Remarks of Chief Auditor Thomas Ray

Good afternoon. It is a pleasure to be here in Pasadena with you once again. I am especially delighted to be a participant in this conference as it marks its twenty-fifth year.

Introduction and Background

We are at a very important point in the implementation of the internal control reporting requirements of the Sarbanes-Oxley Act of 2002. Large U.S. public companies have been through two cycles of reporting. Mounting evidence points to measurable benefits to investors and to companies in the form of more reliable financial reports and reductions in the cost of capital.[1] Those companies also are improving the efficiency and reducing the cost of compliance.[2] Yet, many still question whether the costs of the internal control requirements are worth the benefits, especially for small companies.

Although there has been considerable progress in making the internal control reporting process efficient and sustainable, there is a need to further improve efficiency. So, efficiency is one of the continuing and important themes as we enter the third year of internal control reporting.

Last month, the Board announced a four-point plan to further improve the implementation of the SOX internal control reporting requirements.[3]

One of the four points is to amend the Board's Auditing Standard No. 2, to sharpen auditors' focus during an integrated audit of financial statements and internal control over financial reporting on areas that pose higher risk of fraud or material error. We are working on those amendments now.

Importantly, there are steps that auditors can and should be taking right now, under the existing Auditing Standard No. 2, to both increase efficiency and achieve the objectives of that standard, and that is what I plan to talk about today.

Before I go further, I have to note that the views I express are my own, and do not necessarily reflect the views of the Board, members of the Board, or other members of the Board's staff.

I will highlight two areas in which I believe significant opportunities for increased efficiency currently exist: the auditor's evaluation of management's assessment process, and the application of the auditor's risk assessment to the nature, timing, and extent of the tests of controls.

The Auditor's Evaluation of Management's Assessment Process

In talking about the auditor's role with regard to management's assessment process, it is helpful to first talk about the auditor's report.

As you know, when reporting on the audit of internal control over financial reporting in accordance with Auditing Standard No. 2, the auditor expresses two opinions: the first opinion is on whether management's assessment about the company's internal control over financial reporting is fairly stated, in all material respects; and the second opinion is on whether the company maintained, in all material respects, effective internal control over financial reporting.

There continues to be some misunderstanding with regard to the first of the two auditor opinions. Some believe that the auditor is expressing an opinion on management's assessment process. That belief, in turn, is fueling what probably is unnecessary additional work directed to evaluating the adequacy of management's process.

Let me dispel the misunderstanding. The first of the two opinions expressed by the auditor is not on management's assessment process. Rather, it is the auditor's opinion as to whether management's required statements about the effectiveness of the company's internal control and its descriptions of any material weaknesses are fairly stated.

So, how is this affecting the auditor's work? Doesn't AS No. 2 require the auditor to evaluate management's assessment process? Yes, AS No. 2 requires the auditor to obtain an understanding of and evaluate management's assessment process, and provides direction as to what the auditor should look for when performing that evaluation.[4]

The principal objective of the auditor's evaluation of management's assessment process is for the auditor to be satisfied that management has an appropriate basis for its conclusion.[5] Accordingly, the extent of the auditor's work is only that which is necessary for the auditor to form a conclusion as to whether management's process was sufficiently complete to provide management with a basis to support its reporting, and whether the results of management's testing support management's conclusion about internal control effectiveness.

In its most basic form, the evaluation of management's process consists of the auditor obtaining from management the documentation of its assessment process, reading that documentation, and discussing the process with management. The procedures the auditor performs to conduct the evaluation need not be extensive and need not include procedures such as retesting items tested by management.

Similarly, the auditor's documentation of his or her evaluation of management's process need not be extensive. For example, the audit documentation might consist of a summary document prepared by management that explains, perhaps for the benefit of the audit committee or other senior managers, the process management used in making its assessment, along with a memorandum prepared by the auditor that documents the auditor's procedures, the results of those procedures, other evidence obtained, if any, and conclusions.

I believe it also is helpful to point out that the auditor's evaluation of management's process is most efficient when management has done a good job documenting both the design of the company's internal control and the assessment process and results.

This also will better enable the auditor to realize other substantial efficiencies in conducting the internal control audit. For example, complete and accurate documentation of the design of the company's internal control helps the auditor to obtain the necessary understanding of the internal control to plan the audit and to focus on the higher-risk areas and to understand changes made to the internal control since the previous audit. Good documentation of management's assessment process will help the auditor understand the work done by management and others that the auditor might use as a part of the basis for his or her audit opinions. Additional work by the auditor directed to realizing these benefits is useful and appropriate.

Effect of Risk on the Nature, Timing, and Extent of Testing

Now I will turn your attention to the auditor's risk assessment and its effects on the nature, timing, and extent of the tests of controls necessary to support the auditor's opinion.

As discussed in staff questions and answers issued in May 2005, a direct relationship exists between the degree of risk that a material weakness could exist in a particular area of the company's controls and the amount of audit attention the auditor should devote to that area.

This risk consists of at least two components: the first is the inherent risk that the particular assertion could contain a material misstatement, absent the existence of controls; the second is the risk that the controls themselves will fail to prevent or detect on a timely basis a material misstatement, if one exists.

This latter risk has to do with how the design of the control affects the likelihood that it will not operate effectively. For example, an automated control is less likely to fail than a manual control because there is no human involvement in the operation of the automated control. As another example, controls that require management to exercise judgment, such as account reconciliations and the clearance of exception reports, are more likely to fail than controls that do not have such judgment as an element of their design.

We have received much feedback after the second year of experience with the SOX internal control reporting provisions that auditors are focusing too much audit attention on low-risk, transaction-level controls.[6] Although transaction-level controls are important to the overall functioning of effective internal control over financial reporting, there is significant opportunity for auditors to reduce the testing in low-risk areas.

Auditors who have two years of internal control experience should now have a thorough understanding of the design and operation of their client's controls, and should be able to bring that knowledge to bear in assessing risk and developing their audit strategy in subsequent audits. Company management may also have increased attention to strengthening company-level controls, in particular, monitoring controls – those controls that are designed to monitor the effectiveness of other company controls. Strong controls at the company level, and in particular the monitoring controls, can have a significant effect on the auditor's testing in lower-risk areas.

The existing standard provides the auditor with significant flexibility to adjust the nature, timing and extent of testing based on risk. For example, provided that the auditor is satisfied that there have been no changes to controls tested in the previous audit – a fact the auditor naturally will confirm as a part of his or her walkthrough procedures – the auditor might limit his or her testing in some low-risk areas to just the walkthrough itself.

It is, of course, necessary for the independent auditor, internal auditors or others to test the detailed operation of those controls from time to time, so that the auditor has sufficient evidence about the operating effectiveness of those controls over time. The frequency of that testing will depend on various factors, including the effectiveness of the company's monitoring controls.

As another example, based on the nature of the controls and the auditor's assessment of risk, the nature of the auditor's procedures might be limited to inquiry, observation, and inspection of company documents that evidence the operation of the controls. Of course, one of the most important elements in making those determinations is the auditor's professional judgment.

Auditing Standard No. 2 does say that, each year, the auditor must obtain evidence about the effectiveness of controls for all relevant assertions related to all significant accounts and disclosures in the financial statements.[7] At first, this might seem like a lot of controls. However, the provisions of AS No. 2 and the guidance issued by the PCAOB in May 2005 provide direction to help the auditor limit the number of controls that are tested in any given year.

First, the auditor is able to eliminate from consideration those controls that do not affect the financial statements. The auditor does that by applying a top-down approach.

Second, the auditor does not necessarily need to test unique controls for each relevant financial statement assertion. Some controls are designed to be effective at addressing the risk of misstatement in more than one account or assertion. Also, management might decide to implement redundant controls in some areas. Provided that the auditor has identified controls that sufficiently guard against the risk of material misstatement and obtained evidence about their effectiveness, it is neither necessary to test all controls nor is it necessary to test redundant controls.[8]

The key to doing this efficiently is through a careful application of the top-down approach and by thoroughly understanding the design of the company's internal control and how the relevant assertions are linked to specific controls.


The methods I’ve discussed today are designed not only to make the internal control audit less costly. They also make the audit more effective, because they focus the auditor on the parts of a company’s internal control that present the greatest risk of failing to prevent or detect a material misstatement in the financial statements.

We already have begun to see numerous and valuable benefits from internal control audits, but those benefits depend on auditors performing their work in a way that identifies and addresses real risks. I think most auditors understand this, and I believe progress has been made in making the integrated audit more efficient. There is more to do, however, and my remarks today should help auditors exercise appropriate judgment in achieving further efficiency.

Our goal is to retain the benefits of internal control reporting – above all, to protect the interests of investors – while eliminating unnecessary costs. As the Board laid out in its four-point plan last month, the Board’s planned refinements to its auditing standard on internal control will likely further focus auditors on ways to make their work as effective and efficient as possible. And, as I hope I have made clear, the audit profession also has a leading role to play.

Thank you.

[1] See, for example, Ashbaugh-Skaife, Hollis, Collins, Daniel W., Kinney, Jr., William R. and LaFond, Ryan, "The Effect of Internal Control Deficiencies on Firm Risk and Cost of Equity Capital" (April 2006), and The Lord and Benoit Report: Do the Benefits of 404 Exceed the Cost? Highest Returns were Companies with Good Section 404 Internal Controls (May 8, 2006).

[2] See, for example, Sarbanes-Oxley Section 404 Costs and Implementation Issues: Spring 2006 Survey Update, prepared by CRA International (April 17, 2006), and FEI Survey on Sarbanes-Oxley Section 404 Implementation (March 2006).

[3] See PCAOB news release dated May 17, 2006.

[4] See Auditing Standard No. 2, paragraphs 40 through 46.

[5] If the auditor is not satisfied that management has fulfilled its responsibilities as they relate to the audit of internal control, the auditor is not permitted to express an opinion, either on management's assessment or directly on the effectiveness of the internal control. See Auditing Standard No. 2, paragraph 21.

[6] For comments received in connection with the PCAOB and SEC Roundtable on Internal Control Reporting Requirements (May 10, 2006), see Unedited Roundtable Transcript and written submissions, which are available at

[7] See Auditing Standard No. 2, paragraph 104.

[8] See Auditing Standard No. 2, paragraph 66.
