PCAOB Auditing Standard 2: Audits of Internal Control
Jack W. Paul
- The Sarbanes-Oxley Act of 2002 requires public accounting
firms that audit public companies to register with the Public
Company Accounting Oversight Board (PCAOB) and to adhere to
professional standards established by the board for audits
of public companies. The PCAOB’s pronouncement, Auditing
Standard 2, An Audit of Internal Control Over Financial
Reporting Performed in Conjunction with an Audit of Financial
Statements, requires auditors to issue an opinion on
the effectiveness of their public company clients’ internal
June 5, 2003, the SEC issued Release 33-8238 to implement
section 404(a) of the Sarbanes-Oxley Act (SOA), which requires
management to include in the annual report to shareholders
its assessment of the effectiveness of internal control.
The company’s external auditors must attest to and
report on management’s assessment for fiscal years
beginning on or after January 15, 2006, for accelerated
filers, and on or after July 15, 2006, for nonaccelerated
filers. Standard 2 imposes many new responsibilities on
public companies’ auditors and, by extension, on the
public companies themselves. In its over 200 pages, Standard
2 delineates the PCAOB’s expectations for an internal
of an Internal Control Audit
Standard 2 defines an “audit” as an integrated
audit of both the financial statements and internal control,
separate examination of the internal control audit facilitates
understanding. Standard 2 identifies the following important
steps in an audit of internal control:
Plan the audit.
management’s assessment process.
Obtain an understanding of internal control.
and evaluate design effectiveness.
Test and evaluate operating effectiveness.
Evaluate the sufficiency of testing.
Formulate an opinion on the effectiveness of internal
control over financial reporting.
Issue a report on internal control.
Communicate findings to the audit committee and management.
auditors routinely carry out some of the foregoing steps
in a financial statement audit, the audit of internal control
requires more extensive procedures, coupled with some requirements
that break new ground. Key implementation issues include
Differentiating between management and auditor responsibilities;
entities to include in the consolidated group;
Selecting testing locations;
Distinguishing design effectiveness from operating effectiveness;
Considering issues related to the “as of”
Deciding on the extent of control testing;
Using the work of others;
Distinguishing between a material weakness and a significant
results to management and financial statement users.
Between Management and Auditor Responsibilities
responsibilities. Standard 2 requires management
to do the following:
Accept responsibility for the effectiveness of the company’s
internal control over financial reporting.
Evaluate the effectiveness of internal control over financial
reporting, using suitable control criteria such as the
COSO framework or an alternative recognized framework
developed by body of experts following due process.
Support the evaluation with sufficient documented evidence.
Present a written assessment about the effectiveness of
the company’s internal control as of the end of
the most recent fiscal year.
must perform procedures sufficient to support its evaluation
of control effectiveness, and is prohibited by Standard
2 from using the auditor’s testing as part of the
basis for its assessment of control effectiveness. Management’s
failure to fulfill the foregoing responsibilities requires
the auditor to disclaim an opinion on internal control due
to a scope limitation.
responsibilities. Standard 2 requires the
auditor to do the following:
Understand and evaluate management’s process for
assessing the effectiveness of the company’s internal
control over financial reporting.
Plan and conduct an audit of the company’s internal
Based on this audit, provide an opinion on management’s
written assessment about the effectiveness of the company’s
opinion incorporates the auditor’s opinion on the
effectiveness of the company’s internal control over
responsibilities augment those required for the financial
general, the scope of the audit of internal control includes
all entities over which management has the ability to affect
Entities acquired on or before the date of management’s
assessment as of the end of the fiscal year, including
consolidated entities or those proportionately consolidated;
Those accounted for as discontinued operations at the
end of the fiscal year.
some situations, such as when management does not have the
ability to affect the controls of an equity method investee,
the auditor’s scope includes only the controls related
to the investor’s financial reporting of its interest
in the investee, rather than the controls in place at the
investee. The applicable controls are those designed to
ensure proper application of the equity method in reporting
the company’s proportion of investee income or loss,
the investment balance, adjustments, and disclosures. Variable
interest entities (VIE), defined in FASB Interpretation
46, are treated in a similar fashion when management is
not the primary beneficiary and does not consolidate the
the auditor must evaluate the reasonableness of management’s
claims regarding its inability to affect controls at such
Locations for Testing
a multilocation environment, the auditor must decide where
to focus control testing, typically by evaluating the set
of locations and selecting a subset that offers an optimal
combination of effectiveness and efficiency. Standard 2
recommends the following approach:
Identify business units or locations that are individually
locations having specific risks. For example, financial
trading firms are susceptible to counterparty risk. If
the client concentrates a large number of forward contracts
in a small number of institutions, failure of these institutions
could lead to significant losses that may result in material
errors, fraud, and other reporting improprieties.
When, in the aggregate, the remaining locations are insignificant,
no further action is required.
If the remaining locations are significant when aggregated,
the auditor should examine company-level controls over
this group by checking documentation and testing these
controls include those thought of as “general”
those pertaining to the control environment, such as the
“tone” set by management;
the internal audit function;
supervisory controls to monitor operations;
the risk assessment process; and
controls over the process related to period-end reporting.
the auditor cannot evaluate the effectiveness of company-wide
controls without site visits, locations should be selected
for testing. The Exhibit
summarizes the preceding approach.
Versus Operating Effectiveness
design effectiveness pertains to whether a control is properly
crafted, operating effectiveness deals with use of a properly
designed control to prevent, detect, or correct misstatements
or irregularities on a timely basis. For example, a daily
reconciliation of cash receipts is not effectively designed
when the cashier performs the reconciliation. But if an
independent person is designated to perform the reconciliation
and the other procedures are properly documented, the control
is effectively designed. The control is not operating effectively
when the independent reconciler either fails to perform
the reconciliation daily or does so in a perfunctory manner.
Design effectiveness of this control could be tested by
reviewing documentation to ensure that the procedures are
satisfactory. Operating effectiveness could be tested by
examining the reconciler’s initials on the daily reconciliation
“as of” Date
difference between a financial statement and an internal
control audit relates to the opportunity to correct deficiencies.
Whereas a company can correct material misstatements detected
during a financial statement audit by accepting the auditor’s
proposed adjustments, if the auditor detects a material
control weakness, it may not be possible to fix it in time.
Because the auditor’s opinion is “as of”
the balance sheet date, the auditor must issue an adverse
opinion on internal control when material weaknesses exist,
even when the company receives an unqualified opinion on
the financial statements.
Material weaknesses can be corrected when caught in time.
must correct the control system at such a time that the
auditor has sufficient time to test the modified controls.
Accordingly, the auditor should begin the control audit
to leave enough time for corrections.
2 indicates that the auditor’s opinion on internal
control relates both to a point in time and taken as a whole:
express an opinion on internal control over financial reporting
effectiveness as of a point in time, the auditor
should obtain evidence that internal control over financial
reporting has operated effectively for a sufficient period
of time, which may be less than the entire period (ordinarily
one year) covered by the company’s financial statements.
To express an opinion on internal control over financial
reporting effectiveness taken as a whole, the auditor
must obtain evidence about the effectiveness of controls
over all relevant assertions related to all significant
accounts and disclosures in the financial statements. This
requires that the auditor test the design and operating
effectiveness of controls he or she ordinarily would not
test if expressing an opinion only on the financial statements.
as a whole. The auditor exercises judgment
to ascertain those accounts considered “significant”
or more than material. The auditor also considers qualitative
characteristics. For example, investment balances not material
to the overall financial statements may obscure the true
nature of the relationship, especially when the investment
is in partially consolidated entities or involves debt guarantees.
And certain accounts that are liquid or incorporate significant
estimates are riskier than others. Examples include cash,
marketable securities, and warranty liabilities.
in time. Internal control procedures can relate
to either transaction flows or account balances, sometimes
referred to as “stocks.” Examples of controls
relating to transaction flows include approving cash disbursements;
prelisting cash receipts; approving credit sales; and matching
purchase orders, vendor invoices, and receiving reports
when booking accounts payable. Controls over balances (stocks)
include periodic reconciliation of bank accounts; reconciliation
of subsidiary ledgers with control accounts; procedures
for physical inventory counts; and controls governing the
periodic preparation of financial statements. Overarching
controls include the factors comprising the control environment.
Overarching controls and those pertaining to flows operate
continuously throughout the fiscal period; controls relating
to balances typically operate less frequently. Thus bank
accounts are reconciled monthly, whereas controls over cash
flows are continuous.
considerations. Controls must operate for
a long enough period, which need not be an entire fiscal
year, to provide sufficient confidence in the auditor’s
control tests. Accordingly, the auditor must make several
observations of controls that operate only at a point in
that operate infrequently should be tested closer to the
“as of” date. These include controls over: the
periodic preparation of financial statements; individual
account balances; and nonroutine transactions. Consider
a calendar-year company that begins the procedure of reconciling
the accounts-receivable subsidiary ledger to the control
account only at the end of December. The auditor might conclude
that one observation is not sufficient to evaluate this
control’s operating effectiveness.
considerations suggest that an unqualified opinion on internal
control should state: “The controls were effective
for a sufficient period of time during the fiscal year to
be able to support the conclusion that they were still effective
at the end of the period.” Nevertheless, Standard
2 calls for expressing an opinion as of a point in time,
the end of the fiscal year.
Standard 2 requires the auditor to obtain evidence of the
effectiveness of controls pertaining to all relevant assertions
for all significant accounts each year; each year must stand
on its own. It also calls for the auditor to vary the nature,
extent, and timing of testing from year to year to introduce
unpredictability and to respond to changing circumstances.
Examples of variations include changing the number of tests
performed and adjusting the combination of testing procedures.
much testing? The auditor should generally
perform sufficient testing to obtain a very high level of
confidence, in the range of 95% to 99%, that the controls
can prevent, detect, or correct material misstatements in
any particular assertion. Many control procedures are difficult
to quantify, however. Procedures such as approvals and reconciliations
typically leave a documentary trail. On the other hand,
because many controls involving segregation of functions
and control environment factors, such as management’s
philosophy and operating style, provide no documentary evidence
of the control’s performance, the auditor should subjectively
assess the probability of effectiveness.
results of substantive testing provide another opportunity
for assessing the effectiveness of controls. For example,
if the auditor uncovers a previously unnoticed material
misstatement of credit sales, then the auditor could easily
conclude that controls over credit sales are ineffective,
and decide that a material weakness exists requiring an
adverse opinion on internal control. Even nonmaterial misstatements
can signal ineffective controls.
of testing. Although Standard 2 precludes
the rotation of testing over several fiscal periods, reduced
testing seems reasonable when conditions have not changed
significantly and controls are unaltered from one period
to the next. For example, assume that extensive testing
was conducted on controls over inventories in fiscal year
2004. If in 2005, tests to obtain an understanding of these
controls indicate no significant changes, a company might
reasonably decide to reduce testing of controls over inventories
the Work of Others
auditor may use the work of competent client personnel,
as long as the auditor’s own work is the “principal
evidence” supporting the opinion. Principal evidence
should not be interpreted in a purely quantitative manner,
as the auditor may be able to rely extensively on certain
tests performed by client personnel but place little reliance
on other tests.
following considerations should be kept in mind when relying
on the work of others:
The greater the materiality of and the degree of judgment
and estimations inherent in an account, the less the auditor
should rely on client testing. Conversely, the auditor
could rely on the testing of routine accounts requiring
more pervasive the control and the higher the degree of
judgment involved in evaluating a control’s effectiveness,
the more the auditor should rely on her own testing. For
example, reviewing control environment factors requires
an auditor’s own tests, because of the qualitative
nature of these controls. Extensive reliance could be
placed on the client’s testing of more-routine controls,
such as reconciliations, document matching, and programmed
validity and logic checks.
the potential for management override is substantial,
the auditor should place little reliance on client testing.
formulate an opinion on internal control, the auditor needs
to evaluate all the evidence obtained, including that obtained
while conducting the financial statement audit. An unqualified
opinion is appropriate only in the absence of material weaknesses.
to Standard 2, an internal control deficiency exists when
the design or operation of a control does not allow for
the timely prevention or detection of misstatements. It
defines a significant deficiency as one that affects the
company’s ability to reliably process and report financial
data such that there is more than a remote likelihood that
the financial statements will be impacted in a manner that
is consequential but not material. For example, suppose
a company does not reconcile its intercompany transactions.
If the auditor expects the impact of any misstatement to
be significant but not material, the control weakness would
be considered a “significant deficiency.”
2 defines a material weakness as “a significant deficiency,
or combination of significant deficiencies, that results
in more than a remote likelihood that a material misstatement
of the annual or interim financial statements will not be
prevented or detected.” Identifying material weaknesses
requires the auditor to examine identified deficiencies
to determine whether any should be classified as “significant
deficiencies,” and to consider whether any of the
significant deficiencies are “material weaknesses.”
professional judgment is required when assessing the significance
of a deficiency, including the auditor’s consideration
of the following:
The potential for a misstatement, rather than whether
a misstatement has actually occurred;
The impact of a deficiency, including the amounts of transactions
exposed and the volume of transactions in the affected
How the interaction of controls with other controls, their
interdependence with other controls, and control redundancies
affects their proper functioning.
illustrate control interdependence and redundancies, consider
an example where a storeroom clerk keeps the perpetual inventory
records and takes the annual physical count. Although this
weakness could be considered material, redundant controls
reduce the risk. If the clerk is on one of several teams
using established procedures, such as properly supervised
counts, the control weakness is mitigated and would not
typically be considered a material weakness.
Weaknesses Versus Significant Deficiencies
a significant deficiency from a material weakness is subjective.
The distinguishing characteristic of a material weakness
is the existence of “more than a remote likelihood”
that a material misstatement will not be prevented or detected.
Although several examples in Appendix D of Standard 2 illustrate
that distinction, determining just what constitutes a material
weakness is difficult.
no definition of the term “remote” is offered
in the standard, a practical approach to evaluating weaknesses
consists of the following steps:
Estimate the monetary effect of each weakness uncovered.
Assign a “material misstatement likelihood factor”
to each weakness—for example, remote, reasonably
possible, or probable—similar to the labels found
in SFAS 5, Accounting for Contingencies.
Rank all weaknesses on the material misstatement likelihood
Denote all weaknesses with more than a remote likelihood
as “material weaknesses.”
Determine the significance of the remaining deficiencies
by reviewing the estimated monetary impact of each.
Examine those deficiencies designated “significant”
to decide whether a combination thereof constitutes a
2 specifies the content of the report on internal control.
Auditors should be aware of several factors:
An auditor may provide either separate or combined reports
on the financial statements and internal control.
Whereas the opinion on the financial statements typically
addresses multiple periods, the opinion on internal control
covers only the most recent fiscal year.
When an auditor issues separate reports, the annual report
must contain both.
The reports should have the same date, normally the last
day of fieldwork.
An auditor’s report on management’s assessment
of internal control over financial reporting includes
an opinion on the company’s internal control.
following situations call for the auditor to modify the
“clean opinion” report:
Inadequate management assessment or inappropriate
management report. If an auditor concludes that management’s
process for assessing internal control is inadequate,
the auditor should modify the opinion for a scope limitation,
which could result in a qualified opinion, a disclaimer
of opinion, or withdrawal from the engagement. When management’s
report is inappropriate, an auditor should include an
explanatory paragraph describing the reasons for the inappropriateness.
material weakness exists in the company’s internal
control. In this case, an auditor must render an
adverse opinion on the effectiveness of internal control.
An auditor may, in the same report, render an unqualified
opinion on management’s assessment if it also concludes
that internal control is not effective.
Management or circumstances restrict the scope of
the engagement. When management imposes restrictions,
an auditor should withdraw from the engagement or disclaim
an opinion on both management’s assessment and the
effectiveness of internal control.
The auditor’s report relies in part on the report
of another auditor.
A significant subsequent event occurred after the
“as of” date.
Management’s assessment contains additional
information. New information could concern corrective
action taken after management’s assessment, or indicate
plans to implement new controls. The auditor should disclaim
an opinion on the new information.
the auditor issues an unqualified opinion on the financial
statements but an adverse opinion on internal control, due
to one or more material weaknesses, the report should indicate
that the conduct of the financial statement audit took those
material weaknesses into account. This information helps
readers of the financial statements understand why the auditor
gave an unqualified opinion on the financial statements.
The auditor should include similar language when the adverse
opinion on internal control affects the opinion on the financial
Likely Reasons for Opinion Modifications
a practical matter, opinion modifications are likely to
arise from three circumstances:
Material misstatements detected by the auditor were not
identified by the company. This situation could result
in an adverse opinion.
Inadequate documentation. This situation is a control
deficiency that may constitute a material weakness if
extensive. In this case, the auditor renders an adverse
Inadequate management assessment creates a scope limitation
requiring a disclaimer, a qualified opinion on internal
control, or withdrawal from the engagement.
it requires the auditor to go well beyond the review and
evaluation of controls that was the norm for reporting on
financial statements, Standard 2 promises to fundamentally
alter both the control systems in public companies and auditors’
assessment of them, thereby providing additional assurance
W. Paul, PhD, CPA, is a professor of accounting at
Lehigh University, Bethlehem, Penn.