

Exploring PCAOB Auditing Standard 2: Audits of Internal Control

By Jack W. Paul

MAY 2005 - The Sarbanes-Oxley Act of 2002 requires public accounting firms that audit public companies to register with the Public Company Accounting Oversight Board (PCAOB) and to adhere to professional standards established by the board for audits of public companies. The PCAOB’s pronouncement, Auditing Standard 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, requires auditors to issue an opinion on the effectiveness of their public company clients’ internal control.

On June 5, 2003, the SEC issued Release 33-8238 to implement section 404(a) of the Sarbanes-Oxley Act (SOA), which requires management to include in the annual report to shareholders its assessment of the effectiveness of internal control. The company’s external auditors must attest to and report on management’s assessment for fiscal years beginning on or after January 15, 2006, for accelerated filers, and on or after July 15, 2006, for nonaccelerated filers. Standard 2 imposes many new responsibilities on public companies’ auditors and, by extension, on the public companies themselves. In its over 200 pages, Standard 2 delineates the PCAOB’s expectations for an internal control audit.

Overview of an Internal Control Audit

Although Standard 2 defines an “audit” as an integrated audit of both the financial statements and internal control, separate examination of the internal control audit facilitates understanding. Standard 2 identifies the following important steps in an audit of internal control:

  • Plan the audit.
  • Evaluate management’s assessment process.
  • Obtain an understanding of internal control.
  • Test and evaluate design effectiveness.
  • Test and evaluate operating effectiveness.
  • Evaluate the sufficiency of testing.
  • Formulate an opinion on the effectiveness of internal control over financial reporting.
  • Issue a report on internal control.
  • Communicate findings to the audit committee and management.

Although auditors routinely carry out some of the foregoing steps in a financial statement audit, the audit of internal control requires more extensive procedures, coupled with some requirements that break new ground. Key implementation issues include the following:

  • Differentiating between management and auditor responsibilities;
  • Identifying entities to include in the consolidated group;
  • Selecting testing locations;
  • Distinguishing design effectiveness from operating effectiveness;
  • Considering issues related to the “as of” date;
  • Deciding on the extent of control testing;
  • Using the work of others;
  • Distinguishing between a material weakness and a significant deficiency; and
  • Reporting results to management and financial statement users.

Differentiating Between Management and Auditor Responsibilities

Management’s responsibilities. Standard 2 requires management to do the following:

  • Accept responsibility for the effectiveness of the company’s internal control over financial reporting.
  • Evaluate the effectiveness of internal control over financial reporting, using suitable control criteria such as the COSO framework or an alternative recognized framework developed by a body of experts following due process.
  • Support the evaluation with sufficient documented evidence.
  • Present a written assessment about the effectiveness of the company’s internal control as of the end of the most recent fiscal year.

Management must perform procedures sufficient to support its evaluation of control effectiveness, and is prohibited by Standard 2 from using the auditor’s testing as part of the basis for its assessment of control effectiveness. Management’s failure to fulfill the foregoing responsibilities requires the auditor to disclaim an opinion on internal control due to a scope limitation.

Auditor’s responsibilities. Standard 2 requires the auditor to do the following:

  • Understand and evaluate management’s process for assessing the effectiveness of the company’s internal control over financial reporting.
  • Plan and conduct an audit of the company’s internal control.
  • Based on this audit, provide an opinion on management’s written assessment about the effectiveness of the company’s internal control.

This opinion incorporates the auditor’s opinion on the effectiveness of the company’s internal control over financial reporting.

These responsibilities augment those required for the financial statement audit.

Included Entities

In general, the scope of the audit of internal control includes all entities over which management has the ability to affect internal control:

  • Entities acquired on or before the date of management’s assessment as of the end of the fiscal year, including consolidated entities or those proportionately consolidated; and
  • Those accounted for as discontinued operations at the end of the fiscal year.

In some situations, such as when management does not have the ability to affect the controls of an equity method investee, the auditor’s scope includes only the controls related to the investor’s financial reporting of its interest in the investee, rather than the controls in place at the investee. The applicable controls are those designed to ensure proper application of the equity method in reporting the company’s proportion of investee income or loss, the investment balance, adjustments, and disclosures. Variable interest entities (VIE), defined in FASB Interpretation 46, are treated in a similar fashion when management is not the primary beneficiary and does not consolidate the VIE. Importantly, the auditor must evaluate the reasonableness of management’s claims regarding its inability to affect controls at such entities.

Selecting Locations for Testing

In a multilocation environment, the auditor must decide where to focus control testing, typically by evaluating the set of locations and selecting a subset that offers an optimal combination of effectiveness and efficiency. Standard 2 recommends the following approach:

  • Identify business units or locations that are individually important.
  • Identify locations having specific risks. For example, financial trading firms are susceptible to counterparty risk. If the client concentrates a large number of forward contracts in a small number of institutions, failure of these institutions could lead to significant losses that may result in material errors, fraud, and other reporting improprieties.
  • When, in the aggregate, the remaining locations are insignificant, no further action is required.
  • If the remaining locations are significant when aggregated, the auditor should examine company-level controls over this group by checking documentation and testing these controls.

Company-level controls include those thought of as “general” or “disciplinary”—

  • those pertaining to the control environment, such as the “tone” set by management;
  • the internal audit function;
  • supervisory controls to monitor operations;
  • the risk assessment process; and
  • controls over the process related to period-end reporting.

When the auditor cannot evaluate the effectiveness of company-wide controls without site visits, locations should be selected for testing. The Exhibit summarizes the preceding approach.

Design Versus Operating Effectiveness

Whereas design effectiveness pertains to whether a control is properly crafted, operating effectiveness deals with use of a properly designed control to prevent, detect, or correct misstatements or irregularities on a timely basis. For example, a daily reconciliation of cash receipts is not effectively designed when the cashier performs the reconciliation. But if an independent person is designated to perform the reconciliation and the other procedures are properly documented, the control is effectively designed. The control is not operating effectively when the independent reconciler either fails to perform the reconciliation daily or does so in a perfunctory manner. Design effectiveness of this control could be tested by reviewing documentation to ensure that the procedures are satisfactory. Operating effectiveness could be tested by examining the reconciler’s initials on the daily reconciliation sheet.

The “as of” Date

A striking difference between a financial statement and an internal control audit relates to the opportunity to correct deficiencies. Whereas a company can correct material misstatements detected during a financial statement audit by accepting the auditor’s proposed adjustments, if the auditor detects a material control weakness, it may not be possible to fix it in time. Because the auditor’s opinion is “as of” the balance sheet date, the auditor must issue an adverse opinion on internal control when material weaknesses exist, even when the company receives an unqualified opinion on the financial statements.
Material weaknesses can be corrected when caught in time.

Management must correct the control system early enough that the auditor has sufficient time to test the modified controls. Accordingly, the auditor should begin the control audit early enough to leave time for corrections.

Standard 2 indicates that the auditor’s opinion on internal control relates both to a point in time and taken as a whole:

To express an opinion on internal control over financial reporting effectiveness as of a point in time, the auditor should obtain evidence that internal control over financial reporting has operated effectively for a sufficient period of time, which may be less than the entire period (ordinarily one year) covered by the company’s financial statements. To express an opinion on internal control over financial reporting effectiveness taken as a whole, the auditor must obtain evidence about the effectiveness of controls over all relevant assertions related to all significant accounts and disclosures in the financial statements. This requires that the auditor test the design and operating effectiveness of controls he or she ordinarily would not test if expressing an opinion only on the financial statements.

Taken as a whole. The auditor exercises judgment to ascertain those accounts considered “significant” or more than material. The auditor also considers qualitative characteristics. For example, investment balances not material to the overall financial statements may obscure the true nature of the relationship, especially when the investment is in partially consolidated entities or involves debt guarantees. And certain accounts that are liquid or incorporate significant estimates are riskier than others. Examples include cash, marketable securities, and warranty liabilities.

Point in time. Internal control procedures can relate to either transaction flows or account balances, sometimes referred to as “stocks.” Examples of controls relating to transaction flows include approving cash disbursements; prelisting cash receipts; approving credit sales; and matching purchase orders, vendor invoices, and receiving reports when booking accounts payable. Controls over balances (stocks) include periodic reconciliation of bank accounts; reconciliation of subsidiary ledgers with control accounts; procedures for physical inventory counts; and controls governing the periodic preparation of financial statements. Overarching controls include the factors comprising the control environment. Overarching controls and those pertaining to flows operate continuously throughout the fiscal period; controls relating to balances typically operate less frequently. Thus bank accounts are reconciled monthly, whereas controls over cash flows are continuous.

Timing considerations. Controls must operate for a long enough period, which need not be an entire fiscal year, to provide sufficient confidence in the auditor’s control tests. Accordingly, the auditor must make several observations of controls that operate only at a point in time. Controls that operate infrequently should be tested closer to the “as of” date. These include controls over: the periodic preparation of financial statements; individual account balances; and nonroutine transactions. Consider a calendar-year company that begins the procedure of reconciling the accounts-receivable subsidiary ledger to the control account only at the end of December. The auditor might conclude that one observation is not sufficient to evaluate this control’s operating effectiveness.

These considerations suggest that an unqualified opinion on internal control should state: “The controls were effective for a sufficient period of time during the fiscal year to be able to support the conclusion that they were still effective at the end of the period.” Nevertheless, Standard 2 calls for expressing an opinion as of a point in time, the end of the fiscal year.

Extent of Testing

PCAOB Standard 2 requires the auditor to obtain evidence of the effectiveness of controls pertaining to all relevant assertions for all significant accounts each year; each year must stand on its own. It also calls for the auditor to vary the nature, extent, and timing of testing from year to year to introduce unpredictability and to respond to changing circumstances. Examples of variations include changing the number of tests performed and adjusting the combination of testing procedures.

How much testing? The auditor should generally perform sufficient testing to obtain a very high level of confidence, in the range of 95% to 99%, that the controls can prevent, detect, or correct material misstatements in any particular assertion. Many control procedures are difficult to quantify, however. Procedures such as approvals and reconciliations typically leave a documentary trail. On the other hand, because many controls involving segregation of functions and control environment factors, such as management’s philosophy and operating style, provide no documentary evidence of the control’s performance, the auditor should subjectively assess the probability of effectiveness.

The results of substantive testing provide another opportunity for assessing the effectiveness of controls. For example, if the auditor uncovers a previously unnoticed material misstatement of credit sales, then the auditor could easily conclude that controls over credit sales are ineffective, and decide that a material weakness exists requiring an adverse opinion on internal control. Even nonmaterial misstatements can signal ineffective controls.

Rotation of testing. Although Standard 2 precludes the rotation of testing over several fiscal periods, reduced testing seems reasonable when conditions have not changed significantly and controls are unaltered from one period to the next. For example, assume that extensive testing was conducted on controls over inventories in fiscal year 2004. If in 2005, tests to obtain an understanding of these controls indicate no significant changes, a company might reasonably decide to reduce testing of controls over inventories in 2005.

Using the Work of Others

An auditor may use the work of competent client personnel, as long as the auditor’s own work is the “principal evidence” supporting the opinion. Principal evidence should not be interpreted in a purely quantitative manner, as the auditor may be able to rely extensively on certain tests performed by client personnel but place little reliance on other tests.

The following considerations should be kept in mind when relying on the work of others:

  • The greater the materiality of and the degree of judgment and estimations inherent in an account, the less the auditor should rely on client testing. Conversely, the auditor could rely on the testing of routine accounts requiring low-level judgments.
  • The more pervasive the control and the higher the degree of judgment involved in evaluating a control’s effectiveness, the more the auditor should rely on her own testing. For example, reviewing control environment factors requires an auditor’s own tests, because of the qualitative nature of these controls. Extensive reliance could be placed on the client’s testing of more-routine controls, such as reconciliations, document matching, and programmed validity and logic checks.
  • Where the potential for management override is substantial, the auditor should place little reliance on client testing.

Evaluating Weaknesses

To formulate an opinion on internal control, the auditor needs to evaluate all the evidence obtained, including that obtained while conducting the financial statement audit. An unqualified opinion is appropriate only in the absence of material weaknesses.

According to Standard 2, an internal control deficiency exists when the design or operation of a control does not allow for the timely prevention or detection of misstatements. It defines a significant deficiency as one that affects the company’s ability to reliably process and report financial data such that there is more than a remote likelihood that the financial statements will be impacted in a manner that is consequential but not material. For example, suppose a company does not reconcile its intercompany transactions. If the auditor expects the impact of any misstatement to be significant but not material, the control weakness would be considered a “significant deficiency.”

Standard 2 defines a material weakness as “a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.” Identifying material weaknesses requires the auditor to examine identified deficiencies to determine whether any should be classified as “significant deficiencies,” and to consider whether any of the significant deficiencies are “material weaknesses.”

Evaluating Deficiencies

Considerable professional judgment is required when assessing the significance of a deficiency, including the auditor’s consideration of the following:

  • The potential for a misstatement, rather than whether a misstatement has actually occurred;
  • The impact of a deficiency, including the amounts of transactions exposed and the volume of transactions in the affected accounts;
  • How the interaction of controls with other controls, their interdependence with other controls, and control redundancies affect their proper functioning.

To illustrate control interdependence and redundancies, consider an example where a storeroom clerk keeps the perpetual inventory records and takes the annual physical count. Although this weakness could be considered material, redundant controls reduce the risk. If the clerk is on one of several teams using established procedures, such as properly supervised counts, the control weakness is mitigated and would not typically be considered a material weakness.

Material Weaknesses Versus Significant Deficiencies

Differentiating a significant deficiency from a material weakness is subjective. The distinguishing characteristic of a material weakness is the existence of “more than a remote likelihood” that a material misstatement will not be prevented or detected. Although several examples in Appendix D of Standard 2 illustrate that distinction, determining just what constitutes a material weakness is difficult.

Although no definition of the term “remote” is offered in the standard, a practical approach to evaluating weaknesses consists of the following steps:

  • Estimate the monetary effect of each weakness uncovered.
  • Assign a “material misstatement likelihood factor” to each weakness—for example, remote, reasonably possible, or probable—similar to the labels found in SFAS 5, Accounting for Contingencies.
  • Rank all weaknesses on the material misstatement likelihood factor.
  • Denote all weaknesses with more than a remote likelihood as “material weaknesses.”
  • Determine the significance of the remaining deficiencies by reviewing the estimated monetary impact of each.
  • Examine those deficiencies designated “significant” to decide whether a combination thereof constitutes a material weakness.

Audit Reports

Standard 2 specifies the content of the report on internal control. Auditors should be aware of several factors:

  • An auditor may provide either separate or combined reports on the financial statements and internal control.
  • Whereas the opinion on the financial statements typically addresses multiple periods, the opinion on internal control covers only the most recent fiscal year.
  • When an auditor issues separate reports, the annual report must contain both.
  • The reports should have the same date, normally the last day of fieldwork.
  • An auditor’s report on management’s assessment of internal control over financial reporting includes an opinion on the company’s internal control.

Report Modifications

The following situations call for the auditor to modify the “clean opinion” report:

  • Inadequate management assessment or inappropriate management report. If an auditor concludes that management’s process for assessing internal control is inadequate, the auditor should modify the opinion for a scope limitation, which could result in a qualified opinion, a disclaimer of opinion, or withdrawal from the engagement. When management’s report is inappropriate, an auditor should include an explanatory paragraph describing the reasons for the inappropriateness.
  • A material weakness exists in the company’s internal control. In this case, an auditor must render an adverse opinion on the effectiveness of internal control. An auditor may, in the same report, render an unqualified opinion on management’s assessment if it also concludes that internal control is not effective.
  • Management or circumstances restrict the scope of the engagement. When management imposes restrictions, an auditor should withdraw from the engagement or disclaim an opinion on both management’s assessment and the effectiveness of internal control.
  • The auditor’s report relies in part on the report of another auditor.
  • A significant subsequent event occurred after the “as of” date.
  • Management’s assessment contains additional information. New information could concern corrective action taken after management’s assessment, or indicate plans to implement new controls. The auditor should disclaim an opinion on the new information.

When the auditor issues an unqualified opinion on the financial statements but an adverse opinion on internal control, due to one or more material weaknesses, the report should indicate that the conduct of the financial statement audit took those material weaknesses into account. This information helps readers of the financial statements understand why the auditor gave an unqualified opinion on the financial statements. The auditor should include similar language when the adverse opinion on internal control affects the opinion on the financial statements.

Most Likely Reasons for Opinion Modifications

As a practical matter, opinion modifications are likely to arise from three circumstances:

  • Material misstatements detected by the auditor were not identified by the company. This situation could result in an adverse opinion.
  • Inadequate documentation. This situation is a control deficiency that may constitute a material weakness if extensive. In this case, the auditor renders an adverse opinion.
  • Inadequate management assessment creates a scope limitation requiring a disclaimer, a qualified opinion on internal control, or withdrawal from the engagement.

Because it requires the auditor to go well beyond the review and evaluation of controls that was the norm for reporting on financial statements, Standard 2 promises to fundamentally alter both the control systems in public companies and auditors’ assessment of them, thereby providing additional assurance to users.


Jack W. Paul, PhD, CPA, is a professor of accounting at Lehigh University, Bethlehem, Penn.