Statement on Proposed Auditing Standard - An Audit of Internal Control Over Financial Reporting

A centerpiece of the Sarbanes-Oxley Act of 2002 is its emphasis on improving internal control as a means of restoring the credibility of financial reporting in the United States.

Under Section 404 of the Act, management of public companies must perform an annual assessment of the effectiveness of their companies' internal control over financial reporting and report the results of that assessment in their companies' annual reports to shareholders.

Under Sections 103 and 404 of the Act, the Board has a related responsibility to provide standards for the auditor's required attestation on management's report on internal controls.

You have before you a proposed auditing standard entitled An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements. We believe this proposed standard provides the necessary direction to the auditor to achieve the key objectives of Section 404.

Development Process

The implementation deadlines for Section 404 demanded that the Board proceed with an auditing standard on internal control quickly. As a result, this proposed auditing standard has followed an accelerated development process.

The Board has also emphasized the importance of public input in the development of its standards. The Board convened a Roundtable on July 29th to obtain public input on internal control related matters. Representatives from auditing firms, issuers, investors and regulators provided valuable input at that Roundtable which has been carefully considered in developing this proposed standard.

We also spent additional time with the federal bank regulators, understanding lessons they learned from audit engagements under the Federal Deposit Insurance Corporation Improvement Act of 1991. As you know, Section 404 was largely patterned after a section of the FDICIA. The federal banking regulators' insight on their FDICIA experiences has been very helpful to us.

In addition, we received, and considered, a recommendation from the American Institute of Certified Public Accountants' Auditing Standards Board that we also found to be very helpful.

We also have remained alert for implementation issues, and have listened to concerns expressed by issuers, auditors, and others. We are aware that PCAOB Board members, for example, are sensitive to potential unintended consequences of Section 404 and the proposed standard on small and medium-sized companies, that the compliance costs of Section 404 could potentially become so high that the access of smaller companies to public capital markets might be unduly restricted.

Every public company has an obligation to establish and maintain effective internal control over financial reporting to assure investors that they are receiving accurate information about the company's financial condition and performance. However, we also recognize that internal control is not "one-size-fits-all" and that the nature and extent of controls that are necessary depend, to a great extent, on the size and complexity of the company. We also expect auditors to exercise reasonable judgment in determining the extent of the audit of internal control and perform only those tests that are necessary to ascertain the effectiveness of the company's controls. Therefore, complying with Section 404 should naturally be less costly and less of an undertaking for a small company. We believe the proposed auditing standard provides the flexibility necessary for the auditor to make appropriate judgments in this area.

So, even though this proposed standard has followed an accelerated development process, we believe it reflects a thorough analysis of the existing standards, practice issues encountered, and high quality practices that we believe should become the norm. Yet at the same time, the proposed standard was developed with a focus on balancing the costs to implement versus the benefits associated with the effectiveness of the audit of internal control.

Perhaps now is a good time to clarify why we refer to this as the "audit" of internal control when Section 404 talks about an "attestation." An attestation is, in a general sense, an expert's communication of a conclusion about the reliability of someone else's assertion. For example, a financial statement audit is a form of attestation. Management makes assertions about the accuracy and completeness of the financial statements, and the auditor evaluates management's assertions. Internal control is similar: management makes an assertion about the effectiveness of internal control and the auditor evaluates management's assertion.

In either case, the auditor ultimately renders an opinion about whether management's assertion is correct – either that the financial statements are fairly stated or that internal control is effective. To do that the auditor evaluates the process management used to make its assertion and obtains evidence about whether management's assertion is correct.

The objectives and work performed both in an attestation of management's assessment of internal control and an audit of the financial statements are closely interrelated. Therefore, the proposed standard states that these activities should be integrated, and that the auditor cannot report on management's assessment of the effectiveness of internal control over financial reporting without also performing an audit of the company's financial statement. Consistent with that idea, the proposed standard is an integrated standard that refers to both the financial statement audit and the internal control attestation. Throughout the proposed standard, the auditor's attestation of management's assessment of the effectiveness of internal control over financial reporting is referred to as the audit of internal control over financial reporting.

Auditor Independence

The proposed standard requires the auditor to be independent to perform an audit of internal control over financial reporting. We are not proposing, at this time, to amend the independence rules with regard to the provision of non-audit, internal control-related services. However, the proposed standard explicitly prohibits the auditor from accepting an engagement to provide an internal control-related non-audit service to an audit client that has not been specifically pre-approved by the audit committee. In other words, the audit committee would not be able to pre-approve internal control-related non-audit services as a category. Each specific engagement would be required to be specifically pre-approved.

Responsibilities for Management's Certifications

The proposed standard also defines the auditor's responsibilities related to management's quarterly and annual certifications required by Section 302 of the Act. These responsibilities are analogous to the auditor's responsibilities for interim financial statements and other information in a Form 10-K.


We recommend that the Board expose the proposed auditing standard for a comment period of 45 days. The length of the comment period is designed to meet the impending effective date set by the SEC for management's first annual report under Section 404.

That concludes our report to the Board. We would be pleased to address your questions.

Related Information