Auditing Standard No. 2
An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements
Superseded by Auditing Standard No. 5, effective for fiscal years ending on or after November 15, 2007.
Effective Date: See paragraphs 215-216 of this standard.
Final Rule: PCAOB Release No. 2004-001
Summary Table of Contents
- (1 - 3) Applicability of Standard
- (4 - 6) Auditor's Objective in an Audit of Internal Control Over Financial Reporting
- (7 - 12) Definitions Related to Internal Control Over Financial Reporting
- (13 - 15) Framework Used by Management to Conduct its Assessment
- (16) Inherent Limitations in Internal Control Over Financial Reporting
- (17 - 19) The Concept of Reasonable Assurance
- (20 - 21) Management's Responsibilities in an Audit of Internal Control Over Financial Reporting
- (22 - 23) Materiality Considerations in an Audit of Internal Control Over Financial Reporting
- (24 - 26) Fraud Considerations in an Audit of Internal Control Over Financial Reporting
- (27 - 141) Performing an Audit of Internal Control Over Financial Reporting
- (142 - 144) Requirement for Written Representations
- (145 - 158) Relationship of an Audit of Internal Control Over Financial Reporting to an Audit of Financial Statements
- (159 - 161) Documentation Requirements
- (162 - 199) Reporting on Internal Control Over Financial Reporting
- (200 - 206) Auditor's Responsibilities for Evaluating Management's Certification Disclosures About Internal Control Over Financial Reporting
- (207 - 214) Required Communications in an Audit of Internal Control Over Financial Reporting
- (215 - 216) Effective Date
- Appendix A Illustrative Reports on Internal Control Over Financial Reporting
- Appendix B Additional Performance Requirements and Directions; Extent-of-Testing Examples
- Appendix C Safeguarding of Assets
- Appendix D Examples of Significant Deficiencies and Material Weaknesses
- Appendix E Background and Basis for Conclusions
Applicability of Standard
1. This standard establishes requirements and provides directions that apply when an auditor is engaged to audit both a company's financial statements and management's assessment of the effectiveness of internal control over financial reporting.
Note: The term auditor includes both public accounting firms registered with the Public Company Accounting Oversight Board ("PCAOB" or the "Board") and associated persons thereof.
2. A company subject to the reporting requirements of the Securities Exchange Act of 1934 (an "issuer") is required to include in its annual report a report of management on the company's internal control over financial reporting. Registered investment companies, issuers of asset-backed securities, and nonpublic companies are not subject to the reporting requirements mandated by Section 404 of the Sarbanes-Oxley Act of 2002 (the "Act") (PL 107-204). The report of management is required to contain management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year, including a statement as to whether the company's internal control over financial reporting is effective. The auditor that audits the company's financial statements included in the annual report is required to attest to and report on management's assessment. The company is required to file the auditor's attestation report as part of the annual report.
Note: The term issuer means an issuer (as defined in Section 3 of the Securities Exchange Act of 1934), the securities of which are registered under Section 12 of that Act, or that is required to file reports under Section 15(d) of that Act, or that files or has filed a registration statement with the Securities and Exchange Commission ("SEC" or "Commission") that has not yet become effective under the Securities Act of 1933, and that it has not withdrawn.
Note: Various parts of this standard summarize legal requirements imposed on issuers by the SEC, as well as legal requirements imposed on auditors by regulatory authorities other than the PCAOB. These parts of the standard are intended to provide context and to promote the auditor's understanding of the relationship between his or her obligations under this standard and his or her other legal responsibilities. The standard does not incorporate these legal requirements by reference and is not an interpretation of those other requirements and should not be so construed. (This Note does not apply to references in the standard to the existing professional standards and the Board's interim auditing and related professional practice standards.)
3. This standard is the standard on attestation engagements referred to in Section 404(b) of the Act. This standard is also the standard referred to in Section 103(a)(2)(A)(iii) of the Act. Throughout this standard, the auditor's attestation of management's assessment of the effectiveness of internal control over financial reporting required by Section 404(b) of the Act is referred to as the audit of internal control over financial reporting.
Note: The two terms audit of internal control over financial reporting and attestation of management's assessment of the effectiveness of internal control over financial reporting refer to the same professional service. The first refers to the process, and the second refers to the result of that process.
Auditor's Objective in an Audit of Internal Control Over Financial Reporting
4. The auditor's objective in an audit of internal control over financial reporting is to express an opinion on management's assessment of the effectiveness of the company's internal control over financial reporting. To form a basis for expressing such an opinion, the auditor must plan and perform the audit to obtain reasonable assurance about whether the company maintained, in all material respects, effective internal control over financial reporting as of the date specified in management's assessment. The auditor also must audit the company's financial statements as of the date specified in management's assessment because the information the auditor obtains during a financial statement audit is relevant to the auditor's conclusion about the effectiveness of the company's internal control over financial reporting. Maintaining effective internal control over financial reporting means that no material weaknesses exist; therefore, the objective of the audit of internal control over financial reporting is to obtain reasonable assurance that no material weaknesses exist as of the date specified in management's assessment.
5. To obtain reasonable assurance, the auditor evaluates the assessment performed by management and obtains and evaluates evidence about whether the internal control over financial reporting was designed and operated effectively. The auditor obtains this evidence from a number of sources, including using the work performed by others and performing auditing procedures himself or herself.
6. The auditor should be aware that persons who rely on the information concerning internal control over financial reporting include investors, creditors, the board of directors and audit committee, and regulators in specialized industries, such as banking or insurance. The auditor should be aware that external users of financial statements are interested in information on internal control over financial reporting because it enhances the quality of financial reporting and increases their confidence in financial information, including financial information issued between annual reports, such as quarterly information. Information on internal control over financial reporting is also intended to provide an early warning to those inside and outside the company who are in a position to insist on improvements in internal control over financial reporting, such as the audit committee and regulators in specialized industries. Additionally, Section 302 of the Act and Securities Exchange Act Rule 13a-14(a) or 15d-14(a), 1/ whichever applies, require management, with the participation of the principal executive and financial officers, to make quarterly and annual certifications with respect to the company's internal control over financial reporting.
Definitions Related to Internal Control Over Financial Reporting
7. For purposes of management's assessment and the audit of internal control over financial reporting in this standard, internal control over financial reporting is defined as follows:
A process designed by, or under the supervision of, the company's principal executive and principal financial officers, or persons performing similar functions, and effected by the company's board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
(1) Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company's assets that could have a material effect on the financial statements.
Note: This definition is the same one used by the SEC in its rules requiring management to report on internal control over financial reporting, except the word "registrant" has been changed to "company" to conform to the wording in this standard. (See Securities Exchange Act Rules 13a-15(f) and 15d-15(f). 2/)
Note: Throughout this standard, internal control over financial reporting (singular) refers to the process described in this paragraph. Individual controls or subsets of controls are referred to as controls or controls over financial reporting.
8. A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
- A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective is not always met.
- A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.
9. A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the company's ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the company's annual or interim financial statements that is more than inconsequential will not be prevented or detected.
Note: The term "remote likelihood" as used in the definitions of significant deficiency and material weakness (paragraph 10) has the same meaning as the term "remote" as used in Financial Accounting Standards Board Statement No. 5, Accounting for Contingencies ("FAS No. 5"). Paragraph 3 of FAS No. 5 states:
When a loss contingency exists, the likelihood that the future event or events will confirm the loss or impairment of an asset or the incurrence of a liability can range from probable to remote. This Statement uses the terms probable, reasonably possible, and remote to identify three areas within that range, as follows:
- Probable. The future event or events are likely to occur.
- Reasonably possible. The chance of the future event or events occurring is more than remote but less than likely.
- Remote. The chance of the future event or events occurring is slight.
Therefore, the likelihood of an event is "more than remote" when it is either reasonably possible or probable.
Note: A misstatement is inconsequential if a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when aggregated with other misstatements, would clearly be immaterial to the financial statements. If a reasonable person could not reach such a conclusion regarding a particular misstatement, that misstatement is more than inconsequential.
10. A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.
Note: In evaluating whether a control deficiency exists and whether control deficiencies, either individually or in combination with other control deficiencies, are significant deficiencies or material weaknesses, the auditor should consider the definitions in paragraphs 8, 9 and 10, and the directions in paragraphs 130 through 137. As explained in paragraph 23, the evaluation of the materiality of the control deficiency should include both quantitative and qualitative considerations. Qualitative factors that might be important in this evaluation include the nature of the financial statement accounts and assertions involved and the reasonably possible future consequences of the deficiency. Furthermore, in determining whether a control deficiency or combination of deficiencies is a significant deficiency or a material weakness, the auditor should evaluate the effect of compensating controls and whether such compensating controls are effective.
11. Controls over financial reporting may be preventive controls or detective controls.
- Preventive controls have the objective of preventing errors or fraud from occurring in the first place that could result in a misstatement of the financial statements.
- Detective controls have the objective of detecting errors or fraud that have already occurred that could result in a misstatement of the financial statements.
12. Even well-designed controls that are operating as designed might not prevent a misstatement from occurring. However, this possibility may be countered by overlapping preventive controls or partially countered by detective controls. Therefore, effective internal control over financial reporting often includes a combination of preventive and detective controls to achieve a specific control objective. The auditor's procedures as part of either the audit of internal control over financial reporting or the audit of the financial statements are not part of a company's internal control over financial reporting.
Framework Used by Management to Conduct Its Assessment
13. Management is required to base its assessment of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework established by a body of experts that followed due-process procedures, including the broad distribution of the framework for public comment. In addition to being available to users of management's reports, a framework is suitable only when it:
- Is free from bias;
- Permits reasonably consistent qualitative and quantitative measurements of a company's internal control over financial reporting;
- Is sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness of a company's internal control over financial reporting are not omitted; and
- Is relevant to an evaluation of internal control over financial reporting.
Committee of Sponsoring Organizations Framework
14. In the United States, the Committee of Sponsoring Organizations ("COSO") of the Treadway Commission has published Internal Control - Integrated Framework. Known as the COSO report, it provides a suitable and available framework for purposes of management's assessment. For that reason, the performance and reporting directions in this standard are based on the COSO framework. Other suitable frameworks have been published in other countries and may be developed in the future. Such other suitable frameworks may be used in an audit of internal control over financial reporting. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass, in general, all the themes in COSO. Therefore, the auditor should be able to apply the concepts and guidance in this standard in a reasonable manner.
15. The COSO framework identifies three primary objectives of internal control: efficiency and effectiveness of operations, financial reporting, and compliance with laws and regulations. The COSO perspective on internal control over financial reporting does not ordinarily include the other two objectives of internal control, which are the effectiveness and efficiency of operations and compliance with laws and regulations. However, the controls that management designs and implements may achieve more than one objective. Also, operations and compliance with laws and regulations directly related to the presentation of and required disclosures in financial statements are encompassed in internal control over financial reporting. Additionally, not all controls relevant to financial reporting are accounting controls. Accordingly, all controls that could materially affect financial reporting, including controls that focus primarily on the effectiveness and efficiency of operations or compliance with laws and regulations and also have a material effect on the reliability of financial reporting, are a part of internal control over financial reporting. More information about the COSO framework is included in the COSO report and in AU sec. 319, Consideration of Internal Control in a Financial Statement Audit. 3/ The COSO report also discusses special considerations for internal control over financial reporting for small and medium-sized companies.
Inherent Limitations in Internal Control Over Financial Reporting
16. Internal control over financial reporting cannot provide absolute assurance of achieving financial reporting objectives because of its inherent limitations. Internal control over financial reporting is a process that involves human diligence and compliance and is subject to lapses in judgment and breakdowns resulting from human failures. Internal control over financial reporting also can be circumvented by collusion or improper management override. Because of such limitations, there is a risk that material misstatements may not be prevented or detected on a timely basis by internal control over financial reporting. However, these inherent limitations are known features of the financial reporting process. Therefore, it is possible to design into the process safeguards to reduce, though not eliminate, this risk.
The Concept of Reasonable Assurance
17. Management's assessment of the effectiveness of internal control over financial reporting is expressed at the level of reasonable assurance. The concept of reasonable assurance is built into the definition of internal control over financial reporting and also is integral to the auditor's opinion. 4/ Reasonable assurance includes the understanding that there is a remote likelihood that material misstatements will not be prevented or detected on a timely basis. Although not absolute assurance, reasonable assurance is, nevertheless, a high level of assurance.
18. Just as there are inherent limitations on the assurance that effective internal control over financial reporting can provide, as discussed in paragraph 16, there are limitations on the amount of assurance the auditor can obtain as a result of performing his or her audit of internal control over financial reporting. Limitations arise because an audit is conducted on a test basis and requires the exercise of professional judgment. Nevertheless, the audit of internal control over financial reporting includes obtaining an understanding of internal control over financial reporting, testing and evaluating the design and operating effectiveness of internal control over financial reporting, and performing such other procedures as the auditor considers necessary to obtain reasonable assurance about whether internal control over financial reporting is effective.
19. There is no difference in the level of work performed or assurance obtained by the auditor when expressing an opinion on management's assessment of effectiveness or when expressing an opinion directly on the effectiveness of internal control over financial reporting. In either case, the auditor must obtain sufficient evidence to provide a reasonable basis for his or her opinion and the use and evaluation of management's assessment is inherent in expressing either opinion.
Note: The auditor's report on internal control over financial reporting does not relieve management of its responsibility for assuring users of its financial reports about the effectiveness of internal control over financial reporting.
Management's Responsibilities in an Audit of Internal Control Over Financial Reporting
20. For the auditor to satisfactorily complete an audit of internal control over financial reporting, management must do the following: 5/
- Accept responsibility for the effectiveness of the company's internal control over financial reporting;
- Evaluate the effectiveness of the company's internal control over financial reporting using suitable control criteria;
- Support its evaluation with sufficient evidence, including documentation; and
- Present a written assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year.
21. If the auditor concludes that management has not fulfilled the responsibilities enumerated in the preceding paragraph, the auditor should communicate, in writing, to management and the audit committee that the audit of internal control over financial reporting cannot be satisfactorily completed and that he or she is required to disclaim an opinion. Paragraphs 40 through 46 provide information for the auditor about evaluating management's process for assessing internal control over financial reporting.
Materiality Considerations in an Audit of Internal Control Over Financial Reporting
22. The auditor should apply the concept of materiality in an audit of internal control over financial reporting at both the financial-statement level and at the individual account-balance level. The auditor uses materiality at the financial-statement level in evaluating whether a deficiency, or combination of deficiencies, in controls is a significant deficiency or a material weakness. Materiality at both the financial-statement level and the individual account-balance level is relevant to planning the audit and designing procedures. Materiality at the account-balance level is necessarily lower than materiality at the financial-statement level.
23. The same conceptual definition of materiality that applies to financial reporting applies to information on internal control over financial reporting, including the relevance of both quantitative and qualitative considerations. 6/
- The quantitative considerations are essentially the same as in an audit of financial statements and relate to whether misstatements that would not be prevented or detected by internal control over financial reporting, individually or collectively, have a quantitatively material effect on the financial statements.
- The qualitative considerations apply to evaluating materiality with respect to the financial statements and to additional factors that relate to the perceived needs of reasonable persons who will rely on the information. Paragraph 6 describes some qualitative considerations.
Fraud Considerations in an Audit of Internal Control Over Financial Reporting
24. The auditor should evaluate all controls specifically intended to address the risks of fraud that have at least a reasonably possible likelihood of having a material effect on the company's financial statements. These controls may be a part of any of the five components of internal control over financial reporting, as discussed in paragraph 49. Controls related to the prevention and detection of fraud often have a pervasive effect on the risk of fraud. Such controls include, but are not limited to, the:
- Controls restraining misappropriation of company assets that could result in a material misstatement of the financial statements;
- Company's risk assessment processes;
- Code of ethics/conduct provisions, especially those related to conflicts of interest, related party transactions, illegal acts, and the monitoring of the code by management and the audit committee or board;
- Adequacy of the internal audit activity and whether the internal audit function reports directly to the audit committee, as well as the extent of the audit committee's involvement and interaction with internal audit; and
- Adequacy of the company's procedures for handling complaints and for accepting confidential submissions of concerns about questionable accounting or auditing matters.
25. Part of management's responsibility when designing a company's internal control over financial reporting is to design and implement programs and controls to prevent, deter, and detect fraud. Management, along with those who have responsibility for oversight of the financial reporting process (such as the audit committee), should set the proper tone; create and maintain a culture of honesty and high ethical standards; and establish appropriate controls to prevent, deter, and detect fraud. When management and those responsible for the oversight of the financial reporting process fulfill those responsibilities, the opportunities to commit fraud can be reduced significantly.
26. In an audit of internal control over financial reporting, the auditor's evaluation of controls is interrelated with the auditor's evaluation of controls in a financial statement audit, as required by AU sec. 316, Consideration of Fraud in a Financial Statement Audit. Often, controls identified and evaluated by the auditor during the audit of internal control over financial reporting also address or mitigate fraud risks, which the auditor is required to consider in a financial statement audit. If the auditor identifies deficiencies in controls designed to prevent and detect fraud during the audit of internal control over financial reporting, the auditor should alter the nature, timing, or extent of procedures to be performed during the financial statement audit to be responsive to such deficiencies, as provided in paragraphs .44 and .45 of AU sec. 316.
Performing an Audit of Internal Control Over Financial Reporting
27. In an audit of internal control over financial reporting, the auditor must obtain sufficient competent evidence about the design and operating effectiveness of controls over all relevant financial statement assertions related to all significant accounts and disclosures in the financial statements. The auditor must plan and perform the audit to obtain reasonable assurance that deficiencies that, individually or in the aggregate, would represent material weaknesses are identified. Thus, the audit is not designed to detect deficiencies in internal control over financial reporting that, individually or in the aggregate, are less severe than a material weakness. Because of the potential significance of the information obtained during the audit of the financial statements to the auditor's conclusions about the effectiveness of internal control over financial reporting, the auditor cannot audit internal control over financial reporting without also auditing the financial statements.
Note: However, the auditor may audit the financial statements without also auditing internal control over financial reporting, for example, in the case of certain initial public offerings by a company. See the discussion beginning at paragraph 145 for more information about the importance of auditing both internal control over financial reporting as well as the financial statements when the auditor is engaged to audit internal control over financial reporting.
28. The auditor must adhere to the general standards (See paragraphs 30 through 36) and fieldwork and reporting standards (See paragraph 37) in performing an audit of a company's internal control over financial reporting. This involves the following:
- Planning the engagement;
- Evaluating management's assessment process;
- Obtaining an understanding of internal control over financial reporting;
- Testing and evaluating design effectiveness of internal control over financial reporting;
- Testing and evaluating operating effectiveness of internal control over financial reporting; and
- Forming an opinion on the effectiveness of internal control over financial reporting.
29. Even though some requirements of this standard are set forth in a manner that suggests a sequential process, auditing internal control over financial reporting involves a process of gathering, updating, and analyzing information. Accordingly, the auditor may perform some of the procedures and evaluations described in this section on "Performing an Audit of Internal Control Over Financial Reporting" concurrently.
Applying General, Fieldwork, and Reporting Standards
30. The general standards (See AU sec. 150, Generally Accepted Auditing Standards) are applicable to an audit of internal control over financial reporting. These standards require technical training and proficiency as an auditor, independence in fact and appearance, and the exercise of due professional care, including professional skepticism.
31. Technical Training and Proficiency. To perform an audit of internal control over financial reporting, the auditor should have competence in the subject matter of internal control over financial reporting.
32. Independence. The applicable requirements of independence are largely predicated on four basic principles: (1) an auditor must not act as management or as an employee of the audit client, (2) an auditor must not audit his or her own work, (3) an auditor must not serve in a position of being an advocate for his or her client, and (4) an auditor must not have mutual or conflicting interests with his or her audit client. 7/ If the auditor were to design or implement controls, that situation would place the auditor in a management role and result in the auditor auditing his or her own work. These requirements, however, do not preclude the auditor from making substantive recommendations as to how management may improve the design or operation of the company's internal controls as a by-product of an audit.
33. The auditor must not accept an engagement to provide internal control-related services to an issuer for which the auditor also audits the financial statements unless that engagement has been specifically pre-approved by the audit committee. For any internal control services the auditor provides, management must be actively involved and cannot delegate responsibility for these matters to the auditor. Management's involvement must be substantive and extensive. Management's acceptance of responsibility for documentation and testing performed by the auditor does not by itself satisfy the independence requirements.
34. Maintaining independence, in fact and appearance, requires careful attention, as is the case with all independence issues when work concerning internal control over financial reporting is performed. Unless the auditor and the audit committee are diligent in evaluating the nature and extent of services provided, the services might violate basic principles of independence and cause an impairment of independence in fact or appearance.
35. The independent auditor and the audit committee have significant and distinct responsibilities for evaluating whether the auditor's services impair independence in fact or appearance. The test for independence in fact is whether the activities would impede the ability of anyone on the engagement team or in a position to influence the engagement team from exercising objective judgment in the audits of the financial statements or internal control over financial reporting. The test for independence in appearance is whether a reasonable investor, knowing all relevant facts and circumstances, would perceive an auditor as having interests which could jeopardize the exercise of objective and impartial judgments on all issues encompassed within the auditor's engagement.
36. Due Professional Care. The auditor must exercise due professional care in an audit of internal control over financial reporting. One important tenet of due professional care is exercising professional skepticism. In an audit of internal control over financial reporting, exercising professional skepticism involves essentially the same considerations as in an audit of financial statements, that is, it includes a critical assessment of the work that management has performed in evaluating and testing controls.
37. Fieldwork and Reporting Standards. This standard establishes the fieldwork and reporting standards applicable to an audit of internal control over financial reporting.
38. The concept of materiality, as discussed in paragraphs 22 and 23, underlies the application of the general and fieldwork standards.
Planning the Engagement
39. The audit of internal control over financial reporting should be properly planned and assistants, if any, are to be properly supervised. When planning the audit of internal control over financial reporting, the auditor should evaluate how the following matters will affect the auditor's procedures:
- Knowledge of the company's internal control over financial reporting obtained during other engagements.
- Matters affecting the industry in which the company operates, such as financial reporting practices, economic conditions, laws and regulations, and technological changes.
- Matters relating to the company's business, including its organization, operating characteristics, capital structure, and distribution methods.
- The extent of recent changes, if any, in the company, its operations, or its internal control over financial reporting.
- Management's process for assessing the effectiveness of the company's internal control over financial reporting based upon control criteria.
- Preliminary judgments about materiality, risk, and other factors relating to the determination of material weaknesses.
- Control deficiencies previously communicated to the audit committee or management.
- Legal or regulatory matters of which the company is aware.
- The type and extent of available evidence related to the effectiveness of the company's internal control over financial reporting.
- Preliminary judgments about the effectiveness of internal control over financial reporting.
- The number of significant business locations or units, including management's documentation and monitoring of controls over such locations or business units. (Appendix B, paragraphs B1 through B17, discusses factors the auditor should evaluate to determine the locations at which to perform auditing procedures.)
Evaluating Management's Assessment Process
40. The auditor must obtain an understanding of, and evaluate, management's process for assessing the effectiveness of the company's internal control over financial reporting. When obtaining the understanding, the auditor should determine whether management has addressed the following elements:
- Determining which controls should be tested, including controls over all relevant assertions related to all significant accounts and disclosures in the financial statements. Generally, such controls include:
  - Controls over initiating, authorizing, recording, processing, and reporting significant accounts and disclosures and related assertions embodied in the financial statements.
  - Controls over the selection and application of accounting policies that are in conformity with generally accepted accounting principles.
  - Antifraud programs and controls.
  - Controls, including information technology general controls, on which other controls are dependent.
  - Controls over significant nonroutine and nonsystematic transactions, such as accounts involving judgments and estimates.
  - Company level controls (as described in paragraph 53), including:
- Evaluating the likelihood that failure of the control could result in a misstatement, the magnitude of such a misstatement, and the degree to which other controls, if effective, achieve the same control objectives.
- Determining the locations or business units to include in the evaluation for a company with multiple locations or business units (See paragraphs B1 through B17).
- Evaluating the design effectiveness of controls.
- Evaluating the operating effectiveness of controls based on procedures sufficient to assess their operating effectiveness. Examples of such procedures include testing of the controls by internal audit, testing of controls by others under the direction of management, using a service organization's reports (See paragraphs B18 through B29), inspection of evidence of the application of controls, or testing by means of a self-assessment process, some of which might occur as part of management's ongoing monitoring activities. Inquiry alone is not adequate to complete this evaluation. To evaluate the effectiveness of the company's internal control over financial reporting, management must have evaluated controls over all relevant assertions related to all significant accounts and disclosures.
- Determining the deficiencies in internal control over financial reporting that are of such a magnitude and likelihood of occurrence that they constitute significant deficiencies or material weaknesses.
- Communicating findings to the auditor and to others, if applicable.
- Evaluating whether findings are reasonable and support management's assessment.
41. As part of the understanding and evaluation of management's process, the auditor should obtain an understanding of the results of procedures performed by others. Others include internal audit and third parties working under the direction of management, including other auditors and accounting professionals engaged to perform procedures as a basis for management's assessment. Inquiry of management and others is the beginning point for obtaining an understanding of internal control over financial reporting, but inquiry alone is not adequate for reaching a conclusion on any aspect of internal control over financial reporting effectiveness.
Note: Management cannot use the auditor's procedures as part of the basis for its assessment of the effectiveness of internal control over financial reporting.
42. Management's Documentation. When determining whether management's documentation provides reasonable support for its assessment, the auditor should evaluate whether such documentation includes the following:
- The design of controls over all relevant assertions related to all significant accounts and disclosures in the financial statements. The documentation should include the five components of internal control over financial reporting as discussed in paragraph 49, including the control environment and company-level controls as described in paragraph 53;
- Information about how significant transactions are initiated, authorized, recorded, processed and reported;
- Sufficient information about the flow of transactions to identify the points at which material misstatements due to error or fraud could occur;
- Controls designed to prevent or detect fraud, including who performs the controls and the related segregation of duties;
- Controls over the period-end financial reporting process;
- Controls over safeguarding of assets (See paragraphs C1 through C6); and
- The results of management's testing and evaluation.
43. Documentation might take many forms, such as paper, electronic files, or other media, and can include a variety of information, including policy manuals, process models, flowcharts, job descriptions, documents, and forms. The form and extent of documentation will vary depending on the size, nature, and complexity of the company.
44. Documentation of the design of controls over relevant assertions related to significant accounts and disclosures is evidence that controls related to management's assessment of the effectiveness of internal control over financial reporting, including changes to those controls, have been identified, are capable of being communicated to those responsible for their performance, and are capable of being monitored by the company. Such documentation also provides the foundation for appropriate communication concerning responsibilities for performing controls and for the company's evaluation of and monitoring of the effective operation of controls.
45. Inadequate documentation of the design of controls over relevant assertions related to significant accounts and disclosures is a deficiency in the company's internal control over financial reporting. As discussed in paragraph 138, the auditor should evaluate this documentation deficiency. The auditor might conclude that the deficiency is only a deficiency, or that the deficiency represents a significant deficiency or a material weakness. In evaluating the deficiency as to its significance, the auditor should determine whether management can demonstrate the monitoring component of internal control over financial reporting.
46. Inadequate documentation also could cause the auditor to conclude that there is a limitation on the scope of the engagement.
Obtaining an Understanding of Internal Control Over Financial Reporting
47. The auditor should obtain an understanding of the design of specific controls by applying procedures that include:
- Making inquiries of appropriate management, supervisory, and staff personnel;
- Inspecting company documents;
- Observing the application of specific controls; and
- Tracing transactions through the information system relevant to financial reporting.
48. The auditor could also apply additional procedures to obtain an understanding of the design of specific controls.
49. The auditor must obtain an understanding of the design of controls related to each component of internal control over financial reporting, as discussed below.
- Control Environment. Because of the pervasive effect of the control environment on the reliability of financial reporting, the auditor's preliminary judgment about its effectiveness often influences the nature, timing, and extent of the tests of operating effectiveness considered necessary. Weaknesses in the control environment should cause the auditor to alter the nature, timing, or extent of tests of operating effectiveness that otherwise should have been performed in the absence of the weaknesses.
- Risk Assessment. When obtaining an understanding of the company's risk assessment process, the auditor should evaluate whether management has identified the risks of material misstatement in the significant accounts and disclosures and related assertions of the financial statements and has implemented controls to prevent or detect errors or fraud that could result in material misstatements. For example, the risk assessment process should address how management considers the possibility of unrecorded transactions or identifies and analyzes significant estimates recorded in the financial statements. Risks relevant to reliable financial reporting also relate to specific events or transactions.
- Control Activities. The auditor's understanding of control activities relates to the controls that management has implemented to prevent or detect errors or fraud that could result in material misstatement in the accounts and disclosures and related assertions of the financial statements. For the purposes of evaluating the effectiveness of internal control over financial reporting, the auditor's understanding of control activities encompasses a broader range of accounts and disclosures than what is normally obtained for the financial statement audit.
- Information and Communication. The auditor's understanding of management's information and communication involves understanding the same systems and processes that he or she addresses in an audit of financial statements. In addition, this understanding includes a greater emphasis on comprehending the safeguarding controls and the processes for authorization of transactions and the maintenance of records, as well as the period-end financial reporting process (discussed further beginning at paragraph 76).
- Monitoring. The auditor's understanding of management's monitoring of controls extends to and includes its monitoring of all controls, including control activities, which management has identified and designed to prevent or detect material misstatement in the accounts and disclosures and related assertions of the financial statements.
50. Some controls (such as company-level controls, described in paragraph 53) might have a pervasive effect on the achievement of many overall objectives of the control criteria. For example, information technology general controls over program development, program changes, computer operations, and access to programs and data help ensure that specific controls over the processing of transactions are operating effectively. In contrast, other controls are designed to achieve specific objectives of the control criteria. For example, management generally establishes specific controls, such as accounting for all shipping documents, to ensure that all valid sales are recorded.
51. The auditor should focus on combinations of controls, in addition to specific controls in isolation, in assessing whether the objectives of the control criteria have been achieved. The absence or inadequacy of a specific control designed to achieve the objectives of a specific criterion might not be a deficiency if other controls specifically address the same criterion. Further, when one or more controls achieve the objectives of a specific criterion, the auditor might not need to evaluate other controls designed to achieve those same objectives.
52. Identifying Company-Level Controls. Controls that exist at the company-level often have a pervasive impact on controls at the process, transaction, or application level. For that reason, as a practical consideration, it may be appropriate for the auditor to test and evaluate the design effectiveness of company-level controls first, because the results of that work might affect the way the auditor evaluates the other aspects of internal control over financial reporting.
53. Company-level controls are controls such as the following:
- Controls within the control environment, including tone at the top, the assignment of authority and responsibility, consistent policies and procedures, and company-wide programs, such as codes of conduct and fraud prevention, that apply to all locations and business units (See paragraphs 113 through 115 for further discussion);
- Management's risk assessment process;
- Centralized processing and controls, including shared service environments;
- Controls to monitor results of operations;
- Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs;
- The period-end financial reporting process; and
- Board-approved policies that address significant business control and risk management practices.
Note: The controls listed above are not intended to be a complete list of company-level controls nor is a company required to have all the controls in the list to support its assessment of effective company-level controls. However, ineffective company-level controls are a deficiency that will affect the scope of work performed, particularly when a company has multiple locations or business units, as described in Appendix B.
54. Testing company-level controls alone is not sufficient for the purpose of expressing an opinion on the effectiveness of a company's internal control over financial reporting.
55. Evaluating the Effectiveness of the Audit Committee's Oversight of the Company's External Financial Reporting and Internal Control Over Financial Reporting. The company's audit committee plays an important role within the control environment and monitoring components of internal control over financial reporting. Within the control environment, the existence of an effective audit committee helps to set a positive tone at the top. Within the monitoring component, an effective audit committee challenges the company's activities in the financial arena.
Note: Although the audit committee plays an important role within the control environment and monitoring components of internal control over financial reporting, management is responsible for maintaining effective internal control over financial reporting. This standard does not suggest that this responsibility has been transferred to the audit committee.
Note: If no such committee exists with respect to the company, all references to the audit committee in this standard apply to the entire board of directors of the company. 8/ The auditor should be aware that companies whose securities are not listed on a national securities exchange or an automated inter-dealer quotation system of a national securities association (such as the New York Stock Exchange, American Stock Exchange, or NASDAQ) may not be required to have independent directors for their audit committees. In this case, the auditor should not consider the lack of independent directors at these companies indicative, by itself, of a control deficiency. Likewise, the independence requirements of Securities Exchange Act Rule 10A-3 9/ are not applicable to the listing of non-equity securities of a consolidated or at least 50 percent beneficially owned subsidiary of a listed issuer that is subject to the requirements of Securities Exchange Act Rule 10A-3(c)(2). 10/ Therefore, the auditor should interpret references to the audit committee in this standard, as applied to a subsidiary registrant, as being consistent with the provisions of Securities Exchange Act Rule 10A-3(c)(2). 11/ Furthermore, for subsidiary registrants, communications required by this standard to be directed to the audit committee should be made to the same committee or equivalent body that pre-approves the retention of the auditor by or on behalf of the subsidiary registrant pursuant to Rule 2-01(c)(7) of Regulation S-X 12/ (which might be, for example, the audit committee of the subsidiary registrant, the full board of the subsidiary registrant, or the audit committee of the subsidiary registrant's parent). In all cases, the auditor should interpret the terms "board of directors" and "audit committee" in this standard as being consistent with provisions for the use of those terms as defined in relevant SEC rules.
56. The company's board of directors is responsible for evaluating the performance and effectiveness of the audit committee; this standard does not suggest that the auditor is responsible for performing a separate and distinct evaluation of the audit committee. However, because of the role of the audit committee within the control environment and monitoring components of internal control over financial reporting, the auditor should assess the effectiveness of the audit committee as part of understanding and evaluating those components.
57. The aspects of the audit committee's effectiveness that are important may vary considerably with the circumstances. The auditor focuses on factors related to the effectiveness of the audit committee's oversight of the company's external financial reporting and internal control over financial reporting, such as the independence of the audit committee members from management and the clarity with which the audit committee's responsibilities are articulated (for example, in the audit committee's charter) and how well the audit committee and management understand those responsibilities. The auditor might also consider the audit committee's involvement and interaction with the independent auditor and with internal auditors, as well as interaction with key members of financial management, including the chief financial officer and chief accounting officer.
58. The auditor might also evaluate whether the right questions are raised and pursued with management and the auditor, including questions that indicate an understanding of the critical accounting policies and judgmental accounting estimates, and the responsiveness to issues raised by the auditor.
59. Ineffective oversight by the audit committee of the company's external financial reporting and internal control over financial reporting should be regarded as at least a significant deficiency and is a strong indicator that a material weakness in internal control over financial reporting exists.
60. Identifying Significant Accounts. The auditor should identify significant accounts and disclosures, first at the financial-statement level and then at the account or disclosure-component level. Determining specific controls to test begins by identifying significant accounts and disclosures within the financial statements. When identifying significant accounts, the auditor should evaluate both quantitative and qualitative factors.
61. An account is significant if there is more than a remote likelihood that the account could contain misstatements that individually, or when aggregated with others, could have a material effect on the financial statements, considering the risks of both overstatement and understatement. Other accounts may be significant on a qualitative basis based on the expectations of a reasonable user. For example, investors might be interested in a particular financial statement account even though it is not quantitatively large because it represents an important performance measure.
Note: For purposes of determining significant accounts, the assessment as to likelihood should be made without giving any consideration to the effectiveness of internal control over financial reporting.
62. Components of an account balance subject to differing risks (inherent and control) or different controls should be considered separately as potential significant accounts. For instance, inventory accounts often consist of raw materials (purchasing process), work in process (manufacturing process), finished goods (distribution process), and an allowance for obsolescence.
63. In some cases, separate components of an account might be a significant account because of the company's organizational structure. For example, for a company that has a number of separate business units, each with different management and accounting processes, the accounts at each separate business unit are considered individually as potential significant accounts.
64. An account also may be considered significant because of the exposure to unrecognized obligations represented by the account. For example, loss reserves related to a self-insurance program or unrecorded contractual obligations at a construction contracting subsidiary may have historically been insignificant in amount, yet might represent a more than remote likelihood of material misstatement due to the existence of material unrecorded claims.
65. When deciding whether an account is significant, it is important for the auditor to evaluate both quantitative and qualitative factors, including the:
- Size and composition of the account;
- Susceptibility of loss due to errors or fraud;
- Volume of activity, complexity, and homogeneity of the individual transactions processed through the account;
- Nature of the account (for example, suspense accounts generally warrant greater attention);
- Accounting and reporting complexities associated with the account;
- Exposure to losses represented by the account (for example, loss accruals related to a consolidated construction contracting subsidiary);
- Likelihood (or possibility) of significant contingent liabilities arising from the activities represented by the account;
- Existence of related party transactions in the account; and
- Changes from the prior period in account characteristics (for example, new complexities or subjectivity or new types of transactions).
66. For example, in a financial statement audit, the auditor might not consider the fixed asset accounts significant when there is a low volume of transactions and when inherent risk is assessed as low, even though the balances are material to the financial statements. Accordingly, he or she might decide to perform only substantive procedures on such balances. In an audit of internal control over financial reporting, however, such accounts are significant accounts because of their materiality to the financial statements.
67. As another example, the auditor of the financial statements of a financial institution might not consider trust accounts significant to the institution's financial statements because such accounts are not included in the institution's balance sheet and the associated fee income generated by trust activities is not material. However, in determining whether trust accounts are a significant account for purposes of the audit of internal control over financial reporting, the auditor should assess whether the activities of the trust department are significant to the institution's financial reporting, which also would include considering the contingent liabilities that could arise if a trust department failed to fulfill its fiduciary responsibilities (for example, if investments were made that were not in accordance with stated investment policies). When assessing the significance of possible contingent liabilities, consideration of the amount of assets under the trust department's control may be useful. For this reason, an auditor who has not considered trust accounts significant accounts for purposes of the financial statement audit might determine that they are significant for purposes of the audit of internal control over financial reporting.
68. Identifying Relevant Financial Statement Assertions. For each significant account, the auditor should determine the relevance of each of these financial statement assertions: 13/
- Existence or occurrence;
- Completeness;
- Valuation or allocation;
- Rights and obligations; and
- Presentation and disclosure.
69. To identify relevant assertions, the auditor should determine the source of likely potential misstatements in each significant account. In determining whether a particular assertion is relevant to a significant account balance or disclosure, the auditor should evaluate:
- The nature of the assertion;
- The volume of transactions or data related to the assertion; and
- The nature and complexity of the systems, including the use of information technology by which the company processes and controls information supporting the assertion.
70. Relevant assertions are assertions that have a meaningful bearing on whether the account is fairly stated. For example, valuation may not be relevant to the cash account unless currency translation is involved; however, existence and completeness are always relevant. Similarly, valuation may not be relevant to the gross amount of the accounts receivable balance, but is relevant to the related allowance accounts. Additionally, the auditor might, in some circumstances, focus on the presentation and disclosure assertion separately in connection with the period-end financial reporting process.
71. Identifying Significant Processes and Major Classes of Transactions. The auditor should identify each significant process over each major class of transactions affecting significant accounts or groups of accounts. Major classes of transactions are those classes of transactions that are significant to the company's financial statements. For example, at a company whose sales may be initiated by customers through personal contact in a retail store or electronically through use of the internet, these types of sales would be two major classes of transactions within the sales process if they were both significant to the company's financial statements. As another example, at a company for which fixed assets is a significant account, recording depreciation expense would be a major class of transactions.
72. Different types of major classes of transactions have different levels of inherent risk associated with them and require different levels of management supervision and involvement. For this reason, the auditor might further categorize the identified major classes of transactions by transaction type: routine, nonroutine, and estimation.
- Routine transactions are recurring financial activities reflected in the accounting records in the normal course of business (for example, sales, purchases, cash receipts, cash disbursements, payroll).
- Nonroutine transactions are activities that occur only periodically (for example, taking physical inventory, calculating depreciation expense, adjusting for foreign currencies). A distinguishing feature of nonroutine transactions is that data involved are generally not part of the routine flow of transactions.
- Estimation transactions are activities that involve management judgments or assumptions in formulating account balances in the absence of a precise means of measurement (for example, determining the allowance for doubtful accounts, establishing warranty reserves, assessing assets for impairment).
73. Most processes involve a series of tasks such as capturing input data, sorting and merging data, making calculations, updating transactions and master files, generating transactions, and summarizing and displaying or reporting data. The processing procedures relevant for the auditor to understand the flow of transactions generally are those activities required to initiate, authorize, record, process and report transactions. Such activities include, for example, initially recording sales orders, preparing shipping documents and invoices, and updating the accounts receivable master file. The relevant processing procedures also include procedures for correcting and reprocessing previously rejected transactions and for correcting erroneous transactions through adjusting journal entries.
74. For each significant process, the auditor should:
- Understand the flow of transactions, including how transactions are initiated, authorized, recorded, processed, and reported.
- Identify the points within the process at which a misstatement - including a misstatement due to fraud - related to each relevant financial statement assertion could arise.
- Identify the controls that management has implemented to address these potential misstatements.
- Identify the controls that management has implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets.
Note: The auditor frequently obtains the understanding and identifies the controls described above as part of his or her performance of walkthroughs (as described beginning in paragraph 79).
75. The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting. AU sec. 319, Consideration of Internal Control in a Financial Statement Audit, paragraphs .16 through .20, .30 through .32, and .77 through .79, discuss the effect of information technology on internal control over financial reporting.
76. Understanding the Period-end Financial Reporting Process. The period-end financial reporting process includes the following:
- The procedures used to enter transaction totals into the general ledger;
- The procedures used to initiate, authorize, record, and process journal entries in the general ledger;
- Other procedures used to record recurring and nonrecurring adjustments to the annual and quarterly financial statements, such as consolidating adjustments, report combinations, and classifications; and
- Procedures for drafting annual and quarterly financial statements and related disclosures.
77. As part of understanding and evaluating the period-end financial reporting process, the auditor should evaluate:
- The inputs, procedures performed, and outputs of the processes the company uses to produce its annual and quarterly financial statements;
- The extent of information technology involvement in each period-end financial reporting process element;
- Who participates from management;
- The number of locations involved;
- Types of adjusting entries (for example, standard, nonstandard, eliminating, and consolidating); and
- The nature and extent of the oversight of the process by appropriate parties, including management, the board of directors, and the audit committee.
78. The period-end financial reporting process is always a significant process because of its importance to financial reporting and to the auditor's opinions on internal control over financial reporting and the financial statements. The auditor's understanding of the company's period-end financial reporting process and how it interrelates with the company's other significant processes assists the auditor in identifying and testing controls that are the most relevant to financial statement risks.
79. Performing Walkthroughs. The auditor should perform at least one walkthrough for each major class of transactions (as identified in paragraph 71). In a walkthrough, the auditor traces a transaction from origination through the company's information systems until it is reflected in the company's financial reports. Walkthroughs provide the auditor with evidence to:
- Confirm the auditor's understanding of the process flow of transactions;
- Confirm the auditor's understanding of the design of controls identified for all five components of internal control over financial reporting, including those related to the prevention or detection of fraud;
- Confirm that the auditor's understanding of the process is complete by determining whether all points in the process at which misstatements related to each relevant financial statement assertion that could occur have been identified;
- Evaluate the effectiveness of the design of controls; and
- Confirm whether controls have been placed in operation.
Note: The auditor can often gain an understanding of the transaction flow, identify and understand controls, and conduct the walkthrough simultaneously.
80. The auditor's walkthroughs should encompass the entire process of initiating, authorizing, recording, processing, and reporting individual transactions and controls for each of the significant processes identified, including controls intended to address the risk of fraud. During the walkthrough, at each point at which important processing procedures or controls occur, the auditor should question the company's personnel about their understanding of what is required by the company's prescribed procedures and controls and determine whether the processing procedures are performed as originally understood and on a timely basis. (Controls might not be performed regularly but still be timely.) During the walkthrough, the auditor should be alert for exceptions to the company's prescribed procedures and controls.
81. While performing a walkthrough, the auditor should evaluate the quality of the evidence obtained and perform walkthrough procedures that produce a level of evidence consistent with the objectives listed in paragraph 79. Rather than reviewing copies of documents and making inquiries of a single person at the company, the auditor should follow the process flow of actual transactions using the same documents and information technology that company personnel use and make inquiries of relevant personnel involved in significant aspects of the process or controls. To corroborate information at various points in the walkthrough, the auditor might ask personnel to describe their understanding of the previous and succeeding processing or control activities and to demonstrate what they do. In addition, inquiries should include follow-up questions that could help identify the abuse of controls or indicators of fraud. Examples of follow-up inquiries include asking personnel:
- What they do when they find an error or what they are looking for to determine if there is an error (rather than simply asking them if they perform listed procedures and controls); what kind of errors they have found; what happened as a result of finding the errors, and how the errors were resolved. If the person being interviewed has never found an error, the auditor should evaluate whether that situation is due to good preventive controls or whether the individual performing the control lacks the necessary skills.
- Whether they have ever been asked to override the process or controls, and if so, to describe the situation, why it occurred, and what happened.
82. During the period under audit, when there have been significant changes in the process flow of transactions, including the supporting computer applications, the auditor should evaluate the nature of the change(s) and the effect on related accounts to determine whether to walk through transactions that were processed both before and after the change.
Note: Unless significant changes in the process flow of transactions, including the supporting computer applications, make it more efficient for the auditor to prepare new documentation of a walkthrough, the auditor may carry his or her documentation forward each year, after updating it for any changes that have taken place.
83. Identifying Controls to Test. The auditor should obtain evidence about the effectiveness of controls (either by performing tests of controls himself or herself, or by using the work of others) 14/ for all relevant assertions related to all significant accounts and disclosures in the financial statements. After identifying significant accounts, relevant assertions, and significant processes, the auditor should evaluate the following to identify the controls to be tested:
- Points at which errors or fraud could occur;
- The nature of the controls implemented by management;
- The significance of each control in achieving the objectives of the control criteria and whether more than one control achieves a particular objective or whether more than one control is necessary to achieve a particular objective; and
- The risk that the controls might not be operating effectively. Factors that affect whether the control might not be operating effectively include the following:
  - Whether there have been changes in the volume or nature of transactions that might adversely affect control design or operating effectiveness;
  - Whether there have been changes in the design of controls;
  - The degree to which the control relies on the effectiveness of other controls (for example, the control environment or information technology general controls);
  - Whether there have been changes in key personnel who perform the control or monitor its performance;
  - Whether the control relies on performance by an individual or is automated; and
  - The complexity of the control.
84. The auditor should clearly link individual controls with the significant accounts and assertions to which they relate.
85. The auditor should evaluate whether to test preventive controls, detective controls, or a combination of both for individual relevant assertions related to individual significant accounts. For instance, when performing tests of preventive and detective controls, the auditor might conclude that a deficient preventive control could be compensated for by an effective detective control and, therefore, not result in a significant deficiency or material weakness. For example, a monthly reconciliation control procedure, which is a detective control, might detect an out-of-balance situation resulting from an unauthorized transaction being initiated due to an ineffective authorization procedure, which is a preventive control. When determining whether the detective control is effective, the auditor should evaluate whether the detective control is sufficient to achieve the control objective to which the preventive control relates.
Note: Because effective internal control over financial reporting often includes a combination of preventive and detective controls, the auditor ordinarily will test a combination of both.
86. The auditor should apply tests of controls to those controls that are important to achieving each control objective. It is neither necessary to test all controls nor is it necessary to test redundant controls (that is, controls that duplicate other controls that achieve the same objective and already have been tested), unless redundancy is itself a control objective, as in the case of certain computer controls.
87. Appendix B, paragraphs B1 through B17, provide additional direction to the auditor in determining which controls to test when a company has multiple locations or business units. In these circumstances, the auditor should determine significant accounts and their relevant assertions, significant processes, and major classes of transactions based on those that are relevant and significant to the consolidated financial statements. Having made those determinations in relation to the consolidated financial statements, the auditor should then apply the directions in Appendix B.
Testing and Evaluating Design Effectiveness
88. Internal control over financial reporting is effectively designed when the controls complied with would be expected to prevent or detect errors or fraud that could result in material misstatements in the financial statements. The auditor should determine whether the company has controls to meet the objectives of the control criteria by:
- Identifying the company's control objectives in each area;
- Identifying the controls that satisfy each objective; and
- Determining whether the controls, if operating properly, can effectively prevent or detect errors or fraud that could result in material misstatements in the financial statements.
89. Procedures the auditor performs to test and evaluate design effectiveness include inquiry, observation, walkthroughs, inspection of relevant documentation, and a specific evaluation of whether the controls are likely to prevent or detect errors or fraud that could result in misstatements if they are operated as prescribed by appropriately qualified persons.
90. The procedures that the auditor performs in evaluating management's assessment process and obtaining an understanding of internal control over financial reporting also provide the auditor with evidence about the design effectiveness of internal control over financial reporting.
91. The procedures the auditor performs to test and evaluate design effectiveness also might provide evidence about operating effectiveness.
Testing and Evaluating Operating Effectiveness
92. An auditor should evaluate the operating effectiveness of a control by determining whether the control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively.
93. Nature of Tests of Controls. Tests of controls over operating effectiveness should include a mix of inquiries of appropriate personnel, inspection of relevant documentation, observation of the company's operations, and reperformance of the application of the control. For example, the auditor might observe the procedures for opening the mail and processing cash receipts to test the operating effectiveness of controls over cash receipts. Because an observation is pertinent only at the point in time at which it is made, the auditor should supplement the observation with inquiries of company personnel and inspection of documentation about the operation of such controls at other times. These inquiries might be made concurrently with performing walkthroughs.
94. Inquiry is a procedure that consists of seeking information, both financial and nonfinancial, of knowledgeable persons throughout the company. Inquiry is used extensively throughout the audit and often is complementary to performing other procedures. Inquiries may range from formal written inquiries to informal oral inquiries.
95. Evaluating responses to inquiries is an integral part of the inquiry procedure. Examples of information that inquiries might provide include the skill and competency of those performing the control, the relative sensitivity of the control to prevent or detect errors or fraud, and the frequency with which the control operates to prevent or detect errors or fraud. Responses to inquiries might provide the auditor with information not previously possessed or with corroborative evidence. Alternatively, responses might provide information that differs significantly from other information the auditor obtains (for example, information regarding the possibility of management override of controls). In some cases, responses to inquiries provide a basis for the auditor to modify or perform additional procedures.
96. Because inquiry alone does not provide sufficient evidence to support the operating effectiveness of a control, the auditor should perform additional tests of controls. For example, if the company implements a control activity whereby its sales manager reviews and investigates a report of invoices with unusually high or low gross margins, inquiry of the sales manager as to whether he or she investigates discrepancies would be inadequate. To obtain sufficient evidence about the operating effectiveness of the control, the auditor should corroborate the sales manager's responses by performing other procedures, such as inspecting reports or other documentation used in or generated by the performance of the control, and evaluate whether appropriate actions were taken regarding discrepancies.
97. The nature of the control also influences the nature of the tests of controls the auditor can perform. For example, the auditor might examine documents regarding controls for which documentary evidence exists. However, documentary evidence regarding some aspects of the control environment, such as management's philosophy and operating style, might not exist. In circumstances in which documentary evidence of controls or the performance of controls does not exist and is not expected to exist, the auditor's tests of controls would consist of inquiries of appropriate personnel and observation of company activities. As another example, a signature on a voucher package to indicate that the signer approved it does not necessarily mean that the person carefully reviewed the package before signing. The package may have been signed based on only a cursory review (or without any review). As a result, the quality of the evidence regarding the effective operation of the control might not be sufficiently persuasive. If that is the case, the auditor should reperform the control (for example, checking prices, extensions, and additions) as part of the test of the control. In addition, the auditor might inquire of the person responsible for approving voucher packages what he or she looks for when approving packages and how many errors have been found within voucher packages. The auditor also might inquire of supervisors whether they have any knowledge of errors that the person responsible for approving the voucher packages failed to detect.
98. Timing of Tests of Controls. The auditor must perform tests of controls over a period of time that is adequate to determine whether, as of the date specified in management's report, the controls necessary for achieving the objectives of the control criteria are operating effectively. The period of time over which the auditor performs tests of controls varies with the nature of the controls being tested and with the frequency with which specific controls operate and specific policies are applied. Some controls operate continuously (for example, controls over sales), while others operate only at certain times (for example, controls over the preparation of monthly or quarterly financial statements and controls over physical inventory counts).
99. The auditor's testing of the operating effectiveness of such controls should occur at the time the controls are operating. Controls "as of" a specific date encompass controls that are relevant to the company's internal control over financial reporting "as of" that specific date, even though such controls might not operate until after that specific date. For example, some controls over the period-end financial reporting process normally operate only after the "as of" date. Therefore, if controls over the December 31, 20X4 period-end financial reporting process operate in January 20X5, the auditor should test the control operating in January 20X5 to have sufficient evidence of operating effectiveness "as of" December 31, 20X4.
100. When the auditor reports on the effectiveness of controls "as of" a specific date and obtains evidence about the operating effectiveness of controls at an interim date, he or she should determine what additional evidence to obtain concerning the operation of the control for the remaining period. In making that determination, the auditor should evaluate:
- The specific controls tested prior to the "as of" date and the results of those tests;
- The degree to which evidence about the operating effectiveness of those controls was obtained;
- The length of the remaining period; and
- The possibility that there have been any significant changes in internal control over financial reporting subsequent to the interim date.
101. For controls over significant nonroutine transactions, controls over accounts or processes with a high degree of subjectivity or judgment in measurement, or controls over the recording of period-end adjustments, the auditor should perform tests of controls closer to or at the "as of" date rather than at an interim date. However, the auditor should balance performing the tests of controls closer to the "as of" date with the need to obtain sufficient evidence of operating effectiveness.
102. Prior to the date specified in management's report, management might implement changes to the company's controls to make them more effective or efficient or to address control deficiencies. In that case, the auditor might not need to evaluate controls that have been superseded. For example, if the auditor determines that the new controls achieve the related objectives of the control criteria and have been in effect for a sufficient period to permit the auditor to assess their design and operating effectiveness by performing tests of controls, 15/ he or she will not need to evaluate the design and operating effectiveness of the superseded controls for purposes of expressing an opinion on internal control over financial reporting.
103. As discussed in paragraph 207, however, the auditor must communicate all identified significant deficiencies and material weaknesses in controls to the audit committee in writing. In addition, the auditor should evaluate how the design and operating effectiveness of the superseded controls relates to the auditor's reliance on controls for financial statement audit purposes.
104. Extent of Tests of Controls. Each year the auditor must obtain sufficient evidence about whether the company's internal control over financial reporting, including the controls for all internal control components, is operating effectively. This means that each year the auditor must obtain evidence about the effectiveness of controls for all relevant assertions related to all significant accounts and disclosures in the financial statements. The auditor also should vary from year to year the nature, timing, and extent of testing of controls to introduce unpredictability into the testing and respond to changes in circumstances. For example, each year the auditor might test the controls at a different interim period; increase or reduce the number and types of tests performed; or change the combination of procedures used.
105. In determining the extent of procedures to perform, the auditor should design the procedures to provide a high level of assurance that the control being tested is operating effectively. In making this determination, the auditor should assess the following factors:
- Nature of the control. The auditor should subject manual controls to more extensive testing than automated controls. In some circumstances, testing a single operation of an automated control may be sufficient to obtain a high level of assurance that the control operated effectively, provided that information technology general controls also are operating effectively. For manual controls, sufficient evidence about the operating effectiveness of the controls is obtained by evaluating multiple operations of the control and the results of each operation. The auditor also should assess the complexity of the controls, the significance of the judgments that must be made in connection with their operation, and the level of competence of the person performing the controls that is necessary for the control to operate effectively. As the complexity and level of judgment increase or the level of competence of the person performing the control decreases, the extent of the auditor's testing should increase.
- Frequency of operation. Generally, the more frequently a manual control operates, the more operations of the control the auditor should test. For example, for a manual control that operates in connection with each transaction, the auditor should test multiple operations of the control over a sufficient period of time to obtain a high level of assurance that the control operated effectively. For controls that operate less frequently, such as monthly account reconciliations and controls over the period-end financial reporting process, the auditor may test significantly fewer operations of the control. However, the auditor's evaluation of each operation of controls operating less frequently is likely to be more extensive. For example, when evaluating the operation of a monthly exception report, the auditor should evaluate whether the judgments made with regard to the disposition of the exceptions were appropriate and adequately supported.
Note: When sampling is appropriate and the population of controls to be tested is large, increasing the population size does not proportionately increase the required sample size.
- Importance of the control. Controls that are relatively more important should be tested more extensively. For example, some controls may address multiple financial statement assertions, and certain period-end detective controls might be considered more important than related preventive controls. The auditor should test more operations of such controls or, if such controls operate infrequently, the auditor should evaluate each operation of the control more extensively.
106. Use of Professional Skepticism when Evaluating the Results of Testing. The auditor must conduct the audit of internal control over financial reporting and the audit of the financial statements with professional skepticism, which is an attitude that includes a questioning mind and a critical assessment of audit evidence. For example, even though a control is performed by the same employee whom the auditor believes performed the control effectively in prior periods, the control may not be operating effectively during the current period because the employee could have become complacent, distracted, or otherwise not be effectively carrying out his or her responsibilities. Also, regardless of any past experience with the entity or the auditor's beliefs about management's honesty and integrity, the auditor should recognize the possibility that a material misstatement due to fraud could be present. Furthermore, professional skepticism requires the auditor to consider whether evidence obtained suggests that a material misstatement due to fraud has occurred. In exercising professional skepticism in gathering and evaluating evidence, the auditor must not be satisfied with less-than-persuasive evidence because of a belief that management is honest.
107. When the auditor identifies exceptions to the company's prescribed control procedures, he or she should determine, using professional skepticism, the effect of the exception on the nature and extent of additional testing that may be appropriate or necessary and on the operating effectiveness of the control being tested. A conclusion that an identified exception does not represent a control deficiency is appropriate only if evidence beyond what the auditor had initially planned and beyond inquiry supports that conclusion.
Using the Work of Others
108. In all audits of internal control over financial reporting, the auditor must perform enough of the testing himself or herself so that the auditor's own work provides the principal evidence for the auditor's opinion. The auditor may, however, use the work of others to alter the nature, timing, or extent of the work he or she otherwise would have performed. For these purposes, the work of others includes relevant work performed by internal auditors, company personnel (in addition to internal auditors), and third parties working under the direction of management or the audit committee that provides information about the effectiveness of internal control over financial reporting.
Note: Because the amount of work related to obtaining sufficient evidence to support an opinion about the effectiveness of controls is not susceptible to precise measurement, the auditor's judgment about whether he or she has obtained the principal evidence for the opinion will be qualitative as well as quantitative. For example, the auditor might give more weight to work he or she performed on pervasive controls and in areas such as the control environment than on other controls, such as controls over low-risk, routine transactions.
109. The auditor should evaluate whether to use the work performed by others in the audit of internal control over financial reporting. To determine the extent to which the auditor may use the work of others to alter the nature, timing, or extent of the work the auditor would have otherwise performed, in addition to obtaining the principal evidence for his or her opinion, the auditor should:
- Evaluate the nature of the controls subjected to the work of others (See paragraphs 112 through 116);
- Evaluate the competence and objectivity of the individuals who performed the work (See paragraphs 117 through 122); and
- Test some of the work performed by others to evaluate the quality and effectiveness of their work (See paragraphs 123 through 125).
Note: AU sec. 322, The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements, applies to using the work of internal auditors in an audit of the financial statements. The auditor may apply the relevant concepts described in that section to using the work of others in the audit of internal control over financial reporting.
110. The auditor must obtain sufficient evidence to support his or her opinion. Judgments about the sufficiency of evidence obtained and other factors affecting the auditor's opinion, such as the significance of identified control deficiencies, should be those of the auditor. Evidence obtained through the auditor's direct personal knowledge, observation, reperformance, and inspection is generally more persuasive than information obtained indirectly from others, such as from internal auditors, other company personnel, or third parties working under the direction of management.
111. The requirement that the auditor's own work must provide the principal evidence for the auditor's opinion is one of the boundaries within which the auditor determines the work he or she must perform himself or herself in the audit of internal control over financial reporting. Paragraphs 112 through 125 provide more specific and definitive direction on how the auditor makes this determination, but the directions allow the auditor significant flexibility to use his or her judgment to determine the work necessary to obtain the principal evidence and to determine when the auditor can use the work of others rather than perform the work himself or herself. Regardless of the auditor's determination of the work that he or she must perform himself or herself, the auditor's responsibility to report on the effectiveness of internal control over financial reporting rests solely with the auditor; this responsibility cannot be shared with the other individuals whose work the auditor uses. Therefore, when the auditor uses the work of others, the auditor is responsible for the results of their work.
112. Evaluating the Nature of the Controls Subjected to the Work of Others. The auditor should evaluate the following factors when evaluating the nature of the controls subjected to the work of others. As these factors increase in significance, the need for the auditor to perform his or her own work on those controls increases. As these factors decrease in significance, the need for the auditor to perform his or her own work on those controls decreases.
- The materiality of the accounts and disclosures that the control addresses and the risk of material misstatement.
- The degree of judgment required to evaluate the operating effectiveness of the control (that is, the degree to which the evaluation of the effectiveness of the control requires evaluation of subjective factors rather than objective testing).
- The pervasiveness of the control.
- The level of judgment or estimation required in the account or disclosure.
- The potential for management override of the control.
113. Because of the nature of the controls in the control environment, the auditor should not use the work of others to reduce the amount of work he or she performs on controls in the control environment. The auditor should, however, consider the results of work performed in this area by others because it might indicate the need for the auditor to increase his or her work.
114. The control environment encompasses the following factors: 16/
- Integrity and ethical values;
- Commitment to competence;
- Board of directors or audit committee participation;
- Management's philosophy and operating style;
- Organizational structure;
- Assignment of authority and responsibility; and
- Human resource policies and procedures.
115. Controls that are part of the control environment include, but are not limited to, controls specifically established to prevent and detect fraud that is at least reasonably possible to result in material misstatement of the financial statements.
Note: The term "reasonably possible" has the same meaning as in FAS No. 5. See the first note to paragraph 9 for further discussion.
116. The auditor should perform the walkthroughs (as discussed beginning at paragraph 79) himself or herself because of the degree of judgment required in performing this work. However, to provide additional evidence, the auditor may also review the work of others who have performed and documented walkthroughs. In evaluating whether his or her own evidence provides the principal evidence, the auditor's work on the control environment and in performing walkthroughs constitutes an important part of the auditor's own work.
117. Evaluating the Competence and Objectivity of Others. The extent to which the auditor may use the work of others depends on the degree of competence and objectivity of the individuals performing the work. The higher the degree of competence and objectivity, the greater use the auditor may make of the work; conversely, the lower the degree of competence and objectivity, the less use the auditor may make of the work. Further, the auditor should not use the work of individuals who have a low degree of objectivity, regardless of their level of competence. Likewise, the auditor should not use the work of individuals who have a low level of competence regardless of their degree of objectivity.
118. When evaluating the competence and objectivity of the individuals performing the tests of controls, the auditor should obtain, or update information from prior years, about the factors indicated in the following paragraph. The auditor should determine whether to test the existence and quality of those factors and, if so, the extent to which to test the existence and quality of those factors, based on the intended effect of the work of others on the audit of internal control over financial reporting.
119. Factors concerning the competence of the individuals performing the tests of controls include:
- Their educational level and professional experience.
- Their professional certification and continuing education.
- Practices regarding the assignment of individuals to work areas.
- Supervision and review of their activities.
- Quality of the documentation of their work, including any reports or recommendations issued.
- Evaluation of their performance.
120. Factors concerning the objectivity of the individuals performing the tests of controls include:
- The organizational status of the individuals responsible for the work of others ("testing authority") in testing controls, including:
  - Whether the testing authority reports to an officer of sufficient status to ensure sufficient testing coverage and adequate consideration of, and action on, the findings and recommendations of the individuals performing the testing.
  - Whether the testing authority has direct access and reports regularly to the board of directors or the audit committee.
  - Whether the board of directors or the audit committee oversees employment decisions related to the testing authority.
- Policies to maintain the individuals' objectivity about the areas being tested, including:
  - Policies prohibiting individuals from testing controls in areas in which relatives are employed in important or internal control-sensitive positions.
  - Policies prohibiting individuals from testing controls in areas to which they were recently assigned or are scheduled to be assigned upon completion of their controls testing responsibilities.
121. Internal auditors normally are expected to have greater competence with regard to internal control over financial reporting and objectivity than other company personnel. Therefore, the auditor may be able to use their work to a greater extent than the work of other company personnel. This is particularly true in the case of internal auditors who follow the International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors. If internal auditors have performed an extensive amount of relevant work and the auditor determines they possess a high degree of competence and objectivity, the auditor could use their work to the greatest extent an auditor could use the work of others. On the other hand, if the internal audit function reports solely to management, which would reduce internal auditors' objectivity, or if limited resources allocated to the internal audit function result in very limited testing procedures on its part or reduced competency of the internal auditors, the auditor should use their work to a much lesser extent and perform more of the testing himself or herself.
122. When determining how the work of others will alter the nature, timing, or extent of the auditor's work, the auditor should assess the interrelationship of the nature of the controls, as discussed in paragraph 112, and the competence and objectivity of those who performed the work, as discussed in paragraphs 117 through 121. As the significance of the factors listed in paragraph 112 increases, the ability of the auditor to use the work of others decreases at the same time that the necessary level of competence and objectivity of those who perform the work increases. For example, for some pervasive controls, the auditor may determine that using the work of internal auditors to a limited degree would be appropriate and that using the work of other company personnel would not be appropriate because other company personnel do not have a high enough degree of objectivity as it relates to the nature of the controls.
123. Testing the Work of Others. The auditor should test some of the work of others to evaluate the quality and effectiveness of the work. The auditor's tests of the work of others may be accomplished by either (a) testing some of the controls that others tested or (b) testing similar controls not actually tested by others.
124. The nature and extent of these tests depend on the effect of the work of others on the auditor's procedures but should be sufficient to enable the auditor to make an evaluation of the overall quality and effectiveness of the work the auditor is considering. The auditor also should assess whether this evaluation has an effect on his or her conclusions about the competence and objectivity of the individuals performing the work.
125. In evaluating the quality and effectiveness of the work of others, the auditor should evaluate such factors as to whether the:
- Scope of work is appropriate to meet the objectives.
- Work programs are adequate.
- Work performed is adequately documented, including evidence of supervision and review.
- Conclusions are appropriate in the circumstances.
- Reports are consistent with the results of the work performed.
126. The following examples illustrate how to apply the directions discussed in this section:
- Controls over the period-end financial reporting process. Many of the controls over the period-end financial reporting process address significant risks of misstatement of the accounts and disclosures in the annual and quarterly financial statements, may require significant judgment to evaluate their operating effectiveness, may have a higher potential for management override, and may affect accounts that require a high level of judgment or estimation. Therefore, the auditor could determine that, based on the nature of controls over the period-end financial reporting process, he or she would need to perform more of the tests of those controls himself or herself. Further, because of the nature of the controls, the auditor should use the work of others only if the degree of competence and objectivity of the individuals performing the work is high; therefore, the auditor might use the work of internal auditors to some extent but not the work of others within the company.
- Information technology general controls. Information technology general controls are part of the control activities component of internal control; therefore, the nature of the controls might permit the auditor to use the work of others. For example, program change controls over routine maintenance changes may have a highly pervasive effect, yet involve a low degree of judgment in evaluating their operating effectiveness, can be subjected to objective testing, and have a low potential for management override. Therefore, the auditor could determine that, based on the nature of these program change controls, the auditor could use the work of others to a moderate extent so long as the degree of competence and objectivity of the individuals performing the test is at an appropriate level. On the other hand, controls to detect attempts to override controls that prevent unauthorized journal entries from being posted may have a highly pervasive effect, may involve a high degree of judgment in evaluating their operating effectiveness, may involve a subjective evaluation, and may have a reasonable possibility for management override. Therefore, the auditor could determine that, based on the nature of these controls over systems access, he or she would need to perform more of the tests of those controls himself or herself. Further, because of the nature of the controls, the auditor should use the work of others only if the degree of competence and objectivity of the individuals performing the tests is high.
- Management self-assessment of controls. As described in paragraph 40, management may test the operating effectiveness of controls using a self-assessment process. Because such an assessment is made by the same personnel who are responsible for performing the control, the individuals performing the self-assessment do not have sufficient objectivity as it relates to the subject matter. Therefore, the auditor should not use their work.
- Controls over the calculation of depreciation of fixed assets. Controls over the calculation of depreciation of fixed assets are usually not pervasive, involve a low degree of judgment in evaluating their operating effectiveness, and can be subjected to objective testing. If these conditions describe the controls over the calculation of depreciation of fixed assets and if there is a low potential for management override, the auditor could determine that, based on the nature of these controls, the auditor could use the work of others to a large extent (perhaps entirely) so long as the degree of competence and objectivity of the individuals performing the test is at an appropriate level.
- Alternating tests of controls. Many of the controls over accounts payable, including controls over cash disbursements, are usually not pervasive, involve a low degree of judgment in evaluating their operating effectiveness, can be subjected to objective testing, and have a low potential for management override. When these conditions describe the controls over accounts payable, the auditor could determine that, based on the nature of these controls, he or she could use the work of others to a large extent (perhaps entirely) so long as the degree of competence and objectivity of the individuals performing the test is at an appropriate level. However, if the company recently implemented a major information technology change that significantly affected controls over cash disbursements, the auditor might decide to use the work of others to a lesser extent in the audit immediately following the information technology change and then return, in subsequent years, to using the work of others to a large extent in this area. As another example, the auditor might use the work of others for testing controls over the depreciation of fixed assets (as described in the point above) for several years' audits but decide one year to perform some extent of the work himself or herself to gain an understanding of these controls beyond that provided by performing a walkthrough.
Forming an Opinion on the Effectiveness of Internal Control Over Financial Reporting
127. When forming an opinion on internal control over financial reporting, the auditor should evaluate all evidence obtained from all sources, including:
- The adequacy of the assessment performed by management and the results of the auditor's evaluation of the design and tests of operating effectiveness of controls;
- The negative results of substantive procedures performed during the financial statement audit (for example, recorded and unrecorded adjustments identified as a result of the performance of the auditing procedures); and
- Any identified control deficiencies.
128. As part of this evaluation, the auditor should review all reports issued during the year by internal audit (or similar functions, such as loan review in a financial institution) that address controls related to internal control over financial reporting and evaluate any control deficiencies identified in those reports. This review should include reports issued by internal audit as a result of operational audits or specific reviews of key processes if those reports address controls related to internal control over financial reporting.
129. Issuing an Unqualified Opinion. The auditor may issue an unqualified opinion only when there are no identified material weaknesses and when there have been no restrictions on the scope of the auditor's work. The existence of a material weakness requires the auditor to express an adverse opinion on the effectiveness of internal control over financial reporting (See paragraph 175), while a scope limitation requires the auditor to express a qualified opinion or a disclaimer of opinion, depending on the significance of the limitation in scope (See paragraph 178).
130. Evaluating Deficiencies in Internal Control Over Financial Reporting. The auditor must evaluate identified control deficiencies and determine whether the deficiencies, individually or in combination, are significant deficiencies or material weaknesses. The evaluation of the significance of a deficiency should include both quantitative and qualitative factors.
131. The auditor should evaluate the significance of a deficiency in internal control over financial reporting initially by determining the following:
- The likelihood that a deficiency, or a combination of deficiencies, could result in a misstatement of an account balance or disclosure; and
- The magnitude of the potential misstatement resulting from the deficiency or deficiencies.
132. The significance of a deficiency in internal control over financial reporting depends on the potential for a misstatement, not on whether a misstatement actually has occurred.
133. Several factors affect the likelihood that a deficiency, or a combination of deficiencies, could result in a misstatement of an account balance or disclosure. The factors include, but are not limited to, the following:
- The nature of the financial statement accounts, disclosures, and assertions involved; for example, suspense accounts and related party transactions involve greater risk.
- The susceptibility of the related assets or liability to loss or fraud; that is, greater susceptibility increases risk.
- The subjectivity, complexity, or extent of judgment required to determine the amount involved; that is, greater subjectivity, complexity, or judgment, like that related to an accounting estimate, increases risk.
- The cause and frequency of known or detected exceptions for the operating effectiveness of a control; for example, a control with an observed non-negligible deviation rate is a deficiency.
- The interaction or relationship of the control with other controls; that is, the interdependence or redundancy of the control.
- The interaction of the deficiencies; for example, when evaluating a combination of two or more deficiencies, whether the deficiencies could affect the same financial statement accounts and assertions.
- The possible future consequences of the deficiency.
134. When evaluating the likelihood that a deficiency or combination of deficiencies could result in a misstatement, the auditor should evaluate how the controls interact with other controls. There are controls, such as information technology general controls, on which other controls depend. Some controls function together as a group of controls. Other controls overlap, in the sense that these other controls achieve the same objective.
135. Several factors affect the magnitude of the misstatement that could result from a deficiency or deficiencies in controls. The factors include, but are not limited to, the following:
- The financial statement amounts or total of transactions exposed to the deficiency.
- The volume of activity in the account balance or class of transactions exposed to the deficiency that has occurred in the current period or that is expected in future periods.
136. In evaluating the magnitude of the potential misstatement, the auditor should recognize that the maximum amount that an account balance or total of transactions can be overstated is generally the recorded amount. However, the recorded amount is not a limitation on the amount of potential understatement. The auditor also should recognize that the risk of misstatement might be different for the maximum possible misstatement than for lesser possible amounts.
137. When evaluating the significance of a deficiency in internal control over financial reporting, the auditor also should determine the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles. If the auditor determines that the deficiency would prevent prudent officials in the conduct of their own affairs from concluding that they have reasonable assurance, 17/ then the auditor should deem the deficiency to be at least a significant deficiency. Having determined in this manner that a deficiency represents a significant deficiency, the auditor must further evaluate the deficiency to determine whether individually, or in combination with other deficiencies, the deficiency is a material weakness.
Note: Paragraphs 9 and 10 provide the definitions of significant deficiency and material weakness, respectively.
138. Inadequate documentation of the design of controls and the absence of sufficient documented evidence to support management's assessment of the operating effectiveness of internal control over financial reporting are control deficiencies. As with other control deficiencies, the auditor should evaluate these deficiencies as to their significance.
139. The interaction of qualitative considerations that affect internal control over financial reporting with quantitative considerations ordinarily results in deficiencies in the following areas being at least significant deficiencies in internal control over financial reporting:
- Controls over the selection and application of accounting policies that are in conformity with generally accepted accounting principles;
- Antifraud programs and controls;
- Controls over non-routine and non-systematic transactions; and
- Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; initiate, authorize, record, and process journal entries into the general ledger; and record recurring and nonrecurring adjustments to the financial statements.
140. Each of the following circumstances should be regarded as at least a significant deficiency and as a strong indicator that a material weakness in internal control over financial reporting exists:
- Restatement of previously issued financial statements to reflect the correction of a misstatement.
Note: The correction of a misstatement includes misstatements due to error or fraud; it does not include restatements to reflect a change in accounting principle to comply with a new accounting principle or a voluntary change from one generally accepted accounting principle to another generally accepted accounting principle.
- Identification by the auditor of a material misstatement in financial statements in the current period that was not initially identified by the company's internal control over financial reporting. (This is a strong indicator of a material weakness even if management subsequently corrects the misstatement.)
- Oversight of the company's external financial reporting and internal control over financial reporting by the company's audit committee is ineffective. (Paragraphs 55 through 59 present factors to evaluate when determining whether the audit committee is ineffective.)
- The internal audit function or the risk assessment function is ineffective at a company for which such a function needs to be effective for the company to have an effective monitoring or risk assessment component, such as for very large or highly complex companies.
Note: The evaluation of the internal audit or risk assessment functions is similar to the evaluation of the audit committee, as described in paragraphs 55 through 59, that is, the evaluation is made within the context of the monitoring and risk assessment components. The auditor is not required to make a separate evaluation of the effectiveness and performance of these functions. Instead, the auditor should base his or her evaluation on evidence obtained as part of evaluating the monitoring and risk assessment components of internal control over financial reporting.
- For complex entities in highly regulated industries, an ineffective regulatory compliance function. This relates solely to those aspects of the ineffective regulatory compliance function in which associated violations of laws and regulations could have a material effect on the reliability of financial reporting.
- Identification of fraud of any magnitude on the part of senior management.
Note: The auditor is required to plan and perform procedures to obtain reasonable assurance that material misstatement caused by fraud is detected by the auditor. However, for the purposes of evaluating and reporting deficiencies in internal control over financial reporting, the auditor should evaluate fraud of any magnitude (including fraud resulting in immaterial misstatements) on the part of senior management of which he or she is aware. Furthermore, for the purposes of this circumstance, "senior management" includes the principal executive and financial officers signing the company's certifications as required under Section 302 of the Act as well as any other member of management who plays a significant role in the company's financial reporting process.
- Significant deficiencies that have been communicated to management and the audit committee remain uncorrected after some reasonable period of time.
- An ineffective control environment.
141. Appendix D provides examples of significant deficiencies and material weaknesses.
Requirement for Written Representations
142. In an audit of internal control over financial reporting, the auditor should obtain written representations from management:
- Acknowledging management's responsibility for establishing and maintaining effective internal control over financial reporting;
- Stating that management has performed an assessment of the effectiveness of the company's internal control over financial reporting and specifying the control criteria;
- Stating that management did not use the auditor's procedures performed during the audits of internal control over financial reporting or the financial statements as part of the basis for management's assessment of the effectiveness of internal control over financial reporting;
- Stating management's conclusion about the effectiveness of the company's internal control over financial reporting based on the control criteria as of a specified date;
- Stating that management has disclosed to the auditor all deficiencies in the design or operation of internal control over financial reporting identified as part of management's assessment, including separately disclosing to the auditor all such deficiencies that it believes to be significant deficiencies or material weaknesses in internal control over financial reporting;
- Describing any material fraud and any other fraud that, although not material, involves senior management or management or other employees who have a significant role in the company's internal control over financial reporting;
- Stating whether control deficiencies identified and communicated to the audit committee during previous engagements pursuant to paragraph 207 have been resolved, and specifically identifying any that have not; and
- Stating whether there were, subsequent to the date being reported on, any changes in internal control over financial reporting or other factors that might significantly affect internal control over financial reporting, including any corrective actions taken by management with regard to significant deficiencies and material weaknesses.
143. The failure to obtain written representations from management, including management's refusal to furnish them, constitutes a limitation on the scope of the audit sufficient to preclude an unqualified opinion. As discussed further in paragraph 178, when management limits the scope of the audit, the auditor should either withdraw from the engagement or disclaim an opinion. Further, the auditor should evaluate the effects of management's refusal on his or her ability to rely on other representations, including, if applicable, representations obtained in an audit of the company's financial statements.
144. AU sec. 333, Management Representations, explains matters such as who should sign the letter, the period to be covered by the letter, and when to obtain an updating letter.
Relationship of an Audit of Internal Control Over Financial Reporting to an Audit of Financial Statements
145. The audit of internal control over financial reporting should be integrated with the audit of the financial statements. The objectives of the procedures for the audits are not identical, however, and the auditor must plan and perform the work to achieve the objectives of both audits.
146. The understanding of internal control over financial reporting the auditor obtains and the procedures the auditor performs for purposes of expressing an opinion on management's assessment are interrelated with the internal control over financial reporting understanding the auditor obtains and procedures the auditor performs to assess control risk for purposes of expressing an opinion on the financial statements. As a result, it is efficient for the auditor to coordinate obtaining the understanding and performing the procedures.
Tests of Controls in an Audit of Internal Control Over Financial Reporting
147. The objective of the tests of controls in an audit of internal control over financial reporting is to obtain evidence about the effectiveness of controls to support the auditor's opinion on whether management's assessment of the effectiveness of the company's internal control over financial reporting is fairly stated. The auditor's opinion relates to the effectiveness of the company's internal control over financial reporting as of a point in time and taken as a whole.
148. To express an opinion on internal control over financial reporting effectiveness as of a point in time, the auditor should obtain evidence that internal control over financial reporting has operated effectively for a sufficient period of time, which may be less than the entire period (ordinarily one year) covered by the company's financial statements. To express an opinion on internal control over financial reporting effectiveness taken as a whole, the auditor must obtain evidence about the effectiveness of controls over all relevant assertions related to all significant accounts and disclosures in the financial statements. This requires that the auditor test the design and operating effectiveness of controls he or she ordinarily would not test if expressing an opinion only on the financial statements.
149. When concluding on the effectiveness of internal control over financial reporting for purposes of expressing an opinion on management's assessment, the auditor should incorporate the results of any additional tests of controls performed to achieve the objective related to expressing an opinion on the financial statements, as discussed in the following section.
Tests of Controls in an Audit of Financial Statements
150. To express an opinion on the financial statements, the auditor ordinarily performs tests of controls and substantive procedures. The objective of the tests of controls the auditor performs for this purpose is to assess control risk. To assess control risk for specific financial statement assertions at less than the maximum, the auditor is required to obtain evidence that the relevant controls operated effectively during the entire period upon which the auditor plans to place reliance on those controls. However, the auditor is not required to assess control risk at less than the maximum for all relevant assertions and, for a variety of reasons, the auditor may choose not to do so. 18/
151. When concluding on the effectiveness of controls for the purpose of assessing control risk, the auditor also should evaluate the results of any additional tests of controls performed to achieve the objective related to expressing an opinion on management's assessment, as discussed in paragraphs 147 through 149. Consideration of these results may require the auditor to alter the nature, timing, and extent of substantive procedures and to plan and perform further tests of controls, particularly in response to identified control deficiencies.
Effect of Tests of Controls on Substantive Procedures
152. Regardless of the assessed level of control risk or the assessed risk of material misstatement in connection with the audit of the financial statements, the auditor should perform substantive procedures for all relevant assertions related to all significant accounts and disclosures. Performing procedures to express an opinion on internal control over financial reporting does not diminish this requirement.
153. The substantive procedures that the auditor should perform consist of tests of details of transactions and balances and analytical procedures. Before using the results obtained from substantive analytical procedures, the auditor should either test the design and operating effectiveness of controls over financial information used in the substantive analytical procedures or perform other procedures to support the completeness and accuracy of the underlying information. For significant risks of material misstatement, it is unlikely that audit evidence obtained from substantive analytical procedures alone will be sufficient.
154. When designing substantive analytical procedures, the auditor also should evaluate the risk of management override of controls. As part of this process, the auditor should evaluate whether such an override might have allowed adjustments outside of the normal period-end financial reporting process to have been made to the financial statements. Such adjustments might have resulted in artificial changes to the financial statement relationships being analyzed, causing the auditor to draw erroneous conclusions. For this reason, substantive analytical procedures alone are not well suited to detecting fraud.
155. The auditor's substantive procedures must include reconciling the financial statements to the accounting records. The auditor's substantive procedures also should include examining material adjustments made during the course of preparing the financial statements. Also, other auditing standards require auditors to perform specific tests of details in the financial statement audit. For instance, AU sec. 316, Consideration of Fraud in a Financial Statement Audit, requires the auditor to perform certain tests of details to further address the risk of management override, whether or not a specific risk of fraud has been identified. Paragraph .34 of AU sec. 330, The Confirmation Process, states that there is a presumption that the auditor will request the confirmation of accounts receivable. Similarly, paragraph .01 of AU sec. 331, Inventories, states that observation of inventories is a generally accepted auditing procedure and that the auditor who issues an opinion without this procedure "has the burden of justifying the opinion expressed."
156. If, during the audit of internal control over financial reporting, the auditor identifies a control deficiency, he or she should determine the effect on the nature, timing, and extent of substantive procedures to be performed to reduce the risk of material misstatement of the financial statements to an appropriately low level.
Effect of Substantive Procedures on the Auditor's Conclusions About the Operating Effectiveness of Controls
157. In an audit of internal control over financial reporting, the auditor should evaluate the effect of the findings of all substantive auditing procedures performed in the audit of financial statements on the effectiveness of internal control over financial reporting. This evaluation should include, but not be limited to:
- The auditor's risk evaluations in connection with the selection and application of substantive procedures, especially those related to fraud (See paragraph 26);
- Findings with respect to illegal acts and related party transactions;
- Indications of management bias in making accounting estimates and in selecting accounting principles; and
- Misstatements detected by substantive procedures. The extent of such misstatements might alter the auditor's judgment about the effectiveness of controls.
158. However, the absence of misstatements detected by substantive procedures does not provide evidence that controls related to the assertion being tested are effective.
Documentation Requirements
159. In addition to the documentation requirements in AU sec. 339, Audit Documentation, the auditor should document:
- The understanding obtained and the evaluation of the design of each of the five components of the company's internal control over financial reporting;
- The process used to determine significant accounts and disclosures and major classes of transactions, including the determination of the locations or business units at which to perform testing;
- The identification of the points at which misstatements related to relevant financial statement assertions could occur within significant accounts and disclosures and major classes of transactions;
- The extent to which the auditor relied upon work performed by others as well as the auditor's assessment of their competence and objectivity;
- The evaluation of any deficiencies noted as a result of the auditor's testing; and
- Other findings that could result in a modification to the auditor's report.
160. For a company that has effective internal control over financial reporting, the auditor ordinarily will be able to perform sufficient testing of controls to be able to assess control risk for all relevant assertions related to significant accounts and disclosures at a low level. If, however, the auditor assesses control risk as other than low for certain assertions or significant accounts, the auditor should document the reasons for that conclusion. Examples of when it is appropriate to assess control risk as other than low include:
- When a control over a relevant assertion related to a significant account or disclosure was superseded late in the year and only the new control was tested for operating effectiveness.
- When a material weakness existed during the period under audit and was corrected by the end of the period.
161. The auditor also should document the effect of a conclusion that control risk is other than low for any relevant assertions related to any significant accounts in connection with the audit of the financial statements on his or her opinion on the audit of internal control over financial reporting.
Reporting on Internal Control Over Financial Reporting
Management's Report
162. Management is required to include in its annual report its assessment of the effectiveness of the company's internal control over financial reporting in addition to its audited financial statements as of the end of the most recent fiscal year. Management's report on internal control over financial reporting is required to include the following: 19/
- A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company;
- A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the company's internal control over financial reporting;
- An assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year, including an explicit statement as to whether that internal control over financial reporting is effective; and
- A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting.
163. Management should provide, both in its report on internal control over financial reporting and in its representation letter to the auditor, a written conclusion about the effectiveness of the company's internal control over financial reporting. The conclusion about the effectiveness of a company's internal control over financial reporting can take many forms; however, management is required to state a direct conclusion about whether the company's internal control over financial reporting is effective. This standard, for example, includes the phrase "management's assessment that W Company maintained effective internal control over financial reporting as of [ date ]" to illustrate such a conclusion. Other phrases, such as "management's assessment that W Company's internal control over financial reporting as of [ date ] is sufficient to meet the stated objectives," also might be used. However, the conclusion should not be so subjective (for example, "very effective internal control") that people having competence in and using the same or similar criteria would not ordinarily be able to arrive at similar conclusions.
164. Management is precluded from concluding that the company's internal control over financial reporting is effective if there are one or more material weaknesses. 20/ In addition, management is required to disclose all material weaknesses that exist as of the end of the most recent fiscal year.
165. Management might be able to accurately represent that internal control over financial reporting, as of the end of the company's most recent fiscal year, is effective even if one or more material weaknesses existed during the period. To make this representation, management must have changed the internal control over financial reporting to eliminate the material weaknesses sufficiently in advance of the "as of" date and have satisfactorily tested the effectiveness over a period of time that is adequate for it to determine whether, as of the end of the fiscal year, the design and operation of internal control over financial reporting is effective. 21/
Auditor's Evaluation of Management's Report
166. With respect to management's report on its assessment, the auditor should evaluate the following matters:
- Whether management has properly stated its responsibility for establishing and maintaining adequate internal control over financial reporting.
- Whether the framework used by management to conduct the evaluation is suitable. (As discussed in paragraph 14, the framework described in COSO constitutes a suitable and available framework.)
- Whether management's assessment of the effectiveness of internal control over financial reporting, as of the end of the company's most recent fiscal year, is free of material misstatement.
- Whether management has expressed its assessment in an acceptable form.
  – Management is required to state whether the company's internal control over financial reporting is effective.
  – A negative assurance statement indicating that, "Nothing has come to management's attention to suggest that the company's internal control over financial reporting is not effective," is not acceptable.
  – Management is not permitted to conclude that the company's internal control over financial reporting is effective if there are one or more material weaknesses in the company's internal control over financial reporting.
- Whether material weaknesses identified in the company's internal control over financial reporting, if any, have been properly disclosed, including material weaknesses corrected during the period. 22/
Auditor's Report on Management's Assessment of Internal Control Over Financial Reporting
167. The auditor's report on management's assessment of the effectiveness of internal control over financial reporting must include the following elements:
- A title that includes the word independent;
- An identification of management's conclusion about the effectiveness of the company's internal control over financial reporting as of a specified date based on the control criteria [for example, criteria established in Internal Control-Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)];
- An identification of the title of the management report that includes management's assessment (the auditor should use the same description of the company's internal control over financial reporting as management uses in its report);
- A statement that the assessment is the responsibility of management;
- A statement that the auditor's responsibility is to express an opinion on the assessment and an opinion on the company's internal control over financial reporting based on his or her audit;
- A definition of internal control over financial reporting as stated in paragraph 7;
- A statement that the audit was conducted in accordance with the standards of the Public Company Accounting Oversight Board (United States);
- A statement that the standards of the Public Company Accounting Oversight Board require that the auditor plan and perform the audit to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects;
- A statement that an audit includes obtaining an understanding of internal control over financial reporting, evaluating management's assessment, testing and evaluating the design and operating effectiveness of internal control, and performing such other procedures as the auditor considered necessary in the circumstances;
- A statement that the auditor believes the audit provides a reasonable basis for his or her opinions;
- A paragraph stating that, because of inherent limitations, internal control over financial reporting may not prevent or detect misstatements and that projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate;
- The auditor's opinion on whether management's assessment of the effectiveness of the company's internal control over financial reporting as of the specified date is fairly stated, in all material respects, based on the control criteria (See discussion beginning at paragraph 162);
- The auditor's opinion on whether the company maintained, in all material respects, effective internal control over financial reporting as of the specified date, based on the control criteria;
- The manual or printed signature of the auditor's firm;
- The city and state (or city and country, in the case of non-U.S. auditors) from which the auditor's report has been issued; and
- The date of the audit report.
168. Example A-1 in Appendix A is an illustrative auditor's report for an unqualified opinion on management's assessment of the effectiveness of the company's internal control over financial reporting and an unqualified opinion on the effectiveness of the company's internal control over financial reporting.
169. Separate or Combined Reports. The auditor may choose to issue a combined report (that is, one report containing both an opinion on the financial statements and the opinions on internal control over financial reporting) or separate reports on the company's financial statements and on internal control over financial reporting. Example A-7 in Appendix A is an illustrative combined audit report on internal control over financial reporting. Appendix A also includes examples of separate reports on internal control over financial reporting.
170. If the auditor chooses to issue a separate report on internal control over financial reporting, he or she should add the following paragraph to the auditor's report on the financial statements:
We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States), the effectiveness of W Company's internal control over financial reporting as of December 31, 20X3, based on [ identify control criteria ] and our report dated [ date of report, which should be the same as the date of the report on the financial statements ] expressed [ include nature of opinions ].
and add the following paragraph to the report on internal control over financial reporting:
We have also audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States), the [ identify financial statements ] of W Company and our report dated [ date of report, which should be the same as the date of the report on the effectiveness of internal control over financial reporting ] expressed [ include nature of opinion ].
171. Report Date. As stated previously, the auditor cannot audit internal control over financial reporting without also auditing the financial statements. Therefore, the reports should be dated the same.
172. When the auditor elects to issue a combined report on the audit of the financial statements and the audit of internal control over financial reporting, the audit opinion will address multiple reporting periods for the financial statements presented but only the end of the most recent fiscal year for the effectiveness of internal control over financial reporting and management's assessment of the effectiveness of internal control over financial reporting. See a combined report in Example A-7 in Appendix A.
173. Report Modifications. The auditor should modify the standard report if any of the following conditions exist.
- Management's assessment is inadequate or management's report is inappropriate. (See paragraph 174.)
- There is a material weakness in the company's internal control over financial reporting. (See paragraphs 175 through 177.)
- There is a restriction on the scope of the engagement. (See paragraphs 178 through 181.)
- The auditor decides to refer to the report of other auditors as the basis, in part, for the auditor's own report. (See paragraphs 182 through 185.)
- A significant subsequent event has occurred since the date being reported on. (See paragraphs 186 through 189.)
- There is other information contained in management's report on internal control over financial reporting. (See paragraphs 190 through 192.)
174. Management's Assessment Inadequate or Report Inappropriate. If the auditor determines that management's process for assessing internal control over financial reporting is inadequate, the auditor should modify his or her opinion for a scope limitation (discussed further beginning at paragraph 178). If the auditor determines that management's report is inappropriate, the auditor should modify his or her report to include, at a minimum, an explanatory paragraph describing the reasons for this conclusion.
175. Material Weaknesses. Paragraphs 130 through 141 describe significant deficiencies and material weaknesses. If there are significant deficiencies that, individually or in combination, result in one or more material weaknesses, management is precluded from concluding that internal control over financial reporting is effective. In these circumstances, the auditor must express an adverse opinion on the company's internal control over financial reporting.
176. When expressing an adverse opinion on the effectiveness of internal control over financial reporting because of a material weakness, the auditor's report must include:
- The definition of a material weakness, as provided in paragraph 10.
- A statement that a material weakness has been identified and included in management's assessment. (If the material weakness has not been included in management's assessment, this sentence should be modified to state that the material weakness has been identified but not included in management's assessment. In this case, the auditor also is required to communicate in writing to the audit committee that the material weakness was not disclosed or identified as a material weakness in management's report.)
- A description of any material weaknesses identified in a company's internal control over financial reporting. This description should provide the users of the audit report with specific information about the nature of any material weakness, and its actual and potential effect on the presentation of the company's financial statements issued during the existence of the weakness. This description also should address requirements described in paragraph 194.
177. Depending on the circumstances, the auditor may express both an unqualified opinion and an other-than-unqualified opinion within the same report on internal control over financial reporting. For example, if management makes an adverse assessment because a material weakness has been identified and not corrected ("…internal control over financial reporting is not effective…"), the auditor would express an unqualified opinion on management's assessment ("…management's assessment that internal control over financial reporting is not effective is fairly stated, in all material respects…"). At the same time, the auditor would express an adverse opinion about the effectiveness of internal control over financial reporting ("In our opinion, because of the effect of the material weakness described…, the company's internal control over financial reporting is not effective."). Example A-2 in Appendix A illustrates the form of the report that is appropriate in this situation. Example A-6 in Appendix A illustrates a report that reflects disagreement between management and the auditor that a material weakness exists.
178. Scope Limitations. The auditor can express an unqualified opinion on management's assessment of internal control over financial reporting and an unqualified opinion on the effectiveness of internal control over financial reporting only if the auditor has been able to apply all the procedures necessary in the circumstances. If there are restrictions on the scope of the engagement imposed by the circumstances, the auditor should withdraw from the engagement, disclaim an opinion, or express a qualified opinion. The auditor's decision depends on his or her assessment of the importance of the omitted procedure(s) to his or her ability to form an opinion on management's assessment of internal control over financial reporting and an opinion on the effectiveness of the company's internal control over financial reporting. However, when the restrictions are imposed by management, the auditor should withdraw from the engagement or disclaim an opinion on management's assessment of internal control over financial reporting and the effectiveness of internal control over financial reporting.
179. For example, management might have identified a material weakness in its internal control over financial reporting prior to the date specified in its report and implemented controls to correct it. If management believes that the new controls have been operating for a sufficient period of time to determine that they are both effectively designed and operating, management would be able to include in its assessment its conclusion that internal control over financial reporting is effective as of the date specified. However, if the auditor disagrees with the sufficiency of the time period, he or she would be unable to obtain sufficient evidence that the new controls have been operating effectively for a sufficient period. In that case, the auditor should modify the opinion on the effectiveness of internal control over financial reporting and the opinion on management's assessment of internal control over financial reporting because of a scope limitation.
180. When the auditor plans to disclaim an opinion and the limited procedures performed by the auditor caused the auditor to conclude that a material weakness exists, the auditor's report should include:
- The definition of a material weakness, as provided in paragraph 10.
- A description of any material weaknesses identified in the company's internal control over financial reporting. This description should provide the users of the audit report with specific information about the nature of any material weakness, and its actual and potential effect on the presentation of the company's financial statements issued during the existence of the weakness. This description also should address the requirements in paragraph 194.
181. Example A-3 in Appendix A illustrates the form of report when there is a limitation on the scope of the audit causing the auditor to issue qualified opinions. Example A-4 illustrates the form of report when restrictions on the scope of the audit cause the auditor to disclaim opinions.
182. Opinions Based, in Part, on the Report of Another Auditor. When another auditor has audited the financial statements and internal control over financial reporting of one or more subsidiaries, divisions, branches, or components of the company, the auditor should determine whether he or she may serve as the principal auditor and use the work and reports of another auditor as a basis, in part, for his or her opinions. AU sec. 543, Part of Audit Performed by Other Independent Auditors, provides direction on the auditor's decision of whether to serve as the principal auditor of the financial statements. If the auditor decides it is appropriate to serve as the principal auditor of the financial statements, then that auditor also should be the principal auditor of the company's internal control over financial reporting. This relationship results from the requirement that an audit of the financial statements must be performed to audit internal control over financial reporting; only the principal auditor of the financial statements can be the principal auditor of internal control over financial reporting. In this circumstance, the principal auditor of the financial statements needs to participate sufficiently in the audit of internal control over financial reporting to provide a basis for serving as the principal auditor of internal control over financial reporting.
183. When serving as the principal auditor of internal control over financial reporting, the auditor should decide whether to make reference in the report on internal control over financial reporting to the audit of internal control over financial reporting performed by the other auditor. In these circumstances, the auditor's decision is based on factors similar to those of the independent auditor who uses the work and reports of other independent auditors when reporting on a company's financial statements as described in AU sec. 543.
184. The decision about whether to make reference to another auditor in the report on the audit of internal control over financial reporting might differ from the corresponding decision as it relates to the audit of the financial statements. For example, the audit report on the financial statements may make reference to the audit of a significant equity investment performed by another independent auditor, but the report on internal control over financial reporting might not make a similar reference because management's evaluation of internal control over financial reporting ordinarily would not extend to controls at the equity method investee. 23/
185. When the auditor decides to make reference to the report of the other auditor as a basis, in part, for his or her opinions, the auditor should refer to the report of the other auditor when describing the scope of the audit and when expressing the opinions.
186. Subsequent Events. Changes in internal control over financial reporting or other factors that might significantly affect internal control over financial reporting might occur subsequent to the date as of which internal control over financial reporting is being audited but before the date of the auditor's report. The auditor should inquire of management whether there were any such changes or factors. As described in paragraph 142, the auditor should obtain written representations from management relating to such matters. Additionally, to obtain information about whether changes have occurred that might affect the effectiveness of the company's internal control over financial reporting and, therefore, the auditor's report, the auditor should inquire about and examine, for this subsequent period, the following:
- Relevant internal audit reports (or similar functions, such as loan review in a financial institution) issued during the subsequent period;
- Independent auditor reports (if other than the auditor's) of significant deficiencies or material weaknesses;
- Regulatory agency reports on the company's internal control over financial reporting; and
- Information about the effectiveness of the company's internal control over financial reporting obtained through other engagements.
187. The auditor could inquire about and examine other documents for the subsequent period. Paragraphs .01 through .09 of AU sec. 560, Subsequent Events, provide direction on subsequent events for a financial statement audit that also may be helpful to the auditor performing an audit of internal control over financial reporting.
188. If the auditor obtains knowledge about subsequent events that materially and adversely affect the effectiveness of the company's internal control over financial reporting as of the date specified in the assessment, the auditor should issue an adverse opinion on the effectiveness of internal control over financial reporting (and issue an adverse opinion on management's assessment of internal control over financial reporting if management's report does not appropriately assess the effect of the subsequent event). If the auditor is unable to determine the effect of the subsequent event on the effectiveness of the company's internal control over financial reporting, the auditor should disclaim opinions. As described in paragraph 190, the auditor should disclaim an opinion on management's disclosures about corrective actions taken by the company after the date of management's assessment, if any.
189. The auditor may obtain knowledge about subsequent events with respect to conditions that did not exist at the date specified in the assessment but arose subsequent to that date. If a subsequent event of this type has a material effect on the company, the auditor should include in his or her report an explanatory paragraph describing the event and its effects or directing the reader's attention to the event and its effects as disclosed in management's report. Management's consideration of such events to be disclosed in its report should be limited to a change that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting.
190. Management's Report Containing Additional Information. Management's report on internal control over financial reporting may contain information in addition to management's assessment of the effectiveness of its internal control over financial reporting. Such information might include, for example:
- Disclosures about corrective actions taken by the company after the date of management's assessment;
- The company's plans to implement new controls; and
- A statement that management believes the cost of correcting a material weakness would exceed the benefits to be derived from implementing new controls.
191. If management's assessment includes such additional information, the auditor should disclaim an opinion on the information. For example, the auditor should use the following language as the last paragraph of the report to disclaim an opinion on management's cost-benefit statement:
We do not express an opinion or any other form of assurance on management's statement referring to the costs and related benefits of implementing new controls.
192. If the auditor believes that management's additional information contains a material misstatement of fact, he or she should discuss the matter with management. If the auditor concludes that there is a valid basis for concern, he or she should propose that management consult with some other party whose advice might be useful, such as the company's legal counsel. If, after discussing the matter with management and those management has consulted, the auditor concludes that a material misstatement of fact remains, the auditor should notify management and the audit committee, in writing, of the auditor's views concerning the information. The auditor also should consider consulting the auditor's legal counsel about further actions to be taken, including the auditor's responsibility under Section 10A of the Securities Exchange Act of 1934. 24/
Note: If management makes the types of disclosures described in paragraph 190 outside its report on internal control over financial reporting and includes them elsewhere within its annual report on the company's financial statements, the auditor would not need to disclaim an opinion, as described in paragraph 191. However, in that situation, the auditor's responsibilities are the same as those described in paragraph 192 if the auditor believes that the additional information contains a material misstatement of fact.
193. Effect of Auditor's Adverse Opinion on Internal Control Over Financial Reporting on the Opinion on Financial Statements. In some cases, the auditor's report on internal control over financial reporting might describe a material weakness that resulted in an adverse opinion on the effectiveness of internal control over financial reporting while the audit report on the financial statements remains unqualified. Consequently, during the audit of the financial statements, the auditor did not rely on that control. However, he or she performed additional substantive procedures to determine whether there was a material misstatement in the account related to the control. If, as a result of these procedures, the auditor determines that there was not a material misstatement in the account, he or she would be able to express an unqualified opinion on the financial statements.
194. When the auditor's opinion on the financial statements is unaffected by the adverse opinion on the effectiveness of internal control over financial reporting, the report on internal control over financial reporting (or the combined report, if a combined report is issued) should include the following or similar language in the paragraph that describes the material weakness:
This material weakness was considered in determining the nature, timing, and extent of audit tests applied in our audit of the 20X3 financial statements, and this report does not affect our report dated [ date of report ] on those financial statements. [ Revise this wording appropriately for use in a combined report.]
195. Such disclosure is important to ensure that users of the auditor's report on the financial statements understand why the auditor issued an unqualified opinion on those statements.
196. Disclosure is also important when the auditor's opinion on the financial statements is affected by the adverse opinion on the effectiveness of internal control over financial reporting. In that circumstance, the report on internal control over financial reporting (or the combined report, if a combined report is issued) should include the following or similar language in the paragraph that describes the material weakness:
This material weakness was considered in determining the nature, timing, and extent of audit tests applied in our audit of the 20X3 financial statements.
197. Subsequent Discovery of Information Existing at the Date of the Auditor's Report on Internal Control Over Financial Reporting. After the issuance of the report on internal control over financial reporting, the auditor may become aware of conditions that existed at the report date that might have affected the auditor's opinions had he or she been aware of them. The auditor's evaluation of such subsequent information is similar to the auditor's evaluation of information discovered subsequent to the date of the report on an audit of financial statements, as described in AU sec. 561, Subsequent Discovery of Facts Existing at the Date of the Auditor's Report. That standard requires the auditor to determine whether the information is reliable and whether the facts existed at the date of his or her report. If so, the auditor should determine (1) whether the facts would have changed the report if he or she had been aware of them and (2) whether there are persons currently relying on or likely to rely on the auditor's report. For instance, if previously issued financial statements and the auditor's report have been recalled and reissued to reflect the correction of a misstatement, the auditor should presume that his or her report on the company's internal control over financial reporting as of the same specified date also should be recalled and reissued to reflect the material weakness that existed at that date. Based on these considerations, paragraph .06 of AU sec. 561 provides detailed requirements for the auditor.
198. Filings Under Federal Securities Statutes. AU sec. 711, Filings Under Federal Securities Statutes, describes the auditor's responsibilities when an auditor's report is included in registration statements, proxy statements, or periodic reports filed under the federal securities statutes. The auditor should also apply AU sec. 711 with respect to the auditor's report on management's assessment of the effectiveness of internal control over financial reporting included in such filings. In addition, the direction in paragraph .10 of AU sec. 711 to inquire of and obtain written representations from officers and other executives responsible for financial and accounting matters about whether any events have occurred that have a material effect on the audited financial statements should be extended to matters that could have a material effect on management's assessment of internal control over financial reporting.
199. When the auditor has fulfilled these responsibilities and intends to consent to the inclusion of his or her report on management's assessment of the effectiveness of internal control over financial reporting in the securities filing, the auditor's consent should clearly indicate that both the audit report on financial statements and the audit report on management's assessment of the effectiveness of internal control over financial reporting (or both opinions if a combined report is issued) are included in his or her consent.
Auditor's Responsibilities for Evaluating Management's Certification Disclosures About Internal Control Over Financial Reporting
Required Management Certifications
200. Section 302 of the Act, and Securities Exchange Act Rule 13a-14(a) or 15d-14(a), whichever applies, 25/ requires a company's management, with the participation of the principal executive and financial officers (the certifying officers), to make the following quarterly and annual certifications with respect to the company's internal control over financial reporting:
- A statement that the certifying officers are responsible for establishing and maintaining internal control over financial reporting;
- A statement that the certifying officers have designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under their supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles; and
- A statement that the report discloses any changes in the company's internal control over financial reporting that occurred during the most recent fiscal quarter (the company's fourth fiscal quarter in the case of an annual report) that have materially affected, or are reasonably likely to materially affect, the company's internal control over financial reporting.
201. When the reason for a change in internal control over financial reporting is the correction of a material weakness, management has a responsibility to determine and the auditor should evaluate whether the reason for the change and the circumstances surrounding that change are material information necessary to make the disclosure about the change not misleading. 26/
Auditor Evaluation Responsibilities
202. The auditor's responsibility as it relates to management's quarterly certifications on internal control over financial reporting is different from the auditor's responsibility as it relates to management's annual assessment of internal control over financial reporting. The auditor should perform limited procedures quarterly to provide a basis for determining whether he or she has become aware of any material modifications that, in the auditor's judgment, should be made to the disclosures about changes in internal control over financial reporting in order for the certifications to be accurate and to comply with the requirements of Section 302 of the Act.
203. To fulfill this responsibility, the auditor should perform, on a quarterly basis, the following procedures:
- Inquire of management about significant changes in the design or operation of internal control over financial reporting as it relates to the preparation of annual as well as interim financial information that could have occurred subsequent to the preceding annual audit or prior review of interim financial information;
- Evaluate the implications of misstatements identified by the auditor as part of the auditor's required review of interim financial information (See AU sec. 722, Interim Financial Information) as it relates to effective internal control over financial reporting; and
- Determine, through a combination of observation and inquiry, whether any change in internal control over financial reporting has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting.
Note: Foreign private issuers filing Forms 20-F and 40-F are not subject to quarterly reporting requirements; therefore, the auditor's responsibilities would extend only to the certifications in the annual report of these companies.
204. When matters come to the auditor's attention that lead him or her to believe that modification to the disclosures about changes in internal control over financial reporting is necessary for the certifications to be accurate and to comply with the requirements of Section 302 of the Act and Securities Exchange Act Rule 13a-14(a) or 15d-14(a), whichever applies, 27/ the auditor should communicate the matter(s) to the appropriate level of management as soon as practicable.
205. If, in the auditor's judgment, management does not respond appropriately to the auditor's communication within a reasonable period of time, the auditor should inform the audit committee. If, in the auditor's judgment, the audit committee does not respond appropriately to the auditor's communication within a reasonable period of time, the auditor should evaluate whether to resign from the engagement. The auditor should evaluate whether to consult with his or her attorney when making these evaluations. In these circumstances, the auditor also has responsibilities under AU sec. 317, Illegal Acts by Clients, and Section 10A of the Securities Exchange Act of 1934. 28/ The auditor's responsibilities for evaluating the disclosures about changes in internal control over financial reporting do not diminish in any way management's responsibility for ensuring that its certifications comply with the requirements of Section 302 of the Act and Securities Exchange Act Rule 13a-14(a) or 15d-14(a), whichever applies. 29/
206. If matters come to the auditor's attention as a result of the audit of internal control over financial reporting that lead him or her to believe that modifications to the disclosures about changes in internal control over financial reporting (addressing changes in internal control over financial reporting occurring during the fourth quarter) are necessary for the annual certifications to be accurate and to comply with the requirements of Section 302 of the Act and Securities Exchange Act Rule 13a-14(a) or 15d-14(a), whichever applies, 30/ the auditor should follow the same communication responsibilities as described in paragraphs 204 and 205. However, if management and the audit committee do not respond appropriately, in addition to the responsibilities described in the preceding two paragraphs, the auditor should modify his or her report on the audit of internal control over financial reporting to include an explanatory paragraph describing the reasons the auditor believes management's disclosures should be modified.
Required Communications in an Audit of Internal Control Over Financial Reporting
207. The auditor must communicate in writing to management and the audit committee all significant deficiencies and material weaknesses identified during the audit. The written communication should be made prior to the issuance of the auditor's report on internal control over financial reporting. The auditor's communication should distinguish clearly between those matters considered to be significant deficiencies and those considered to be material weaknesses, as defined in paragraphs 9 and 10, respectively.
208. If a significant deficiency or material weakness exists because the oversight of the company's external financial reporting and internal control over financial reporting by the company's audit committee is ineffective, the auditor must communicate that specific significant deficiency or material weakness in writing to the board of directors.
209. In addition, the auditor should communicate to management, in writing, all deficiencies in internal control over financial reporting (that is, those deficiencies in internal control over financial reporting that are of a lesser magnitude than significant deficiencies) identified during the audit and inform the audit committee when such a communication has been made. When making this communication, it is not necessary for the auditor to repeat information about such deficiencies that have been included in previously issued written communications, whether those communications were made by the auditor, internal auditors, or others within the organization. Furthermore, the auditor is not required to perform procedures sufficient to identify all control deficiencies; rather, the auditor should communicate deficiencies in internal control over financial reporting of which he or she is aware.
Note: As part of his or her evaluation of the effectiveness of internal control over financial reporting, the auditor should determine whether control deficiencies identified by internal auditors and others within the company, for example, through ongoing monitoring activities and the annual assessment of internal control over financial reporting, are reported to appropriate levels of management in a timely manner. The lack of an internal process to report deficiencies in internal control to management on a timely basis represents a control deficiency that the auditor should evaluate as to severity.
210. These written communications should state that the communication is intended solely for the information and use of the board of directors, audit committee, management, and others within the organization. When there are requirements established by governmental authorities to furnish such reports, specific reference to such regulatory agencies may be made.
211. These written communications also should include the definitions of control deficiencies, significant deficiencies, and material weaknesses and should clearly distinguish to which category the deficiencies being communicated relate.
212. Because of the potential for misinterpretation of the limited degree of assurance associated with the auditor issuing a written report representing that no significant deficiencies were noted during an audit of internal control over financial reporting, the auditor should not issue such representations.
213. When auditing internal control over financial reporting, the auditor may become aware of fraud or possible illegal acts. If the matter involves fraud, it must be brought to the attention of the appropriate level of management. If the fraud involves senior management, the auditor must communicate the matter directly to the audit committee as described in AU sec. 316, Consideration of Fraud in a Financial Statement Audit. If the matter involves possible illegal acts, the auditor must assure himself or herself that the audit committee is adequately informed, unless the matter is clearly inconsequential, in accordance with AU sec. 317, Illegal Acts by Clients. The auditor also must determine his or her responsibilities under Section 10A of the Securities Exchange Act of 1934. 31/
214. When timely communication is important, the auditor should communicate the preceding matters during the course of the audit rather than at the end of the engagement. The decision about whether to issue an interim communication should be determined based on the relative significance of the matters noted and the urgency of corrective follow-up action required.
Effective Date
215. Companies considered accelerated filers under Securities Exchange Act Rule 12b-2 32/ are required to comply with the internal control reporting and disclosure requirements of Section 404 of the Act for fiscal years ending on or after November 15, 2004. (Other companies have until fiscal years ending on or after July 15, 2005, to comply with these internal control reporting and disclosure requirements.) Accordingly, independent auditors engaged to audit the financial statements of accelerated filers for fiscal years ending on or after November 15, 2004, also are required to audit and report on the company's internal control over financial reporting as of the end of such fiscal year. This standard is required to be complied with for such engagements, except as it relates to the auditor's responsibilities for evaluating management's certification disclosures about internal control over financial reporting. The auditor's responsibilities for evaluating management's certification disclosures about internal control over financial reporting described in paragraphs 202 through 206 take effect beginning with the first quarter after the auditor's first audit report on the company's internal control over financial reporting.
216. Early compliance with this standard is permitted.
1/ See 17 C.F.R. 240.13a-14(a) or 17 C.F.R. 240.15d-14(a), whichever applies.
2/ See 17 C.F.R. 240, 13a-15(f) and 15d-15(f).
3/ The Board adopted the generally accepted auditing standards, as described in the AICPA Auditing Standards Board's ("ASB") Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards, as in existence on April 16, 2003, on an initial, transitional basis. The Statements on Auditing Standards promulgated by the ASB have been codified into the AICPA Professional Standards, Volume 1, as AU sections 100 through 900. References in this standard to AU sections refer to those generally accepted auditing standards, as adopted on an interim basis in PCAOB Rule 3200T.
4/ See Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, Securities and Exchange Commission Release No. 33-8238 (June 5, 2003) [68 FR 36636] for further discussion of reasonable assurance.
5/ Management is required to fulfill these responsibilities. See Items 308(a) and (c) of Regulation S-B and S-K, 17 C.F.R. 228.308 (a) and (c) and 229.308 (a) and (c), respectively.
6/ AU sec. 312, Audit Risk and Materiality in Conducting an Audit, provides additional explanation of materiality.
7/ See the Preliminary Note of Rule 2-01 of Regulation S-X, 17 C.F.R. 210.2-01.
8/ See 15 U.S.C. 78c(a)58 and 15 U.S.C. 7201(a)(3).
9/ See 17 C.F.R. 240.10A-3.
10/ See 17 C.F.R. 240.10A-3(c)(2).
11/ See 17 C.F.R. 240.10A-3(c)(2).
12/ See 17 C.F.R. 210.2-01(c)(7).
13/ See AU sec. 326, Evidential Matter, which provides additional information on financial statement assertions.
14/ See paragraphs 108 through 126 for additional direction on using the work of others.
15/ Paragraph 179 provides reporting directions in these circumstances when the auditor has not been able to obtain evidence that the new controls were appropriately designed or have been operating effectively for a sufficient period of time.
16/ See the COSO report and paragraph .110 of AU sec. 319, Internal Control in a Financial Statement Audit, for additional information about the factors included in the control environment.
17/ See SEC Staff Accounting Bulletin Topic 1M2, Immaterial Misstatements That Are Intentional, for further discussion about the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs.
18/ See paragraph 160 for additional documentation requirements when the auditor assesses control risk as other than low.
19/ See Item 308(a) of Regulation S-B and S-K, 17 C.F.R. 228.308(a) and 17 C.F.R. 229.308(a), respectively.
20/ See Item 308(a)(3) of Regulation S-B and S-K, 17 C.F.R. 228.308(a) and 17 C.F.R. 229.308(a), respectively.
21/ However, when the reason for a change in internal control over financial reporting is the correction of a material weakness, management and the auditor should evaluate whether the reason for the change and the circumstances surrounding the change are material information necessary to make the disclosure about the change not misleading in a filing subject to certification under Securities Exchange Act Rule 13a-14(a) or 15d-14(a), 17 C.F.R. 240.13a-14(a) or 17 C.F.R. 240.15d-14(a). See discussion beginning at paragraph 200 for further direction.
22/ See paragraph 206 for direction when a material weakness was corrected during the fourth quarter and the auditor believes that modification to the disclosures about changes in internal control over financial reporting is necessary for the annual certifications to be accurate and to comply with the requirements of Section 302 of the Act.
23/ See Appendix B, paragraph B15, for further discussion of the evaluation of the controls over financial reporting for an equity method investment.
24/ See Section 10A of the Securities Exchange Act of 1934, 15 U.S.C. 78j-1.
25/ See 17 C.F.R., 240.13a-14a or 15d-14a, whichever applies.
26/ See Securities Exchange Act Rule 12b-20, 17 C.F.R. 240.12b-20.
27/ See 17 C.F.R. 240.13a-14(a) or 17 C.F.R. 240.15d-14(a), whichever applies.
28/ See 15 U.S.C. 78j-1.
29/ See 17 C.F.R. 240.13a-14(a) or 17 C.F.R. 240.15d-14(a), whichever applies.
30/ See 17 C.F.R. 240.13a-14(a) or 17 C.F.R. 240.15d-14(a), whichever applies.
31/ See 15 U.S.C. 78j-1.
32/ See 17 C.F.R. 240.12b-2.