressed very specific and pointed views on the three categories of controls.  As defined in the proposed standard, the first category (in which the auditor should not use the work of others at all) included:

  • Controls that are part of the control environment, including controls specifically established to prevent and detect fraud that is reasonably likely to result in material misstatement of the financial statements.
  • Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; to initiate, record, and process journal entries in the general ledger; and to record recurring and nonrecurring adjustments to the financial statements (for example, consolidating adjustments, report combinations, and reclassifications).
  • Controls that have a pervasive effect on the financial statements, such as certain information technology general controls on which the operating effectiveness of other controls depend.
  • Walkthroughs.

E36.        Commenters expressed concern that the prohibition on using the work of others in these areas would (a) drive unnecessary and excessive costs,  (b) not give appropriate recognition to those instances in which the auditor evaluated internal audit as having a high degree of competence and objectivity, and (c) be impractical due to resource constraints at audit firms.  Although each individual area was mentioned, the strongest and most frequent objections were to the restrictions imposed over the inclusion in the first category of walkthroughs, controls over the period-end financial reporting process, and information technology general controls.  Some commenters suggested the Board should consider moving these areas from the first category to the second category (in which using the work of others would be limited, rather than prohibited); others suggested removing any limitation on using the work of others in these areas altogether.

E37.        Commenters also expressed other concerns with respect to the three control categories.  Several commenters asked for clarification on what constituted limited use of the work of others for areas included in the second category.  Some commenters asked for clarification about the extent of reperformance necessary for the auditor to use the work of others.  Other commenters questioned the meaning of the term without specific limitation in the third category by asking, did this mean that the auditor could use the work of others in these areas without performing or reperforming any work in those areas?

E38.        Although most commenters suggested that the principal evidence threshold for the auditor's own work be retained, some commenters objected to the principal evidence provision.  Although many commenters identified the broad array of areas identified in the first category (in which the auditor should not use the work of others at all) as the key driver of excessive costs, others identified the principal evidence provision as the real source of their excessive cost concerns.  Even if the categories were redefined in such a way as to permit the auditor to use the work of others in more areas, any associated decrease in audit cost would be limited by the principal evidence provision which, if retained, would still require significant original work on the part of the auditor.  On the other hand, both investors and auditors generally supported retaining the principal evidence provision as playing an important role in ensuring the independence of the auditor's opinion and preventing inappropriate overreliance on the work of internal auditors and others.

E39.        Commenters who both supported and opposed the principal evidence provision indicated that implementing it would be problematic because the nature of the work in an audit of internal control over financial reporting does not lend itself to a purely quantitative measurement.  Thus, auditors would be forced to use judgment when determining whether the principal evidence provision has been satisfied.

E40.        In response to the comments, the Board decided that some changes to the guidance on using the work of others were necessary.  The Board did not intend to reject the concepts in AU sec. 322 and replace them with a different model.  Although AU sec. 322 is designed to apply to an audit of financial statements, the Board concluded that the concepts contained in AU sec. 322 are sound and should be used in an audit of internal control over financial reporting, with appropriate modification to take into account the differences in the nature of the evidence necessary to support an opinion on financial statements and the evidence necessary to support an opinion on internal control effectiveness.  The Board also wanted to make clear that the concepts in AU sec. 322 also may be applied, with appropriate auditor judgment, to the relevant work of others.

E41.        The Board remained concerned, however, with the possibility that auditors might overrely on the work of internal auditors and others.  Inappropriate overreliance can occur in a variety of ways.  For example, an auditor might rely on the work of a highly competent and objective internal audit function for proportionately too much of the evidence that provided the basis for the auditor's opinion.  Inappropriate overreliance also occurs when the auditor incorrectly concludes that internal auditors have a high degree of competence and objectivity when they do not, perhaps because the auditor did not exercise professional skepticism or due professional care when making his or her evaluation.  In either case, the result is the same: unacceptable risk that the auditor's conclusion that internal control over financial reporting is effective is incorrect.  For example, federal bank regulators commented that, in their experience with FDICIA, auditors have a tendency to rely too heavily on the work of management and others, further noting that this situation diminishes the independence of the auditor's opinion on control effectiveness.

E42.        The Board decided to revise the categories of controls by focusing on the nature of the controls being tested, evaluating the competence and objectivity of the individuals performing the work, and testing the work of others.  This allows the auditor to exercise substantial judgment based on the outcome of this work as to the extent to which he or she can make use of the work of internal auditors or others who are suitably qualified.

E43.        This standard emphasizes the direct relationship between the assessed level of competence and objectivity and the extent to which the auditor may use the work of others.  The Board included this clarification to highlight the special status that a highly competent and objective internal auditor has in the auditor's work as well as to caution against inappropriate overreliance on the work of management and others who would be expected to have lower degrees of competence and objectivity in assessing controls.  Indeed, the Board noted that, with regard to internal control over financial reporting, internal auditors would normally be assessed as having a higher degree of competence and objectivity than management or others and that an auditor will be able to rely to a greater extent on the work of a highly competent and objective internal auditor than on work performed by others within the company.

E44.        The Board concluded that the principal evidence provision is critical to preventing overreliance on the work of others in an audit of internal control over financial reporting.  The requirement for the auditor to perform enough of the control testing himself or herself so that the auditor's own work provides the principal evidence for the auditor's opinion is of paramount importance to the auditor's assurance providing the level of reliability that investors expect.  However, the Board also decided that the final standard should articulate clearly that the auditor's judgment about whether he or she has obtained the principal evidence required is qualitative as well as quantitative.  Therefore, the standard now states, "Because the amount of work related to obtaining sufficient evidence to support an opinion about the effectiveness of controls is not susceptible to precise measurement, the auditor's judgment about whether he or she has obtained the principal evidence for the opinion will be qualitative as well as quantitative.  For example, the auditor might give more weight to work performed on pervasive controls and in areas such as the control environment than on other controls, such as controls over low-risk, routine transactions."

E45.        The Board also concluded that a better balance could be achieved in the standard by instructing the auditor to factor into the determination of the extent to which to use the work of others an evaluation of the nature of the controls on which others performed their procedures. 

E46.        Paragraph 112 of the standard provides the following factors the auditor should consider when evaluating the nature of the controls subjected to the work of others:

  • The materiality of the accounts and disclosures that the control addresses and the risk of material misstatement.
  • The degree of judgment required to evaluate the operating effectiveness of the control (that is, the degree to which the evaluation of the effectiveness of the control requires evaluation of subjective factors rather than objective testing).
  • The pervasiveness of the control.
  • The level of judgment or estimation required in the account or disclosure.
  • The potential for management override of the control.

E47.        As these factors increase in significance, the need for the auditor to perform his or her own work on those controls increases.  As these factors decrease in significance, the auditor may rely more on the work of others.  Because of the nature of controls in the control environment, however, the standard does not allow the auditor to use the work of others to reduce the amount of work he or she performs on such controls.  In addition, the standard also does not allow the auditor to use the work of others in connection with the performance of walkthroughs of major classes of transactions because of the high degree of judgment required when performing them (See separate discussion in paragraphs E51 through E57).

E48.        The Board decided that this approach was responsive to those who believed that the auditor should be able to use his or her judgment in determining the extent to which to use the work of others.  The Board designed the requirement that the auditor's own work must provide the principal evidence for the auditor's opinion as one of the boundaries within which the auditor determines the work he or she must perform himself or herself in the audit of internal control over financial reporting.  The other instructions about using the work of others provide more specific direction about how the auditor makes this determination, but allow the auditor significant flexibility to use his or her judgment to determine the work necessary to obtain the principal evidence, and to determine when the auditor can use the work of others rather than perform the work himself or herself.  Although some of the directions are specific and definitive, such as the directions for the auditor to perform tests of controls in the control environment and walkthroughs himself or herself, the Board decided that these areas were of such audit importance that the auditor should always perform this testing as part of obtaining the principal evidence for his or her opinion.  The Board concluded that this approach appropriately balances the use of auditor judgment and the risk of inappropriate overreliance.

E49.        The Board was particularly concerned by comments that issuers might choose to reduce their internal audit staff or the extent of internal audit testing in the absence of a significant change in the proposed standard that would significantly increase the extent to which the auditor may use the work of internal auditors.  The Board believes the standard makes clear that an effective internal audit function does permit the auditor to reduce the work that otherwise would be necessary. 

E50.        Finally, as part of clarifying the linkage between the degree of competence and objectivity of the others and the ability to use their work, the Board decided that additional clarification should be provided on the extent of testing that should be required of the work of others.  The Board noted that the interaction of the auditor performing walkthroughs of every significant process and the retention of the principal evidence provision precluded the need for the auditor to test the work of others in every significant account.  However, testing the work of others is an important part of an ongoing assessment of their competence and objectivity.  Therefore, as part of the emphasis on the direct relationship between the assessed level of competence and objectivity to the extent of the use of the work of others, additional provisions were added discussing how the results of the testing of the work of others might affect the auditor's assessment of competence and objectivity.  The Board also concluded that testing the work of others should be clearly linked to an evaluation of the quality and effectiveness of their work.

Walkthroughs

E51.        The proposed standard included a requirement that the auditor perform walkthroughs, stating that the auditor should perform a walkthrough for all of the company's significant processes.  In the walkthrough, the auditor was to trace all types of transactions and events, both recurring and unusual, from origination through the company's information systems until they were included in the company's financial reports.  As stated in the proposed standard, walkthroughs provide the auditor with evidence to:

  • Confirm the auditor's understanding of the process flow of transactions;
  • Confirm the auditor's understanding of the design of controls identified for all five components of internal control over financial reporting, including those related to the prevention or detection of fraud;
  • Confirm that the auditor's understanding of the process is complete by determining whether all points in the process at which misstatements related to each relevant financial statement assertion that could occur have been identified;
  • Evaluate the effectiveness  of the design of controls; and
  • Confirm whether controls have been placed in operation.

E52.        A number of commenters expressed strong support for the requirement for the auditor to perform walkthroughs as described in the proposed standard.  They agreed that auditors who did not already perform the type of walkthrough described in the proposed standard should perform them as a matter of good practice.  These commenters further recognized that the first-hand understanding an auditor obtains from performing these walkthroughs puts the auditor in a much better position to design an effective audit and to evaluate the quality and effectiveness of the work of others.  They considered the walkthrough requirement part of "getting back to basics ," which they viewed as a positive development.

E53.        Some commenters expressed general support for walkthroughs as required procedures, but had concerns about the scope of the work.  A number of commenters suggested that requiring walkthroughs of all significant processes and all types of transactions would result in an overwhelming and unreasonable number of walkthroughs required.  Commenters made various suggestions for alleviating this problem, including permitting the auditor to determine, using broad auditor judgment, which classes of transactions to walk through or refining the scope of "all types of transactions" to include some kind of consideration of risk and materiality. 

E54.        Other commenters believed that required walkthroughs would result in excessive cost if the auditor were prohibited from using the work of others.  These commenters suggested that the only way that required walkthroughs would be a reasonable procedure is to permit the auditor to use the work of others.  Although commenters varied on whether the auditor's use of the work of others for walkthroughs should be liberal or limited, and whether it should include management or be limited to internal auditors, a large number of commenters suggested that limiting walkthroughs to only the auditor himself or herself was impractical.

E55.        The Board concluded that the objectives of the walkthroughs cannot be achieved second-hand.  For the objectives to be effectively achieved, the auditor must perform the walkthroughs himself or herself.  Several commenters who objected to the prohibition on using the work of internal auditors for walkthroughs described situations in which internal auditors would be better able to effectively perform walkthroughs because internal auditors understood the company's business and controls better than the external auditor and because the external auditor would struggle in performing walkthroughs due to a lack of understanding.  The Board observed that these commenters' perspectives support the importance of requiring the external auditor to perform walkthroughs.  If auditors struggle to initially perform walkthroughs because their knowledge of the company and its controls is weak, then that situation would only emphasize the necessity for the auditor to increase his or her level of understanding.  After considering the nature and extent of the procedures that would be required to achieve these objectives, the Board concluded that performing walkthroughs would be the most efficient means of doing so.  The first-hand understanding the auditor will obtain of the company's processes and its controls through the walkthroughs will translate into increased effectiveness and quality throughout the rest of the audit, in a way that cannot be achieved otherwise.

E56.        The Board also decided that the scope of the transactions that should be subjected to walkthroughs should be more narrowly defined.  To achieve the objectives the Board intended for walkthroughs to accomplish, the auditor should not be forced to perform walkthroughs on what many commenters reasoned was an unreasonably large population.  The Board decided that the auditor should be able to use judgment in considering risk and materiality to determine which transactions and events within a given significant process to walk through.  As a result, the directions in the standard on determining significant processes and major classes of transactions were expanded, and the population of transactions for which auditors will be required to walk through narrowed by replacing "all types of transactions" with "major classes of transactions."

E57.        Although judgments of risk and materiality are inherent in identifying major classes of transactions, the Board decided to also remove from the standard the statement, "walkthroughs are required procedures" as a means of further clarifying that auditor judgment plays an important role in determining the major classes of transactions for which to perform a walkthrough.  The Board observed that leading off the discussion of walkthroughs in the standard with such a sentence could be read as setting a tone that diminished the role of judgment in selecting the transactions to walk through.  As a result, the directions in the standard on performing walkthroughs begin with, "The auditor should perform at least one walkthrough for each major class of transactions…"  The Board's decision to eliminate the statement "walkthroughs are required procedures" should not be viewed as an indication that performing walkthroughs are optional under the standard's directions.  The Board believes the auditor might be able to achieve the objectives of a walkthrough by performing a combination of procedures, including inquiry, inspection, observation, and reperformance; however, performing a walkthrough represents the most efficient and effective means of doing so.  The auditor's work on the control environment and walkthroughs is an important part of the principal evidence that the auditor must obtain himself or herself.

Small Business Issues

E58.        Appendix E of the proposed standard discussed small and medium-sized company considerations.  Comments were widely distributed on this topic.   A number of commenters indicated that the proposed standard gave adequate consideration to how internal control is implemented in, and how the audit of internal control over financial reporting should be conducted at, small and medium-sized companies.  Other commenters, particularly smaller issuers and smaller audit firms, indicated that the proposed standard needed to provide much more detail on how internal control over financial reporting could be different at a small or medium-sized issuer and how the auditor's approach could differ.  Some of these commenters indicated that the concepts articulated in the Board's proposing release concerning accommodations for small and medium-sized companies were not carried through to the proposed standard itself.

E59.        On the other hand, other commenters, particularly large audit firms and  investors, expressed views that the proposed standard went too far in creating too much of an accommodation for small and medium-sized issuers.  In fact, many believed that the proposed standard permitted those issuers to have less effective internal control over financial reporting than larger issuers, while providing guidance to auditors permitting them to perform less extensive testing at those small and medium-sized issuers than they might have at larger issuers.  These commenters stressed that effective internal control over financial reporting is equally important at small and medium-sized issuers.  Some commenters also expressed concerns that the guidance in proposed Appendix E appeared to emphasize that the actions of senior management, if carried out with integrity, could offset deficiencies in internal control over financial reporting, such as the lack of written policies and procedures.  Because the risk of management override of controls is higher in these types of environments, such commenters were concerned that the guidance in proposed Appendix E might result in an increased fraud risk at small and medium-sized issuers.  At a minimum, they argued, the interpretation of Appendix E might result in a dangerous expectation gap for users of their internal control reports.  Some commenters who were of this view suggested that Appendix E be deleted altogether or replaced with a reference to the report of the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, Internal Control-Integrated Framework , which they felt contained sufficient guidance on small and medium-sized company considerations.

E60.        Striking an appropriate balance regarding the needs of smaller issuers is particularly challenging.  The Board considered cautionary views about the difficulty in expressing accommodations for small and medium-sized companies without creating an inappropriate second class of internal control effectiveness and audit assurance.  Further, the Board noted that the COSO framework currently provides management and the auditor with more guidance and flexibility regarding small and medium-sized companies than the Board had provided in the proposed Appendix E.  As a result, the Board eliminated proposed Appendix E and replaced the appendix with a reference to COSO in paragraph 15 of the standard.  The Board believes providing internal control criteria for small and medium-sized companies within the internal control framework is more appropriately within the purview of COSO.  Furthermore, the COSO report was already tailored for special small and medium-sized company considerations.  The Board decided that emphasizing the existing guidance within COSO was the best way of recognizing the special considerations that can and should be given to small and medium-sized companies without inappropriately weakening the standard to which these smaller entities should, nonetheless, be held.  If additional tailored guidance on the internal control framework for small and medium-sized companies is needed, the Board encourages COSO, or some other appropriate body, to develop this guidance.

Evaluation of the Effectiveness of the Audit Committee

E61.         The proposed standard identified a number of circumstances that, because of their likely significant negative effect on internal control over financial reporting, are significant deficiencies as well as strong indicators that a material weakness exists.  A particularly notable significant deficiency and strong indicator of a material weakness was the ineffective oversight by the audit committee of the company's external financial reporting and internal control over financial reporting.  In addition, the proposed standard required the auditor to evaluate factors related to the effectiveness of the audit committee's oversight of the external financial reporting process and the internal control over financial reporting.

E62.        This provision related to evaluating the effectiveness of the audit committee was included in the proposed standard for two primary reasons.  First, the Board initially decided that, because of the significant role that the audit committee has in the control environment and monitoring components of internal control over financial reporting, an ineffective audit committee is a gravely serious control weakness that is strongly indicative of a material weakness.  Most auditors should have already been reaching this conclusion when confronted with an obviously ineffective audit committee.  Second, highlighting the adverse consequences of an ineffective audit committee would, perhaps, further encourage weak audit committees to improve.   

E63.        Investors supported this provision.  They expressed an expectation that the auditor would evaluate the audit committee's effectiveness and speak up if the audit committee was determined to be ineffective.  Investors drew a link among restoring their confidence, audit committees having new and enhanced responsibilities, and the need for assurance that audit committees are, in fact, meeting their responsibilities. 

E64.        Auditors also were generally supportive of such an evaluation.  However, many requested that the proposed standard be refined to clearly indicate that the auditor's responsibility to evaluate the effectiveness of the audit committee's oversight of the company's external financial reporting and internal control over financial reporting is not a separate and distinct evaluation.  Rather, the evaluation is one element of the auditor's overall understanding and assessment of the company's control environment and monitoring components.  Some commenters suggested that, in addition to needing clarification of the auditor's responsibility, the auditor would have difficulty in evaluating all of the factors listed in the proposed standard, because the auditor's normal interaction with the audit committee would not provide sufficient basis to conclude on some of those factors.

E65.        Issuers and some others were opposed to the auditor evaluating the effectiveness of the audit committee on the fundamental grounds that such an evaluation would represent an unacceptable conflict of interest.  Several commenters shared the view that this provision would reverse an important improvement in governance and audit quality.  Whereas the auditor was formerly retained and compensated by management, the Act made clear that these responsibilities should now be those of the audit committee.  In this way, commenters saw a conflict of interest being remedied.  Requiring the auditor to evaluate the effectiveness of the audit committee led commenters to conclude that the same kind of conflict of interest was being reestablished.  These commenters also believed that the auditor would not have a sufficient basis on which to evaluate the effectiveness of the audit committee because the auditor does not have complete and free access to the audit committee, does not have appropriate expertise to evaluate audit committee members (who frequently are more experienced businesspeople than the auditor), does not have the legal expertise to make determinations about some of the specific factors listed in the proposed standard, and other shortcomings.  These commenters also emphasized that the board of directors' evaluation of the audit committee is important and that the proposed standard could be read to supplant this important evaluation with that of the auditor's.

E66.        The Board concluded that this provision should be retained but decided that clarification was needed to emphasize that the auditor's evaluation of the audit committee was not a separate evaluation but, rather, was made as part of the auditor's evaluation of the control environment and monitoring components of internal control over financial reporting.  The Board reasoned that clarifying both this context and limitation on the auditor's evaluation of the audit committee would also address, to some degree, the conflict-of-interest concerns raised by other commenters.  The Board also observed, however, that conflict is, to some extent, inherent in the duties that society expects of auditors.  Just as auditors were expected in the past to challenge management when the auditor believed a material misstatement of the financial statements or material weakness in internal control over financial reporting existed, the auditor similarly is expected to speak up when he or she believes the audit committee is ineffective in its oversight.

E67.        The Board decided that when the auditor is evaluating the control environment and monitoring components, if the auditor concludes that the audit committee's oversight of the company's external financial reporting and internal control over financial reporting is ineffective, the auditor should be strongly encouraged to consider that situation a material weakness and, at a minimum, a significant deficiency.  The objective of the evaluation is not to grade the effectiveness of the audit committee along a scale.  Rather, in the course of performing procedures related to evaluating the effectiveness of the control environment and monitoring components, including evaluating factors related to the effectiveness of the audit committee's oversight, if the auditor concludes that the audit committee's oversight of the external financial reporting and internal control over financial reporting is ineffective, then the auditor should consider that a strong indicator of a material weakness.

E68.        The Board concluded that several refinements should be made to this provision.  As part of emphasizing that the auditor's evaluation of the audit committee is to be made as part of evaluating the control environment and not as a separate evaluation, the Board determined that the evaluation factors should be modified.  The factors that addressed compliance with listing standards and sections of the Act were deleted, because those factors were specifically criticized in comment letters as being either outside the scope of the auditor's expertise or outside the scope of internal control over financial reporting.  The Board also believed that those factors were not significant to the type of evaluation the auditor was expected to make of the audit committee.  The Board decided to add the following factors, which are based closely on factors described in COSO, as relevant to evaluating those who govern, including the audit committee:

  • Extent of direct and independent interaction with key members of financial management, including the chief financial officer and chief accounting officer.
  • Degree to which difficult questions are raised and pursued with management and the auditor, including questions that indicate an understanding of the critical accounting policies and judgmental accounting estimates.
  • Level of responsiveness to issues raised by the auditor, including those required to be communicated by the auditor to the audit committee.

E69.         The Board also concluded that the standard should explicitly acknowledge that the board of directors is responsible for evaluating the effectiveness of the audit committee and that the auditor's evaluation of the control environment is not intended to supplant those evaluations.  In addition, the Board concluded that, in the event the auditor determines that the audit committee's oversight is ineffective, the auditor should communicate that finding to the full board of directors.  This communication should occur regardless of whether the auditor concludes that the condition represents a significant deficiency or a material weakness, and the communication should take place in addition to the normal communication requirements that attach to those deficiencies.

Definitions of Significant Deficiency and Material Weakness

E70.        As part of developing the proposed standard, the Board evaluated the existing definitions of significant deficiency (which the SEC defined as being the same as a reportable condition) and material weakness to determine whether they would permit the most effective implementation of the internal control reporting requirements of the Act.

E71.        AU sec. 325, Communication of Internal Control Related Matters Noted in an Audit , defined a material weakness as follows:

A material weakness in internal control is a reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by error or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions.

E72.        The framework that defined a material weakness focused on likelihood of and magnitude for evaluating a weakness.  The Board decided that this framework would facilitate effective implementation of the Act's internal control reporting requirements; therefore, the Board's proposed definitions focused on likelihood and magnitude.  However, as part of these deliberations, the Board decided that likelihood and magnitude needed to be defined in terms that would encourage more consistent application.

E73.        Within the existing definition of material weakness, the magnitude of "material in relation to the financial statements" was well supported by the professional standards, SEC rules and guidance, and other literature.  However, the Board decided that the definition of likelihood would be improved if it used "more than remote" instead of "relatively low level."  FASB Statement No. 5, Accounting for Contingencies (FAS No. 5) defines "remote . "  The Board decided that, because auditors were familiar with the application of the likelihood definitions in FAS No. 5, using "more than remote" in the definition of material weakness would infuse the evaluation of whether a control deficiency was a material weakness with the additional consistency that the Board wanted to encourage.

E74.        AU sec. 325 defined reportable conditions as follows:

...matters coming to the auditor's attention that, in his judgment, should be communicated to the audit committee because they represent significant deficiencies in the design or operation of internal control, which could adversely affect the organization's ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements.

E75.        The Board observed that this definition makes the determination of whether a condition is reportable solely a matter of the auditor's judgment.  The Board believed that this definition was insufficient for purposes of the Act because management also needs a definition to determine whether a deficiency is significant and that the definition should be the same as the definition used by the auditor.  Furthermore, using this existing definition, the auditor's judgment could never be questioned.

E76.        The Board decided that the same framework that represented an appropriate framework for defining a material weakness also should be used for defining a significant deficiency.  Although auditor judgment is integral and essential to the audit process (including in determining the severity of control weaknesses), auditors, nonetheless, must be accountable for their judgments.  Increasing the accountability of auditors for their judgments about whether a condition represents a significant deficiency and increasing the consistency with which those judgments are made are interrelated.  Hence, the same framework of likelihood and magnitude were applied in the Board's proposed definition of significant deficiency.

E77.        In applying the likelihood and magnitude framework to defining a significant deficiency, the Board decided that the "more than remote" likelihood of occurrence used in the definition of material weakness was the best benchmark.  In terms of magnitude, the Board decided that "more than inconsequential" should be the threshold for a significant deficiency.

E78.        A number of commenters were supportive of the definitions in the proposed standard.  These commenters believed the definitions were an improvement over the previous definitions, used terms familiar to auditors, and would promote increased consistency in evaluations.

E79.        Most commenters, however, objected to these definitions.  The primary, over-arching objection was that these definitions set too low a threshold for the reporting of significant deficiencies.  Some commenters focused on "more than remote" likelihood as the driver of an unreasonably low threshold, while others believed "more than inconsequential" in the definition of significant deficiency was the main culprit.  While some commenters understood "more than inconsequential" well enough, others indicated significant concerns that this represented a new term of art that needed to be accompanied by a clear definition of "inconsequential" as well as supporting examples.  Several commenters suggested retaining the likelihood and magnitude approach to a definition but suggested alternatives for likelihood (such as reasonably likely, reasonably possible, more likely than not, probable) and magnitude (such as material, significant, insignificant).

E80.        Some commenters suggested that the auditing standard retain the existing definitions of material weakness and significant deficiency, consistent with the SEC's final rules implementing Section 404.  In their final rules, the SEC tied management's assessment to the existing definitions of material weakness and significant deficiency (through the existing definition of a reportable condition) in AU sec. 325.  These commenters suggested that, if the auditing standard used a different definition, a dangerous disconnect would result, whereby management would be using one set of definitions under the SEC's rules and auditors would be using another set under the Board's auditing standards.  They further suggested that, absent rulemaking by the SEC to change its definitions, the Board should simply defer to the existing definitions.

E81.        A number of other commenters questioned the reference to "a misstatement of the annual or interim financial statements" in the definitions, with the emphasis on why "interim" financial statements were included in the definition, since Section 404 required only an annual assessment of internal control over financial reporting effectiveness, made as of year-end.  They questioned whether this definition implied that the auditor was required to identify deficiencies that could result in a misstatement in interim financial statements; they did not believe that the auditor should be required to plan his or her audit of internal control over financial reporting at a materiality level of the interim financial statements.

E82.        The Board ultimately concluded that focusing the definitions of material weakness and significant deficiency on likelihood of misstatement and magnitude of misstatement provides the best framework for evaluating deficiencies.  Defaulting to the existing definitions would not best serve the public interest nor facilitate meaningful and effective implementation of the auditing standard. 

E83.        The Board observed that the SEC's final rules requiring management to report on internal control over financial reporting define material weakness, for the purposes of the final rules, as having "the same meaning as the definition under GAAS and attestation standards."  Those rules state:

The term "significant deficiency" has the same meaning as the term "reportable condition" as used in AU §325 and AT§501.  The terms "material weakness" and "significant deficiency" both represent deficiencies in the design or operation of internal control that could adversely affect a company's ability to record, process, summarize and report financial data consistent with the assertions of management in the company's financial statements, with a "material weakness" constituting a greater deficiency than a "significant deficiency."  Because of this relationship, it is our judgment that an aggregation of significant deficiencies could constitute a material weakness in a company's internal control over financial reporting. 4/

E84.        The Board considered the SEC's choice to cross-reference to generally accepted auditing standards (GAAS) and the attestation standards as the means of defining these terms, rather than defining them outright within the final rules, noteworthy as it relates to the question of whether any disconnect could result between auditors' and managements' evaluations if the Board changed the definitions in its standards.  Because the standard changes the definition of these terms within the interim standards, the Board believes the definitions are, therefore, changed for both auditors' and managements' purposes.

E85.        The Board noted that commenters who were concerned that the definitions in the proposed standard set too low of a threshold for significant deficiencies and material weaknesses believed that the proposed standard required that each control deficiency be evaluated in isolation.  The intent of the proposed standard was that control deficiencies should first be evaluated individually; the determination as to whether they are significant deficiencies or material weaknesses should be made considering the effects of compensating controls.  The effect of compensating controls should be taken into account when assessing the likelihood of a misstatement occurring and not being prevented or detected.  The proposed standard illustrated this type of evaluation, including the effect of compensating controls when assessing likelihood, in the examples in Appendix D.  Based on the comments received, however, the Board determined that additional clarification within the standard was necessary to emphasize the importance of considering compensating controls when evaluating the likelihood of a misstatement occurring.  As a result, the note to paragraph 10 was added.

E86.        The Board concluded that considering the effect of compensating controls on the likelihood of a misstatement occurring and not being prevented or detected sufficiently addressed the concerns that the definitions set too low a threshold.  For example, several issuer commenters cited concerns that the proposed definitions precluded a rational cost-benefit analysis of whether to correct a deficiency.  These issuers believed they would be compelled to correct deficiencies (because the deficiencies would be considered to be at least significant deficiencies) in situations in which management had made a previous conscious decision that the costs of correcting the deficiency outweighed the benefits.  The Board observed that, in cases in which management has determined not to correct a known deficiency based on a cost-benefit analysis, effective compensating controls usually lie at the heart of management's decision.  The standard's use of "likelihood" in the definition of a significant deficiency or material weakness accommodates such a consideration of compensating controls.  If a deficiency is effectively mitigated by compensating controls, then the likelihood of a misstatement occurring and not being prevented or detected may very well be remote. 

E87.        The Board disagreed with comments that "more than inconsequential" was too low a threshold; however, the Board decided the term "inconsequential" needed additional clarity.  The Board considered the term "inconsequential" in relation to the SEC's guidance on audit requirements and materiality.  Section 10A(b)(1)(B) 5/ describes the auditor's communication requirements when the auditor detects or otherwise becomes aware of information indicating that an illegal act has or may have occurred, "unless the illegal act is clearly inconsequential."  Staff Accounting Bulletin (SAB) No. 99, Materiality , provides the most recent and definitive guidance on the concept of materiality as it relates to the financial reporting of a public company.  SAB No. 99 uses the term "inconsequential" in several places to draw a distinction between amounts that are not material.  SAB No. 99 provides the following guidance to assess the significance of a misstatement:

Though the staff does not believe that registrants need to make finely calibrated determinations of significance with respect to immaterial items, plainly it is "reasonable" to treat misstatements whose effects are clearly inconsequential differently than more significant ones.

E88.        The discussion in the previous paragraphs provided the Board's context for using "material" and "more than inconsequential" for the magnitude thresholds in the standard's definitions.  "More than inconsequential" indicates an amount that is less than material yet has significance.

E89.        The Board also considered the existing guidance in the Board's interim standards for evaluating materiality and accumulating audit differences in a financial statement audit.  Paragraph .41 of AU sec. 312, Audit Risk and Materiality in Conducting an Audit, states:

In aggregating likely misstatements that the entity has not corrected, pursuant to paragraphs .34 and .35, the auditor may designate an amount below which misstatements need not be accumulated.  This amount should be set so that any such misstatements, either individually or when aggregated with other such misstatements, would not be material to the financial statements, after the possibility of further undetected misstatements is considered.

E90.        The Board considered the discussion in AU sec. 312 that spoke specifically to evaluating differences individually and in the aggregate , as well as to considering the possibility of additional undetected misstatements, important distinguishing factors that should be carried through to the evaluation of whether a control deficiency represents a significant deficiency because the magnitude of the potential misstatement is more than inconsequential.

E91.        The Board combined its understanding of the salient concepts in AU sec. 312 and the SEC guidance on materiality to develop the following definition of inconsequential: 

A misstatement is inconsequential if a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when aggregated with other misstatements, would clearly be immaterial to the financial statements.  If a reasonable person could not reach such a conclusion regarding a particular misstatement, that misstatement is more than inconsequential.

E92.        Finally, the inclusion of annual or interim financial statements in the definitions rather than just "annual financial statements" was intentional and, in the Board's opinion, closely aligned with the spirit of what Section 404 seeks to accomplish.  However, the Board decided that this choice needed clarification within the auditing standard.  The Board did not intend the inclusion of the interim financial statements in the definition to require the auditor to perform an audit of internal control over financial reporting at each interim date.  Rather, the Board believed that the SEC's definition of internal control over financial reporting included all financial reporting that a public company makes publicly available.  In other words, internal control over financial reporting includes controls over the preparation of annual and quarterly financial statements.  Thus, an evaluation of internal control over financial reporting as of year-end encompasses controls over the annual financial reporting and quarterly financial reporting as such controls exist at that point in time.

E93.        Paragraphs 76 and 77 of the standard clarify this interpretation, as part of the discussion of the period-end financial reporting process.  The period-end financial reporting process includes procedures to prepare both annual and quarterly financial statements.

Strong Indicators of Material Weaknesses and DeFacto Significant Deficiencies

E94.         The proposed standard identified a number of circumstances that, because of their likely significant negative effect on internal control over financial reporting, are significant deficiencies as well as strong indicators that a material weakness exists.  The Board developed this list to promote increased rigor and consistency in auditors' evaluations of weaknesses.  For the implementation of Section 404 of the Act to achieve its objectives, the public must have confidence that all material weaknesses that exist as of the company's year-end will be publicly reported.  Historically, relatively few material weaknesses have been reported by the auditor to management and the audit committee.  That condition is partly due to the nature of a financial statement audit.  In an audit of only the financial statements, the auditor does not have a detection responsibility for material weaknesses in internal control; such a detection responsibility is being newly introduced for all public companies through Sections 103 and 404 of the Act.  However, the Board was concerned about instances in which auditors had identified a condition that should have been, but was not, communicated as a material weakness.  The intention of including the list of strong indicators of material weaknesses in the proposed standard was to bring further clarity to conditions that were likely to be material weaknesses in internal control and to create more consistency in auditors' evaluations.

E95.        Most commenters were generally supportive of a list of significant deficiencies and strong indicators of the existence of material weaknesses.  They believed such a list provided instructive guidance to both management and the auditor.  Some commenters, however, disagreed with the proposed approach of providing such a list.  They believed that the determination of the significance of a deficiency should be left entirely to auditor judgment.  A few commenters requested clarification of the term "strong indicator" and specific guidance on how and when a "strong indicator" could be overcome.  A number of commenters expressed various concerns with individual circumstances included in the list. 

  • Restatement of previously issued financial statements to reflect the correction of a misstatement.  Some commenters expressed concern about the kinds of restatements that would trigger this provision.  A few mentioned the specific instance in which the restatement reflected the SEC's subsequent view of an accounting matter when the auditor, upon reevaluation, continued to believe that management had reasonable support for its original position.  They believed this specific circumstance would not necessarily indicate a significant deficiency in internal control over financial reporting.  Others commented that a restatement of previously issued financial statements would indicate a significant deficiency and strong indicator of a material weakness in the prior period but not necessarily in the current period.
  • Identification by the auditor of a material misstatement in financial statements in the current period that was not initially identified by the company's internal control over financial reporting (even if management subsequently corrects the misstatement).  Several commenters, issuers and auditors alike, expressed concern about including this circumstance on the list.  They explained that, frequently, management is completing the preparation of the financial statements at the same time that the auditor is completing his or her auditing procedures.  In the face of this "strong indicator" provision, a lively debate of "who found it first" would ensue whenever the auditor identifies a misstatement that management subsequently corrects.  Another argument is that the company's controls would have detected a misstatement identified by the auditor if the controls had an opportunity to operate (that is, the auditor performed his or her testing before the company's controls had an opportunity to operate).  Several issuers indicated that they would prevent this latter situation by delaying the auditor's work until the issuers had clearly completed their entire period-end financial reporting process - a delay they viewed as detrimental. 
  • For larger, more complex entities, the internal audit function or the risk assessment function is ineffective.  Several commenters asked for specific factors the auditor was expected to use to assess the effectiveness of these functions.
  • For complex entities in highly regulated industries, an ineffective regulatory compliance function.   Several commenters, particularly issuers in highly regulated industries, objected to the inclusion of this circumstance because they believed this to be outside the scope of internal control over financial reporting.  (They agreed that this would be an internal control-related matter, but one that falls into operating effectiveness and compliance with laws and regulations, not financial reporting.)  Many of these commenters suggested that this circumstance be deleted from the list altogether.  Fewer commenters suggested that this problem could be addressed by simply clarifying that this circumstance is limited to situations in which the ineffective regulatory function relates solely to those aspects for which related violations of laws and regulations could have a direct and material effect on the financial statements.
  • Identification of fraud of any magnitude on the part of senior management.  Several commenters expressed concern that the inclusion of this circumstance created a detection responsibility for the auditor such that the auditor would have to plan and perform procedures to detect fraud of any magnitude on the part of senior management.  Others expressed concern that identification of fraud on the part of senior management by the company's system of internal control over financial reporting might indicate that controls were operating effectively rather than indicating a significant deficiency or material weakness.  Still others requested clarification on how to determine who constituted "senior management."

E96.        A couple of commenters also suggested that an ineffective control environment should be added to the list.

E97.        The Board concluded that the list of significant deficiencies and strong indicators of material weakness should be retained.  Such a list will promote consistency in auditors' and managements' evaluations of deficiencies consistent with the definitions of significant deficiency and material weakness.  The Board also decided to retain the existing structure of the list.  Although the standard leaves auditor judgment to determine whether those deficiencies are material weaknesses, the existence of one of the listed deficiencies is by definition a significant deficiency.  Furthermore, the "strong indicator" construct allows the auditor to factor extenuating or unique circumstances into the evaluation and possibly to conclude that the situation does not represent a material weakness, rather, only a significant deficiency. 

E98.        The Board decided that further clarification was not necessary within the standard itself addressing specifically how and when a "strong indicator" can be overcome.  The term "strong indicator" was selected as opposed to the stronger "presumption" or other such term precisely because the Board did not intend to provide detailed instruction on how to overcome such a presumption.  It is, nevertheless, the Board's view that auditors should be biased toward considering the listed circumstances as material weaknesses. 

E99.        The Board decided to clarify several circumstances included in the list:

  • Restatement of previously issued financial statements to reflect the correction of a misstatement .  The Board observed that the circumstance in which a restatement reflected the SEC's subsequent view of an accounting matter, when the auditor concluded that management had reasonable support for its original position, might present a good example of only a significant deficiency and not a material weakness.  However, the Board concluded that requiring this situation to, nonetheless, be considered by definition a significant deficiency is appropriate, especially considering that the primary result of the circumstance being considered a significant deficiency is the communication of the matter to the audit committee.  Although the audit committee might already be well aware of the circumstances of any restatement, a restatement to reflect the SEC's view on an accounting matter at least has implications for the quality of the company's accounting principles, which is already a required communication to the audit committee.

    With regard to a restatement being a strong indicator of a material weakness in the prior period but not necessarily the current period, the Board disagreed with these comments.  By virtue of the restatement occurring during the current period, the Board views it as appropriate to consider that circumstance a strong indicator that a material weakness existed during the current period.  Depending on the circumstances of the restatement, however, the material weakness may also have been corrected during the current period.  The construct of the standard does not preclude management and the auditor from determining that the circumstance was corrected prior to year-end and, therefore, that a material weakness did not exist at year-end.  The emphasis here is that the circumstance is a strong indicator that a material weakness exists; management and the auditor will separately need to determine whether it has been corrected.  The Board decided that no further clarification was needed in this regard.

  • Identification by the auditor of a material misstatement in financial statements in the current period that was not initially identified by the company's internal control over financial reporting (even if management subsequently corrects the misstatement) .  Regarding the "who-found-it-first" dilemma, the Board recognizes that this circumstance will present certain implementation challenges.  However, the Board decided that none of those challenges were so significant as to require eliminating this circumstance from the list.

    When the Board developed the list of strong indicators, the Board observed that it is not uncommon for the financial statement auditor to identify material misstatements in the course of the audit that are corrected by management prior to the issuance of the company's financial statements.  In some cases, management has relied on the auditor to identify misstatements in certain financial statement items and to propose corrections in amount, classification, or disclosure.  With the introduction of the requirement for management and the auditor to report on the effectiveness of internal control over financial reporting, it becomes obvious that this situation is unacceptable, unless management is willing to accept other than an unqualified report on the internal control effectiveness.  (This situation also raises the question as to the extent management may rely on the annual audit to produce accurate and fair financial statements without impairing the auditor's independence.)  This situation is included on the list of strong indicators because the Board believes it will encourage management and auditors to evaluate this situation with intellectual honesty and to recognize, first, that the company's internal control should provide reasonable assurance that the company's financial statements are presented fairly in accordance with generally accepted accounting principles.

    Timing might be a concern for some issuers.  However, to the extent that management takes additional steps to ensure that the financial information is correct prior to providing it to their auditors, this may, at times, result in an improved control environment.  When companies and auditors work almost simultaneously on completing the preparation of the annual financial statements and the audit, respectively, the role of the auditor can blur with the responsibility of management.  In the year-end rush to complete the annual report, some companies might have come to rely on their auditors as a "control" to further ensure no misstatements are accidentally reflected in the financial statements.  The principal burden seems to be for management's work schedule and administration of their financial reporting deadlines to allow the auditor sufficient time to complete his or her procedures.

    Further, if the auditor initially identified a material misstatement in the financial statements but, given the circumstances, determined that management ultimately would have found the misstatement, the auditor could determine that the circumstance was a significant deficiency but not a material weakness.  The Board decided to retain the provision that this circumstance is at least a significant deficiency because reporting such a circumstance to the audit committee would always be appropriate.

  • For larger, more complex entities, the internal audit function or the risk assessment function is ineffective.  Relatively few commenters requested clarification on how to evaluate these functions.  The Board expects that most auditors will not have trouble making this evaluation.  Similar to the audit committee evaluation, this evaluation is not a separate evaluation of the internal audit or risk assessment functions but, rather, is a way of requiring the auditor to speak up if either of these functions is obviously ineffective at an entity that needs them to have an effective monitoring or risk assessment component.  Unlike the audit committee discussion, most commenters seemed to have understood that this was the context for the internal audit and risk assessment function evaluation.  Nonetheless, the Board decided to add a clarifying note to this circumstance emphasizing the context.
  • For complex entities in highly regulated industries, an ineffective regulatory compliance function.  The Board decided that this circumstance, as described in the proposed standard, would encompass aspects that are outside internal control over financial reporting (which would, of course, be inappropriate for purposes of this standard given its definition of internal control over financial reporting).  The Board concluded that this circumstance should be retained, though clarified, to only apply to those aspects of an ineffective regulatory compliance function that could have a material effect on the financial statements.
  • Identification of fraud of any magnitude on the part of senior management.  The Board did not intend to create any additional detection responsibility for the auditor; rather, it intended that this circumstance apply to fraud on the part of senior management that came to the auditor's attention, regardless of amount.  The Board decided to clarify the standard to make this clear.  The Board noted that identification of fraud by the company's system of internal control over financial reporting might indicate that controls were operating effectively, except when that fraud involves senior management.  Because of the critical role of tone-at-the-top in the overall effectiveness of the control environment and due to the significant negative evidence that fraud of any magnitude on the part of senior management reflects on the control environment, the Board decided that it is appropriate to include this circumstance in the list, regardless of whether the company's controls detected the fraud.  The Board also decided to clarify who is included in "senior management" for this purpose.

E100.   The Board agreed that an ineffective control environment was a significant deficiency and a strong indicator that a material weakness exists and decided to add it to the list.

Independence

E101.   The proposed standard explicitly prohibited the auditor from accepting an engagement to provide an internal control-related service to an audit client that has not been specifically pre-approved by the audit committee.  In other words, the audit committee would not be able to pre-approve internal control-related services as a category.  The Board did not propose any specific guidance on permissible internal control-related services in the proposed standard but, rather, indicated its intent to conduct an in-depth evaluation of independence requirements in the future and highlighted its ability to amend the independence information included in the standard pending the outcome of that analysis.

E102.   Comments were evenly split among investors, auditors, and issuers who believed the existing guidance was sufficient versus those who believed the Board should provide additional guidance.  Commenters who believed existing guidance was sufficient indicated that the SEC's latest guidance on independence needed to be given more time to take effect given its recency and because existing guidance was clear enough.  Commenters who believed more guidance was necessary suggested various additions, from more specificity about permitted and prohibited services to a sweeping ban on any internal control-related work for an audit client.  Other issuers commented about auditors participating in the Section 404 implementation process at their audit clients in a manner that could be perceived as affecting their independence.

E103.   Some commenters suggested that the SEC should change the pre-approval requirements on internal control-related services to specific pre-approval.  Another commenter suggested that specific pre-approval of all internal control-related services would pose an unreasonable burden on the audit committee and suggested reverting to pre-approval by category.

E104.   The Board clearly has the authority to set independence standards as it may deem necessary or appropriate in the public interest or for the protection of investors.  Given ongoing concerns about the appropriateness of auditors providing these types of services to audit clients, the fact-specific nature of each engagement, and the critical importance of ongoing audit committee oversight of these types of services, the Board continues to believe that specific pre-approval of internal control-related services is a logical step that should not pose a burden on the audit committee beyond that which effective oversight of financial reporting already entails.  Therefore, the standard retains this provision unchanged.

Requirement for Adverse Opinion When a Material Weakness Exists

E105.    The existing attestation standard (AT sec. 501) provides that, when the auditor has identified a material weakness in internal control over financial reporting, depending on the significance of the material weakness and its effect on the achievement of the objectives of the control criteria, the auditor may qualify his or her opinion ("except for the effect of the material weakness, internal control over financial reporting was effective") or express an adverse opinion ("internal control over financial reporting was not effective").

E106.   The SEC's final rules implementing Section 404 state that, "Management is not permitted to conclude that the registrant's internal control over financial reporting is effective if there are one or more material weaknesses in the registrant's internal control over financial reporting."  In other words, in such a case, management must conclude that internal control over financial reporting is not effective (that is, a qualified or "except-for" conclusion is not acceptable).

E107.   The Board initially decided that the reporting model for the auditor should follow the required reporting model for management.  Therefore, because management is required to express an "adverse" conclusion in the event a material weakness exists, the auditor's opinion also must be adverse.  The proposed standard did not permit a qualified audit opinion in the event of a material weakness.

E108.   Comments received on requiring an adverse opinion when a material weakness exists were split.  A large number affirmed that this seemed to be the only logical approach, based on a philosophical belief that if a material weakness exists, then internal control over financial reporting is ineffective.  These commenters suggested that permitting a qualified opinion would be akin to creating another category of control deficiency-material weaknesses that were really material (resulting in an adverse opinion) and material weaknesses that weren't so material (resulting in a qualified opinion).

E109.   A number of commenters agreed that the auditor's report must follow the same model as management' reporting, but they believe strongly that the SEC's guidance for management accommodated either a qualified or adverse opinion when a material weakness existed.

E110.   These commenters cited Section II.B.3.c of the SEC Final Rule and related footnote no. 72:

The final rules therefore preclude management from determining that a company's internal control over financial reporting is effective if it identifies one or more material weaknesses in the company's internal control over financial reporting.  This is consistent with interim attestation standards.  See AT sec. 501.

E111.   They believe this reference to the interim attestation standard in the SEC Final Rule is referring to paragraph .37 of AT sec. 501, which states, in part,

Therefore, the presence of a material weakness will preclude the practitioner from concluding that the entity has effective internal control.  However, depending on the significance of the material weakness and its effect on the achievement of the objectives of the control criteria, the practitioner may qualify his or her opinion (that is, express an opinion that internal control is effective "except for" the material weakness noted) or may express an adverse opinion.

E112.   Their reading of the SEC Final Rule and the interim attestation standard led them to conclude that it would be appropriate for the auditor to express either an adverse opinion or a qualified "except-for" opinion about the effectiveness of the company's internal control over financial reporting depending on the circumstances. 

E113.   Some commenters responded that they thought a qualified opinion would be appropriate in certain cases, such as an acquisition close to year-end (too close to be able to assess controls at the acquiree). 

E114.   After additional consultation with the SEC staff about this issue, the Board decided to retain the proposed reporting model in the standard.  The primary reason for that decision was the Board's continued understanding that the SEC staff would expect only an adverse conclusion from management (not a qualified conclusion) in the event a material weakness existed as of the date of management's report.

E115.   The commenters who suggested that a qualified opinion should be permitted in certain circumstances, such as an acquisition close to year-end, were essentially describing scope limitations.  The standard permits a qualified opinion, a disclaimer of opinion, or withdrawal from the engagement if there are restrictions on the scope of the engagement.  As it relates specifically to acquisitions near year-end, this is another case in which the auditor's model needs to follow the model that the SEC sets for management.  The standard added a new paragraph to Appendix B permitting the auditor to limit the scope of his or her work (without referring to a scope limitation in the auditor's report) in the same manner that the SEC permits management to limit its assessment.  In other words, if the SEC permits management to exclude an entity acquired late in the year from a company's assessment of internal control over financial reporting, then the auditor could do the same. 

Rotating Tests of Controls

E116.   The proposed standard directed the auditor to perform tests of controls on "relevant assertions" rather than on "significant controls."  To comply with those requirements, the auditor would be required to apply tests to those controls that are important to presenting each relevant assertion in the financial statements.  The proposed standard emphasized controls that affect relevant assertions because those are the points at which misstatements could occur.  However, it is neither necessary to test all controls nor to test redundant controls (unless redundancy is itself a control objective, as in the case of certain computer controls).  Thus, the proposed standard encouraged the auditor to identify and test controls that addressed the primary areas in which misstatements could occur, yet limited the auditor's work to only the necessary controls.

E117.   Expressing the extent of testing in this manner also simplified other issues involving extent of testing decisions from year to year (the so-called "rotating tests of controls" issue).  The proposed standard stated that the auditor should vary testing from year to year, both to introduce unpredictability into the testing and to respond to changes at the company.  However, the proposed standard maintained that each year's audit must stand on its own.  Therefore, the auditor must obtain evidence of the effectiveness of controls over all relevant assertions related to all significant accounts and disclosures every year.

E118.   Auditors and investors expressed support for these provisions as described in the proposed standard.  In fact, some commenters compared the notion of rotating tests of control in an audit of internal control over financial reporting to an auditor testing accounts receivable only once every few years in a financial statement audit.  Permitting so-called rotation of testing would compromise the auditor's ability to obtain reasonable assurance that his or her opinion was correct.

E119.   Others, especially issuers concerned with limiting costs, strongly advocated some form of rotating tests of controls.  Some commenters suggested that the auditor should have broad latitude to perform some cursory procedures to determine whether any changes had occurred in controls and, if not, to curtail any further testing in that area.  Some suggested that testing as described in the proposed standard should be required in the first year of the audit (the "baseline" year) and that in subsequent years the auditor should be able to reduce the required testing.  Others suggested progressively less aggressive strategies for reducing the amount of work the auditor should be required to perform.  In fact, several commenters (primarily internal auditors) described "baselining" controls as an important strategy to retain.  They argued, for example, that IT application controls, once tested, could be relied upon (without additional testing) in subsequent years as long as general controls over program changes and access controls were effective and continued to be tested.

E120.   The Board concluded that each year's audit must stand on its own.  Cumulative audit knowledge is not to be ignored; some natural efficiencies will emerge as the auditor repeats the audit process.  For example, the auditor will frequently spend less time to obtain the requisite understanding of the company's internal control over financial reporting in subsequent years compared with the time necessary in the first year's audit of internal control over financial reporting.  Also, to the extent that the auditor has previous knowledge of control weaknesses, his or her audit strategy should, of course, reflect that knowledge.  For example, a pattern of mistakes in prior periods is usually a good indicator of the areas in which misstatements are likely to occur.  However, the absence of fraud in prior periods is not a reasonable indicator of the likelihood of misstatement due to fraud.

E121.   However, the auditor needs to test controls every year, regardless of whether controls have obviously changed.  Even if nothing else changed about the company - no changes in the business model, employees, organization, etc. - controls that were effective last year may not be effective this year due to error, complacency, distraction, and other human conditions that result in the inherent limitations in internal control over financial reporting.

E122.   What several commenters referred to as "baselining" (especially as it relates to IT controls) is more commonly referred to by auditors as "benchmarking."  This type of testing strategy for application controls is not precluded by the standard.  However, the Board believes that providing a description of this approach is beyond the scope of this standard.  For these reasons, the standard does not address it.

Mandatory Integration with the Audit of the Financial Statements

E123.   Section 404(b) of the Act provides that the auditor's attestation of management's assessment of internal control shall not be the subject of a separate engagement.  Because the objectives of and work involved in performing both an attestation of management's assessment of internal control over financial reporting and an audit of the financial statements are closely interrelated, the proposed auditing standard introduced an integrated audit of internal control over financial reporting and audit of financial statements.

E124.   However, the proposed standard went even further.  Because of the potential significance of the information obtained during the audit of the financial statements to the auditor's conclusions about the effectiveness of internal control over financial reporting, the proposed standard stated that the auditor could not audit internal control over financial reporting without also auditing the financial statements.  (However, the proposed standard retained the auditor's ability to audit only the financial statements, which might be necessary in the case of certain initial public offerings.)

E125.   Although the Board solicited specific comment on whether the auditor should be prohibited from performing an audit of internal control over financial reporting without also performing an audit of the financial statements, few commenters focused on the significance of the potentially negative evidence that would be obtained during the audit of the financial statements or the implications of this prohibition.  Most commenters focused on the wording of Section 404(b), which indicates that the auditor's attestation of management's assessment of internal control over financial reporting shall not be the subject of a separate engagement.  Based on this information, most commenters saw the prohibition in the proposed standard as superfluous and benign.

E126.   Several commenters recognized the importance of the potentially negative evidence that might be obtained as part of the audit of the financial statements and expressed strong support for requiring that an audit of financial statements be performed to audit internal control over financial reporting.

E127.   Others recognized the implications of this prohibition and expressed concern: What if a company wanted or needed an opinion on the effectiveness of internal control over financial reporting as of an interim date?  For the most part, these commenters (primarily issuers) objected to the implication that an auditor would have to audit a company's financial statements as of an interim date to enable him or her to audit and report on its internal control over financial reporting as of that same interim date.  Other issuers expressed objections related to their desires to engage one auditor to provide an opinion on the effectiveness of internal control over financial reporting and another to audit the financial statements.  Others requested clarification about which guidance would apply when other forms of internal control work were requested by companies.

E128.   The Board concluded that an auditor should perform an audit of internal control over financial reporting only when he or she has also audited company's financial statements.  The auditor must audit the financial statements to have a high level of assurance that his or her conclusion on the effectiveness of internal control over financial reporting is correct.  Inherent in the reasonable assurance provided by the auditor's opinion on internal control over financial reporting is a responsibility for the auditor to plan and perform his or her work to obtain reasonable assurance that material weaknesses, if they exist, are detected.  As previously discussed, this standard states that the identification by the auditor of a material misstatement in the financial statements that was not initially identified by the company's internal control over financial reporting, is a strong indicator of a material weakness.  Without performing a financial statement audit, the auditor would not have reasonable assurance that he or she had detected all material misstatements.  The Board believes that allowing the auditor to audit internal control over financial reporting without also auditing the financial statements would not provide the auditor with a high level of assurance and would mislead investors in terms of the level of assurance obtained.

E129.   In response to other concerns, the Board noted that an auditor can report on the effectiveness of internal control over financial reporting using existing AT sec. 501 for purposes other than satisfying the requirements of Section 404.  This standard supersedes AT sec. 501 only as it relates to complying with Section 404 of the Act.

E130.   Although reporting under the remaining provisions of AT sec. 501 is currently permissible, the Board believes reports issued for public companies under the remaining provisions of AT sec. 501 will be infrequent.  In any event, additional rulemaking might be necessary to prevent confusion that might arise from reporting on internal control engagements under two different standards.  For example, explanatory language could be added to reports issued under AT sec. 501 to clarify that an audit of financial statements was not performed in conjunction with the attestation on internal control over financial reporting and that such a report is not the report resulting from an audit of internal control over financial reporting performed in conjunction with an audit of the financial statements under this standard.  This report modification would alert report readers, particularly if such a report were to appear in an SEC filing or otherwise be made publicly available, that the assurance obtained by the auditor in that engagement is different from the assurance that would have been obtained by the auditor for Section 404 purposes.  Another example of the type of change that might be necessary in separate rulemaking to AT sec. 501 would be to supplement the performance directions to be comparable to those in this standard.  Auditors should remain alert for additional rulemaking by the Board that affects AT sec. 501.

1/ Panel on Audit Effectiveness, Report and Recommendations, sec. 2.228 (August 31, 2000).

2/ April 8, 2003 comment letter from the International Organization of Securities Commissions to the International Auditing and Assurance Standards Board regarding the proposed international standards on audit risk (Amendment to ISA 200, "Objective and Principles Governing an Audit of Financial Statements;" proposed ISAs, "Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement;" "Auditor's Procedures in Response to Assessed Risks;" and "Audit Evidence").

3/ The pre-existing standard is Chapter 5, " Reporting on an Entity's Internal Control Over Financial Reporting " of Statement on Standards for Attestation Engagements (SSAE) No. 10 , Attestation Standards: Revision and Recodification (AICPA, Professional Standards, Vol. 1, AT sec. 501). SSAE No. 10 has been codified into AICPA Professional Standards , Volume 1, as AT sections 101 through 701.

4/See footnote 73 to Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports , Securities and Exchange Commission Release No. 33-8238 (June 5, 2003) [68 FR 36636].

5/ See Section 10A of the Securities Exchange Act of 1934, 15 U.S.C., 78j-1.