August 1993

Attestation engagements on internal control structure over financial reporting.

by Takacs, Joseph

    Abstract- The Auditing Standards Board released Statement on Standards for Attestation Engagements (SSAE) No. 2 in response to the growing demand for internal control reports. The Statement replaces and revises most of the provisions of Statement on Auditing Standards (SAS) No. 30. SSAE No. 2 requires practitioners to report on management's written assertion about an organization's internal control structure over financial reporting. Independent accountants are no longer permitted to report directly on the internal control system. Certain conditions must be present before practitioners can accept an engagement to examine and express an opinion on management's assertion about internal control: management must provide a written assertion based on accepted criteria, management must be sufficiently knowledgeable to take responsibility for its assertion, and sufficient evidence must exist to support the assertion. Procedures for examining and reporting on internal control are discussed.

Until now, practitioners equated reporting on internal control with either the annual "management letter" issued in connection with an audit or, less frequently, a report directly on an entity's internal control system, in accordance with SAS No. 30, Reporting on Internal Accounting Controls. The expanding and intense emphasis placed on internal control by the public, regulators, and the profession is about to usher in a new era of internal control reporting.

In response to the recommendation of the Treadway Commission and public expectations, an increasing number of companies are assessing and discussing internal control in annual reports to shareholders. The Federal Deposit Insurance Corporation Improvement Act of 1991 requires auditors of certain insured depository institutions to examine and report on management's assertions about the effectiveness of the internal control structure. Other regulatory bodies are likely to follow suit. Further, managements are looking to engage independent accountants for a variety of services relative to internal control, including suggesting improvements, gathering data to help management make assessments, and providing assurance as to management's assertions regarding controls over financial reporting, compliance with laws and regulations, and efficiency and effectiveness of operations.

New Attestation Standard

In response, the AICPA Auditing Standards Board issued Statement on Standards for Attestation Engagements (SSAE) No. 2, Reporting on an Entity's Internal Control Structure over Financial Reporting ("the Statement"). The effective date of the Statement is for periods ending after December 15, 1993. The Statement supersedes and constitutes a major revision of the approach taken in SAS No. 30.

The AICPA published its first SSAE in 1986. The new Statement represents a very specific application of the attestation standards and will bring home to the profession, in a forceful manner, the delineation between audits covered by SASs and attest engagements.

It will be useful for the discussion to recall a few matters relative to attestation engagements. An attestation engagement is one in which a practitioner is engaged to issue or issues a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party.

One of the general attestation standards provides that the practitioner shall perform an engagement only if he or she has reason to believe that the following two conditions exist:

* The assertion is capable of evaluation against criteria that either have been established by a recognized body or are stated in the presentation of the assertion in a sufficiently clear and comprehensive manner for a knowledgeable reader to be able to understand them.

* The assertion is capable of reasonably consistent estimation or measurement using such criteria.

There is a hierarchy of assurance levels in attestation reporting that ranges from agreed-upon procedures (presenting findings) to reviews (negative assurance) to examinations (positive opinion).

SAS No. 30 was at odds with the attestation standards and required revision. Exhibit 1, taken from the Statement summary section, indicates how the new attestation statement will change existing standards. Under the Statement, management makes a written assertion about the effectiveness of an entity's internal control structure over financial reporting and the practitioner gives an opinion on management's assertion. The independent accountant no longer reports directly on an entity's internal control structure. This is a significant change from SAS 30 and not without controversy. Some have argued that direct reporting should continue to be permitted as long as there is restricted distribution of reports.

The assertion by management may take either of two forms: a separate report to accompany the independent accountant's report or a representation letter. In the latter instance, the independent accountant's report would be restricted to use by management and, if applicable, a regulatory agency.

Care must be taken to ensure that management's assertion is clear and not subjective. For example, an assertion that the internal control structure over financial reporting is "very effective" would not be acceptable.

The Statement does not directly address providing assurances on management assertions as to an entity's internal control structure over compliance with laws and regulations, other operating controls, or over safeguarding assets other than those encompassed by control procedures. The Statement does make clear, however, that these types of engagements fall within the attestation standards and their guidance would apply as appropriate.

Under the Statement, a practitioner may report on his or her examination of management's assertion or he or she may apply agreed-upon procedures; he or she is proscribed, however, from accepting an engagement to review and report on the assertion. A report on agreed-upon procedures should indicate procedures and findings; it should not, however, provide negative assurance as to whether management's assertion is fairly stated.

Accepting the Engagement

Certain conditions are specified that must exist for a practitioner to perform an engagement to examine and report on management's assertion regarding the effectiveness of an entity's internal control structure.

One of these conditions is that "management evaluates the effectiveness of the entity's internal control structure using reasonable criteria established by a recognized body." A recognized body means the AICPA, regulatory agencies, and other bodies composed of experts that follow due process procedures that include broad distribution for public comment.

In a footnote, the Statement provides that in other cases "criteria should be stated in the presentation of the assertion in a sufficiently clear and comprehensive manner for a reader to be able to understand them."

The Statement goes on to say that the Committee of Sponsoring Organizations of the Treadway Commission (COSO) report Internal Control--Integrated Framework provides reasonable criteria and that a simple reference to that document would suffice.

An ASB task force has been formed to propose necessary revisions to SAS No. 55, Consideration of the Internal Control Structure in a Financial Statement Audit, to reconcile it with COSO.

Under the new Statement, it is management that must decide what definition of internal control structure to use. For example, the elements of an entity's internal control structure as defined in SAS No. 55 differ from those defined by COSO. A comparison of the elements of internal control structure as defined in the two documents follows:

Whatever definition of internal control structure is used, it is important that the criteria selected be identified in the assertion in a clear and comprehensive manner.

Other conditions necessary for engagement acceptance are that management provides its assertion in writing, that management is sufficiently knowledgeable to accept responsibility for its assertion, and sufficient evidence exists to support management's evaluation.

Once the engagement acceptance conditions are met, a typical engagement to examine and report on an entity's internal control structure over financial reporting would generally proceed in the following order:

* Planning;

* Obtaining an understanding of the internal control structure;

* Evaluating the design and testing operating effectiveness of internal control structure policies and procedures;

* Evaluation of management's assertion; and

* Reporting on the engagement and communicating reportable conditions and material weaknesses.


Underpinning planning considerations is the risk model for attestation engagements as set forth in the first SSAE. Attestation risk is defined as "the risk that the practitioner may unknowingly fail to appropriately modify his or her attest report on an assertion that is materially misstated. It consists of a) the risk (consisting of inherent and control risk) that the assertion contains errors that could be material and b) the risk that the practitioner will not detect such errors (detection risk)."

Inherent Risk. For purposes of the Statement, inherent risk would relate to the conditions and environment that uniquely pertain to the entity that increase or decrease the likelihood that management has reached the appropriate conclusion about the effectiveness of the internal control structure. At an industry level, factors entering into inherent risk would include government regulations, economic conditions, financial reporting practices, and technological changes. Entity-specific matters of inherent risk relate to such things as organization, operating characteristics--i.e., size and complexity--and capital structure.

Control Risk. Control risk would relate to the effectiveness of the procedures the entity has put in place to assure its control objectives are being achieved. It has to do with the entity's supervision of the effectiveness of its control structure. Normally control risk in an engagement of this kind would be assessed at the maximum. To do otherwise would mean making a distinction between controls to prevent and detect financial statement misstatements and those which assure the entity that those controls that do so are effective. A common exception to assessing control risk at the maximum would occur if the entity had an internal audit function that regularly tested control effectiveness.

If the practitioner assesses control risk at less than the maximum because of the presence of an internal audit function, the practitioner would have to perform procedures to satisfy himself or herself that the internal audit activities were effective.

Detection Risk. Detection risk relates to the nature and extent of the actual test of controls the practitioner performs to gain satisfaction that the controls are operating effectively to support management's assertion.

Examination Risk. The product of the inherent, control, and detection risks must lead to an overall acceptable examination risk. The risk when dealing with test of controls and internal control structure matters is often thought of in terms of frequency of deviation. What rate of failure of a properly designed procedure could occur and still keep the overall examination risk at an acceptable level?

This discussion of the attestation risk model in the control structure setting is intended to help practitioners plan the nature and extent of detailed testing necessary to conclude about management's assertion. Basically, the practitioner needs to understand the relationship of management's evaluation of the control structure and the procedures needed to assess that evaluation. It demonstrates the importance of planning in performing a successful engagement.

Materiality. Planning must also include a preliminary judgment about materiality levels and other factors relating to the determination of material weaknesses. In this type of engagement the effectiveness of the internal control structure rests on its ability to prevent or detect misstatements that would be material to financial statements. A control structure's effectiveness to do this is evaluated in terms of material weaknesses--"a condition in which the design or operation of one or more of the specific internal control structure elements does not reduce to a relatively low level the risk that errors or irregularities in amounts that would be material in relation to the financial statements may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions."

Point-in-time Reporting. Most commonly, management will present its assertion about the effectiveness of the entity's internal control structure over financial reporting as of a point in time, usually the end of the entity's fiscal year. Therefore the extent of testing may be different from what it would be if the assertion covered the effectiveness of control procedures over a period of time, such as a year.

The practitioner might begin the planning process by establishing how management made its evaluation of the effectiveness of the control structure and what control criteria were used. The extent of formality and documentation management uses will vary significantly from engagement to engagement depending on such factors as the size and complexity of the entity and the competence and diligence of management. A preliminary survey should be made of the type and extent of evidential matter supporting management's assertion. This can include flow charts, questionnaires, policy and procedure manuals, completed forms and worksheets from the COSO "tools" material, and internal audit reports and results of testing. At management's request, the practitioner may assist in gathering or preparing this documentation.

The practitioner performing an examination engagement under the attestation standard may already possess a significant amount of knowledge of an entity's internal control structure. This may have been gained by prior engagements such as assisting management in gathering the data necessary for an assertion or from the understanding of internal control structure obtained by performing an audit. The practitioner should carefully consider this knowledge during the planning process in determining the extent of additional procedures to be performed and making the various assessments about the effectiveness of the internal control structure.

Obtaining an Understanding of Internal Control Structure

Management selects the control criteria and the elements that constitute the internal control structure. Different criteria may have different requirements. For example, in the case of COSO, the criteria for the control environment indicate that in most instances it is "necessary that the board contain outside directors." Therefore, if there are no outside directors, the practitioner would have to consider what effect this would have on his or her opinion about management's assertion. A given control objective can be met by applying various control procedures. The practitioner must obtain an understanding of the internal control structure policies and procedures within each element. In doing this, the practitioner focuses on how these policies and procedures assist in achieving the objectives of the control criteria, e.g., that the board has the required number of outside directors.

The practitioner gains an understanding of the design of specific policies and procedures by making inquiries of management personnel, inspecting documents, and observing entity activities and operations.

Evaluating the Design and Testing Operating Effectiveness

To evaluate the design of a specific internal control structure policy or procedure the practitioner considers whether that policy or procedure is suitably designed to prevent or detect material misstatements in specific financial statement assertions. The specific procedures to be followed will vary depending on the nature of documentation and complexity of the entity's operation and systems.

If COSO's integrated framework provides the control criteria, it includes guidance in applying the criteria to small and mid-size entities.

The practitioner must obtain sufficient evidential matter to support the opinion in his or her report. To do this he or she performs tests of the operating effectiveness of internal control structure policies and procedures. The tests may include inquiries, inspection of documentation, observation, and reperformance of internal control procedures.

The extent of testing is a matter of professional judgment based on the planning considerations and the attestation risk model discussed earlier. Additional matters the practitioner should consider are the following:

* The extent of testing performed by management. This will be a factor in determining the extent of testing the practitioner will perform. Evidence obtained through the direct efforts of the practitioner, however, is necessary and considered more persuasive.

* The period or point in time to which management's assertion relates. Even though management selects a point in time for its assertion, the practitioner must perform a test of controls over an adequate period of time to determine that control structure policies and procedures were operating effectively at the point selected by management.

The decision of how much testing to do must now be made. This is an issue for which the Statement gives no specific or numerical guidance. The starting point for deciding how many documents to look at in a particular test might be the number an auditor would test in a financial statement audit if control risk were assessed at the minimum. This number might be decreased after considering other matters such as inherent risk, the complexity of operations, and control risk over the control structure, e.g., a strong internal audit function. A CPA firm might establish, as a matter of policy, a minimum number to test, say 20 or 30 items. There would, of course, be control procedures whose effectiveness would not be tested by examining transactions, but rather by observation, inquiry, or reperformance of a control activity. An example of this would be the reperformance of an entity's procedures to account for the completeness of prenumbered documents issued during a period.
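The attestation risk model described under Planning (examination risk as the product of inherent, control, and detection risk, with the deviation-rate question it raises) and the sample-size question in the paragraph above can be carried through numerically. The following is an added worked example, not guidance from SSAE No. 2, which gives none: it uses the standard risk product and the binomial attribute-sampling test, and the planning values (5% examination risk, inherent risk of 1.0, control risk at the maximum of 1.0 or reduced to 0.5 for a tested internal audit function, 10% tolerable deviation rate) are assumed for illustration.

```python
"""Added illustration of the attestation risk model and deviation-rate reasoning.
Not from SSAE No. 2; formulas are the standard risk product and the binomial
attribute-sampling test. All numeric inputs below are assumed planning values."""
import math


def detection_risk(examination_risk, inherent_risk, control_risk):
    """Solve ER = IR x CR x DR for the detection risk the practitioner can accept.

    Risks are probabilities in (0, 1]. Control risk at the maximum is 1.0, the
    normal assessment in this kind of engagement unless an internal audit
    function regularly tests control effectiveness."""
    return examination_risk / (inherent_risk * control_risk)


def risk_of_overreliance(n, deviations, tolerable_rate):
    """Probability of observing at most `deviations` failures in n items when the
    true deviation rate is as high as tolerable_rate (binomial lower tail).
    If this exceeds the acceptable detection risk, the sample does not support
    concluding that the control operates effectively."""
    p = tolerable_rate
    return sum(math.comb(n, k) * p**k * (1 - p) ** (n - k)
               for k in range(deviations + 1))


def sample_size_zero_deviations(tolerable_rate, acceptable_risk):
    """Smallest n for which a clean sample (no deviations) keeps the risk of
    overreliance at or below acceptable_risk, i.e. (1 - p)^n <= risk."""
    return math.ceil(math.log(acceptable_risk) / math.log(1 - tolerable_rate))


def control_supported(n, deviations, tolerable_rate, acceptable_risk):
    """True if the observed test result is consistent with an effective control."""
    return risk_of_overreliance(n, deviations, tolerable_rate) <= acceptable_risk


if __name__ == "__main__":
    # Assumed planning values: 5% examination risk, inherent risk 1.0, control
    # risk at the maximum (1.0) or reduced to 0.5 where internal audit tests controls.
    dr_max = detection_risk(0.05, 1.0, 1.0)
    dr_ia = detection_risk(0.05, 1.0, 0.5)
    print(f"acceptable detection risk: {dr_max:.2f} (CR at maximum), {dr_ia:.2f} (CR reduced)")
    # Tolerable deviation rate of 10%: how large must a clean sample be?
    for dr in (dr_max, dr_ia):
        print(f"DR {dr:.2f}, tolerable 10%: test {sample_size_zero_deviations(0.10, dr)} items")
    # Effect of one observed deviation in a 29-item sample
    verdict = "supported" if control_supported(29, 1, 0.10, dr_max) else "not supported"
    print(f"29 items, 1 deviation: risk {risk_of_overreliance(29, 1, 0.10):.3f} -> {verdict}")
```

With these inputs a clean sample of 29 items meets a 5% detection risk at a 10% tolerable rate, and reducing control risk to 0.5 lowers the requirement to 22 items, which is where the "20 or 30 items" policy figure above comes from in practice. A single deviation in the 29-item sample raises the risk of overreliance to roughly 20%, so the practitioner would have to extend the test or treat the deviation as a design or operating deficiency.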

An Example Using COSO

COSO provides a useful set of tools for conducting an evaluation of an entity's internal control system. The tools are, according to COSO, for purely illustrative purposes, and it is suggested they be used as a starting point and be modified to reflect the particular facts, conditions and risks relevant to the entity under consideration.

A "Reference Manual" included within the tools presents illustrative objectives, risks, and "points of focus for actions/control activities."

For example, Exhibit 3 presents a portion of the tool for evaluating the control activity: "Process Accounts Payable," which is at the transaction level. The full COSO form includes other objectives relating to the internal control structure for this activity, including those for effectiveness and efficiency of operations and compliance with laws and regulations. Management would use this "tool" as part of its assessment of risk and the design and effectiveness of control activities. The first step would be to tailor the form to the specific conditions of the entity. This would mean both adding to and deleting from the form.

This process may cause management to modify its actual control policies and procedures to properly achieve its control objectives. Another tool is a "Risk Assessment and Control Activities" worksheet which is a place for management to summarize and conclude on the effectiveness of its control activities. Other tools are presented to assist entities in reaching entity-wide decisions about the control structure.

The practitioner, as part of planning the engagement, would refer to the completed tools.

Evaluation of Management's Assertion

At each point in the examination, the practitioner would document and summarize the results of his or her procedures. Design problems noted in the planning stages would be considered along with performance deficiencies noted in the testing phase. Deficiencies would be classified as to material weaknesses, reportable conditions that are not material weaknesses, and other findings. The findings would be related to management's assertion about the effectiveness of the internal control structure over financial reporting.


The new Statement incorporates the definition of reportable conditions and material weaknesses from SAS 60, Communication of Internal Control Structure Related Matters Noted in an Audit. The practitioner is required to communicate reportable conditions and identify material weaknesses, preferably in writing, to audit committees or their equivalent.

A material weakness should preclude management from asserting that the entity has an effective control structure. Management may, however, depending on the significance of the material weakness, qualify its assertion, i.e., assert that the control structure is effective "except for" the material weakness noted.

Management's assertion and the practitioner's opinion on management's assertion will generally relate to the internal control structure as a whole rather than to each element. The practitioner, therefore, considers the interrelationship of the elements in achieving the objectives of the control criteria.

Guidance is presented in the Statement for reporting when management presents its assertion in a separate report that will accompany the practitioner's report and when management's assertion is presented only in a letter of representation to the practitioner. As indicated, in the latter instance, the report is to be restricted to management, boards of directors and, if applicable, to specified regulatory agencies. Examples and discussion are also provided for modified reports.

Practitioners can expect to be called upon with increasing frequency to provide a wide spectrum of services to public and private companies relative to internal control structure. The new attestation statement will often be the source to provide guidance for such engagements. Exhibit 2, Sources for Professional Guidance for Internal Control Structure Engagements, provides an indication of the scope of such services and where authoritative guidance can be found for particular engagements.


Exhibit 1: How the Statement Changes Existing Standards

This Statement supersedes Statement on Auditing Standards (SAS) No. 30, "Reporting on Internal Accounting Control" (AICPA, Professional Standards, vol. 1, AU sec. 642). It differs from SAS No. 30 in that the Statement --

* Requires practitioners to consider whether management's assertion is based on reasonable criteria against which it can be evaluated, and whether the assertion is capable of reasonably consistent estimates or measurement using those criteria. (Unlike SAS No. 30, this proposed Statement does not define the specific criteria).

* Precludes the practitioner from reporting directly on the company's internal control structure. (Unlike SAS No. 30, this proposed Statement does not allow the practitioner to report directly on the company's internal control structure. Instead, the practitioner reports on management's assertion only).

* Precludes the practitioner from issuing a public report unless management's assertion is included in a separate written report that accompanies the practitioner's report.

* Requires the practitioner to limit his or her report on management's assertion about the company's internal control structure when management elects to present its assertion only in a representation letter and not in a separate written report.

* Updates the definition of internal control, including terminology and concepts that are consistent with SAS No. 55, "Consideration of the Internal Control Structure in a Financial Statement Audit".




* Accurately record invoices on a timely basis for all accepted purchases that have been authorized and only for such purchases.


Risks

* Missing documents or records

* Inaccurate input of data

* Invalid accounts payable fraudulently created for unauthorized or nonexistent purchases

Points of focus for action/control activities

* Prenumber and account for purchase orders and reports

* Match invoices, receiving and purchase order information and follow up on missing or inconsistent information

* Follow up on unmatched open purchase orders, receiving reports, and invoices and resolve missing, duplicate, or unmatched items, by individuals independent of purchasing and receiving functions.

* Use of control totals or one-for-one checking

* Restrict ability to modify data

* Reconcile vendor statements to accounts payable items
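Several of the points of focus above are detective controls whose operation a practitioner can reperform rather than sample: accounting for the completeness of prenumbered purchase orders, matching invoice, receiving and purchase order information, and following up on unmatched or inconsistent items. The following is an added example of that reperformance over a small constructed data set; it is not part of the COSO tool or of the article, and the document numbers, vendors and amounts are made up to exercise each exception class (a gap in the PO sequence, an invoice billed above its PO, an invoice with no receiving report, an invoice citing a nonexistent PO, and goods received but never invoiced).

```python
"""Added example: reperformance of two accounts-payable control activities over
constructed data. Not the COSO tool and not the article's own material."""
from decimal import Decimal

# Constructed sample data. Amounts are Decimal so the match is exact, not float.
PURCHASE_ORDERS = {
    "PO-1001": {"vendor": "Acme Supply", "amount": Decimal("500.00")},
    "PO-1002": {"vendor": "Beta Parts", "amount": Decimal("1200.00")},
    "PO-1004": {"vendor": "Acme Supply", "amount": Decimal("300.00")},  # PO-1003 unaccounted for
    "PO-1005": {"vendor": "Beta Parts", "amount": Decimal("80.00")},
}
RECEIVING_REPORTS = [
    {"id": "RR-0001", "po": "PO-1001", "amount": Decimal("500.00")},
    {"id": "RR-0002", "po": "PO-1002", "amount": Decimal("1200.00")},
    {"id": "RR-0003", "po": "PO-1005", "amount": Decimal("80.00")},  # received, never invoiced
]
INVOICES = [
    {"id": "INV-A", "po": "PO-1001", "vendor": "Acme Supply", "amount": Decimal("500.00")},
    {"id": "INV-B", "po": "PO-1002", "vendor": "Beta Parts", "amount": Decimal("1250.00")},  # above PO
    {"id": "INV-C", "po": "PO-1004", "vendor": "Acme Supply", "amount": Decimal("300.00")},  # not received
    {"id": "INV-D", "po": "PO-9999", "vendor": "Nobody Ltd", "amount": Decimal("75.00")},   # no such PO
]


def sequence_gaps(numbers, prefix, width=4):
    """Account for prenumbered documents: return every number missing between the
    lowest and highest issued. A gap is a missing document or record to follow up."""
    seen = sorted({int(n[len(prefix):]) for n in numbers if n.startswith(prefix)})
    if not seen:
        return []
    present = set(seen)
    return [f"{prefix}{i:0{width}d}" for i in range(seen[0], seen[-1] + 1)
            if i not in present]


def three_way_match(purchase_orders, receiving_reports, invoices):
    """Match each invoice to its purchase order and receiving report and classify
    the exceptions that someone independent of purchasing and receiving must resolve.
    Each invoice lands in exactly one category; receiving reports with no invoice
    are listed separately so open receipts are also followed up."""
    received = {rr["po"]: rr for rr in receiving_reports}
    result = {"matched": [], "no_purchase_order": [], "not_received": [], "mismatch": []}
    for inv in invoices:
        po = purchase_orders.get(inv["po"])
        if po is None:
            # Possible invalid payable for an unauthorized or nonexistent purchase
            result["no_purchase_order"].append(inv["id"])
        elif inv["po"] not in received:
            result["not_received"].append(inv["id"])
        elif (inv["amount"] != po["amount"]
              or inv["amount"] != received[inv["po"]]["amount"]
              or inv["vendor"] != po["vendor"]):
            # Inaccurate input, overbilling, or vendor substitution
            result["mismatch"].append(inv["id"])
        else:
            result["matched"].append(inv["id"])
    invoiced = {inv["po"] for inv in invoices}
    result["received_not_invoiced"] = [rr["id"] for rr in receiving_reports
                                       if rr["po"] not in invoiced]
    return result


def run_controls():
    """Reperform both controls and return the findings for the working papers."""
    return {
        "po_sequence_gaps": sequence_gaps(PURCHASE_ORDERS, "PO-"),
        "match": three_way_match(PURCHASE_ORDERS, RECEIVING_REPORTS, INVOICES),
    }


if __name__ == "__main__":
    for name, finding in run_controls().items():
        print(name, finding)
```

Only INV-A should clear the match; every other constructed document is an exception of a different kind, which is the point of a reperformance test: the practitioner confirms that the entity's own procedure would have surfaced each of these before payment.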


In January 1989, the Statements on Standards for Attestation Engagements (SSAE) Attestation Standards (AT 100), Financial Forecasts and Projections (AT 200), and Reporting on Pro Forma Financial Information (AT 300) were codified in Codification of Statements on Standards for Attestation Engagements. In April 1993, the codified Statements became SSAE No. 1, Attestation Standards (AICPA, Professional Standards, Vol. 1, AT Sec. 100).

Joseph Takacs, CPA, Own Account, is a member of the NYSSCPA's Quality Review Oversight committee. He is a frequent lecturer on accounting and auditing matters.

The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs.

