Effective Date: This standard currently is effective.
Applicability: Engagements to perform an audit of management’s assessment of the effectiveness of internal control over financial reporting that is integrated with an audit of the financial statements.
Competence. The attainment and maintenance of a level of understanding and knowledge that enables a person to perform ably the tasks assigned to him or her.
Control objective. Provides a specific target against which to evaluate the effectiveness of controls. It generally relates to a relevant assertion and states a criterion for evaluating whether the entity’s control procedures provide reasonable assurance that a misstatement or omission in that assertion is prevented or detected by controls on a timely basis.
Deficiency in internal control over financial reporting. Exists when the design or operation of a control does not allow management or employees to prevent or detect misstatements on a timely basis.
Design deficiency. Exists when a control necessary to meet the control objective is missing, or an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met.
Detective controls. Controls having the objective of detecting errors or fraud that has already occurred that could result in a misstatement of the financial statements.
Material weakness. A deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity’s annual or interim financial statements will not be prevented or detected on a timely basis.
Objectivity. The ability to perform assigned tasks impartially and with intellectual honesty.
Operation deficiency. Exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.
Preventive controls. Controls having the objective of preventing errors or fraud that could result in a misstatement of the financial statements from occurring.
Relevant assertion. A financial statement assertion that has a reasonable possibility of containing a misstatement that would cause the financial statements to be materially misstated.
Senior management. The principal executive and financial officers signing the entity’s certifications as required under Section 302 of the Act, as well as any other members of senior management who play a significant role in the entity’s financial reporting process.
Significant account or disclosure. An account or disclosure for which there is a reasonable possibility of a misstatement that, individually or when aggregated with others, has a material effect on the financial statements.
Significant deficiency. A deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet is important enough to merit attention by those responsible for oversight of the entity’s financial reporting.
Walk-through. Following a transaction from origination through the entity’s processes, including information systems, until it is reflected in the entity’s financial records, using the same documents and information technology that the entity’s personnel use. Walk-through procedures usually include a combination of inquiry, observation, inspection of relevant documentation, and reperformance of controls.
Public Company Accounting Oversight Board (PCAOB) Auditing Standard 5 establishes the fieldwork and reporting standards applicable to an audit of internal control over financial reporting. Since a company’s internal control cannot be considered effective if one or more material weaknesses exist, the auditor must plan and perform the audit to obtain evidence that is sufficient to obtain a reasonable assurance about whether material weaknesses exist as of the date specified in management’s assessment.
In an integrated audit of internal control over financial reporting and the financial statements, the auditor should design his or her testing of controls to accomplish the objectives of both audits, which are to obtain:
When the auditor plans an audit of internal control over financial reporting, he or she should evaluate whether the following matters are important to the entity’s financial statements and internal control and how they will affect audit procedures:
If the auditor decides it is appropriate to serve as the principal auditor of the entity’s financial statements, then that auditor also should be the principal auditor of the entity’s internal control over financial reporting.
Risk assessment is the key underlying issue of this Standard. The auditor must consider risk when determining significant accounts and disclosures, relevant assertions, the selection of controls to be tested, and determining the evidence needed for a given control. The auditor should apply more effort in those areas where there is a higher degree of risk that a material weakness may exist. Conversely, it is not necessary to test controls that, even if deficient, would not present a reasonable possibility of material misstatement to the financial statements.
The complexity of an entity or business unit is of significant importance to the auditor in assessing risk and determining necessary procedures.
The auditor should incorporate a fraud risk assessment into the audit of internal control over financial reporting. This is an evaluation of whether the entity’s controls sufficiently address identified risks of material misstatement due to fraud and controls intended to address the risk of management override of other controls. Examples of controls addressing these risks are:
For an audit of internal control, the auditor may use work performed by, or receive assistance from, internal auditors, company personnel other than internal auditors, and third parties working under the direction of management or the audit committee that provides evidence about the effectiveness of internal control over financial reporting. If the auditor is conducting an integrated audit of internal control over financial reporting as well as the financial statements, he or she may also use this work to obtain evidence supporting the assessment of control risk for purposes of the audit of the financial statements.
The higher the degree of competence and objectivity of the person the auditor plans to use, the greater use the auditor may make of the work. Competence and objectivity were defined earlier in “Definitions of Terms.” To assess competence, the auditor should evaluate factors about the person’s qualifications and ability to perform the work the auditor plans to use. To assess objectivity, the auditor should evaluate whether factors are present that either inhibit or promote a person’s ability to perform with the necessary degree of objectivity the work the auditor plans to use. Internal auditors normally are expected to have greater competence and objectivity in performing the type of work that is useful to the auditor.
The auditor should not use the work of individuals who have either a low degree of objectivity or competence. Also, the auditor should be more inclined to perform his or her own work on a control as the risk associated with that control increases.
The auditor should use a top-down approach for the selection of controls in an audit of internal controls over financial reporting. This approach begins at the financial statement level and with the auditor’s understanding of the overall risks to internal control over financial reporting. The auditor then focuses on entity-level controls, and then significant accounts and disclosures and their relevant assertions. By taking this approach, the auditor focuses on those accounts, disclosures, and assertions that present a reasonable possibility of material misstatement to the financial statements and related disclosures.
The auditor’s evaluation of entity-level controls can result in changes to the testing that the auditor would otherwise have performed on other controls.
Entity-level controls include:
Some entity-level controls, such as those impacting the control environment, have an indirect (though important) effect on the likelihood that a misstatement will be detected or prevented on a timely basis. Other entity-level controls monitor the effectiveness of other controls; as such, they may allow the auditor to reduce the testing of other controls. Other entity-level controls may operate at a level of precision that would adequately prevent or detect misstatements; if so, the auditor may not need to test additional controls related to that risk.
The auditor must evaluate the control environment at the entity. As part of this evaluation, the auditor should assess:
The auditor must also evaluate the entity’s period-end reporting process. The reporting process includes those procedures:
As part of evaluating the period-end financial reporting process, the auditor should assess the following:
The auditor should identify significant accounts and disclosures, as well as their relevant assertions. Financial statement assertions include existence or occurrence, completeness, valuation or allocation, rights and obligations, and presentation and disclosure.
To identify significant accounts and disclosures and their relevant assertions, the auditor should evaluate the qualitative and quantitative risk factors related to the financial statement line items and disclosures. Risk factors relevant to the identification of significant accounts and disclosures and their relevant assertions include:
The auditor should also determine the likely sources of potential misstatements that would cause the financial statements to be materially misstated. The auditor might determine the likely sources of potential misstatements by asking what could go wrong within a given account or disclosure.
The risk factors that the auditor should evaluate in identifying significant accounts and disclosures and their relevant assertions are the same in the audit of internal control over financial reporting as in the audit of the financial statements; thus, significant accounts and disclosures and their relevant assertions are the same for both audits.
When an entity has multiple locations or business units, the auditor should identify significant accounts and disclosures and their relevant assertions based on the consolidated financial statements. See “Multiple Location Scoping Decisions” for more information.
The auditor should pursue the following objectives in order to further understand the likely sources of potential misstatements:
As part of this evaluation, the auditor should also understand how information technology affects the entity’s flow of transactions.
The auditor may find that a walk-through is the most effective way to understand likely sources of misstatement. In performing a walk-through, the auditor should question the entity’s personnel about their understanding of what is required by the entity’s procedures and controls. These questions, when combined with other walk-through procedures, allow the auditor to gain a sufficient understanding of the process, as well as be able to identify important points where a necessary control is either missing or not designed effectively.
Given the level of judgment required, the auditor should either directly perform the preceding procedures, or supervise the work of others who provide direct assistance to the auditor.
The auditor should test those controls that are important to the auditor’s conclusion about whether the entity’s controls sufficiently address the assessed risk of misstatement to each relevant assertion. It is not necessary to test all controls related to a relevant assertion, nor is it necessary to test redundant controls, unless redundancy is itself a control objective. The decision to select a control for testing depends on which controls, either individually or in combination, sufficiently address the assessed risk of misstatement to a given assertion.
The auditor should test the design effectiveness of controls by determining whether the controls satisfy the entity’s control objectives and can effectively prevent or detect errors or fraud that could result in material misstatements in the financial statements. Design effectiveness test procedures include a mix of personnel inquiry, operations observation, and relevant documentation inspection. Walk-throughs that include these procedures ordinarily are sufficient to evaluate design effectiveness.
The auditor should test the operating effectiveness of a control by determining whether the control is operating as designed and whether the person performing it possesses the authority and competence to perform the control effectively. If the entity uses a third party to provide assistance with some financial reporting functions, then the auditor may take into account the combined competence of company personnel and other parties that assist with functions related to financial reporting.
The evidence needed to persuade the auditor that a control is effective depends on the risk associated with the control. This is the risk that the control might not be effective, and if not effective, the risk that a material weakness would result. As this risk increases, the auditor should obtain additional evidence.
There are a number of factors influencing the risk associated with a control. These include:
When the auditor identifies deviations from the entity’s controls, he or she should determine the effect of the deviations on the assessment of the risk associated with the control being tested and the associated evidence to be obtained, as well as on the operating effectiveness of the control. Given that effective internal control over financial reporting cannot provide absolute assurance of achieving the entity’s control objectives, an individual control does not necessarily have to operate without any deviation to be considered effective.
When testing a control, the auditor will find that different combinations of the nature, timing, and extent of testing may provide sufficient evidence in relation to the risk associated with the control. The nature of the tests of effectiveness that will provide competent evidence depends considerably on the nature of the control to be tested.
Some tests produce greater evidence of control effectiveness than other tests. The following tests are presented in order of the most evidence provided to the least:
Testing controls over a greater period of time provides more evidence of the effectiveness of controls than testing over a shorter period of time. Further, testing performed closer to the date of management’s assessment provides more evidence than testing performed earlier in the year.
The auditor should evaluate the effect of the findings of the substantive auditing procedures performed in the audit of financial statements on the effectiveness of internal control over financial reporting. This evaluation should include:
The more extensively a control is tested, the greater the evidence obtained from that test.
When the auditor reports on the effectiveness of controls as of a specific date and obtains evidence about the operating effectiveness of controls at an interim date, he or she should determine what additional evidence concerning the operation of the controls for the remaining period is necessary. The additional evidence required depends on the following factors:
In subsequent years’ audits, the auditor should incorporate knowledge from past audits of the entity’s controls into the decision-making process for determining the nature, timing, and extent of testing needed. After taking into account all risk factors, the auditor may be able to reduce testing in subsequent years.
The auditor should vary the nature, timing, and extent of controls testing from year to year, to introduce unpredictability into the testing and respond to changes in circumstances. Thus, the auditor could test controls during different interim periods, change the number and types of tests performed, or change the combination of procedures used.
The auditor must evaluate the severity of each control deficiency to determine whether the deficiencies, individually or together, are material weaknesses as of the date of management’s assessment. However, in planning and performing the audit, the auditor is not required to search for deficiencies (either individually or in combination) that are less severe than a material weakness.
The severity of a deficiency depends on whether there is a reasonable possibility that the entity’s controls will fail to prevent or detect a misstatement of an account balance or disclosure, and the magnitude of the potential misstatement resulting from the deficiency. The severity of a deficiency does not depend on whether a misstatement actually has occurred, but rather on whether there is a reasonable possibility that the entity’s controls will fail to prevent or detect a misstatement.
Risk factors affect whether there is a reasonable possibility that a deficiency, or a combination of deficiencies, will result in a misstatement of an account balance or disclosure. The risk factors include:
The evaluation of whether a control deficiency presents a reasonable possibility of misstatement can be made without quantifying the probability of occurrence as a specific percentage or range.
Multiple control deficiencies that affect the same financial statement account balance or disclosure increase the likelihood of misstatement and may, in combination, constitute a material weakness, even though such deficiencies may individually be less severe. Thus, the auditor should determine whether individual control deficiencies that affect the same significant account or disclosure, relevant assertion, or component of internal control collectively result in a material weakness.
Factors affecting the magnitude of a misstatement that might result from a deficiency in controls include the financial statement amounts or total of transactions exposed to the deficiency, and the volume of activity in the account balance or class of transactions exposed to the deficiency that has either occurred in the current period or is expected in future periods.
When evaluating the magnitude of a potential misstatement, the maximum amount that an account balance or total of transactions can be overstated is generally the recorded amount, while understatements could be larger. Also, the probability of a small misstatement is greater than the probability of a large one.
The auditor should evaluate the effectiveness of compensating controls when determining whether a control deficiency or combination of deficiencies is a material weakness. To have a mitigating effect, the compensating control should operate at a level of precision that would prevent or detect a misstatement that could be material.
Indicators of material weakness in internal control over financial reporting include the following:
When evaluating the severity of a deficiency or combination of deficiencies, the auditor should also determine the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles (GAAP). If the auditor determines that this is not the case, then he or she should treat the deficiency or combination of deficiencies as an indicator of a material weakness.
The auditor should form an opinion on the effectiveness of the entity’s internal control over financial reporting by evaluating evidence from all sources. This should include the auditor’s controls tests, misstatements detected during the financial statement audit, any identified control deficiencies, and internal audit reports that address relevant controls.
The auditor should also evaluate the presentation of the elements that management is required to present in its annual report on internal control over financial reporting. If any elements of management’s annual report are incomplete or improperly presented, the auditor should modify his or her report to include an explanatory paragraph describing the reasons for this determination.
The auditor may form an opinion only when there have been no scope restrictions on the auditor’s work. If there is a scope limitation, the auditor must either disclaim an opinion or withdraw from the engagement. When disclaiming an opinion because of a scope limitation, the auditor should state that the scope of the audit was not sufficient to warrant the expression of an opinion and, in a separate paragraph, the reasons for the disclaimer; the auditor should not identify the procedures that were performed nor include the statements describing the characteristics of an audit of internal control over financial reporting.
In an audit of internal control over financial reporting, the auditor should obtain written representations from management that:
If management does not provide written representations, this is a scope limitation on the audit. In this case, the auditor must either withdraw from the engagement or disclaim an opinion. In such a case, the auditor must also evaluate the effects of management’s refusal on his or her ability to rely on other representations, including those obtained in the audit of the entity’s financial statements.
The auditor must issue written communications to management and the audit committee regarding all material weaknesses identified during the audit. This communication should be made prior to issuing the auditor’s report on internal control over financial reporting. If the auditor concludes that the oversight by the entity’s internal audit committee is ineffective, then he or she must communicate that conclusion in writing to the board of directors.
The auditor should consider whether there have been any deficiencies or combinations of deficiencies that have been identified during the audit that are significant deficiencies. If so, he or she must communicate these deficiencies, in writing, to the audit committee.
The auditor should also communicate to management, in writing, all deficiencies in internal control over financial reporting (i.e., those less-than-material weaknesses) identified during the audit and inform the audit committee when such a communication has been made. When formulating this communication to management, the auditor does not have to repeat information about deficiencies that have been communicated before.
The auditor should not issue a report stating that no deficiencies less severe than a material weakness were noted during the audit.
The auditor’s report on the audit of internal control over financial reporting must include the following components:
The auditor may choose to issue a combined statement that contains an opinion on the financial statements and an opinion on internal control over financial reporting. It is also acceptable to issue separate reports on these topics.
Several examples of the auditor’s report are included in the “Illustrations” section.
The auditor should date the audit report no earlier than the date on which the auditor has obtained sufficient competent evidence to support his or her opinion. Because the auditor cannot audit internal control over financial reporting without also auditing the financial statements, the reports should have the same date.
If there are deficiencies (either individually or in combination) resulting in one or more material weaknesses, the auditor must express an adverse opinion on the entity’s internal control over financial reporting.
When expressing an adverse opinion on internal control over financial reporting because of a material weakness, the auditor’s report must include:
If the material weakness was not included in management’s assessment, then the auditor should modify his or her report to state that a material weakness has been identified but not included in management’s assessment. Further, the report should include a description of the material weakness, which should provide the users of the audit report with specific information about the nature of the material weakness and its actual and potential effect on the presentation of the entity’s financial statements issued during the existence of the weakness. In addition, the auditor should communicate to the audit committee in writing that the material weakness was not disclosed or identified as a material weakness in management’s assessment.
If the material weakness was included in management’s assessment but the auditor concludes that the disclosure of the material weakness is not fairly presented in all material respects, then the auditor’s report should describe this conclusion as well as the information necessary to fairly describe the material weakness.
The auditor should determine the effect the adverse opinion has on his or her opinion on the financial statements. Further, the auditor should disclose whether his or her opinion on the financial statements was affected by the adverse opinion on internal control over financial reporting.
The auditor should modify his or her report if any of the following conditions exist:
If the auditor determines that elements of management’s annual report on internal control over financial reporting are incomplete or improperly presented, the auditor should modify his or her report to include an explanatory paragraph describing the reasons for this determination.
When the auditor plans to disclaim an opinion and the limited procedures performed by the auditor cause the auditor to conclude that a material weakness exists, the auditor’s report should include:
The auditor may issue a report disclaiming an opinion on internal control over financial reporting as soon as the auditor concludes that a scope limitation will prevent the auditor from obtaining the reasonable assurance necessary to express an opinion. The auditor is not required to perform any additional work prior to issuing a disclaimer, once the auditor concludes that he or she will not be able to obtain sufficient evidence to express an opinion.
AU Section 711, Filings under Federal Securities Statutes, describes the auditor’s responsibilities when the auditor’s report is included in registration statements, proxy statements, or periodic reports filed under the federal securities statutes. The auditor should apply Section 711 with respect to the auditor’s report on internal control over financial reporting included in such filings. In addition, the auditor should extend the direction in Section 711 to obtain written representations from officers and other executives responsible for financial and accounting matters about whether any events have occurred that have a material effect on the audited financial statements to matters that could have a material effect on internal control over financial reporting.
When the auditor intends to consent to the inclusion of his or her report on internal control over financial reporting in the securities filing, his or her consent should clearly indicate that both the audit report on financial statements and the audit report on internal control over financial reporting (or both opinions if a combined report is issued) are included in his or her consent.
There may be changes in internal control over financial reporting or other factors that significantly affect internal control over financial reporting, arising subsequent to the date as of which internal control over financial reporting is being audited, but before the date of the auditor’s report. The auditor should make inquiries of management as to whether there were any such changes or factors, and obtain written management representations relating to such matters.
The auditor’s inquiries during this subsequent period can include the following:
If the auditor obtains knowledge about subsequent events that materially and adversely affect the effectiveness of the entity’s internal control over financial reporting as of the date specified in the assessment, the auditor should issue an adverse opinion on internal control over financial reporting. If the auditor is unable to determine the effect of the subsequent event on the effectiveness of the entity’s internal control over financial reporting, he or she should disclaim an opinion.
If a subsequent event has a material effect on the entity’s internal control over financial reporting, then the auditor should include in his or her report an explanatory paragraph describing the event and its effects, or directing the reader’s attention to the event and its effects as disclosed in management’s report.
If, after issuance of the auditor’s report, the auditor becomes aware of conditions that existed at the report date that might have affected the auditor’s opinion, then the auditor should follow the procedures noted in AU Section 561, Subsequent Discovery of Facts Existing at the Date of the Auditor’s Report.
In determining the locations or business units at which to perform tests of controls, the auditor should assess the risk of material misstatement to the financial statements associated with the location or business unit, and correlate the amount of audit attention with the degree of audit risk. The auditor can eliminate from consideration those locations or business units that, individually or when aggregated with others, do not present a reasonable possibility of material misstatement to the entity’s consolidated financial statements.
When determining the locations or business units at which to perform tests of controls, the auditor may take into account work performed by others on behalf of management. For example, this can involve the coordination of work with the entity’s internal auditors.
The scope of the audit should include entities that are acquired on or before the date of management’s assessment and operations that are accounted for as discontinued operations on the date of management’s assessment.
For equity method investments, the scope of the audit should include controls over the reporting in accordance with GAAP, in the entity’s financial statements, of the entity’s portion of the investee’s income or loss, the investment balance, adjustments to the income or loss and investment balance, and related disclosures. The audit ordinarily would not extend to the controls at the equity method investee.
If the Securities and Exchange Commission (SEC) allows management to exclude certain entities from its assessment of internal control over financial reporting, then the auditor may limit the audit in the same manner; this is not considered a scope limitation. However, the auditor should include in his or her report a disclosure similar to management’s regarding the exclusion of the entity from the scope of both management’s assessment and the auditor’s audit of internal control over financial reporting. Further, the auditor should evaluate the reasonableness of management’s conclusion that the situation meets the criteria of the SEC’s allowed exclusion and the appropriateness of any required disclosure related to such a limitation.
AU Section 324, Service Organizations, applies to the audit of financial statements of an entity that obtains services from another organization that are part of the entity’s information systems. The auditor may apply the relevant concepts described in Section 324 to the audit of internal control over financial reporting.
When a significant period of time has elapsed between the time period covered by the tests of controls in the service auditor’s report and the date specified in management’s assessment, additional procedures should be performed. The auditor should inquire of management to determine whether management has identified any changes in the service organization’s controls subsequent to the period covered by the service auditor’s report; these changes can include changes in the personnel at the service organization with whom management interacts, changes in reports or other data received from the service organization, changes in contracts or service level agreements with the service organization, or errors identified in the service organization’s processing. The auditor should evaluate the effect of such changes in the effectiveness of the entity’s internal control over financial reporting. The auditor should also evaluate whether the results of other procedures he or she performed indicate that there have been changes in the controls at the service organization.
The auditor should determine whether to obtain additional evidence about the operating effectiveness of controls at the service organization based (1) on the procedures performed by management or the auditor and the results of those procedures and (2) on an evaluation of the following risk factors:
If the auditor concludes that additional evidence about the operating effectiveness of controls at the service organization is required, his or her additional procedures might include:
The auditor should not refer to the service auditor’s report when expressing an opinion on internal control over financial reporting.
Automated application controls are usually not subject to breakdowns due to human failure, which allows the auditor to use a benchmarking strategy.
If controls over program changes, access to programs, and computer operations are effective and continue to be tested, and if the auditor verifies that the automated application control has not changed since he or she last tested the application control, then the auditor may conclude that the automated application control continues to be effective without repeating the prior year’s tests of the operation of the automated application control.
To determine whether to use a benchmarking strategy, the auditor should assess a number of risk factors. As these factors indicate lower risk, the control being evaluated might be well-suited for benchmarking. However, as these factors indicate increased risk, the control being evaluated is less suited for benchmarking. The risk factors are:
Benchmarking automated application controls can be especially effective when it involves purchased off-the-shelf software, since the possibility of program changes is remote.
After a period of time, the baseline of the operation of an automated application control should be reestablished. To determine when to reestablish a baseline, the auditor should evaluate the following factors:
The following is an illustration of a combined report that expresses an unqualified opinion on financial statements and an unqualified opinion on internal control over financial reporting, as well as a format where the auditor issues a separate report on internal control over financial reporting. They are adapted from PCAOB Standard 5.
1 Practitioners should reference the additional guidance listed in the section “Other PCAOB Guidance” in this volume’s chapter PCAOB 1.