Skip supplemental navigation

Auditing Standard No. 5

An Audit of Internal Control Over Financial Reporting that is Integrated with an Audit of Financial Statements

APPENDIX A - Definitions

A1.      For purposes of this standard, the terms listed below are defined as follows -

A2.      A control objective provides a specific target against which to evaluate the effectiveness of controls. A control objective for internal control over financial reporting generally relates to a relevant assertion and states a criterion for evaluating whether the company's control procedures in a specific area provide reasonable assurance that a misstatement or omission in that relevant assertion is prevented or detected by controls on a timely basis.

A3.      A deficiency in internal control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

  • A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met.
  • A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.

A4.      Financial statements and related disclosures refers to a company's financial statements and notes to the financial statements as presented in accordance with generally accepted accounting principles ("GAAP"). References to financial statements and related disclosures do not extend to the preparation of management's discussion and analysis or other similar financial information presented outside a company's GAAP-basis financial statements and notes.

A5.       Internal control over financial reporting is a process designed by, or under the supervision of, the company's principal executive and principal financial officers, or persons performing similar functions, and effected by the company's board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP and includes those policies and procedures that -

(1) Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements. 1/

Note: The auditor's procedures as part of either the audit of internal control over financial reporting or the audit of the financial statements are not part of a company's internal control over financial reporting.

Note: Internal control over financial reporting has inherent limitations. Internal control over financial reporting is a process that involves human diligence and compliance and is subject to lapses in judgment and breakdowns resulting from human failures. Internal control over financial reporting also can be circumvented by collusion or improper management override. Because of such limitations, there is a risk that material misstatements will not be prevented or detected on a timely basis by internal control over financial reporting. However, these inherent limitations are known features of the financial reporting process. Therefore, it is possible to design into the process safeguards to reduce, though not eliminate, this risk.

A6.      Management's assessment is the assessment described in Item 308(a)(3) of Regulations S-B and S-K that is included in management's annual report on internal control over financial reporting. 2/

A7.      A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.

Note: There is a reasonable possibility of an event, as used in this standard,  when the likelihood of the event is either "reasonably possible" or "probable," as those terms are used in Financial Accounting Standards Board Statement No. 5, Accounting for Contingencies ("FAS 5"). 3/

A8.      Controls over financial reporting may be preventive controls or detective controls. Effective internal control over financial reporting often includes a combination of preventive and detective controls.

  • Preventive controls have the objective of preventing errors or fraud that could result in a misstatement of the financial statements from occurring.
  • Detective controls have the objective of detecting errors or fraud that has already occurred that could result in a misstatement of the financial statements.

A9.      A relevant assertion is a financial statement assertion that has a reasonable possibility of containing a misstatement or misstatements that would cause the financial statements to be materially misstated. The determination of whether an assertion is a relevant assertion is based on inherent risk, without regard to the effect of controls.

A10.    An account or disclosure is a significant account or disclosure if there is a reasonable possibility that the account or disclosure could contain a misstatement that, individually or when aggregated with others, has a material effect on the financial statements, considering the risks of both overstatement and understatement. The determination of whether an account or disclosure is significant is based on inherent risk, without regard to the effect of controls.

A11.    A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.

1/ See Securities Exchange Act Rules 13a-15(f) and 15d-15(f), 17 C.F.R. §§ 240.13a-15(f) and 240.15d-15(f).

2/ See 17 C.F.R.  §§ 228.308(a)(3) and 229.308(a)(3).

3/ See FAS 5, paragraph 3.