PCAOB 5: An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements


IMPORTANT NOTE: The guidance in this section applies to the preparation and issuance of audit reports for all issuers as defined by the Sarbanes–Oxley Act.

EFFECTIVE DATE AND APPLICABILITY

Effective Date: This standard currently is effective.
Applicability: Engagements to perform an audit of management’s assessment of the effectiveness of internal control over financial reporting that is integrated with an audit of the financial statements.

DEFINITIONS OF TERMS

Competence. The attainment and maintenance of a level of understanding and knowledge that enables a person to perform ably the tasks assigned to him or her.

Control objective. Provides a specific target against which to evaluate the effectiveness of controls. It generally relates to a relevant assertion and states a criterion for evaluating whether the entity’s control procedures provide reasonable assurance that a misstatement or omission in that assertion is prevented or detected by controls on a timely basis.

Deficiency in internal control over financial reporting. Exists when the design or operation of a control does not allow management or employees to prevent or detect misstatements on a timely basis.

Design deficiency. Exists when a control necessary to meet the control objective is missing, or an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met.

Detective controls. Controls having the objective of detecting errors or fraud that has already occurred that could result in a misstatement of the financial statements.

Material weakness. A deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity’s annual or interim financial statements will not be prevented or detected on a timely basis.

Objectivity. The ability to perform assigned tasks impartially and with intellectual honesty.

Operation deficiency. Exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.

Preventive controls. Controls having the objective of preventing errors or fraud that could result in a misstatement of the financial statements from occurring.

Relevant assertion. A financial statement assertion that has a reasonable possibility of containing a misstatement that would cause the financial statements to be materially misstated.

Senior management. The principal executive and financial officers signing the entity’s certifications as required under Section 302 of the Act, as well as any other members of senior management who play a significant role in the entity’s financial reporting process.

Significant account or disclosure. An account or disclosure for which there is a reasonable possibility of a misstatement that, individually or when aggregated with others, has a material effect on the financial statements.

Significant deficiency. A deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet is important enough to merit attention by those responsible for oversight of the entity’s financial reporting.

Walk-through. Following a transaction from origination through the entity’s processes, including information systems, until it is reflected in the entity’s financial records, using the same documents and information technology that the entity’s personnel use. Walk-through procedures usually include a combination of inquiry, observation, inspection of relevant documentation, and reperformance of controls.

OBJECTIVES OF PCAOB STANDARD 5

Public Company Accounting Oversight Board (PCAOB) Auditing Standard 5 establishes the fieldwork and reporting standards applicable to an audit of internal control over financial reporting. Since a company’s internal control cannot be considered effective if one or more material weaknesses exist, the auditor must plan and perform the audit to obtain evidence sufficient to provide reasonable assurance about whether material weaknesses exist as of the date specified in management’s assessment.

In an integrated audit of internal control over financial reporting and the financial statements, the auditor should design his or her testing of controls to accomplish the objectives of both audits, which are to obtain:

  • Sufficient evidence to support the auditor’s opinion on internal control over financial reporting as of year-end; and
  • Sufficient evidence to support the auditor’s control risk assessments for purposes of the audit of financial statements.

NOTE: If the auditor can support a low control risk assessment, he or she should be able to reduce the amount of audit work that otherwise would have been necessary to opine on the financial statements.

FUNDAMENTAL REQUIREMENTS

Planning the Audit

When the auditor plans an audit of internal control over financial reporting, he or she should evaluate whether the following matters are important to the entity’s financial statements and internal control and how they will affect audit procedures:

  • Knowledge of the entity’s internal control over financial reporting obtained during other engagements performed by the auditor;
  • Matters affecting the industry in which the entity operates, such as financial reporting practices, economic conditions, laws and regulations, and technological changes;
  • Matters relating to the entity’s business, including its organization, operating characteristics, and capital structure;
  • The extent of recent changes in the entity, its operations, or its internal control over financial reporting;
  • The auditor’s preliminary judgments about materiality, risk, and other factors relating to the determination of material weaknesses;
  • Control deficiencies previously communicated to the audit committee or management;
  • Legal or regulatory matters of which the entity is aware;
  • The type and extent of available evidence related to the effectiveness of the entity’s internal control over financial reporting;
  • Preliminary judgments about the effectiveness of internal control over financial reporting;
  • Public information about the entity relevant to the evaluation of the likelihood of material financial statement misstatements and the effectiveness of the entity’s internal control over financial reporting;
  • Knowledge about the risks related to the entity evaluated as part of the auditor’s client acceptance and retention evaluation; and
  • The relative complexity of the entity’s operations.

If the auditor decides it is appropriate to serve as the principal auditor of the entity’s financial statements, then that auditor also should be the principal auditor of the entity’s internal control over financial reporting.

Risk Assessment

Risk assessment is the key underlying issue of this Standard. The auditor must consider risk when determining significant accounts and disclosures and relevant assertions, selecting controls to be tested, and determining the evidence needed for a given control. The auditor should apply more effort in those areas where there is a higher degree of risk that a material weakness may exist. Conversely, it is not necessary to test controls that, even if deficient, would not present a reasonable possibility of material misstatement to the financial statements.

The complexity of an entity or business unit is of significant importance to the auditor in assessing risk and determining necessary procedures.

The auditor should incorporate a fraud risk assessment into the audit of internal control over financial reporting. This is an evaluation of whether the entity’s controls sufficiently address identified risks of material misstatement due to fraud and controls intended to address the risk of management override of other controls. Examples of controls addressing these risks are:

  • Controls over significant, unusual transactions, especially those resulting in late or unusual journal entries;
  • Controls over journal entries and adjustments made in the period-end financial reporting process;
  • Controls over related-party transactions;
  • Controls related to significant management estimates; and
  • Controls that mitigate incentives for, and pressures on, management to falsify or inappropriately manage financial results.

Using the Work of Others

For an audit of internal control, the auditor may use work performed by, or receive assistance from, internal auditors, company personnel other than internal auditors, and third parties working under the direction of management or the audit committee that provides evidence about the effectiveness of internal control over financial reporting. If the auditor is conducting an integrated audit of internal control over financial reporting as well as the financial statements, he or she may also use this work to obtain evidence supporting the assessment of control risk for purposes of the audit of the financial statements.

The higher the degree of competence and objectivity of the person the auditor plans to use, the greater use the auditor may make of the work. Competence and objectivity were defined earlier in “Definitions of Terms.” To assess competence, the auditor should evaluate factors about the person’s qualifications and ability to perform the work the auditor plans to use. To assess objectivity, the auditor should evaluate whether factors are present that either inhibit or promote a person’s ability to perform with the necessary degree of objectivity the work the auditor plans to use. Internal auditors normally are expected to have greater competence and objectivity in performing the type of work that is useful to the auditor.

The auditor should not use the work of individuals who have either a low degree of objectivity or competence. Also, the auditor should be more inclined to perform his or her own work on a control as the risk associated with that control increases.

The Top-Down Approach for Controls Selection

The auditor should use a top-down approach for the selection of controls in an audit of internal controls over financial reporting. This approach begins at the financial statement level and with the auditor’s understanding of the overall risks to internal control over financial reporting. The auditor then focuses on entity-level controls, and then significant accounts and disclosures and their relevant assertions. By taking this approach, the auditor focuses on those accounts, disclosures, and assertions that present a reasonable possibility of material misstatement to the financial statements and related disclosures.

The auditor’s evaluation of entity-level controls can result in changes to the testing that the auditor would otherwise have performed on other controls.

Entity-level controls include:

  • Controls related to the control environment;
  • Controls over management override (which are especially important in smaller entities where there is usually an increased involvement by senior managers in performing controls and in the period-end financial reporting process);
  • The entity’s risk assessment process;
  • Centralized processing and controls, including shared service environments;
  • Controls to monitor results of operations;
  • Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs;
  • Controls over the period-end financial reporting process; and
  • Policies that address significant business control and risk management practices.

Some entity-level controls, such as those impacting the control environment, have an indirect (though important) effect on the likelihood that a misstatement will be detected or prevented on a timely basis. Other entity-level controls monitor the effectiveness of other controls; as such, they may allow the auditor to reduce the testing of other controls. Other entity-level controls may operate at a level of precision that would adequately prevent or detect misstatements; if so, the auditor may not need to test additional controls related to that risk.

The auditor must evaluate the control environment at the entity. As part of this evaluation, the auditor should assess:

  • Whether management’s philosophy and operating style promote effective internal control over financial reporting;
  • Whether sound integrity and ethical values, particularly of top management, are developed and understood; and
  • Whether the board of directors or audit committee understands and exercises oversight responsibility over financial reporting and internal control.

The auditor must also evaluate the entity’s period-end reporting process. The reporting process includes those procedures:

  • Used to enter transaction totals into the general ledger;
  • Related to the selection and application of accounting policies;
  • Used to initiate, authorize, record, and process journal entries in the general ledger;
  • Used to record recurring and nonrecurring adjustments to the annual and quarterly financial statements; and
  • Used for preparing annual and quarterly financial statements and related disclosures.

NOTE: Since the annual period-end financial reporting process occurs after the “as of” date of management’s assessment, those controls usually cannot be tested until after the “as of” date.

As part of evaluating the period-end financial reporting process, the auditor should assess the following:

  • Inputs, procedures performed, and outputs of the processes the entity uses to produce its annual and quarterly financial statements;
  • The extent of information technology involvement in the period-end financial reporting process;
  • Who participates from management;
  • The locations involved in the period-end financial reporting process;
  • The types of adjusting and consolidating entries; and
  • The nature and extent of the oversight of the process by management, the board of directors, and the audit committee.

NOTE: The auditor should obtain sufficient evidence of the effectiveness of those quarterly controls that are important for determining whether the entity’s controls sufficiently address the assessed risk of misstatement; however, the auditor does not have to obtain sufficient evidence for each quarter individually.

Identification of Significant Accounts and Disclosures

The auditor should identify significant accounts and disclosures, as well as their relevant assertions. Financial statement assertions include existence or occurrence, completeness, valuation or allocation, rights and obligations, and presentation and disclosure.

To identify significant accounts and disclosures and their relevant assertions, the auditor should evaluate the qualitative and quantitative risk factors related to the financial statement line items and disclosures. Risk factors relevant to the identification of significant accounts and disclosures and their relevant assertions include:

  • Size and composition of the account;
  • Susceptibility to misstatement due to errors or fraud;
  • Volume of activity, complexity, and homogeneity of the individual transactions processed through the account or reflected in the disclosure;
  • Nature of the account or disclosure;
  • Accounting and reporting complexities associated with the account or disclosure;
  • Exposure to losses in the account;
  • Possibility of significant contingent liabilities arising from the activities reflected in the account or disclosure;
  • Existence of related-party transactions in the account; and
  • Changes from the prior period in account or disclosure characteristics.

The auditor should also determine the likely sources of potential misstatements that would cause the financial statements to be materially misstated. The auditor might determine the likely sources of potential misstatements by asking what could go wrong within a given account or disclosure.

The risk factors that the auditor should evaluate in identifying significant accounts and disclosures and their relevant assertions are the same in the audit of internal control over financial reporting as in the audit of the financial statements; thus, significant accounts and disclosures and their relevant assertions are the same for both audits.

When an entity has multiple locations or business units, the auditor should identify significant accounts and disclosures and their relevant assertions based on the consolidated financial statements. See “Multiple Location Scoping Decisions” for more information.

Understanding Likely Sources of Misstatement

The auditor should pursue the following objectives in order to further understand the likely sources of potential misstatements:

  • Understand the flow of transactions related to the relevant assertions, including how the transactions are initiated, authorized, processed, and recorded;
  • Verify that the auditor has identified the points within the entity’s processes at which a misstatement could arise that would be material (either individually or in combination with other misstatements);
  • Identify the controls that management has implemented to address these potential misstatements; and
  • Identify the controls that management has implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the entity’s assets that could result in a material misstatement of the financial statements.

As part of this evaluation, the auditor should also understand how information technology affects the entity’s flow of transactions.

The auditor may find that a walk-through is the most effective way to understand likely sources of misstatement. In performing a walk-through, the auditor should question the entity’s personnel about their understanding of what is required by the entity’s procedures and controls. These questions, when combined with other walk-through procedures, allow the auditor to gain a sufficient understanding of the process, as well as be able to identify important points where a necessary control is either missing or not designed effectively.

Given the level of judgment required, the auditor should either directly perform the preceding procedures, or supervise the work of others who provide direct assistance to the auditor.

Selecting Controls for Testing

The auditor should test those controls that are important to the auditor’s conclusion about whether the entity’s controls sufficiently address the assessed risk of misstatement to each relevant assertion. It is not necessary to test all controls related to a relevant assertion, nor is it necessary to test redundant controls, unless redundancy is itself a control objective. The decision to select a control for testing depends on which controls, either individually or in combination, sufficiently address the assessed risk of misstatement to a given assertion.

Testing Controls

The auditor should test the design effectiveness of controls by determining whether the controls satisfy the entity’s control objectives and can effectively prevent or detect errors or fraud that could result in material misstatements in the financial statements. Design effectiveness test procedures include a mix of personnel inquiry, operations observation, and relevant documentation inspection. Walk-throughs that include these procedures ordinarily are sufficient to evaluate design effectiveness.

The auditor should test the operating effectiveness of a control by determining whether the control is operating as designed and whether the person performing it possesses the authority and competence to perform the control effectively. If the entity uses a third party to provide assistance with some financial reporting functions, then the auditor may take into account the combined competence of company personnel and other parties that assist with functions related to financial reporting.

Relationship of Risk to the Evidence to Be Obtained

The evidence needed to persuade the auditor that a control is effective depends on the risk associated with the control. This is the risk that the control might not be effective, and if not effective, the risk that a material weakness would result. As this risk increases, the auditor should obtain additional evidence.


NOTE: The auditor’s objective is to express an opinion on the entity’s overall internal control over financial reporting; he or she does not need to obtain sufficient evidence to support an opinion about the effectiveness of individual controls. Thus, the auditor can vary the evidence obtained regarding the effectiveness of individual controls selected for testing.

There are a number of factors influencing the risk associated with a control. These include:

  • The nature and materiality of misstatements that the control is intended to prevent or detect;
  • The inherent risk associated with the related account(s) and assertion(s);
  • Whether there have been changes in the volume or nature of transactions that might adversely affect control design or operating effectiveness;
  • Whether the account has a history of errors;
  • The effectiveness of entity-level controls, especially controls that monitor other controls;
  • The nature of the control and the frequency with which it operates;
  • The degree to which the control relies on the effectiveness of other controls;
  • The competence of the personnel who perform the control or monitor its performance and whether there have been changes in key personnel who perform the control or monitor its performance;
  • Whether the control relies on performance by an individual or is automated (Note: an automated control is generally expected to be lower risk if information technology controls are effective); and
  • The complexity of the control and the significance of the judgments that must be made in connection with its operation.

NOTE: In areas in which off-the-shelf software is used, the auditor’s testing of information technology controls might focus on the application controls built into the prepackaged software that management relies on to achieve its control objectives.

NOTE: A conclusion that a control is not operating effectively can generally be supported by less evidence than is necessary to support a conclusion that a control is operating effectively.

When the auditor identifies deviations from the entity’s controls, he or she should determine the effect of the deviations on the assessment of the risk associated with the control being tested and the associated evidence to be obtained, as well as on the operating effectiveness of the control. Given that effective internal control over financial reporting cannot provide absolute assurance of achieving the entity’s control objectives, an individual control does not necessarily have to operate without any deviation to be considered effective.

When testing a control, the auditor will find that different combinations of the nature, timing, and extent of testing may provide sufficient evidence in relation to the risk associated with the control. The nature of the tests of effectiveness that will provide competent evidence depends considerably on the nature of the control to be tested.

Nature of Tests of Controls

Some tests produce greater evidence of control effectiveness than other tests. The following tests are presented in order of the most evidence provided to the least:

1. Reperformance of a control
2. Inspection of relevant documentation
3. Observation
4. Inquiry (which does not provide sufficient evidence to support a conclusion about control effectiveness)

Testing controls over a greater period of time provides more evidence of the effectiveness of controls than testing over a shorter period of time. Further, testing performed closer to the date of management’s assessment provides more evidence than testing performed earlier in the year.

Using Results from the Audit of Financial Statements

The auditor should evaluate the effect of the findings of the substantive auditing procedures performed in the audit of financial statements on the effectiveness of internal control over financial reporting. This evaluation should include:

  • The auditor’s risk assessments in connection with the selection and application of substantive procedures, especially those related to fraud;
  • Findings with respect to illegal acts and related-party transactions;
  • Indications of management bias in making accounting estimates and in selecting accounting principles; and
  • Misstatements detected by substantive procedures (the extent of such misstatements might alter the auditor’s judgment about the effectiveness of controls).

Extent of Tests of Controls

The more extensively a control is tested, the greater the evidence obtained from that test.

Roll-Forward Procedures

When the auditor reports on the effectiveness of controls as of a specific date and obtains evidence about the operating effectiveness of controls at an interim date, he or she should determine what additional evidence concerning the operation of the controls for the remaining period is necessary. The additional evidence required depends on the following factors:

  • The specific control tested prior to the as-of date, including the risks associated with the control and the nature of the control, and the results of those tests;
  • The sufficiency of the evidence of effectiveness obtained at an interim date;
  • The length of the remaining period; and
  • The possibility that there have been any significant changes in internal control over financial reporting subsequent to the interim date.

NOTE: When the evaluation of these factors indicates a low risk that the controls are no longer effective during the roll-forward period, inquiry alone might be sufficient as a roll-forward procedure.

Special Considerations for Subsequent Years’ Audits

In subsequent years’ audits, the auditor should incorporate knowledge from past audits of the entity’s controls into the decision-making process for determining the nature, timing, and extent of testing needed. After taking into account all risk factors, the auditor may be able to reduce testing in subsequent years.

The auditor should vary the nature, timing, and extent of controls testing from year to year, to introduce unpredictability into the testing and respond to changes in circumstances. Thus, the auditor could test controls during different interim periods, change the number and types of tests performed, or change the combination of procedures used.

Evaluating Identified Deficiencies

The auditor must evaluate the severity of each control deficiency to determine whether the deficiencies, individually or together, are material weaknesses as of the date of management’s assessment. However, in planning and performing the audit, the auditor is not required to search for deficiencies (either individually or in combination) that are less severe than a material weakness.

The severity of a deficiency depends on whether there is a reasonable possibility that the entity’s controls will fail to prevent or detect a misstatement of an account balance or disclosure, and the magnitude of the potential misstatement resulting from the deficiency. The severity of a deficiency does not depend on whether a misstatement actually has occurred, but rather on whether there is a reasonable possibility that the entity’s controls will fail to prevent or detect a misstatement.

Risk factors affect whether there is a reasonable possibility that a deficiency, or a combination of deficiencies, will result in a misstatement of an account balance or disclosure. The risk factors include:

  • The nature of the financial statement accounts, disclosures, and assertions involved;
  • The susceptibility of the related asset or liability to loss or fraud;
  • The subjectivity, complexity, or extent of judgment required to determine the amount involved;
  • The interaction or relationship of the control with other controls, including whether they are interdependent or redundant;
  • The interaction of the deficiencies; and
  • The possible future consequences of the deficiency.

The evaluation of whether a control deficiency presents a reasonable possibility of misstatement can be made without quantifying the probability of occurrence as a specific percentage or range.

Multiple control deficiencies that affect the same financial statement account balance or disclosure increase the likelihood of misstatement and may, in combination, constitute a material weakness, even though such deficiencies may individually be less severe. Thus, the auditor should determine whether individual control deficiencies that affect the same significant account or disclosure, relevant assertion, or component of internal control collectively result in a material weakness.

Factors affecting the magnitude of a misstatement that might result from a deficiency in controls include the financial statement amounts or total of transactions exposed to the deficiency, and the volume of activity in the account balance or class of transactions exposed to the deficiency that has either occurred in the current period or is expected in future periods.

When evaluating the magnitude of a potential misstatement, the maximum amount that an account balance or total of transactions can be overstated is generally the recorded amount, while understatements could be larger. Also, the probability of a small misstatement is greater than the probability of a large one.

The auditor should evaluate the effectiveness of compensating controls when determining whether a control deficiency or combination of deficiencies is a material weakness. To have a mitigating effect, the compensating control should operate at a level of precision that would prevent or detect a misstatement that could be material.

Indicators of Material Weakness

Indicators of material weakness in internal control over financial reporting include the following:

  • Identification of fraud, whether or not material, on the part of senior management;
  • Restatement of previously issued financial statements to reflect the correction of a material misstatement;
  • Identification by the auditor of a material misstatement of financial statements in the current period in circumstances indicating that the misstatement would not have been detected by the entity’s internal control over financial reporting; and
  • Ineffective oversight of the entity’s external financial reporting and internal control over financial reporting by the entity’s audit committee.

When evaluating the severity of a deficiency or combination of deficiencies, the auditor should also determine the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles (GAAP). If the auditor determines that this is not the case, then he or she should treat the deficiency or combination of deficiencies as an indicator of a material weakness.

Forming an Opinion

The auditor should form an opinion on the effectiveness of the entity’s internal control over financial reporting by evaluating evidence from all sources. This should include the auditor’s controls tests, misstatements detected during the financial statement audit, any identified control deficiencies, and internal audit reports that address relevant controls.

The auditor should also evaluate the presentation of the elements that management is required to present in its annual report on internal control over financial reporting. If any elements of management’s annual report are incomplete or improperly presented, the auditor should modify his or her report to include an explanatory paragraph describing the reasons for this determination.

The auditor may form an opinion only when there have been no scope restrictions on the auditor’s work. If there is a scope limitation, the auditor must either disclaim an opinion or withdraw from the engagement. When disclaiming an opinion because of a scope limitation, the auditor should state that the scope of the audit was not sufficient to warrant the expression of an opinion and, in a separate paragraph, the reasons for the disclaimer; the auditor should not identify the procedures that were performed nor include the statements describing the characteristics of an audit of internal control over financial reporting.

Obtaining Written Representations

In an audit of internal control over financial reporting, the auditor should obtain written representations from management that:

  • Acknowledges management’s responsibility for establishing and maintaining effective internal control over financial reporting;
  • States that management has performed an evaluation and made an assessment of the effectiveness of the entity’s internal control over financial reporting and specifies the control criteria;
  • States that management did not use the auditor’s procedures performed during the audits of internal control over financial reporting or the financial statements as part of the basis for management’s assessment of the effectiveness of internal control over financial reporting;
  • States management’s conclusion, as set forth in its assessment, about the effectiveness of the entity’s internal control over financial reporting based on the control criteria as of a specified date;
  • States that management has disclosed to the auditor all deficiencies in the design or operation of internal control over financial reporting identified as part of management’s evaluation, including separately disclosing to the auditor all such deficiencies that it believes to be significant deficiencies or material weaknesses in internal control over financial reporting;
  • Describes any fraud resulting in a material misstatement to the entity’s financial statements and any other fraud that does not result in a material misstatement to the entity’s financial statements but involves senior management or management or other employees who have a significant role in the entity’s internal control over financial reporting;
  • States whether control deficiencies identified and communicated to the audit committee during previous engagements have been resolved, and specifically identifies any that have not; and
  • States whether there were, subsequent to the date being reported on, any changes in internal control over financial reporting or other factors that might significantly affect internal control over financial reporting, including any corrective actions taken by management with regard to significant deficiencies and material weaknesses.

If management does not provide written representations, this is a scope limitation on the audit. In this case, the auditor must either withdraw from the engagement or disclaim an opinion. In such a case, the auditor must also evaluate the effects of management’s refusal on his or her ability to rely on other representations, including those obtained in the audit of the entity’s financial statements.

Communicating Matters Related to the Audit

The auditor must issue written communications to management and the audit committee regarding all material weaknesses identified during the audit. This communication should be made prior to issuing the auditor’s report on internal control over financial reporting. If the auditor concludes that the oversight by the entity’s internal audit committee is ineffective, then he or she must communicate that conclusion in writing to the board of directors.

The auditor should consider whether there have been any deficiencies or combinations of deficiencies that have been identified during the audit that are significant deficiencies. If so, he or she must communicate these deficiencies, in writing, to the audit committee.

The auditor should also communicate to management, in writing, all deficiencies in internal control over financial reporting (i.e., those less-than-material weaknesses) identified during the audit and inform the audit committee when such a communication has been made. When formulating this communication to management, the auditor does not have to repeat information about deficiencies that have been communicated before.

The auditor should not issue a report stating that no deficiencies less severe than a material weakness were noted during the audit.

Reporting on Internal Control

The auditor’s report on the audit of internal control over financial reporting must include the following components:

1. A title that includes the word independent
2. A statement that management is responsible for maintaining effective internal control over financial reporting and for assessing the effectiveness of internal control over financial reporting
3. An identification of management’s report on internal control
4. A statement that the auditor’s responsibility is to express an opinion on the entity’s internal control over financial reporting based on his or her audit
5. A definition of internal control over financial reporting
6. A statement that the audit was conducted in accordance with the standards of the PCAOB (United States)
7. A statement that the standards of the PCAOB require that the auditor plan and perform the audit to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects
8. A statement that an audit includes obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, testing and evaluating the design and operating effectiveness of internal control based on the assessed risk, and performing such other procedures as the auditor considered necessary in the circumstances
9. A statement that the auditor believes the audit provides a reasonable basis for his or her opinion
10. A paragraph stating that, because of inherent limitations, internal control over financial reporting may not prevent or detect misstatements and that projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate
11. The auditor’s opinion on whether the entity maintained, in all material respects, effective internal control over financial reporting as of the specified date, based on the control criteria
12. The manual or printed signature of the auditor’s firm
13. The city and state (or city and country, in the case of non-U.S. auditors) from which the auditor’s report has been issued
14. The date of the audit report

The auditor may choose to issue a combined statement that contains an opinion on the financial statements and an opinion on internal control over financial reporting. It is also acceptable to issue separate reports on these topics.

Several examples of the auditor’s report are included in the “Illustrations” section.

The Report Date

The auditor should date the audit report no earlier than the date on which the auditor has obtained sufficient competent evidence to support his or her opinion. Because the auditor cannot audit internal control over financial reporting without also auditing the financial statements, the reports should have the same date.

Material Weaknesses

If there are deficiencies (either individually or in combination) resulting in one or more material weaknesses, the auditor must express an adverse opinion on the entity’s internal control over financial reporting.

When expressing an adverse opinion on internal control over financial reporting because of a material weakness, the auditor’s report must include:

  • The definition of a material weakness
  • A statement that a material weakness has been identified and an identification of the material weakness that was described in management’s assessment

If the material weakness was not included in management’s assessment, then the auditor should modify his or her report to state that a material weakness has been identified but not included in management’s assessment. Further, the report should include a description of the material weakness, which should provide the users of the audit report with specific information about the nature of the material weakness and its actual and potential effect on the presentation of the entity’s financial statements issued during the existence of the weakness. In addition, the auditor should communicate to the audit committee in writing that the material weakness was not disclosed or identified as a material weakness in management’s assessment.

If the material weakness was included in management’s assessment but the auditor concludes that the disclosure of the material weakness is not fairly presented in all material respects, then the auditor’s report should describe this conclusion as well as the information necessary to fairly describe the material weakness.

The auditor should determine the effect the adverse opinion has on his or her opinion on the financial statements. Further, the auditor should disclose whether his or her opinion on the financial statements was affected by the adverse opinion on internal control over financial reporting.

Report Modifications

The auditor should modify his or her report if any of the following conditions exist:

  • Elements of management’s annual report on internal control are incomplete or improperly presented.
  • There is a restriction on the scope of the engagement.
  • The auditor decides to refer to the report of other auditors as the basis, in part, for the auditor’s own report.
  • There is other information contained in management’s annual report on internal control over financial reporting.
  • Management’s annual certification pursuant to Section 302 of the Sarbanes-Oxley Act is misstated.

If the auditor determines that elements of management’s annual report on internal control over financial reporting are incomplete or improperly presented, the auditor should modify his or her report to include an explanatory paragraph describing the reasons for this determination.

When the auditor plans to disclaim an opinion and the limited procedures performed by the auditor cause the auditor to conclude that a material weakness exists, the auditor’s report should include:

  • The definition of a material weakness
  • A description of any material weaknesses identified in the entity’s internal control over financial reporting; this description should provide the users of the audit report with specific information about the nature of any material weakness and its actual and potential effect on the presentation of the entity’s financial statements issued during the existence of the weakness

The auditor may issue a report disclaiming an opinion on internal control over financial reporting as soon as the auditor concludes that a scope limitation will prevent the auditor from obtaining the reasonable assurance necessary to express an opinion. The auditor is not required to perform any additional work prior to issuing a disclaimer, once the auditor concludes that he or she will not be able to obtain sufficient evidence to express an opinion.

Filings under Federal Securities Statutes

AU Section 711, Filings under Federal Securities Statutes, describes the auditor’s responsibilities when the auditor’s report is included in registration statements, proxy statements, or periodic reports filed under the federal securities statutes. The auditor should apply Section 711 with respect to the auditor’s report on internal control over financial reporting included in such filings. In addition, the auditor should extend the direction in Section 711 to obtain written representations from officers and other executives responsible for financial and accounting matters about whether any events have occurred that have a material effect on the audited financial statements to matters that could have a material effect on internal control over financial reporting.

When the auditor intends to consent to the inclusion of his or her report on internal control over financial reporting in the securities filing, his or her consent should clearly indicate that both the audit report on financial statements and the audit report on internal control over financial reporting (or both opinions if a combined report is issued) are included in his or her consent.

Subsequent Events

There may be changes in internal control over financial reporting or other factors that significantly affect internal control over financial reporting, arising subsequent to the date as of which internal control over financial reporting is being audited, but before the date of the auditor’s report. The auditor should make inquiries of management as to whether there were any such changes or factors, and obtain written management representations relating to such matters.

The auditor’s inquiries during this subsequent period can include the following:

  • Relevant internal audit reports issued during the subsequent period
  • Independent auditor reports of deficiencies in internal control
  • Regulatory agency reports on the entity’s internal control over financial reporting
  • Information about the effectiveness of the entity’s internal control over financial reporting that is obtained through other engagements

If the auditor obtains knowledge about subsequent events that materially and adversely affect the effectiveness of the entity’s internal control over financial reporting as of the date specified in the assessment, the auditor should issue an adverse opinion on internal control over financial reporting. If the auditor is unable to determine the effect of the subsequent event on the effectiveness of the entity’s internal control over financial reporting, he or she should disclaim an opinion.

If a subsequent event has a material effect on the entity’s internal control over financial reporting, then the auditor should include in his or her report an explanatory paragraph describing the event and its effects, or directing the reader’s attention to the event and its effects as disclosed in management’s report.

If, after issuance of the auditor’s report, the auditor becomes aware of conditions that existed at the report date that might have affected the auditor’s opinion, the auditor should follow the procedures noted in AU Section 561, Subsequent Discovery of Facts Existing at the Date of the Auditor’s Report.

Multiple Location Scoping Decisions

In determining the locations or business units at which to perform tests of controls, the auditor should assess the risk of material misstatement to the financial statements associated with the location or business unit, and correlate the amount of audit attention with the degree of audit risk. The auditor can eliminate from consideration those locations or business units that, individually or when aggregated with others, do not present a reasonable possibility of material misstatement to the entity’s consolidated financial statements.

When determining the locations or business units at which to perform tests of controls, the auditor may take into account work performed by others on behalf of management. For example, this can involve the coordination of work with the entity’s internal auditors.

The scope of the audit should include entities that are acquired on or before the date of management’s assessment and operations that are accounted for as discontinued operations on the date of management’s assessment.

For equity method investments, the scope of the audit should include controls over the reporting in accordance with GAAP, in the entity’s financial statements, of the entity’s portion of the investee’s income or loss, the investment balance, adjustments to the income or loss and investment balance, and related disclosures. The audit ordinarily would not extend to the controls at the equity method investee.

If the Securities and Exchange Commission (SEC) allows management to exclude certain entities from its assessment of internal control over financial reporting, then the auditor may limit the audit in the same manner; this is not considered a scope limitation. However, the auditor should include in his or her report a disclosure similar to management’s regarding the exclusion of the entity from the scope of both management’s assessment and the auditor’s audit of internal control over financial reporting. Further, the auditor should evaluate the reasonableness of management’s conclusion that the situation meets the criteria of the SEC’s allowed exclusion and the appropriateness of any required disclosure related to such a limitation.

Use of Service Organizations

AU Section 324, Service Organizations, applies to the audit of financial statements of an entity that obtains services from another organization that are part of the entity’s information systems. The auditor may apply the relevant concepts described in Section 324 to the audit of internal control over financial reporting.

When a significant period of time has elapsed between the time period covered by the tests of controls in the service auditor’s report and the date specified in management’s assessment, additional procedures should be performed. The auditor should inquire of management to determine whether management has identified any changes in the service organization’s controls subsequent to the period covered by the service auditor’s report; these changes can include changes in the personnel at the service organization with whom management interacts, changes in reports or other data received from the service organization, changes in contracts or service level agreements with the service organization, or errors identified in the service organization’s processing. The auditor should evaluate the effect of such changes in the effectiveness of the entity’s internal control over financial reporting. The auditor should also evaluate whether the results of other procedures he or she performed indicate that there have been changes in the controls at the service organization.

The auditor should determine whether to obtain additional evidence about the operating effectiveness of controls at the service organization based (1) on the procedures performed by management or the auditor and the results of those procedures and (2) on an evaluation of the following risk factors:

  • The elapsed time between the time period covered by the tests of controls in the service auditor’s report and the date specified in management’s assessment
  • The significance of the activities of the service organization
  • Whether errors have been identified in the service organization’s processing
  • The nature and significance of any changes in the service organization’s controls identified by management or the auditor

If the auditor concludes that additional evidence about the operating effectiveness of controls at the service organization is required, his or her additional procedures might include:

  • Evaluating procedures performed by management and the results of those procedures
  • Contacting the service organization, through the user organization, to obtain specific information
  • Requesting that a service auditor be engaged to perform procedures that will supply the necessary information
  • Visiting the service organization and performing procedures

The auditor should not refer to the service auditor’s report when expressing an opinion on internal control over financial reporting.

Benchmarking of Automated Controls

Automated application controls are usually not subject to breakdowns due to human failure, which allows the auditor to use a benchmarking strategy.

If controls over program changes, access to programs, and computer operations are effective and continue to be tested, and if the auditor verifies that the automated application control has not changed since he or she last tested the application control, then the auditor may conclude that the automated application control continues to be effective without repeating the prior year’s tests of the operation of the automated application control.

To determine whether to use a benchmarking strategy, the auditor should assess a number of risk factors. As these factors indicate lower risk, the control being evaluated might be well-suited for benchmarking. However, as these factors indicate increased risk, the control being evaluated is less suited for benchmarking. The risk factors are:

  • The extent to which the application control can be matched to a defined program within an application
  • The extent to which the application is stable (i.e., there are few changes over time)
  • The availability and reliability of a report of the compilation dates of the programs placed in production

Benchmarking automated application controls can be especially effective when it involves purchased off-the-shelf software, since the possibility of program changes is remote.

After a period of time, the baseline of the operation of an automated application control should be reestablished. To determine when to reestablish a baseline, the auditor should evaluate the following factors:

  • The effectiveness of the information technology control environment, including controls over application and system software acquisition and maintenance, access controls and computer operations
  • The auditor’s understanding of the nature of changes, if any, on the specific programs that contain the controls
  • The nature and timing of other related tests
  • The consequences of errors associated with the application control that was benchmarked
  • Whether the control is sensitive to other business factors that may have changed. For example, an automated control may have been designed with the assumption that only positive amounts will exist in a file. This control would no longer be effective if negative amounts were to be posted to the account

ILLUSTRATIONS

The following is an illustration of a combined report that expresses an unqualified opinion on financial statements and an unqualified opinion on internal control over financial reporting, as well as a format where the auditor issues a separate report on internal control over financial reporting. They are adapted from PCAOB Standard 5.


Illustration 1. Auditor’s Combined Report for an Unqualified Opinion on Financial Statements and an Unqualified Opinion on Internal Control Over Financial Reporting

Report of Independent Registered Public Accounting Firm

We have audited the accompanying balance sheets of ABC Company as of December 31, 20X8 and 20X7, and the related statements of income, stockholders’ equity and comprehensive income, and cash flows for each of the years in the three-year period ended December 31, 20X8. We also have audited ABC Company’s internal control over financial reporting as of December 31, 20X8, based on [identify control criteria, for example, “criteria established in Internal Control—Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)”]. ABC Company’s management is responsible for these financial statements, for maintaining effective internal control over financial reporting, and for its assessment of the effectiveness of internal control over financial reporting, included in the accompanying [title of management’s report]. Our responsibility is to express an opinion on these financial statements and an opinion on the company’s internal control over financial reporting based on our audits.
We conducted our audits in accordance with the standards of the Public Company Accounting Oversight Board (United States). Those standards require that we plan and perform the audits to obtain reasonable assurance about whether the financial statements are free of material misstatement and whether effective internal control over financial reporting was maintained in all material respects. Our audits of the financial statements included examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements, assessing the accounting principles used and significant estimates made by management, and evaluating the overall financial statement presentation. Our audit of internal control over financial reporting included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, and testing and evaluating the design and operating effectiveness of internal control based on the assessed risk. Our audits also included performing such other procedures as we considered necessary in the circumstances. We believe that our audits provide a reasonable basis for our opinions.
A company’s internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company’s internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.
Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.
In our opinion, the financial statements referred to above present fairly, in all material respects, the financial position of ABC Company as of December 31, 20X8 and 20X7, and the results of its operations and its cash flows for each of the years in the three-year period ended December 31, 20X8, in conformity with accounting principles generally accepted in the United States of America. Also in our opinion, ABC Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 20X8, based on [identify control criteria, for example, “criteria established in Internal Control—Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”].
[Signature]
[City and State or Country]
[Date]


Illustration 2. Auditor’s Separate Report on Internal Control Over Financial Reporting

If the auditor chooses to issue a separate report on internal control over financial reporting, he or she should add the following paragraph to the auditor’s report on the financial statements:

We have also audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States), ABC Company’s internal control over financial reporting as of December 31, 20X8, based on [identify control criteria] and our report dated [date of report, which should be the same as the date of the report on the financial statements] expressed [include nature of opinion].

The auditor should add the following paragraph to the report on internal control over financial reporting:

We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States), the [identify financial statements] of ABC Company and our report, dated [date of report, which should be the same as the date of the report on the effectiveness of internal control over financial reporting], which expressed [include nature of opinion].

1 Practitioners should reference the additional guidance listed in the section “Other PCAOB Guidance” in this volume’s chapter PCAOB 1.
