[Federal Register Volume 69, Number 74 (Friday, April 16, 2004)]
[Notices]
[Pages 20672-20722]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 04-8412]




-----------------------------------------------------------------------

Part II





Securities and Exchange Commission





-----------------------------------------------------------------------



Public Company Accounting Oversight Board; Notice of Filing of Proposed 
Rule on Auditing Standard No. 2, An Audit of Internal Control Over 
Financial Reporting Performed in Conjunction With an Audit of Financial 
Statements; Notice



-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-49544; File No. PCAOB-2004-03]


Public Company Accounting Oversight Board; Notice of Filing of 
Proposed Rule on Auditing Standard No. 2, An Audit of Internal Control 
Over Financial Reporting Performed in Conjunction With an Audit of 
Financial Statements

April 8, 2004.
    Pursuant to Section 107(b) of the Sarbanes-Oxley Act of 2002 (the 
``Act''), notice is hereby given that on March 18, 2004, the Public 
Company Accounting Oversight Board (the ``Board'' or the ``PCAOB'') 
filed with the Securities and Exchange Commission (the ``Commission'') 
the proposed rule described in Items I and II below, which items have 
been prepared by the Board. The Commission is publishing this notice to 
solicit comments on the proposed rule from interested persons.

I. Board's Statement of the Terms of Substance of the Proposed Rule

    On March 9, 2004, the Board adopted a rule, Auditing Standard No. 
2, An Audit of Internal Control Over Financial Reporting Performed in 
Conjunction With an Audit of Financial Statements (``the proposed 
rule'').
    The proposed rule text is set out below.

II. Board's Statement of the Purpose of, and Statutory Basis for, the 
Proposed Rule

    In its filing with the Commission, the Board included statements 
concerning the purpose of, and basis for, the proposed rule and 
discussed any comments it received on the proposed rule. The text of 
these statements may be examined at the places specified in Item IV 
below. The Board has prepared summaries, set forth in sections A, B, 
and C below, of the most significant aspects of such statements.

A. Board's Statement of the Purpose of, and Statutory Basis for, the 
Proposed Rule

(a) Purpose
    Section 103(a)(1) of the Act authorized the PCAOB to establish, by 
rule, auditing standards to be used by registered public accounting 
firms in the preparation and issuance of audit reports, as required by 
the Act. PCAOB Rule 3100, ``Compliance With Auditing and Related 
Professional Practice Standards,'' requires auditors to comply with all 
applicable auditing and related professional practice standards 
established by the PCAOB. The text of the proposed rule, including an 
appendix of illustrative auditor's reports, is set out below.

Auditing Standard No. 2--An Audit of Internal Control Over Financial 
Reporting Performed in Conjunction With an Audit of Financial 
Statements

 
               Table of Contents                        Paragraph
 
Applicability of Standard......................  1-3
Auditor's Objective in an Audit of Internal      4-6
 Control Over Financial Reporting.
Definitions Related to Internal Control Over     7-12
 Financial Reporting.
Framework Used by Management to Conduct its      13-15
 Assessment.
    Committee of Sponsoring Organizations        14-15
     Framework.
Inherent Limitations in Internal Control Over    16
 Financial Reporting.
The Concept of Reasonable Assurance............  17-19
Management's Responsibilities in an Audit of     20-21
 Internal Control Over Financial Reporting.
Materiality Considerations in an Audit of        22-23
 Internal Control Over Financial Reporting.
Fraud Considerations in an Audit of Internal     24-26
 Control Over Financial Reporting.
Performing an Audit of Internal Control Over     27-141
 Financial Reporting.
    Applying General, Fieldwork, and Reporting   30-38
     Standards.
        Technical Training and Proficiency.....  31
        Independence...........................  32-35
        Due Professional Care..................  36
        Fieldwork and Reporting Standards......  37-38
    Planning the Engagement....................  39
    Evaluating Management's Assessment Process.  40-46
        Management's Documentation.............  42-46
    Obtaining an Understanding of Internal       47-87
     Control Over Financial Reporting.
        Identifying Company-Level Controls.....  52-54
        Evaluating the Effectiveness of the      55-59
         Audit Committee's Oversight of the
         Company's External Financial Reporting
         and Internal Control Over Financial
         Reporting.
        Identifying Significant Accounts.......  60-67
        Identifying Relevant Financial           68-70
         Statement Assertions.
        Identifying Significant Processes and    71-75
         Major Classes of Transactions.
        Understanding the Period-end Financial   76-78
         Reporting Process.
        Performing Walkthroughs................  79-82
        Identifying Controls to Test...........  83-87
    Testing and Evaluating Design Effectiveness  88-91
    Testing and Evaluating Operating             92-107
     Effectiveness.
        Nature of Tests of Controls............  93-97
        Timing of Tests of Controls............  98-103
        Extent of Tests of Controls............  104-105
        Use of Professional Skepticism when      106-107
         Evaluating the Results of Testing.
    Using the Work of Others...................  108-126
        Evaluating the Nature of the Controls    112-116
         Subjected to the Work of Others.
        Evaluating the Competence and            117-122
         Objectivity of Others.
        Testing the Work of Others.............  123-126
    Forming an Opinion on the Effectiveness of   127-141
     Internal Control Over Financial Reporting.
        Issuing an Unqualified Opinion.........  129
        Evaluating Deficiencies in Internal      130-141
         Control Over Financial Reporting.
Requirement for Written Representations........  142-144
Relationship of an Audit of Internal Control     145-158
 Over Financial Reporting to an Audit of
 Financial Statements.
    Tests of Controls in an Audit of Internal    147-149
     Control Over Financial Reporting.
    Tests of Controls in an Audit of Financial   150-151
     Statements.
    Effect of Tests of Controls on Substantive   152-156
     Procedures.
    Effect of Substantive Procedures on the      157-158
     Auditor's Conclusions About the Operating
     Effectiveness of Controls.
Documentation Requirements.....................  159-161
Reporting on Internal Control Over Financial     162-199
 Reporting.
    Management's Report........................  162-165
    Auditor's Evaluation of Management's Report  166
    Auditor's Report on Management's Assessment  167-199
     of Internal Control Over Financial
     Reporting.
        Separate or Combined Reports...........  169-170
        Report Date............................  171-172
        Report Modifications...................  173
        Management's Assessment Inadequate or    174
         Report Inappropriate.
        Material Weaknesses....................  175-177
        Scope Limitations......................  178-181
        Opinions Based, in Part, on the Report   182-185
         of Another Auditor.
        Subsequent Events......................  186-189
        Management's Report Containing           190-192
         Additional Information.
        Effect of Auditor's Adverse Opinion on   193-196
         Internal Control Over Financial
         Reporting on the Opinion on Financial
         Statements.
        Subsequent Discovery of Information      197
         Existing at the Date of the Auditor's
         Report on Internal Control Over
         Financial Reporting.
        Filings Under Federal Securities         198-199
         Statutes.
Auditor's Responsibilities for Evaluating        200-206
 Management's Certification Disclosures About
 Internal Control Over Financial Reporting.
    Required Management Certifications.........  200-201
    Auditor Evaluation Responsibilities........  202-206
Required Communications in an Audit of Internal  207-214
 Control Over Financial Reporting.
Effective Date.................................  215-216
 

Appendix A--Illustrative Reports on Internal Control Over Financial 
Reporting
Appendix B--Additional Performance Requirements and Directions; 
Extent-of-Testing Examples
Appendix C--Safeguarding of Assets
Appendix D--Examples of Significant Deficiencies and Material 
Weaknesses
Appendix E--Background and Basis for Conclusions

Applicability of Standard

    1. This standard establishes requirements and provides directions 
that apply when an auditor is engaged to audit both a company's 
financial statements and management's assessment of the effectiveness 
of internal control over financial reporting.

    Note: The term auditor includes both public accounting firms 
registered with the Public Company Accounting Oversight Board 
(``PCAOB'' or the ``Board'') and associated persons thereof.

    2. A company subject to the reporting requirements of the 
Securities Exchange Act of 1934 (an ``issuer'') is required to include 
in its annual report a report of management on the company's internal 
control over financial reporting. Registered investment companies, 
issuers of asset-backed securities, and nonpublic companies are not 
subject to the reporting requirements mandated by Section 404 of the 
Sarbanes-Oxley Act of 2002 (the ``Act'') (PL 107-204). The report of 
management is required to contain management's assessment of the 
effectiveness of the company's internal control over financial 
reporting as of the end of the company's most recent fiscal year, 
including a statement as to whether the company's internal control over 
financial reporting is effective. The auditor that audits the company's 
financial statements included in the annual report is required to 
attest to and report on management's assessment. The company is 
required to file the auditor's attestation report as part of the annual 
report.

    Note: The term issuer means an issuer (as defined in Section 3 
of the Securities Exchange Act of 1934), the securities of which are 
registered under Section 12 of that Act, or that is required to file 
reports under Section 15(d) of that Act, or that files or has filed 
a registration statement with the Securities and Exchange Commission 
(``SEC'' or ``Commission'') that has not yet become effective under 
the Securities Act of 1933, and that it has not withdrawn.


    Note: Various parts of this standard summarize legal 
requirements imposed on issuers by the SEC, as well as legal 
requirements imposed on auditors by regulatory authorities other 
than the PCAOB. These parts of the standard are intended to provide 
context and to promote the auditor's understanding of the 
relationship between his or her obligations under this standard and 
his or her other legal responsibilities. The standard does not 
incorporate these legal requirements by reference and is not an 
interpretation of those other requirements and should not be so 
construed. (This Note does not apply to references in the standard 
to the existing professional standards and the Board's interim 
auditing and related professional practice standards.)

    3. This standard is the standard on attestation engagements 
referred to in Section 404(b) of the Act. This standard is also the 
standard referred to in Section 103(a)(2)(A)(iii) of the Act. 
Throughout this standard, the auditor's attestation of management's 
assessment of the effectiveness of internal control over financial 
reporting required by Section 404(b) of the Act is referred to as the 
audit of internal control over financial reporting.

    Note: The two terms audit of internal control over financial 
reporting and attestation of management's assessment of the 
effectiveness of internal control over financial reporting refer to 
the same professional service. The first refers to the process, and 
the second refers to the result of that process.

Auditor's Objective in an Audit of Internal Control Over Financial 
Reporting

    4. The auditor's objective in an audit of internal control over 
financial reporting is to express an opinion on management's assessment 
of the effectiveness of the company's internal control over financial 
reporting. To form a basis for expressing such an opinion, the auditor 
must plan and perform the audit to obtain reasonable assurance about 
whether the company maintained, in all material respects, effective 
internal control over financial reporting as of the date specified in 
management's assessment. The auditor also must audit the company's 
financial statements as of the date specified in management's 
assessment because the information the auditor obtains during a 
financial statement audit is relevant to the auditor's conclusion about 
the effectiveness of the company's internal control over financial 
reporting. Maintaining effective internal control over financial 
reporting means that no material weaknesses exist; therefore, the 
objective of the audit of internal control over financial reporting is 
to obtain reasonable assurance that no material weaknesses exist as of 
the date specified in management's assessment.
    5. To obtain reasonable assurance, the auditor evaluates the 
assessment performed by management and obtains and evaluates evidence 
about whether the internal control over financial reporting was 
designed and operated effectively. The auditor obtains this evidence 
from a number of sources, including using the work performed by others 
and performing auditing procedures himself or herself.
    6. The auditor should be aware that persons who rely on the 
information concerning internal control over financial reporting 
include investors, creditors, the board of directors and audit 
committee, and regulators in specialized industries, such as banking or 
insurance. The auditor should be aware that external users of financial 
statements are interested in information on internal control over 
financial reporting because it enhances the quality of financial 
reporting and increases their confidence in financial information, 
including financial information issued between annual reports, such as 
quarterly information. Information on internal control over financial 
reporting is also intended to provide an early warning to those inside 
and outside the company who are in a position to insist on improvements 
in internal control over financial reporting, such as the audit 
committee and regulators in specialized industries. Additionally, 
Section 302 of the Act and Securities Exchange Act Rule 13a-14(a) or 
15d-14(a),\1\ whichever applies, require management, with the 
participation of the principal executive and financial officers, to 
make quarterly and annual certifications with respect to the company's 
internal control over financial reporting.
---------------------------------------------------------------------------

    \1\ See 17 CFR 240.13a-14(a) or 17 CFR 240.15d-14(a), whichever 
applies.
---------------------------------------------------------------------------

Definitions Related to Internal Control Over Financial Reporting

    7. For purposes of management's assessment and the audit of 
internal control over financial reporting in this standard, internal 
control over financial reporting is defined as follows:
    A process designed by, or under the supervision of, the company's 
principal executive and principal financial officers, or persons 
performing similar functions, and effected by the company's board of 
directors, management, and other personnel, to provide reasonable 
assurance regarding the reliability of financial reporting and the 
preparation of financial statements for external purposes in accordance 
with generally accepted accounting principles and includes those 
policies and procedures that:
    (1) Pertain to the maintenance of records that, in reasonable 
detail, accurately and fairly reflect the transactions and dispositions 
of the assets of the company;
    (2) Provide reasonable assurance that transactions are recorded as 
necessary to permit preparation of financial statements in accordance 
with generally accepted accounting principles, and that receipts and 
expenditures of the company are being made only in accordance with 
authorizations of management and directors of the company; and
    (3) Provide reasonable assurance regarding prevention or timely 
detection of unauthorized acquisition, use or disposition of the 
company's assets that could have a material effect on the financial 
statements.

    Note: This definition is the same one used by the SEC in its 
rules requiring management to report on internal control over 
financial reporting, except the word ``registrant'' has been changed 
to ``company'' to conform to the wording in this standard. (See 
Securities Exchange Act Rules 13a-15(f) and 15d-15(f).\2\)

    Note: Throughout this standard, internal control over financial 
reporting (singular) refers to the process described in this 
paragraph. Individual controls or subsets of controls are referred 
to as controls or controls over financial reporting.
---------------------------------------------------------------------------

    \2\ See 17 CFR 240, 13a-15(f) and 15d-15(f).
---------------------------------------------------------------------------

    8. A control deficiency exists when the design or operation of a 
control does not allow management or employees, in the normal course of 
performing their assigned functions, to prevent or detect misstatements 
on a timely basis.
    * A deficiency in design exists when (a) a control 
necessary to meet the control objective is missing or (b) an existing 
control is not properly designed so that, even if the control operates 
as designed, the control objective is not always met.
    * A deficiency in operation exists when a properly 
designed control does not operate as designed, or when the person 
performing the control does not possess the necessary authority or 
qualifications to perform the control effectively.
    9. A significant deficiency is a control deficiency, or combination 
of control deficiencies, that adversely affects the company's ability 
to initiate, authorize, record, process, or report external financial 
data reliably in accordance with generally accepted accounting 
principles such that there is more than a remote likelihood that a 
misstatement of the company's annual or interim financial statements 
that is more than inconsequential will not be prevented or detected.

    Note: The term ``remote likelihood'' as used in the definitions 
of significant deficiency and material weakness (paragraph 10) has 
the same meaning as the term ``remote'' as used in Financial 
Accounting Standards Board Statement No. 5, Accounting for 
Contingencies (``FAS No. 5''). Paragraph 3 of FAS No. 5 states:
    When a loss contingency exists, the likelihood that the future 
event or events will confirm the loss or impairment of an asset or 
the incurrence of a liability can range from probable to remote. 
This Statement uses the terms probable, reasonably possible, and 
remote to identify three areas within that range, as follows:
    a. Probable. The future event or events are likely to occur.
    b. Reasonably possible. The chance of the future event or events 
occurring is more than remote but less than likely.
    c. Remote. The chance of the future event or events occurring 
is slight.
    Therefore, the likelihood of an event is ``more than remote'' 
when it is either reasonably possible or probable.


    Note: A misstatement is inconsequential if a reasonable person 
would conclude, after considering the possibility of further 
undetected misstatements, that the misstatement, either individually 
or when aggregated with other misstatements, would clearly be 
immaterial to the financial statements. If a reasonable person could 
not reach such a conclusion regarding a particular misstatement, 
that misstatement is more than inconsequential.

    10. A material weakness is a significant deficiency, or combination 
of significant deficiencies, that results in more than a remote 
likelihood that a material misstatement of the annual or interim 
financial statements will not be prevented or detected.

    Note: In evaluating whether a control deficiency exists and 
whether control deficiencies, either individually or in combination 
with other control deficiencies, are significant deficiencies or 
material weaknesses, the auditor should consider the definitions in 
paragraphs 8, 9 and 10, and the directions in paragraphs 130 through 
137. As explained in paragraph 23, the evaluation of the materiality 
of the control deficiency 
should include both quantitative and qualitative considerations. 
Qualitative factors that might be important in this evaluation 
include the nature of the financial statement accounts and 
assertions involved and the reasonably possible future consequences 
of the deficiency. Furthermore, in determining whether a control 
deficiency or combination of deficiencies is a significant 
deficiency or a material weakness, the auditor should evaluate the 
effect of compensating controls and whether such compensating 
controls are effective.

    11. Controls over financial reporting may be preventive controls or 
detective controls.
    * Preventive controls have the objective of 
preventing errors or fraud from occurring in the first place that could 
result in a misstatement of the financial statements.
    * Detective controls have the objective of 
detecting errors or fraud that have already occurred that could result 
in a misstatement of the financial statements.
    12. Even well-designed controls that are operating as designed 
might not prevent a misstatement from occurring. However, this 
possibility may be countered by overlapping preventive controls or 
partially countered by detective controls. Therefore, effective 
internal control over financial reporting often includes a combination 
of preventive and detective controls to achieve a specific control 
objective. The auditor's procedures as part of either the audit of 
internal control over financial reporting or the audit of the financial 
statements are not part of a company's internal control over financial 
reporting.

Framework Used by Management To Conduct Its Assessment

    13. Management is required to base its assessment of the 
effectiveness of the company's internal control over financial 
reporting on a suitable, recognized control framework established by a 
body of experts that followed due-process procedures, including the 
broad distribution of the framework for public comment. In addition to 
being available to users of management's reports, a framework is 
suitable only when it:
    * Is free from bias;
    * Permits reasonably consistent qualitative and 
quantitative measurements of a company's internal control over 
financial reporting;
    * Is sufficiently complete so that those relevant 
factors that would alter a conclusion about the effectiveness of a 
company's internal control over financial reporting are not omitted; 
and
    * Is relevant to an evaluation of internal control 
over financial reporting.

Committee of Sponsoring Organizations Framework

    14. In the United States, the Committee of Sponsoring Organizations 
(``COSO'') of the Treadway Commission has published Internal Control--
Integrated Framework. Known as the COSO report, it provides a suitable 
and available framework for purposes of management's assessment. For 
that reason, the performance and reporting directions in this standard 
are based on the COSO framework. Other suitable frameworks have been 
published in other countries and may be developed in the future. Such 
other suitable frameworks may be used in an audit of internal control 
over financial reporting. Although different frameworks may not contain 
exactly the same elements as COSO, they should have elements that 
encompass, in general, all the themes in COSO. Therefore, the auditor 
should be able to apply the concepts and guidance in this standard in a 
reasonable manner.
    15. The COSO framework identifies three primary objectives of 
internal control: efficiency and effectiveness of operations, financial 
reporting, and compliance with laws and regulations. The COSO 
perspective on internal control over financial reporting does not 
ordinarily include the other two objectives of internal control, which 
are the effectiveness and efficiency of operations and compliance with 
laws and regulations. However, the controls that management designs and 
implements may achieve more than one objective. Also, operations and 
compliance with laws and regulations directly related to the 
presentation of and required disclosures in financial statements are 
encompassed in internal control over financial reporting. Additionally, 
not all controls relevant to financial reporting are accounting 
controls. Accordingly, all controls that could materially affect 
financial reporting, including controls that focus primarily on the 
effectiveness and efficiency of operations or compliance with laws and 
regulations and also have a material effect on the reliability of 
financial reporting, are a part of internal control over financial 
reporting. More information about the COSO framework is included in the 
COSO report and in AU sec. 319, Consideration of Internal Control in a 
Financial Statement Audit.\3\ The COSO report also discusses special 
considerations for internal control over financial reporting for small 
and medium-sized companies.
---------------------------------------------------------------------------

    \3\ The Board adopted the generally accepted auditing standards, 
as described in the AICPA Auditing Standards Board's (``ASB'') 
Statement on Auditing Standards No. 95, Generally Accepted Auditing 
Standards, as in existence on April 16, 2003, on an initial, 
transitional basis. The Statements on Auditing Standards promulgated 
by the ASB have been codified into the AICPA Professional Standards, 
Volume 1, as AU sections 100 through 900. References in this 
standard to AU sections refer to those generally accepted auditing 
standards, as adopted on an interim basis in PCAOB Rule 3200T.
---------------------------------------------------------------------------

Inherent Limitations in Internal Control Over Financial Reporting

    16. Internal control over financial reporting cannot provide 
absolute assurance of achieving financial reporting objectives because 
of its inherent limitations. Internal control over financial reporting 
is a process that involves human diligence and compliance and is 
subject to lapses in judgment and breakdowns resulting from human 
failures. Internal control over financial reporting also can be 
circumvented by collusion or improper management override. Because of 
such limitations, there is a risk that material misstatements may not 
be prevented or detected on a timely basis by internal control over 
financial reporting. However, these inherent limitations are known 
features of the financial reporting process. Therefore, it is possible 
to design into the process safeguards to reduce, though not eliminate, 
this risk.

The Concept of Reasonable Assurance

    17. Management's assessment of the effectiveness of internal 
control over financial reporting is expressed at the level of 
reasonable assurance. The concept of reasonable assurance is built into 
the definition of internal control over financial reporting and also is 
integral to the auditor's opinion.\4\ Reasonable assurance includes the 
understanding that there is a remote likelihood that material 
misstatements will not be prevented or detected on a timely basis. 
Although not absolute assurance, reasonable assurance is, nevertheless, 
a high level of assurance.
---------------------------------------------------------------------------

    \4\ See Final Rule: Management's Reports on Internal Control 
Over Financial Reporting and Certification of Disclosure in Exchange 
Act Periodic Reports, Securities and Exchange Commission Release No. 
33-8238 (June 5, 2003) [68 FR 36636] for further discussion of 
reasonable assurance.
---------------------------------------------------------------------------

    18. Just as there are inherent limitations on the assurance that 
effective internal control over financial reporting can provide, as 
discussed in paragraph 16, there are limitations on the amount of 
assurance the auditor can obtain as a result of performing his or her 
audit of internal control over financial reporting. Limitations arise 
because an audit is conducted on a test basis and requires the exercise 
of professional judgment. Nevertheless, the audit of internal control 
over financial 
reporting includes obtaining an understanding of internal control over 
financial reporting, testing and evaluating the design and operating 
effectiveness of internal control over financial reporting, and 
performing such other procedures as the auditor considers necessary to 
obtain reasonable assurance about whether internal control over 
financial reporting is effective.
    19. There is no difference in the level of work performed or 
assurance obtained by the auditor when expressing an opinion on 
management's assessment of effectiveness or when expressing an opinion 
directly on the effectiveness of internal control over financial 
reporting. In either case, the auditor must obtain sufficient evidence 
to provide a reasonable basis for his or her opinion and the use and 
evaluation of management's assessment is inherent in expressing either 
opinion.

    Note: The auditor's report on internal control over financial 
reporting does not relieve management of its responsibility for 
assuring users of its financial reports about the effectiveness of 
internal control over financial reporting.

Management's Responsibilities in an Audit of Internal Control Over 
Financial Reporting

    20. For the auditor to satisfactorily complete an audit of internal 
control over financial reporting, management must do the following:\5\
---------------------------------------------------------------------------

    \5\ Management is required to fulfill these responsibilities. 
See Items 308(a) and (c) of Regulation S-B and S-K, 17 CFR 228.308 
(a) and (c) and 229.308 (a) and (c), respectively.
---------------------------------------------------------------------------

    a. Accept responsibility for the effectiveness of the company's 
internal control over financial reporting;
    b. Evaluate the effectiveness of the company's internal control 
over financial reporting using suitable control criteria;
    c. Support its evaluation with sufficient evidence, including 
documentation; and
    d. Present a written assessment of the effectiveness of the 
company's internal control over financial reporting as of the end of 
the company's most recent fiscal year.
    21. If the auditor concludes that management has not fulfilled the 
responsibilities enumerated in the preceding paragraph, the auditor 
should communicate, in writing, to management and the audit committee 
that the audit of internal control over financial reporting cannot be 
satisfactorily completed and that he or she is required to disclaim an 
opinion. Paragraphs 40 through 46 provide information for the auditor 
about evaluating management's process for assessing internal control 
over financial reporting.

Materiality Considerations in an Audit of Internal Control Over 
Financial Reporting

    22. The auditor should apply the concept of materiality in an audit 
of internal control over financial reporting at both the financial-
statement level and at the individual account-balance level. The 
auditor uses materiality at the financial-statement level in evaluating 
whether a deficiency, or combination of deficiencies, in controls is a 
significant deficiency or a material weakness. Materiality at both the 
financial-statement level and the individual account-balance level is 
relevant to planning the audit and designing procedures. Materiality at 
the account-balance level is necessarily lower than materiality at the 
financial-statement level.
    23. The same conceptual definition of materiality that applies to 
financial reporting applies to information on internal control over 
financial reporting, including the relevance of both quantitative and 
qualitative considerations.\6\
---------------------------------------------------------------------------

    \6\ AU sec. 312, Audit Risk and Materiality in Conducting an 
Audit, provides additional explanation of materiality.
---------------------------------------------------------------------------

     The quantitative considerations are essentially 
the same as in an audit of financial statements and relate to whether 
misstatements that would not be prevented or detected by internal 
control over financial reporting, individually or collectively, have a 
quantitatively material effect on the financial statements.
     The qualitative considerations apply to 
evaluating materiality with respect to the financial statements and to 
additional factors that relate to the perceived needs of reasonable 
persons who will rely on the information. Paragraph 6 describes some 
qualitative considerations.

Fraud Considerations in an Audit of Internal Control Over Financial 
Reporting

    24. The auditor should evaluate all controls specifically intended 
to address the risks of fraud that have at least a reasonably possible 
likelihood of having a material effect on the company's financial 
statements. These controls may be a part of any of the five components 
of internal control over financial reporting, as discussed in paragraph 
49. Controls related to the prevention and detection of fraud often 
have a pervasive effect on the risk of fraud. Such controls include, 
but are not limited to, the:
     Controls restraining misappropriation of company 
assets that could result in a material misstatement of the financial 
statements;
     Company's risk assessment processes;
     Code of ethics/conduct provisions, especially those 
related to conflicts of interest, related party transactions, illegal 
acts, and the monitoring of the code by management and the audit 
committee or board;
     Adequacy of the internal audit activity and 
whether the internal audit function reports directly to the audit 
committee, as well as the extent of the audit committee's involvement 
and interaction with internal audit; and
     Adequacy of the company's procedures for 
handling complaints and for accepting confidential submissions of 
concerns about questionable accounting or auditing matters.
    25. Part of management's responsibility when designing a company's 
internal control over financial reporting is to design and implement 
programs and controls to prevent, deter, and detect fraud. Management, 
along with those who have responsibility for oversight of the financial 
reporting process (such as the audit committee), should set the proper 
tone; create and maintain a culture of honesty and high ethical 
standards; and establish appropriate controls to prevent, deter, and 
detect fraud. When management and those responsible for the oversight 
of the financial reporting process fulfill those responsibilities, the 
opportunities to commit fraud can be reduced significantly.
    26. In an audit of internal control over financial reporting, the 
auditor's evaluation of controls is interrelated with the auditor's 
evaluation of controls in a financial statement audit, as required by 
AU sec. 316, Consideration of Fraud in a Financial Statement Audit. 
Often, controls identified and evaluated by the auditor during the 
audit of internal control over financial reporting also address or 
mitigate fraud risks, which the auditor is required to consider in a 
financial statement audit. If the auditor identifies deficiencies in 
controls designed to prevent and detect fraud during the audit of 
internal control over financial reporting, the auditor should alter the 
nature, timing, or extent of procedures to be performed during the 
financial statement audit to be responsive to such deficiencies, as 
provided in paragraphs .44 and .45 of AU sec. 316.

Performing an Audit of Internal Control Over Financial Reporting

    27. In an audit of internal control over financial reporting, the 
auditor must obtain sufficient competent evidence about the design and 
operating effectiveness of controls over all relevant financial 
statement assertions related to all significant accounts and 
disclosures in the financial statements. The auditor must plan and 
perform the audit to obtain reasonable assurance that deficiencies 
that, individually or in the aggregate, would represent material 
weaknesses are identified. Thus, the audit is not designed to detect 
deficiencies in internal control over financial reporting that, 
individually or in the aggregate, are less severe than a material 
weakness. Because of the potential significance of the information 
obtained during the audit of the financial statements to the auditor's 
conclusions about the effectiveness of internal control over financial 
reporting, the auditor cannot audit internal control over financial 
reporting without also auditing the financial statements.

    Note: However, the auditor may audit the financial statements 
without also auditing internal control over financial reporting, for 
example, in the case of certain initial public offerings by a 
company. See the discussion beginning at paragraph 145 for more 
information about the importance of auditing both internal control 
over financial reporting as well as the financial statements when 
the auditor is engaged to audit internal control over financial 
reporting.

    28. The auditor must adhere to the general standards (See 
paragraphs 30 through 36) and fieldwork and reporting standards (See 
paragraph 37) in performing an audit of a company's internal control 
over financial reporting. This involves the following:
    a. Planning the engagement;
    b. Evaluating management's assessment process;
    c. Obtaining an understanding of internal control over financial 
reporting;
    d. Testing and evaluating design effectiveness of internal control 
over financial reporting;
    e. Testing and evaluating operating effectiveness of internal 
control over financial reporting; and
    f. Forming an opinion on the effectiveness of internal control over 
financial reporting.
    29. Even though some requirements of this standard are set forth in 
a manner that suggests a sequential process, auditing internal control 
over financial reporting involves a process of gathering, updating, and 
analyzing information. Accordingly, the auditor may perform some of the 
procedures and evaluations described in this section on ``Performing an 
Audit of Internal Control Over Financial Reporting'' concurrently.

Applying General, Fieldwork, and Reporting Standards

    30. The general standards (See AU sec. 150, Generally Accepted 
Auditing Standards) are applicable to an audit of internal control over 
financial reporting. These standards require technical training and 
proficiency as an auditor, independence in fact and appearance, and the 
exercise of due professional care, including professional skepticism.
    31. Technical Training and Proficiency. To perform an audit of 
internal control over financial reporting, the auditor should have 
competence in the subject matter of internal control over financial 
reporting.
    32. Independence. The applicable requirements of independence are 
largely predicated on four basic principles: (1) An auditor must not 
act as management or as an employee of the audit client, (2) an auditor 
must not audit his or her own work, (3) an auditor must not serve in a 
position of being an advocate for his or her client, and (4) an auditor 
must not have mutual or conflicting interests with his or her audit 
client.\7\ If the auditor were to design or implement controls, that 
situation would place the auditor in a management role and result in 
the auditor auditing his or her own work. These requirements, however, 
do not preclude the auditor from making substantive recommendations as 
to how management may improve the design or operation of the company's 
internal controls as a by-product of an audit.
---------------------------------------------------------------------------

    \7\ See the Preliminary Note of Rule 2-01 of Regulation S-X, 17 
CFR 210.2-01.
---------------------------------------------------------------------------

    33. The auditor must not accept an engagement to provide internal 
control-related services to an issuer for which the auditor also audits 
the financial statements unless that engagement has been specifically 
pre-approved by the audit committee. For any internal control services 
the auditor provides, management must be actively involved and cannot 
delegate responsibility for these matters to the auditor. Management's 
involvement must be substantive and extensive. Management's acceptance 
of responsibility for documentation and testing performed by the 
auditor does not by itself satisfy the independence requirements.
    34. Maintaining independence, in fact and appearance, requires 
careful attention, as is the case with all independence issues when 
work concerning internal control over financial reporting is performed. 
Unless the auditor and the audit committee are diligent in evaluating 
the nature and extent of services provided, the services might violate 
basic principles of independence and cause an impairment of 
independence in fact or appearance.
    35. The independent auditor and the audit committee have 
significant and distinct responsibilities for evaluating whether the 
auditor's services impair independence in fact or appearance. The test 
for independence in fact is whether the activities would impede the 
ability of anyone on the engagement team or in a position to influence 
the engagement team from exercising objective judgment in the audits of 
the financial statements or internal control over financial reporting. 
The test for independence in appearance is whether a reasonable 
investor, knowing all relevant facts and circumstances, would perceive 
an auditor as having interests which could jeopardize the exercise of 
objective and impartial judgments on all issues encompassed within the 
auditor's engagement.
    36. Due Professional Care. The auditor must exercise due 
professional care in an audit of internal control over financial 
reporting. One important tenet of due professional care is exercising 
professional skepticism. In an audit of internal control over financial 
reporting, exercising professional skepticism involves essentially the 
same considerations as in an audit of financial statements, that is, it 
includes a critical assessment of the work that management has 
performed in evaluating and testing controls.
    37. Fieldwork and Reporting Standards. This standard establishes 
the fieldwork and reporting standards applicable to an audit of 
internal control over financial reporting.
    38. The concept of materiality, as discussed in paragraphs 22 and 
23, underlies the application of the general and fieldwork standards.

Planning the Engagement

    39. The audit of internal control over financial reporting should 
be properly planned and assistants, if any, are to be properly 
supervised. When planning the audit of internal control over financial 
reporting, the auditor should evaluate how the following matters will 
affect the auditor's procedures:
     Knowledge of the company's internal control over 
financial reporting obtained during other engagements.
     Matters affecting the industry in which the 
company operates, such as financial reporting practices, economic 
conditions, laws and regulations, and technological changes.
     Matters relating to the company's business, 
including its organization, operating characteristics, capital 
structure, and distribution methods.
     The extent of recent changes, if any, in the 
company, its operations, or its internal control over financial 
reporting.
     Management's process for assessing the 
effectiveness of the company's internal control over financial 
reporting based upon control criteria.
     Preliminary judgments about materiality, risk, 
and other factors relating to the determination of material weaknesses.
     Control deficiencies previously communicated to 
the audit committee or management.
     Legal or regulatory matters of which the company 
is aware.
     The type and extent of available evidence 
related to the effectiveness of the company's internal control over 
financial reporting.
     Preliminary judgments about the effectiveness of 
internal control over financial reporting.
     The number of significant business locations or 
units, including management's documentation and monitoring of controls 
over such locations or business units. (Appendix B, paragraphs B1 
through B17, discusses factors the auditor should evaluate to determine 
the locations at which to perform auditing procedures.)

Evaluating Management's Assessment Process

    40. The auditor must obtain an understanding of, and evaluate, 
management's process for assessing the effectiveness of the company's 
internal control over financial reporting. When obtaining the 
understanding, the auditor should determine whether management has 
addressed the following elements:
     Determining which controls should be tested, 
including controls over all relevant assertions related to all 
significant accounts and disclosures in the financial statements. 
Generally, such controls include:

--Controls over initiating, authorizing, recording, processing, and 
reporting significant accounts and disclosures and related assertions 
embodied in the financial statements.
--Controls over the selection and application of accounting policies 
that are in conformity with generally accepted accounting principles.
--Antifraud programs and controls.
--Controls, including information technology general controls, on which 
other controls are dependent.
--Controls over significant nonroutine and nonsystematic transactions, 
such as accounts involving judgments and estimates.
--Company level controls (as described in paragraph 53), including:
    --The control environment and
    --Controls over the period-end financial reporting process, including 
    controls over procedures used to enter transaction totals into the 
    general ledger; to initiate, authorize, record, and process journal 
    entries in the general ledger; and to record recurring and nonrecurring 
    adjustments to the financial statements (for example, consolidating 
    adjustments, report combinations, and reclassifications).

    Note: References to the period-end financial reporting process 
in this standard refer to the preparation of both annual and 
quarterly financial statements.

     Evaluating the likelihood that failure of the control could result in 
a misstatement, the magnitude of such a misstatement, and the degree to 
which other controls, if effective, achieve the same control 
objectives.
     Determining the locations or business units to include in the 
evaluation for a company with multiple locations or business units (See 
paragraphs B1 through B17).
     Evaluating the design effectiveness of controls.
     Evaluating the operating effectiveness of controls based on 
procedures sufficient to assess their operating effectiveness.
    Examples of such procedures include testing of the controls by 
internal audit, testing of controls by others under the direction of 
management, using a service organization's reports (See paragraphs B18 
through B29), inspection of evidence of the application of controls, or 
testing by means of a self-assessment process, some of which might 
occur as part of management's ongoing monitoring activities. Inquiry 
alone is not adequate to complete this evaluation. To evaluate the 
effectiveness of the company's internal control over financial 
reporting, management must have evaluated controls over all relevant 
assertions related to all significant accounts and disclosures.

     Determining the deficiencies in internal control over financial 
reporting that are of such a magnitude and likelihood of occurrence 
that they constitute significant deficiencies or material weaknesses.
     Communicating findings to the auditor and to others, if applicable.
     Evaluating whether findings are reasonable and support management's 
assessment.

    41. As part of the understanding and evaluation of management's 
process, the auditor should obtain an understanding of the results of 
procedures performed by others. Others include internal audit and third 
parties working under the direction of management, including other 
auditors and accounting professionals engaged to perform procedures as 
a basis for management's assessment. Inquiry of management and others 
is the beginning point for obtaining an understanding of internal 
control over financial reporting, but inquiry alone is not adequate for 
reaching a conclusion on any aspect of internal control over financial 
reporting effectiveness.

    Note: Management cannot use the auditor's procedures as part of 
the basis for its assessment of the effectiveness of internal 
control over financial reporting.

    42. Management's Documentation. When determining whether 
management's documentation provides reasonable support for its 
assessment, the auditor should evaluate whether such documentation 
includes the following:
     The design of controls over all relevant 
assertions related to all significant accounts and disclosures in the 
financial statements. The documentation should include the five 
components of internal control over financial reporting as discussed in 
paragraph 49, including the control environment and company-level 
controls as described in paragraph 53;
     Information about how significant transactions 
are initiated, authorized, recorded, processed and reported;
     Sufficient information about the flow of 
transactions to identify the points at which material misstatements due 
to error or fraud could occur;
     Controls designed to prevent or detect fraud, 
including who performs the controls and the related segregation of 
duties;
     Controls over the period-end financial reporting 
process;
     Controls over safeguarding of assets (See 
paragraphs C1 through C6); and
     The results of management's testing and 
evaluation.
    43. Documentation might take many forms, such as paper, electronic 
files, or other media, and can include a variety of information, 
including policy manuals, process models, flowcharts, job descriptions, 
documents, and forms. The form and extent of documentation will vary 
depending on the size, nature, and complexity of the company.
    44. Documentation of the design of controls over relevant 
assertions related to significant accounts and disclosures 
is evidence that controls related to management's assessment of the 
effectiveness of internal control over financial reporting, including 
changes to those controls, have been identified, are capable of being 
communicated to those responsible for their performance, and are 
capable of being monitored by the company. Such documentation also 
provides the foundation for appropriate communication concerning 
responsibilities for performing controls and for the company's 
evaluation of and monitoring of the effective operation of controls.
    45. Inadequate documentation of the design of controls over 
relevant assertions related to significant accounts and disclosures is 
a deficiency in the company's internal control over financial 
reporting. As discussed in paragraph 138, the auditor should evaluate 
this documentation deficiency. The auditor might conclude that the 
deficiency is only a deficiency, or that the deficiency represents a 
significant deficiency or a material weakness. In evaluating the 
deficiency as to its significance, the auditor should determine whether 
management can demonstrate the monitoring component of internal control 
over financial reporting.
    46. Inadequate documentation also could cause the auditor to 
conclude that there is a limitation on the scope of the engagement.

Obtaining an Understanding of Internal Control Over Financial Reporting

    47. The auditor should obtain an understanding of the design of 
specific controls by applying procedures that include:
     Making inquiries of appropriate management, 
supervisory, and staff personnel;
     Inspecting company documents;
     Observing the application of specific controls; 
and
     Tracing transactions through the information 
system relevant to financial reporting.
    48. The auditor could also apply additional procedures to obtain an 
understanding of the design of specific controls.
    49. The auditor must obtain an understanding of the design of 
controls related to each component of internal control over financial 
reporting, as discussed below.
     Control Environment. Because of the pervasive 
effect of the control environment on the reliability of financial 
reporting, the auditor's preliminary judgment about its effectiveness 
often influences the nature, timing, and extent of the tests of 
operating effectiveness considered necessary. Weaknesses in the control 
environment should cause the auditor to alter the nature, timing, or 
extent of tests of operating effectiveness that otherwise should have 
been performed in the absence of the weaknesses.
     Risk Assessment. When obtaining an understanding 
of the company's risk assessment process, the auditor should evaluate 
whether management has identified the risks of material misstatement in 
the significant accounts and disclosures and related assertions of the 
financial statements and has implemented controls to prevent or detect 
errors or fraud that could result in material misstatements. For 
example, the risk assessment process should address how management 
considers the possibility of unrecorded transactions or identifies and 
analyzes significant estimates recorded in the financial statements. 
Risks relevant to reliable financial reporting also relate to specific 
events or transactions.
     Control Activities. The auditor's understanding 
of control activities relates to the controls that management has 
implemented to prevent or detect errors or fraud that could result in 
material misstatement in the accounts and disclosures and related 
assertions of the financial statements. For the purposes of evaluating 
the effectiveness of internal control over financial reporting, the 
auditor's understanding of control activities encompasses a broader 
range of accounts and disclosures than what is normally obtained for 
the financial statement audit.
     Information and Communication. The auditor's 
understanding of management's information and communication involves 
understanding the same systems and processes that he or she addresses 
in an audit of financial statements. In addition, this understanding 
includes a greater emphasis on comprehending the safeguarding controls 
and the processes for authorization of transactions and the maintenance 
of records, as well as the period-end financial reporting process 
(discussed further beginning at paragraph 76).
     Monitoring. The auditor's understanding of 
management's monitoring of controls extends to and includes its 
monitoring of all controls, including control activities, which 
management has identified and designed to prevent or detect material 
misstatement in the accounts and disclosures and related assertions of 
the financial statements.
    50. Some controls (such as company-level controls, described in 
paragraph 53) might have a pervasive effect on the achievement of many 
overall objectives of the control criteria. For example, information 
technology general controls over program development, program changes, 
computer operations, and access to programs and data help ensure that 
specific controls over the processing of transactions are operating 
effectively. In contrast, other controls are designed to achieve 
specific objectives of the control criteria. For example, management 
generally establishes specific controls, such as accounting for all 
shipping documents, to ensure that all valid sales are recorded.
    51. The auditor should focus on combinations of controls, in 
addition to specific controls in isolation, in assessing whether the 
objectives of the control criteria have been achieved. The absence or 
inadequacy of a specific control designed to achieve the objectives of 
a specific criterion might not be a deficiency if other controls 
specifically address the same criterion. Further, when one or more 
controls achieve the objectives of a specific criterion, the auditor 
might not need to evaluate other controls designed to achieve those 
same objectives.
    52. Identifying Company-Level Controls. Controls that exist at the 
company-level often have a pervasive impact on controls at the process, 
transaction, or application level. For that reason, as a practical 
consideration, it may be appropriate for the auditor to test and 
evaluate the design effectiveness of company-level controls first, 
because the results of that work might affect the way the auditor 
evaluates the other aspects of internal control over financial 
reporting.
    53. Company-level controls are controls such as the following:
     Controls within the control environment, 
including tone at the top, the assignment of authority and 
responsibility, consistent policies and procedures, and company-wide 
programs, such as codes of conduct and fraud prevention, that apply to 
all locations and business units (See paragraphs 113 through 115 for 
further discussion);
     Management's risk assessment process;
     Centralized processing and controls, including 
shared service environments;
     Controls to monitor results of operations;
     Controls to monitor other controls, including 
activities of the internal audit function, the audit committee, and 
self-assessment programs;
     The period-end financial reporting process; and
     Board-approved policies that address significant 
business control and risk management practices.

    Note: The controls listed above are not intended to be a 
complete list of company-level controls nor is a company required to 
have all the controls in the list to support its assessment of 
effective company-level controls. However, ineffective company-level 
controls are a deficiency that will affect the scope of work 
performed, particularly when a company has multiple locations or 
business units, as described in Appendix B.

    54. Testing company-level controls alone is not sufficient for the 
purpose of expressing an opinion on the effectiveness of a company's 
internal control over financial reporting.
    55. Evaluating the Effectiveness of the Audit Committee's Oversight 
of the Company's External Financial Reporting and Internal Control Over 
Financial Reporting. The company's audit committee plays an important 
role within the control environment and monitoring components of 
internal control over financial reporting. Within the control 
environment, the existence of an effective audit committee helps to set 
a positive tone at the top. Within the monitoring component, an 
effective audit committee challenges the company's activities in the 
financial arena.

    Note: Although the audit committee plays an important role 
within the control environment and monitoring components of internal 
control over financial reporting, management is responsible for 
maintaining effective internal control over financial reporting. 
This standard does not suggest that this responsibility has been 
transferred to the audit committee.


    Note: If no such committee exists with respect to the company, 
all references to the audit committee in this standard apply to the 
entire board of directors of the company.\8\ The auditor should be 
aware that companies whose securities are not listed on a national 
securities exchange or an automated inter-dealer quotation system of 
a national securities association (such as the New York Stock 
Exchange, American Stock Exchange, or NASDAQ) may not be required to 
have independent directors for their audit committees. In this case, 
the auditor should not consider the lack of independent directors at 
these companies indicative, by itself, of a control deficiency. 
Likewise, the independence requirements of Securities Exchange Act 
Rule 10A-3\9\ are not applicable to the listing of non-equity 
securities of a consolidated or at least 50 percent beneficially 
owned subsidiary of a listed issuer that is subject to the 
requirements of Securities Exchange Act Rule 10A-3(c)(2).\10\ 
Therefore, the auditor should interpret references to the audit 
committee in this standard, as applied to a subsidiary registrant, 
as being consistent with the provisions of Securities Exchange Act 
Rule 10A-3(c)(2).\11\ Furthermore, for subsidiary registrants, 
communications required by this standard to be directed to the audit 
committee should be made to the same committee or equivalent body 
that pre-approves the retention of the auditor by or on behalf of 
the subsidiary registrant pursuant to Rule 2-01(c)(7) of Regulation 
S-X\12\ (which might be, for example, the audit committee of the 
subsidiary registrant, the full board of the subsidiary registrant, 
or the audit committee of the subsidiary registrant's parent). In 
all cases, the auditor should interpret the terms ``board of 
directors'' and ``audit committee'' in this standard as being 
consistent with provisions for the use of those terms as defined in 
relevant SEC rules.

    \8\ See 15 U.S.C. 78c(a)58 and 15 U.S.C. 7201(a)(3).
    \9\ See 17 CFR 240.10A-3.
    \10\ See 17 CFR 240.10A-3(c)(2).
    \11\ See 17 CFR 240.10A-3(c)(2).
    \12\ See 17 CFR 210.2-01(c)(7).
---------------------------------------------------------------------------

    56. The company's board of directors is responsible for evaluating 
the performance and effectiveness of the audit committee; this standard 
does not suggest that the auditor is responsible for performing a 
separate and distinct evaluation of the audit committee. However, 
because of the role of the audit committee within the control 
environment and monitoring components of internal control over 
financial reporting, the auditor should assess the effectiveness of the 
audit committee as part of understanding and evaluating those 
components.
    57. The aspects of the audit committee's effectiveness that are 
important may vary considerably with the circumstances. The auditor 
focuses on factors related to the effectiveness of the audit 
committee's oversight of the company's external financial reporting and 
internal control over financial reporting, such as the independence of 
the audit committee members from management and the clarity with which 
the audit committee's responsibilities are articulated (for example, in 
the audit committee's charter) and how well the audit committee and 
management understand those responsibilities. The auditor might also 
consider the audit committee's involvement and interaction with the 
independent auditor and with internal auditors, as well as interaction 
with key members of financial management, including the chief financial 
officer and chief accounting officer.
    58. The auditor might also evaluate whether the right questions are 
raised and pursued with management and the auditor, including questions 
that indicate an understanding of the critical accounting policies and 
judgmental accounting estimates, and the responsiveness to issues 
raised by the auditor.
    59. Ineffective oversight by the audit committee of the company's 
external financial reporting and internal control over financial 
reporting should be regarded as at least a significant deficiency and 
is a strong indicator that a material weakness in internal control over 
financial reporting exists.
    60. Identifying Significant Accounts. The auditor should identify 
significant accounts and disclosures, first at the financial-statement 
level and then at the account or disclosure-component level. 
Determining specific controls to test begins by identifying significant 
accounts and disclosures within the financial statements. When 
identifying significant accounts, the auditor should evaluate both 
quantitative and qualitative factors.
    61. An account is significant if there is more than a remote 
likelihood that the account could contain misstatements that 
individually, or when aggregated with others, could have a material 
effect on the financial statements, considering the risks of both 
overstatement and understatement. Other accounts may be significant on 
a qualitative basis based on the expectations of a reasonable user. For 
example, investors might be interested in a particular financial 
statement account even though it is not quantitatively large because it 
represents an important performance measure.

    Note: For purposes of determining significant accounts, the 
assessment as to likelihood should be made without giving any 
consideration to the effectiveness of internal control over 
financial reporting.

    62. Components of an account balance subject to differing risks 
(inherent and control) or different controls should be considered 
separately as potential significant accounts. For instance, inventory 
accounts often consist of raw materials (purchasing process), work in 
process (manufacturing process), finished goods (distribution process), 
and an allowance for obsolescence.
    63. In some cases, separate components of an account might be a 
significant account because of the company's organizational structure. 
For example, for a company that has a number of separate business 
units, each with different management and accounting processes, the 
accounts at each separate business unit are considered individually as 
potential significant accounts.
    64. An account also may be considered significant because of the 
exposure to unrecognized obligations

[[Page 20681]]

represented by the account. For example, loss reserves related to a 
self-insurance program or unrecorded contractual obligations at a 
construction contracting subsidiary may have historically been 
insignificant in amount, yet might represent a more than remote 
likelihood of material misstatement due to the existence of material 
unrecorded claims.
    65. When deciding whether an account is significant, it is 
important for the auditor to evaluate both quantitative and qualitative 
factors, including the:
     Size and composition of the account;
     Susceptibility of loss due to errors or fraud;
     Volume of activity, complexity, and homogeneity 
of the individual transactions processed through the account;
     Nature of the account (for example, suspense 
accounts generally warrant greater attention);
     Accounting and reporting complexities associated 
with the account;
     Exposure to losses represented by the account 
(for example, loss accruals related to a consolidated construction 
contracting subsidiary);
     Likelihood (or possibility) of significant 
contingent liabilities arising from the activities represented by the 
account;
     Existence of related party transactions in the 
account; and
     Changes from the prior period in account 
characteristics (for example, new complexities or subjectivity or new 
types of transactions).
    66. For example, in a financial statement audit, the auditor might 
not consider the fixed asset accounts significant when there is a low 
volume of transactions and when inherent risk is assessed as low, even 
though the balances are material to the financial statements. 
Accordingly, he or she might decide to perform only substantive 
procedures on such balances. In an audit of internal control over 
financial reporting, however, such accounts are significant accounts 
because of their materiality to the financial statements.
    67. As another example, the auditor of the financial statements of 
a financial institution might not consider trust accounts significant 
to the institution's financial statements because such accounts are not 
included in the institution's balance sheet and the associated fee 
income generated by trust activities is not material. However, in 
determining whether trust accounts are a significant account for 
purposes of the audit of internal control over financial reporting, the 
auditor should assess whether the activities of the trust department 
are significant to the institution's financial reporting, which also 
would include considering the contingent liabilities that could arise 
if a trust department failed to fulfill its fiduciary responsibilities 
(for example, if investments were made that were not in accordance with 
stated investment policies). When assessing the significance of 
possible contingent liabilities, consideration of the amount of assets 
under the trust department's control may be useful. For this reason, an 
auditor who has not considered trust accounts significant accounts for 
purposes of the financial statement audit might determine that they are 
significant for purposes of the audit of internal control over 
financial reporting.
    68. Identifying Relevant Financial Statement Assertions. For each 
significant account, the auditor should determine the relevance of each 
of these financial statement assertions:\13\
---------------------------------------------------------------------------

    \13\ See AU sec. 326, Evidential Matter, which provides 
additional information on financial statement assertions.

     Existence or occurrence;
     Completeness;
     Valuation or allocation;
     Rights and obligations; and
     Presentation and disclosure.
    69. To identify relevant assertions, the auditor should determine 
the source of likely potential misstatements in each significant 
account. In determining whether a particular assertion is relevant to a 
significant account balance or disclosure, the auditor should evaluate:

     The nature of the assertion;
     The volume of transactions or data related to 
the assertion; and
     The nature and complexity of the systems, 
including the use of information technology by which the company 
processes and controls information supporting the assertion.
    70. Relevant assertions are assertions that have a meaningful 
bearing on whether the account is fairly stated. For example, valuation 
may not be relevant to the cash account unless currency translation is 
involved; however, existence and completeness are always relevant. 
Similarly, valuation may not be relevant to the gross amount of the 
accounts receivable balance, but is relevant to the related allowance 
accounts. Additionally, the auditor might, in some circumstances, focus 
on the presentation and disclosure assertion separately in connection 
with the period-end financial reporting process.
    71. Identifying Significant Processes and Major Classes of 
Transactions. The auditor should identify each significant process over 
each major class of transactions affecting significant accounts or 
groups of accounts. Major classes of transactions are those classes of 
transactions that are significant to the company's financial 
statements. For example, at a company whose sales may be initiated by 
customers through personal contact in a retail store or electronically 
through use of the internet, these types of sales would be two major 
classes of transactions within the sales process if they were both 
significant to the company's financial statements. As another example, 
at a company for which fixed assets is a significant account, recording 
depreciation expense would be a major class of transactions.
    72. Different types of major classes of transactions have different 
levels of inherent risk associated with them and require different 
levels of management supervision and involvement. For this reason, the 
auditor might further categorize the identified major classes of 
transactions by transaction type: routine, nonroutine, and estimation.
     Routine transactions are recurring financial 
activities reflected in the accounting records in the normal course of 
business (for example, sales, purchases, cash receipts, cash 
disbursements, payroll).
     Nonroutine transactions are activities that 
occur only periodically (for example, taking physical inventory, 
calculating depreciation expense, adjusting for foreign currencies). A 
distinguishing feature of nonroutine transactions is that data involved 
are generally not part of the routine flow of transactions.
     Estimation transactions are activities that 
involve management judgments or assumptions in formulating account 
balances in the absence of a precise means of measurement (for example, 
determining the allowance for doubtful accounts, establishing warranty 
reserves, assessing assets for impairment).
    73. Most processes involve a series of tasks such as capturing 
input data, sorting and merging data, making calculations, updating 
transactions and master files, generating transactions, and summarizing 
and displaying or reporting data. The processing procedures relevant 
for the auditor to understand the flow of transactions generally are 
those activities required to initiate, authorize, record, process and 
report transactions. Such activities include, for example, initially 
recording sales orders, preparing shipping

[[Page 20682]]

documents and invoices, and updating the accounts receivable master 
file. The relevant processing procedures also include procedures for 
correcting and reprocessing previously rejected transactions and for 
correcting erroneous transactions through adjusting journal entries.
    74. For each significant process, the auditor should:
     Understand the flow of transactions, including 
how transactions are initiated, authorized, recorded, processed, and 
reported.
     Identify the points within the process at which 
a misstatement--including a misstatement due to fraud--related to each 
relevant financial statement assertion could arise.
     Identify the controls that management has 
implemented to address these potential misstatements.
     Identify the controls that management has 
implemented over the prevention or timely detection of unauthorized 
acquisition, use, or disposition of the company's assets.

    Note: The auditor frequently obtains the understanding and 
identifies the controls described above as part of his or her 
performance of walkthroughs (as described beginning in paragraph 
79).

    75. The nature and characteristics of a company's use of 
information technology in its information system affect the company's 
internal control over financial reporting. AU sec. 319, Consideration 
of Internal Control in a Financial Statement Audit, paragraphs .16 
through .20, .30 through .32, and .77 through .79, discuss the effect 
of information technology on internal control over financial reporting.
    76. Understanding the Period-end Financial Reporting Process. The 
period-end financial reporting process includes the following:
     The procedures used to enter transaction totals 
into the general ledger;
     The procedures used to initiate, authorize, 
record, and process journal entries in the general ledger;
     Other procedures used to record recurring and 
nonrecurring adjustments to the annual and quarterly financial 
statements, such as consolidating adjustments, report combinations, and 
classifications; and
     Procedures for drafting annual and quarterly 
financial statements and related disclosures.
    77. As part of understanding and evaluating the period-end 
financial reporting process, the auditor should evaluate:

     The inputs, procedures performed, and outputs of 
the processes the company uses to produce its annual and quarterly 
financial statements;
     The extent of information technology involvement 
in each period-end financial reporting process element;
     Who participates from management;
     The number of locations involved;
     Types of adjusting entries (for example, 
standard, nonstandard, eliminating, and consolidating); and
     The nature and extent of the oversight of the 
process by appropriate parties, including management, the board of 
directors, and the audit committee.

    78. The period-end financial reporting process is always a 
significant process because of its importance to financial reporting 
and to the auditor's opinions on internal control over financial 
reporting and the financial statements. The auditor's understanding of 
the company's period-end financial reporting process and how it 
interrelates with the company's other significant processes assists the 
auditor in identifying and testing controls that are the most relevant 
to financial statement risks.
    79. Performing Walkthroughs. The auditor should perform at least 
one walkthrough for each major class of transactions (as identified in 
paragraph 71). In a walkthrough, the auditor traces a transaction from 
origination through the company's information systems until it is 
reflected in the company's financial reports. Walkthroughs provide the 
auditor with evidence to:

     Confirm the auditor's understanding of the 
process flow of transactions;
     Confirm the auditor's understanding of the 
design of controls identified for all five components of internal 
control over financial reporting, including those related to the 
prevention or detection of fraud;
     Confirm that the auditor's understanding of the 
process is complete by determining whether all points in the process at 
which misstatements related to each relevant financial statement 
assertion that could occur have been identified;
     Evaluate the effectiveness of the design of 
controls; and
     Confirm whether controls have been placed in 
operation.

    Note: The auditor can often gain an understanding of the 
transaction flow, identify and understand controls, and conduct the 
walkthrough simultaneously.

    80. The auditor's walkthroughs should encompass the entire process 
of initiating, authorizing, recording, processing, and reporting 
individual transactions and controls for each of the significant 
processes identified, including controls intended to address the risk 
of fraud. During the walkthrough, at each point at which important 
processing procedures or controls occur, the auditor should question 
the company's personnel about their understanding of what is required 
by the company's prescribed procedures and controls and determine 
whether the processing procedures are performed as originally 
understood and on a timely basis. (Controls might not be performed 
regularly but still be timely.) During the walkthrough, the auditor 
should be alert for exceptions to the company's prescribed procedures 
and controls.
    81. While performing a walkthrough, the auditor should evaluate the 
quality of the evidence obtained and perform walkthrough procedures 
that produce a level of evidence consistent with the objectives listed 
in paragraph 79. Rather than reviewing copies of documents and making 
inquiries of a single person at the company, the auditor should follow 
the process flow of actual transactions using the same documents and 
information technology that company personnel use and make inquiries of 
relevant personnel involved in significant aspects of the process or 
controls. To corroborate information at various points in the 
walkthrough, the auditor might ask personnel to describe their 
understanding of the previous and succeeding processing or control 
activities and to demonstrate what they do. In addition, inquiries 
should include follow-up questions that could help identify the abuse 
of controls or indicators of fraud. Examples of follow-up inquiries 
include asking personnel:

     What they do when they find an error or what 
they are looking for to determine if there is an error (rather than 
simply asking them if they perform listed procedures and controls); 
what kind of errors they have found; what happened as a result of 
finding the errors, and how the errors were resolved. If the person 
being interviewed has never found an error, the auditor should evaluate 
whether that situation is due to good preventive controls or whether 
the individual performing the control lacks the necessary skills.
     Whether they have been asked to override the 
process or controls, and if so, to describe the situation, why it 
occurred, and what happened.
    82. During the period under audit, when there have been significant 
changes in the process flow of transactions, including the supporting 
computer applications, the auditor should evaluate the nature of the

[[Page 20683]]

change(s) and the effect on related accounts to determine whether to 
walk through transactions that were processed both before and after the 
change.

    Note: Unless significant changes in the process flow of 
transactions, including the supporting computer applications, make 
it more efficient for the auditor to prepare new documentation of a 
walkthrough, the auditor may carry his or her documentation forward 
each year, after updating it for any changes that have taken place.

    83. Identifying Controls to Test. The auditor should obtain 
evidence about the effectiveness of controls (either by performing 
tests of controls himself or herself, or by using the work of others) 
\14\ for all relevant assertions related to all significant accounts 
and disclosures in the financial statements. After identifying 
significant accounts, relevant assertions, and significant processes, 
the auditor should evaluate the following to identify the controls to 
be tested:

    \14\ See paragraphs 108 through 126 for additional direction on 
using the work of others.
---------------------------------------------------------------------------

     Points at which errors or fraud could occur;
     The nature of the controls implemented by 
management;
     The significance of each control in achieving 
the objectives of the control criteria and whether more than one 
control achieves a particular objective or whether more than one 
control is necessary to achieve a particular objective; and
     The risk that the controls might not be 
operating effectively. Factors that affect whether the control might 
not be operating effectively include the following:

--Whether there have been changes in the volume or nature of 
transactions that might adversely affect control design or operating 
effectiveness;
--Whether there have been changes in the design of controls;
--The degree to which the control relies on the effectiveness of other 
controls (for example, the control environment or information 
technology general controls);
--Whether there have been changes in key personnel who perform the 
control or monitor its performance;
--Whether the control relies on performance by an individual or is 
automated; and
--The complexity of the control.

    84. The auditor should clearly link individual controls with the 
significant accounts and assertions to which they relate.
    85. The auditor should evaluate whether to test preventive 
controls, detective controls, or a combination of both for individual 
relevant assertions related to individual significant accounts. For 
instance, when performing tests of preventive and detective controls, 
the auditor might conclude that a deficient preventive control could be 
compensated for by an effective detective control and, therefore, not 
result in a significant deficiency or material weakness. For example, a 
monthly reconciliation control procedure, which is a detective control, 
might detect an out-of-balance situation resulting from an unauthorized 
transaction being initiated due to an ineffective authorization 
procedure, which is a preventive control. When determining whether the 
detective control is effective, the auditor should evaluate whether the 
detective control is sufficient to achieve the control objective to 
which the preventive control relates.

    Note: Because effective internal control over financial 
reporting often includes a combination of preventive and detective 
controls, the auditor ordinarily will test a combination of both.

    86. The auditor should apply tests of controls to those controls 
that are important to achieving each control objective. It is neither 
necessary to test all controls nor is it necessary to test redundant 
controls (that is, controls that duplicate other controls that achieve 
the same objective and already have been tested), unless redundancy is 
itself a control objective, as in the case of certain computer 
controls.
    87. Appendix B, paragraphs B1 through B17, provide additional 
direction to the auditor in determining which controls to test when a 
company has multiple locations or business units. In these 
circumstances, the auditor should determine significant accounts and 
their relevant assertions, significant processes, and major classes of 
transactions based on those that are relevant and significant to the 
consolidated financial statements. Having made those determinations in 
relation to the consolidated financial statements, the auditor should 
then apply the directions in Appendix B.

Testing and Evaluating Design Effectiveness

    88. Internal control over financial reporting is effectively 
designed when the controls complied with would be expected to prevent 
or detect errors or fraud that could result in material misstatements 
in the financial statements. The auditor should determine whether the 
company has controls to meet the objectives of the control criteria by:
     Identifying the company's control objectives in 
each area;
     Identifying the controls that satisfy each 
objective; and
     Determining whether the controls, if operating 
properly, can effectively prevent or detect errors or fraud that could 
result in material misstatements in the financial statements.
    89. Procedures the auditor performs to test and evaluate design 
effectiveness include inquiry, observation, walkthroughs, inspection of 
relevant documentation, and a specific evaluation of whether the 
controls are likely to prevent or detect errors or fraud that could 
result in misstatements if they are operated as prescribed by 
appropriately qualified persons.
    90. The procedures that the auditor performs in evaluating 
management's assessment process and obtaining an understanding of 
internal control over financial reporting also provide the auditor with 
evidence about the design effectiveness of internal control over 
financial reporting.
    91. The procedures the auditor performs to test and evaluate design 
effectiveness also might provide evidence about operating 
effectiveness.

Testing and Evaluating Operating Effectiveness

    92. An auditor should evaluate the operating effectiveness of a 
control by determining whether the control is operating as designed and 
whether the person performing the control possesses the necessary 
authority and qualifications to perform the control effectively.
    93. Nature of Tests of Controls. Tests of controls over operating 
effectiveness should include a mix of inquiries of appropriate 
personnel, inspection of relevant documentation, observation of the 
company's operations, and reperformance of the application of the 
control. For example, the auditor might observe the procedures for 
opening the mail and processing cash receipts to test the operating 
effectiveness of controls over cash receipts. Because an observation is 
pertinent only at the point in time at which it is made, the auditor 
should supplement the observation with inquiries of company personnel 
and inspection of documentation about the operation of such controls at 
other times. These inquiries might be made concurrently with performing 
walkthroughs.
    94. Inquiry is a procedure that consists of seeking information, 
both financial and nonfinancial, of knowledgeable persons throughout 
the

[[Page 20684]]

company. Inquiry is used extensively throughout the audit and often is 
complementary to performing other procedures. Inquiries may range from 
formal written inquiries to informal oral inquiries.
    95. Evaluating responses to inquiries is an integral part of the 
inquiry procedure. Examples of information that inquiries might provide 
include the skill and competency of those performing the control, the 
relative sensitivity of the control to prevent or detect errors or 
fraud, and the frequency with which the control operates to prevent or 
detect errors or fraud. Responses to inquiries might provide the 
auditor with information not previously possessed or with corroborative 
evidence. Alternatively, responses might provide information that 
differs significantly from other information the auditor obtains (for 
example, information regarding the possibility of management override 
of controls). In some cases, responses to inquiries provide a basis for 
the auditor to modify or perform additional procedures.
    96. Because inquiry alone does not provide sufficient evidence to 
support the operating effectiveness of a control, the auditor should 
perform additional tests of controls. For example, if the company 
implements a control activity whereby its sales manager reviews and 
investigates a report of invoices with unusually high or low gross 
margins, inquiry of the sales manager as to whether he or she 
investigates discrepancies would be inadequate. To obtain sufficient 
evidence about the operating effectiveness of the control, the auditor 
should corroborate the sales manager's responses by performing other 
procedures, such as inspecting reports or other documentation used in 
or generated by the performance of the control, and evaluate whether 
appropriate actions were taken regarding discrepancies.
    97. The nature of the control also influences the nature of the 
tests of controls the auditor can perform. For example, the auditor 
might examine documents regarding controls for which documentary 
evidence exists. However, documentary evidence regarding some aspects 
of the control environment, such as management's philosophy and 
operating style, might not exist. In circumstances in which documentary 
evidence of controls or the performance of controls does not exist and 
is not expected to exist, the auditor's tests of controls would consist 
of inquiries of appropriate personnel and observation of company 
activities. As another example, a signature on a voucher package to 
indicate that the signer approved it does not necessarily mean that the 
person carefully reviewed the package before signing. The package may 
have been signed based on only a cursory review (or without any 
review). As a result, the quality of the evidence regarding the 
effective operation of the control might not be sufficiently 
persuasive. If that is the case, the auditor should reperform the 
control (for example, checking prices, extensions, and additions) as 
part of the test of the control. In addition, the auditor might inquire 
of the person responsible for approving voucher packages what he or she 
looks for when approving packages and how many errors have been found 
within voucher packages. The auditor also might inquire of supervisors 
whether they have any knowledge of errors that the person responsible 
for approving the voucher packages failed to detect.
    98. Timing of Tests of Controls. The auditor must perform tests of 
controls over a period of time that is adequate to determine whether, 
as of the date specified in management's report, the controls necessary 
for achieving the objectives of the control criteria are operating 
effectively. The period of time over which the auditor performs tests 
of controls varies with the nature of the controls being tested and 
with the frequency with which specific controls operate and specific 
policies are applied. Some controls operate continuously (for example, 
controls over sales), while others operate only at certain times (for 
example, controls over the preparation of monthly or quarterly 
financial statements and controls over physical inventory counts).
    99. The auditor's testing of the operating effectiveness of such 
controls should occur at the time the controls are operating. Controls 
``as of'' a specific date encompass controls that are relevant to the 
company's internal control over financial reporting ``as of'' that 
specific date, even though such controls might not operate until after 
that specific date. For example, some controls over the period-end 
financial reporting process normally operate only after the ``as of'' 
date. Therefore, if controls over the December 31, 20X4 period-end 
financial reporting process operate in January 20X5, the auditor should 
test the control operating in January 20X5 to have sufficient evidence 
of operating effectiveness ``as of'' December 31, 20X4.
    100. When the auditor reports on the effectiveness of controls ``as 
of'' a specific date and obtains evidence about the operating 
effectiveness of controls at an interim date, he or she should 
determine what additional evidence to obtain concerning the operation 
of the control for the remaining period. In making that determination, 
the auditor should evaluate:
     The specific controls tested prior to the ``as 
of'' date and the results of those tests;
     The degree to which evidence about the operating 
effectiveness of those controls was obtained;
     The length of the remaining period; and
     The possibility that there have been any 
significant changes in internal control over financial reporting 
subsequent to the interim date.
    101. For controls over significant nonroutine transactions, 
controls over accounts or processes with a high degree of subjectivity 
or judgment in measurement, or controls over the recording of 
period-end adjustments, the auditor should perform tests of controls 
closer to 
or at the ``as of'' date rather than at an interim date. However, the 
auditor should balance performing the tests of controls closer to the 
``as of'' date with the need to obtain sufficient evidence of operating 
effectiveness.
    102. Prior to the date specified in management's report, management 
might implement changes to the company's controls to make them more 
effective or efficient or to address control deficiencies. In that 
case, the auditor might not need to evaluate controls that have been 
superseded. For example, if the auditor determines that the new 
controls achieve the related objectives of the control criteria and 
have been in effect for a sufficient period to permit the auditor to 
assess their design and operating effectiveness by performing tests of 
controls,\15\ he or she will not need to evaluate the design and 
operating effectiveness of the superseded controls for purposes of 
expressing an opinion on internal control over financial reporting.
---------------------------------------------------------------------------

    \15\ Paragraph 179 provides reporting directions in these 
circumstances when the auditor has not been able to obtain evidence 
that the new controls were appropriately designed or have been 
operating effectively for a sufficient period of time.
---------------------------------------------------------------------------

    103. As discussed in paragraph 207, however, the auditor must 
communicate all identified significant deficiencies and material 
weaknesses in controls to the audit committee in writing. In addition, 
the auditor should evaluate how the design and operating effectiveness 
of the superseded controls relates to the auditor's reliance on 
controls for financial statement audit purposes.
    104. Extent of Tests of Controls. Each year the auditor must obtain 
sufficient evidence about whether the company's internal control over 
financial reporting, 
including the controls for all internal control components, is 
operating effectively. This means that each year the auditor must 
obtain evidence about the effectiveness of controls for all relevant 
assertions related to all significant accounts and disclosures in the 
financial statements. The auditor also should vary from year to year 
the nature, timing, and extent of testing of controls to introduce 
unpredictability into the testing and respond to changes in 
circumstances. For example, each year the auditor might test the 
controls at a different interim period; increase or reduce the number 
and types of tests performed; or change the combination of procedures 
used.
    105. In determining the extent of procedures to perform, the 
auditor should design the procedures to provide a high level of 
assurance that the control being tested is operating effectively. In 
making this determination, the auditor should assess the following 
factors:
     Nature of the control. The auditor should 
subject manual controls to more extensive testing than automated 
controls. In some circumstances, testing a single operation of an 
automated control may be sufficient to obtain a high level of assurance 
that the control operated effectively, provided that information 
technology general controls also are operating effectively. For manual 
controls, sufficient evidence about the operating effectiveness of the 
controls is obtained by evaluating multiple operations of the control 
and the results of each operation. The auditor also should assess the 
complexity of the controls, the significance of the judgments that must 
be made in connection with their operation, and the level of competence 
of the person performing the controls that is necessary for the control 
to operate effectively. As the complexity and level of judgment 
increase or the level of competence of the person performing the 
control decreases, the extent of the auditor's testing should increase.
     Frequency of operation. Generally, the more 
frequently a manual control operates, the more operations of the 
control the auditor should test. For example, for a manual control that 
operates in connection with each transaction, the auditor should test 
multiple operations of the control over a sufficient period of time to 
obtain a high level of assurance that the control operated effectively. 
For controls that operate less frequently, such as monthly account 
reconciliations and controls over the period-end financial reporting 
process, the auditor may test significantly fewer operations of the 
control. However, the auditor's evaluation of each operation of 
controls operating less frequently is likely to be more extensive. For 
example, when evaluating the operation of a monthly exception report, 
the auditor should evaluate whether the judgments made with regard to 
the disposition of the exceptions were appropriate and adequately 
supported.

    Note: When sampling is appropriate and the population of 
controls to be tested is large, increasing the population size does 
not proportionately increase the required sample size.

     Importance of the control. Controls that are 
relatively more important should be tested more extensively. For 
example, some controls may address multiple financial statement 
assertions, and certain period-end detective controls might be 
considered more important than related preventive controls. The auditor 
should test more operations of such controls or, if such controls 
operate infrequently, the auditor should evaluate each operation of the 
control more extensively.
    106. Use of Professional Skepticism when Evaluating the Results of 
Testing. The auditor must conduct the audit of internal control over 
financial reporting and the audit of the financial statements with 
professional skepticism, which is an attitude that includes a 
questioning mind and a critical assessment of audit evidence. For 
example, even though a control is performed by the same employee whom 
the auditor believes performed the control effectively in prior 
periods, the control may not be operating effectively during the 
current period because the employee could have become complacent, 
distracted, or otherwise not be effectively carrying out his or her 
responsibilities. Also, regardless of any past experience with the 
entity or the auditor's beliefs about management's honesty and 
integrity, the auditor should recognize the possibility that a material 
misstatement due to fraud could be present. Furthermore, professional 
skepticism requires the auditor to consider whether evidence obtained 
suggests that a material misstatement due to fraud has occurred. In 
exercising professional skepticism in gathering and evaluating 
evidence, the auditor must not be satisfied with less-than-persuasive 
evidence because of a belief that management is honest.
    107. When the auditor identifies exceptions to the company's 
prescribed control procedures, he or she should determine, using 
professional skepticism, the effect of the exception on the nature and 
extent of additional testing that may be appropriate or necessary and 
on the operating effectiveness of the control being tested. A 
conclusion that an identified exception does not represent a control 
deficiency is appropriate only if evidence beyond what the auditor had 
initially planned and beyond inquiry supports that conclusion.

Using the Work of Others

    108. In all audits of internal control over financial reporting, 
the auditor must perform enough of the testing himself or herself so 
that the auditor's own work provides the principal evidence for the 
auditor's opinion. The auditor may, however, use the work of others to 
alter the nature, timing, or extent of the work he or she otherwise 
would have performed. For these purposes, the work of others includes 
relevant work performed by internal auditors, company personnel (in 
addition to internal auditors), and third parties working under the 
direction of management or the audit committee that provides 
information about the effectiveness of internal control over financial 
reporting.

    Note: Because the amount of work related to obtaining sufficient 
evidence to support an opinion about the effectiveness of controls 
is not susceptible to precise measurement, the auditor's judgment 
about whether he or she has obtained the principal evidence for the 
opinion will be qualitative as well as quantitative. For example, 
the auditor might give more weight to work he or she performed on 
pervasive controls and in areas such as the control environment than 
on other controls, such as controls over low-risk, routine 
transactions.

    109. The auditor should evaluate whether to use the work performed 
by others in the audit of internal control over financial reporting. To 
determine the extent to which the auditor may use the work of others to 
alter the nature, timing, or extent of the work the auditor would have 
otherwise performed, in addition to obtaining the principal evidence 
for his or her opinion, the auditor should:
    a. Evaluate the nature of the controls subjected to the work of 
others (See paragraphs 112 through 116);
    b. Evaluate the competence and objectivity of the individuals who 
performed the work (See paragraphs 117 through 122); and
    c. Test some of the work performed by others to evaluate the 
quality and effectiveness of their work (See paragraphs 123 through 
125).

    Note: AU sec. 322, The Auditor's Consideration of the Internal 
Audit Function in an Audit of Financial Statements, applies to using 
the work of internal auditors in an audit of the financial 
statements. The auditor 
may apply the relevant concepts described in that section to using 
the work of others in the audit of internal control over financial 
reporting.

    110. The auditor must obtain sufficient evidence to support his or 
her opinion. Judgments about the sufficiency of evidence obtained and 
other factors affecting the auditor's opinion, such as the significance 
of identified control deficiencies, should be those of the auditor. 
Evidence obtained through the auditor's direct personal knowledge, 
observation, reperformance, and inspection is generally more persuasive 
than information obtained indirectly from others, such as from internal 
auditors, other company personnel, or third parties working under the 
direction of management.
    111. The requirement that the auditor's own work must provide the 
principal evidence for the auditor's opinion is one of the boundaries 
within which the auditor determines the work he or she must perform 
himself or herself in the audit of internal control over financial 
reporting. Paragraphs 112 through 125 provide more specific and 
definitive direction on how the auditor makes this determination, but 
the directions allow the auditor significant flexibility to use his or 
her judgment to determine the work necessary to obtain the principal 
evidence and to determine when the auditor can use the work of others 
rather than perform the work himself or herself. Regardless of the 
auditor's determination of the work that he or she must perform himself 
or herself, the auditor's responsibility to report on the effectiveness 
of internal control over financial reporting rests solely with the 
auditor; this responsibility cannot be shared with the other 
individuals whose work the auditor uses. Therefore, when the auditor 
uses the work of others, the auditor is responsible for the results of 
their work.
    112. Evaluating the Nature of the Controls Subjected to the Work of 
Others. The auditor should evaluate the following factors when 
evaluating the nature of the controls subjected to the work of others. 
As these factors increase in significance, the need for the auditor to 
perform his or her own work on those controls increases. As these 
factors decrease in significance, the need for the auditor to perform 
his or her own work on those controls decreases.
     The materiality of the accounts and disclosures 
that the control addresses and the risk of material misstatement.
     The degree of judgment required to evaluate the 
operating effectiveness of the control (that is, the degree to which 
the evaluation of the effectiveness of the control requires evaluation 
of subjective factors rather than objective testing).
     The pervasiveness of the control.
     The level of judgment or estimation required in 
the account or disclosure.
     The potential for management override of the 
control.
    113. Because of the nature of the controls in the control 
environment, the auditor should not use the work of others to reduce 
the amount of work he or she performs on controls in the control 
environment. The auditor should, however, consider the results of work 
performed in this area by others because it might indicate the need for 
the auditor to increase his or her work.
    114. The control environment encompasses the following factors:\16\
---------------------------------------------------------------------------

    \16\ See the COSO report and paragraph .110 of AU sec. 319, 
Internal Control in a Financial Statement Audit, for additional 
information about the factors included in the control environment.
---------------------------------------------------------------------------

     Integrity and ethical values;
     Commitment to competence;
     Board of directors or audit committee 
participation;
     Management's philosophy and operating style;
     Organizational structure;
     Assignment of authority and responsibility; and
     Human resource policies and procedures.

    115. Controls that are part of the control environment include, but 
are not limited to, controls specifically established to prevent and 
detect fraud that is at least reasonably possible to result in material 
misstatement of the financial statements.

    Note: The term ``reasonably possible'' has the same meaning as 
in FAS No. 5. See the first note to paragraph 9 for further 
discussion.

    116. The auditor should perform the walkthroughs (as discussed 
beginning at paragraph 79) himself or herself because of the degree of 
judgment required in performing this work. However, to provide 
additional evidence, the auditor may also review the work of others who 
have performed and documented walkthroughs. In evaluating whether his 
or her own evidence provides the principal evidence, the auditor's work 
on the control environment and in performing walkthroughs constitutes 
an important part of the auditor's own work.
    117. Evaluating the Competence and Objectivity of Others. The 
extent to which the auditor may use the work of others depends on the 
degree of competence and objectivity of the individuals performing the 
work. The higher the degree of competence and objectivity, the greater 
use the auditor may make of the work; conversely, the lower the degree 
of competence and objectivity, the less use the auditor may make of the 
work. Further, the auditor should not use the work of individuals who 
have a low degree of objectivity, regardless of their level of 
competence. Likewise, the auditor should not use the work of 
individuals who have a low level of competence regardless of their 
degree of objectivity.
    118. When evaluating the competence and objectivity of the 
individuals performing the tests of controls, the auditor should 
obtain, or update information from prior years, about the factors 
indicated in the following paragraph. The auditor should determine 
whether to test the existence and quality of those factors and, if so, 
the extent to which to test the existence and quality of those factors, 
based on the intended effect of the work of others on the audit of 
internal control over financial reporting.
    119. Factors concerning the competence of the individuals 
performing the tests of controls include:
     Their educational level and professional 
experience.
     Their professional certification and continuing 
education.
     Practices regarding the assignment of 
individuals to work areas.
     Supervision and review of their activities.
     Quality of the documentation of their work, 
including any reports or recommendations issued.
     Evaluation of their performance.
    120. Factors concerning the objectivity of the individuals 
performing the tests of controls include:
     The organizational status of the individuals 
responsible for the work of others (``testing authority'') in testing 
controls, including--
    a. Whether the testing authority reports to an officer of 
sufficient status to ensure sufficient testing coverage and adequate 
consideration of, and action on, the findings and recommendations of 
the individuals performing the testing.
    b. Whether the testing authority has direct access and reports 
regularly to the board of directors or the audit committee.
    c. Whether the board of directors or the audit committee oversees 
employment decisions related to the testing authority.
     Policies to maintain the individuals' 
objectivity about the areas being tested, including--
    a. Policies prohibiting individuals from testing controls in areas 
in which 
relatives are employed in important or internal control-sensitive 
positions.
    b. Policies prohibiting individuals from testing controls in areas 
to which they were recently assigned or are scheduled to be assigned 
upon completion of their controls testing responsibilities.
    121. Internal auditors normally are expected to have greater 
competence with regard to internal control over financial reporting and 
objectivity than other company personnel. Therefore, the auditor may be 
able to use their work to a greater extent than the work of other 
company personnel. This is particularly true in the case of internal 
auditors who follow the International Standards for the Professional 
Practice of Internal Auditing issued by the Institute of Internal 
Auditors. If internal auditors have performed an extensive amount of 
relevant work and the auditor determines they possess a high degree of 
competence and objectivity, the auditor could use their work to the 
greatest extent an auditor could use the work of others. On the other 
hand, if the internal audit function reports solely to management, 
which would reduce internal auditors' objectivity, or if limited 
resources allocated to the internal audit function result in very 
limited testing procedures on its part or reduced competency of the 
internal auditors, the auditor should use their work to a much lesser 
extent and perform more of the testing himself or herself.
    122. When determining how the work of others will alter the nature, 
timing, or extent of the auditor's work, the auditor should assess the 
interrelationship of the nature of the controls, as discussed in 
paragraph 112, and the competence and objectivity of those who 
performed the work, as discussed in paragraphs 117 through 121. As the 
significance of the factors listed in paragraph 112 increases, the 
ability of the auditor to use the work of others decreases at the same 
time that the necessary level of competence and objectivity of those 
who perform the work increases. For example, for some pervasive 
controls, the auditor may determine that using the work of internal 
auditors to a limited degree would be appropriate and that using the 
work of other company personnel would not be appropriate because other 
company personnel do not have a high enough degree of objectivity as it 
relates to the nature of the controls.
    123. Testing the Work of Others. The auditor should test some of 
the work of others to evaluate the quality and effectiveness of the 
work. The auditor's tests of the work of others may be accomplished by 
either (a) testing some of the controls that others tested or (b) 
testing similar controls not actually tested by others.
    124. The nature and extent of these tests depend on the effect of 
the work of others on the auditor's procedures but should be sufficient 
to enable the auditor to make an evaluation of the overall quality and 
effectiveness of the work the auditor is considering. The auditor also 
should assess whether this evaluation has an effect on his or her 
conclusions about the competence and objectivity of the individuals 
performing the work.
    125. In evaluating the quality and effectiveness of the work of 
others, the auditor should evaluate such factors as to whether the:

     Scope of work is appropriate to meet the 
objectives.
     Work programs are adequate.
     Work performed is adequately documented, 
including evidence of supervision and review.
     Conclusions are appropriate in the 
circumstances.
     Reports are consistent with the results of the 
work performed.

    126. The following examples illustrate how to apply the directions 
discussed in this section:
     Controls over the period-end financial reporting 
process. Many of the controls over the period-end financial reporting 
process address significant risks of misstatement of the accounts and 
disclosures in the annual and quarterly financial statements, may 
require significant judgment to evaluate their operating effectiveness, 
may have a higher potential for management override, and may affect 
accounts that require a high level of judgment or estimation. 
Therefore, the auditor could determine that, based on the nature of 
controls over the period-end financial reporting process, he or she 
would need to perform more of the tests of those controls himself or 
herself. Further, because of the nature of the controls, the auditor 
should use the work of others only if the degree of competence and 
objectivity of the individuals performing the work is high; therefore, 
the auditor might use the work of internal auditors to some extent but 
not the work of others within the company.
     Information technology general controls. 
Information technology general controls are part of the control 
activities component of internal control; therefore, the nature of the 
controls might permit the auditor to use the work of others. For 
example, program change controls over routine maintenance changes may 
have a highly pervasive effect, yet involve a low degree of judgment in 
evaluating their operating effectiveness, can be subjected to objective 
testing, and have a low potential for management override. Therefore, 
the auditor could determine that, based on the nature of these program 
change controls, the auditor could use the work of others to a moderate 
extent so long as the degree of competence and objectivity of the 
individuals performing the test is at an appropriate level. On the 
other hand, controls to detect attempts to override controls that 
prevent unauthorized journal entries from being posted may have a 
highly pervasive effect, may involve a high degree of judgment in 
evaluating their operating effectiveness, may involve a subjective 
evaluation, and may have a reasonable possibility for management 
override. Therefore, the auditor could determine that, based on the 
nature of these controls over systems access, he or she would need to 
perform more of the tests of those controls himself or herself. 
Further, because of the nature of the controls, the auditor should use 
the work of others only if the degree of competence and objectivity of 
the individuals performing the tests is high.
     Management self-assessment of controls. As 
described in paragraph 40, management may test the operating 
effectiveness of controls using a self-assessment process. Because such 
an assessment is made by the same personnel who are responsible for 
performing the control, the individuals performing the self-assessment 
do not have sufficient objectivity as it relates to the subject matter. 
Therefore, the auditor should not use their work.
     Controls over the calculation of depreciation of 
fixed assets. Controls over the calculation of depreciation of fixed 
assets are usually not pervasive, involve a low degree of judgment in 
evaluating their operating effectiveness, and can be subjected to 
objective testing. If these conditions describe the controls over the 
calculation of depreciation of fixed assets and if there is a low 
potential for management override, the auditor could determine that, 
based on the nature of these controls, the auditor could use the work 
of others to a large extent (perhaps entirely) so long as the degree of 
competence and objectivity of the individuals performing the test is at 
an appropriate level.
     Alternating tests of controls. Many of the 
controls over accounts payable, including controls over cash 
disbursements, are usually not pervasive, involve a low degree of 
judgment in evaluating their operating 
effectiveness, can be subjected to objective testing, and have a low 
potential for management override. When these conditions describe the 
controls over accounts payable, the auditor could determine that, based 
on the nature of these controls, he or she could use the work of others 
to a large extent (perhaps entirely) so long as the degree of 
competence and objectivity of the individuals performing the test is at 
an appropriate level. However, if the company recently implemented a 
major information technology change that significantly affected 
controls over cash disbursements, the auditor might decide to use the 
work of others to a lesser extent in the audit immediately following 
the information technology change and then return, in subsequent years, 
to using the work of others to a large extent in this area. As another 
example, the auditor might use the work of others for testing controls 
over the depreciation of fixed assets (as described in the point above) 
for several years' audits but decide one year to perform some extent of 
the work himself or herself to gain an understanding of these controls 
beyond that provided by performing a walkthrough.

Forming an Opinion on the Effectiveness of Internal Control Over 
Financial Reporting

    127. When forming an opinion on internal control over financial 
reporting, the auditor should evaluate all evidence obtained from all 
sources, including:
     The adequacy of the assessment performed by 
management and the results of the auditor's evaluation of the design 
and tests of operating effectiveness of controls;
     The negative results of substantive procedures 
performed during the financial statement audit (for example, recorded 
and unrecorded adjustments identified as a result of the performance of 
the auditing procedures); and
     Any identified control deficiencies.
    128. As part of this evaluation, the auditor should review all 
reports issued during the year by internal audit (or similar functions, 
such as loan review in a financial institution) that address controls 
related to internal control over financial reporting and evaluate any 
control deficiencies identified in those reports. This review should 
include reports issued by internal audit as a result of operational 
audits or specific reviews of key processes if those reports address 
controls related to internal control over financial reporting.
    129. Issuing an Unqualified Opinion. The auditor may issue an 
unqualified opinion only when there are no identified material 
weaknesses and when there have been no restrictions on the scope of the 
auditor's work. The existence of a material weakness requires the 
auditor to express an adverse opinion on the effectiveness of internal 
control over financial reporting (See paragraph 175), while a scope 
limitation requires the auditor to express a qualified opinion or a 
disclaimer of opinion, depending on the significance of the limitation 
in scope (See paragraph 178).
    130. Evaluating Deficiencies in Internal Control Over Financial 
Reporting. The auditor must evaluate identified control deficiencies 
and determine whether the deficiencies, individually or in combination, 
are significant deficiencies or material weaknesses. The evaluation of 
the significance of a deficiency should include both quantitative and 
qualitative factors.
    131. The auditor should evaluate the significance of a deficiency 
in internal control over financial reporting initially by determining 
the following:
     The likelihood that a deficiency, or a 
combination of deficiencies, could result in a misstatement of an 
account balance or disclosure; and
     The magnitude of the potential misstatement 
resulting from the deficiency or deficiencies.
    132. The significance of a deficiency in internal control over 
financial reporting depends on the potential for a misstatement, not on 
whether a misstatement actually has occurred.
    133. Several factors affect the likelihood that a deficiency, or a 
combination of deficiencies, could result in a misstatement of an 
account balance or disclosure. The factors include, but are not limited 
to, the following:
     The nature of the financial statement accounts, 
disclosures, and assertions involved; for example, suspense accounts 
and related party transactions involve greater risk.
     The susceptibility of the related assets or 
liability to loss or fraud; that is, greater susceptibility increases 
risk.
     The subjectivity, complexity, or extent of 
judgment required to determine the amount involved; that is, greater 
subjectivity, complexity, or judgment, like that related to an 
accounting estimate, increases risk.
     The cause and frequency of known or detected 
exceptions for the operating effectiveness of a control; for example, a 
control with an observed non-negligible deviation rate is a deficiency.
     The interaction or relationship of the control 
with other controls; that is, the interdependence or redundancy of the 
control.
     The interaction of the deficiencies; for 
example, when evaluating a combination of two or more deficiencies, 
whether the deficiencies could affect the same financial statement 
accounts and assertions.
     The possible future consequences of the 
deficiency.
    134. When evaluating the likelihood that a deficiency or 
combination of deficiencies could result in a misstatement, the auditor 
should evaluate how the controls interact with other controls. There 
are controls, such as information technology general controls, on which 
other controls depend. Some controls function together as a group of 
controls. Other controls overlap, in the sense that these other 
controls achieve the same objective.
    135. Several factors affect the magnitude of the misstatement that 
could result from a deficiency or deficiencies in controls. The factors 
include, but are not limited to, the following:
     The financial statement amounts or total of 
transactions exposed to the deficiency.
     The volume of activity in the account balance or 
class of transactions exposed to the deficiency that has occurred in 
the current period or that is expected in future periods.
    136. In evaluating the magnitude of the potential misstatement, the 
auditor should recognize that the maximum amount that an account 
balance or total of transactions can be overstated is generally the 
recorded amount. However, the recorded amount is not a limitation on 
the amount of potential understatement. The auditor also should 
recognize that the risk of misstatement might be different for the 
maximum possible misstatement than for lesser possible amounts.
    137. When evaluating the significance of a deficiency in internal 
control over financial reporting, the auditor also should determine the 
level of detail and degree of assurance that would satisfy prudent 
officials in the conduct of their own affairs that they have reasonable 
assurance that transactions are recorded as necessary to permit the 
preparation of financial statements in conformity with generally 
accepted accounting principles. If the auditor determines that the 
deficiency would prevent prudent officials in the conduct of their own 
affairs from concluding that they have reasonable assurance,\17\ then 
the auditor 
should deem the deficiency to be at least a significant deficiency. 
Having determined in this manner that a deficiency represents a 
significant deficiency, the auditor must further evaluate the 
deficiency to determine whether individually, or in combination with 
other deficiencies, the deficiency is a material weakness.
---------------------------------------------------------------------------

    \17\ See SEC Staff Accounting Bulletin Topic 1M2, Immaterial 
Misstatements That Are Intentional, for further discussion about the 
level of detail and degree of assurance that would satisfy prudent 
officials in the conduct of their own affairs.
---------------------------------------------------------------------------

    Note: Paragraphs 9 and 10 provide the definitions of significant 
deficiency and material weakness, respectively.

    138. Inadequate documentation of the design of controls and the 
absence of sufficient documented evidence to support management's 
assessment of the operating effectiveness of internal control over 
financial reporting are control deficiencies. As with other control 
deficiencies, the auditor should evaluate these deficiencies as to 
their significance.
    139. The interaction of qualitative considerations that affect 
internal control over financial reporting with quantitative 
considerations ordinarily results in deficiencies in the following 
areas being at least significant deficiencies in internal control over 
financial reporting:
     Controls over the selection and application of 
accounting policies that are in conformity with generally accepted 
accounting principles;
     Antifraud programs and controls;
     Controls over non-routine and non-systematic 
transactions; and
     Controls over the period-end financial reporting 
process, including controls over procedures used to enter transaction 
totals into the general ledger; initiate, authorize, record, and 
process journal entries into the general ledger; and record recurring 
and nonrecurring adjustments to the financial statements.
    140. Each of the following circumstances should be regarded as at 
least a significant deficiency and as a strong indicator that a 
material weakness in internal control over financial reporting exists:
     Restatement of previously issued financial 
statements to reflect the correction of a misstatement.

    Note: The correction of a misstatement includes misstatements 
due to error or fraud; it does not include restatements to reflect a 
change in accounting principle to comply with a new accounting 
principle or a voluntary change from one generally accepted 
accounting principle to another generally accepted accounting 
principle.

     Identification by the auditor of a material 
misstatement in financial statements in the current period that was not 
initially identified by the company's internal control over financial 
reporting. (This is a strong indicator of a material weakness even if 
management subsequently corrects the misstatement.)
     Oversight of the company's external financial 
reporting and internal control over financial reporting by the 
company's audit committee is ineffective. (Paragraphs 55 through 59 
present factors to evaluate when determining whether the audit 
committee is ineffective.)
     The internal audit function or the risk 
assessment function is ineffective at a company for which such a 
function needs to be effective for the company to have an effective 
monitoring or risk assessment component, such as for very large or 
highly complex companies.

    Note: The evaluation of the internal audit or risk assessment 
functions is similar to the evaluation of the audit committee, as 
described in paragraphs 55 through 59, that is, the evaluation is 
made within the context of the monitoring and risk assessment 
components. The auditor is not required to make a separate 
evaluation of the effectiveness and performance of these functions. 
Instead, the auditor should base his or her evaluation on evidence 
obtained as part of evaluating the monitoring and risk assessment 
components of internal control over financial reporting.

     For complex entities in highly regulated 
industries, an ineffective regulatory compliance function. This relates 
solely to those aspects of the ineffective regulatory compliance 
function in which associated violations of laws and regulations could 
have a material effect on the reliability of financial reporting.
     Identification of fraud of any magnitude on the 
part of senior management.

    Note: The auditor is required to plan and perform procedures to 
obtain reasonable assurance that material misstatement caused by 
fraud is detected by the auditor. However, for the purposes of 
evaluating and reporting deficiencies in internal control over 
financial reporting, the auditor should evaluate fraud of any 
magnitude (including fraud resulting in immaterial misstatements) on 
the part of senior management of which he or she is aware. 
Furthermore, for the purposes of this circumstance, ``senior 
management'' includes the principal executive and financial officers 
signing the company's certifications as required under Section 302 
of the Act as well as any other members of management who play a 
significant role in the company's financial reporting process.

     Significant deficiencies that have been 
communicated to management and the audit committee remain uncorrected 
after some reasonable period of time.
     An ineffective control environment.
    141. Appendix D provides examples of significant deficiencies and 
material weaknesses.

Requirement for Written Representations

    142. In an audit of internal control over financial reporting, the 
auditor should obtain written representations from management:
    a. Acknowledging management's responsibility for establishing and 
maintaining effective internal control over financial reporting;
    b. Stating that management has performed an assessment of the 
effectiveness of the company's internal control over financial 
reporting and specifying the control criteria;
    c. Stating that management did not use the auditor's procedures 
performed during the audits of internal control over financial 
reporting or the financial statements as part of the basis for 
management's assessment of the effectiveness of internal control over 
financial reporting;
    d. Stating management's conclusion about the effectiveness of the 
company's internal control over financial reporting based on the 
control criteria as of a specified date;
    e. Stating that management has disclosed to the auditor all 
deficiencies in the design or operation of internal control over 
financial reporting identified as part of management's assessment, 
including separately disclosing to the auditor all such deficiencies 
that it believes to be significant deficiencies or material weaknesses 
in internal control over financial reporting;
    f. Describing any material fraud and any other fraud that, although 
not material, involves senior management or management or other 
employees who have a significant role in the company's internal control 
over financial reporting;
    g. Stating whether control deficiencies identified and communicated 
to the audit committee during previous engagements pursuant to 
paragraph 207 have been resolved, and specifically identifying any that 
have not; and
    h. Stating whether there were, subsequent to the date being 
reported on, any changes in internal control over financial reporting 
or other factors that might significantly affect internal control over 
financial reporting, including any corrective actions taken by 
management with regard to significant deficiencies and material 
weaknesses.
    143. The failure to obtain written representations from management, 
including management's refusal to furnish them, constitutes a 
limitation on the scope of the audit sufficient to preclude an 
unqualified opinion. As discussed further in paragraph 178, when 
management limits the scope of the audit, the auditor should 
either withdraw from the engagement or disclaim an opinion. Further, 
the auditor should evaluate the effects of management's refusal on his 
or her ability to rely on other representations, including, if 
applicable, representations obtained in an audit of the company's 
financial statements.
    144. AU sec. 333, Management Representations, explains matters such 
as who should sign the letter, the period to be covered by the letter, 
and when to obtain an updating letter.

Relationship of an Audit of Internal Control over Financial Reporting 
to an Audit of Financial Statements

    145. The audit of internal control over financial reporting should 
be integrated with the audit of the financial statements. The 
objectives of the procedures for the audits are not identical, however, 
and the auditor must plan and perform the work to achieve the 
objectives of both audits.
    146. The understanding of internal control over financial reporting 
the auditor obtains and the procedures the auditor performs for 
purposes of expressing an opinion on management's assessment are 
interrelated with the internal control over financial reporting 
understanding the auditor obtains and the procedures the auditor performs 
to assess control risk for purposes of expressing an opinion on the 
financial statements. As a result, it is efficient for the auditor to 
coordinate obtaining the understanding and performing the procedures.

Tests of Controls in an Audit of Internal Control Over Financial 
Reporting

    147. The objective of the tests of controls in an audit of internal 
control over financial reporting is to obtain evidence about the 
effectiveness of controls to support the auditor's opinion on whether 
management's assessment of the effectiveness of the company's internal 
control over financial reporting is fairly stated. The auditor's 
opinion relates to the effectiveness of the company's internal control 
over financial reporting as of a point in time and taken as a whole.
    148. To express an opinion on internal control over financial 
reporting effectiveness as of a point in time, the auditor should 
obtain evidence that internal control over financial reporting has 
operated effectively for a sufficient period of time, which may be less 
than the entire period (ordinarily one year) covered by the company's 
financial statements. To express an opinion on internal control over 
financial reporting effectiveness taken as a whole, the auditor must 
obtain evidence about the effectiveness of controls over all relevant 
assertions related to all significant accounts and disclosures in the 
financial statements. This requires that the auditor test the design 
and operating effectiveness of controls he or she ordinarily would not 
test if expressing an opinion only on the financial statements.
    149. When concluding on the effectiveness of internal control over 
financial reporting for purposes of expressing an opinion on 
management's assessment, the auditor should incorporate the results of 
any additional tests of controls performed to achieve the objective 
related to expressing an opinion on the financial statements, as 
discussed in the following section.

Tests of Controls in an Audit of Financial Statements

    150. To express an opinion on the financial statements, the auditor 
ordinarily performs tests of controls and substantive procedures. The 
objective of the tests of controls the auditor performs for this 
purpose is to assess control risk. To assess control risk for specific 
financial statement assertions at less than the maximum, the auditor is 
required to obtain evidence that the relevant controls operated 
effectively during the entire period upon which the auditor plans to 
place reliance on those controls. However, the auditor is not required 
to assess control risk at less than the maximum for all relevant 
assertions and, for a variety of reasons, the auditor may choose not to 
do so.\18\
---------------------------------------------------------------------------

    \18\ See paragraph 160 for additional documentation requirements 
when the auditor assesses control risk as other than low.
---------------------------------------------------------------------------

    151. When concluding on the effectiveness of controls for the 
purpose of assessing control risk, the auditor also should evaluate the 
results of any additional tests of controls performed to achieve the 
objective related to expressing an opinion on management's assessment, 
as discussed in paragraphs 147 through 149. Consideration of these 
results may require the auditor to alter the nature, timing, and extent 
of substantive procedures and to plan and perform further tests of 
controls, particularly in response to identified control deficiencies.

Effect of Tests of Controls on Substantive Procedures

    152. Regardless of the assessed level of control risk or the 
assessed risk of material misstatement in connection with the audit of 
the financial statements, the auditor should perform substantive 
procedures for all relevant assertions related to all significant 
accounts and disclosures. Performing procedures to express an opinion 
on internal control over financial reporting does not diminish this 
requirement.
    153. The substantive procedures that the auditor should perform 
consist of tests of details of transactions and balances and analytical 
procedures. Before using the results obtained from substantive 
analytical procedures, the auditor should either test the design and 
operating effectiveness of controls over financial information used in 
the substantive analytical procedures or perform other procedures to 
support the completeness and accuracy of the underlying information. 
For significant risks of material misstatement, it is unlikely that 
audit evidence obtained from substantive analytical procedures alone 
will be sufficient.
    154. When designing substantive analytical procedures, the auditor 
also should evaluate the risk of management override of controls. As 
part of this process, the auditor should evaluate whether such an 
override might have allowed adjustments outside of the normal 
period-end financial reporting process to have been made to the financial 
statements. Such adjustments might have resulted in artificial changes 
to the financial statement relationships being analyzed, causing the 
auditor to draw erroneous conclusions. For this reason, substantive 
analytical procedures alone are not well suited to detecting fraud.
    155. The auditor's substantive procedures must include reconciling 
the financial statements to the accounting records. The auditor's 
substantive procedures also should include examining material 
adjustments made during the course of preparing the financial 
statements. Also, other auditing standards require auditors to perform 
specific tests of details in the financial statement audit. For 
instance, AU sec. 316, Consideration of Fraud in a Financial Statement 
Audit, requires the auditor to perform certain tests of details to 
further address the risk of management override, whether or not a 
specific risk of fraud has been identified. Paragraph .34 of AU sec. 
330, The Confirmation Process, states that there is a presumption that 
the auditor will request the confirmation of accounts receivable. 
Similarly, paragraph .01 of AU sec. 331, Inventories, states that 
observation of inventories is a generally accepted auditing procedure 
and that the auditor who issues an opinion without this procedure ``has 
the burden of justifying the opinion expressed.''

    156. If, during the audit of internal control over financial 
reporting, the auditor identifies a control deficiency, he or she 
should determine the effect on the nature, timing, and extent of 
substantive procedures to be performed to reduce the risk of material 
misstatement of the financial statements to an appropriately low level.

Effect of Substantive Procedures on the Auditor's Conclusions About the 
Operating Effectiveness of Controls

    157. In an audit of internal control over financial reporting, the 
auditor should evaluate the effect of the findings of all substantive 
auditing procedures performed in the audit of financial statements on 
the effectiveness of internal control over financial reporting. This 
evaluation should include, but not be limited to:
     The auditor's risk evaluations in connection 
with the selection and application of substantive procedures, 
especially those related to fraud (See paragraph 26);
     Findings with respect to illegal acts and 
related party transactions;
     Indications of management bias in making 
accounting estimates and in selecting accounting principles; and
     Misstatements detected by substantive 
procedures. The extent of such misstatements might alter the auditor's 
judgment about the effectiveness of controls.
    158. However, the absence of misstatements detected by substantive 
procedures does not provide evidence that controls related to the 
assertion being tested are effective.

Documentation Requirements

    159. In addition to the documentation requirements in AU sec. 339, 
Audit Documentation, the auditor should document:
     The understanding obtained and the evaluation of 
the design of each of the five components of the company's internal 
control over financial reporting;
     The process used to determine significant 
accounts and disclosures and major classes of transactions, including 
the determination of the locations of business units at which to 
perform testing;
     The identification of the points at which 
misstatements related to relevant financial statement assertions could 
occur within significant accounts and disclosures and major classes of 
transactions;
     The extent to which the auditor relied upon work 
performed by others as well as the auditor's assessment of their 
competence and objectivity;
     The evaluation of any deficiencies noted as a 
result of the auditor's testing; and
     Other findings that could result in a 
modification to the auditor's report.
    160. For a company that has effective internal control over 
financial reporting, the auditor ordinarily will be able to perform 
sufficient testing of controls to be able to assess control risk for 
all relevant assertions related to significant accounts and disclosures 
at a low level. If, however, the auditor assesses control risk as other 
than low for certain assertions or significant accounts, the auditor 
should document the reasons for that conclusion. Examples of when it is 
appropriate to assess control risk as other than low include:
     When a control over a relevant assertion related 
to a significant account or disclosure was superseded late in the year 
and only the new control was tested for operating effectiveness.
     When a material weakness existed during the 
period under audit and was corrected by the end of the period.
    161. The auditor also should document the effect of a conclusion 
that control risk is other than low for any relevant assertions related 
to any significant accounts in connection with the audit of the 
financial statements on his or her opinion on the audit of internal 
control over financial reporting.

Reporting on Internal Control Over Financial Reporting

Management's Report

    162. Management is required to include in its annual report its 
assessment of the effectiveness of the company's internal control over 
financial reporting in addition to its audited financial statements as 
of the end of the most recent fiscal year. Management's report on 
internal control over financial reporting is required to include the 
following:\19\
---------------------------------------------------------------------------

    \19\ See Item 308(a) of Regulation S-B and S-K, 17 CFR 
228.308(a) and 17 CFR 229.308(a), respectively.
---------------------------------------------------------------------------

     A statement of management's responsibility for 
establishing and maintaining adequate internal control over financial 
reporting for the company;
     A statement identifying the framework used by 
management to conduct the required assessment of the effectiveness of 
the company's internal control over financial reporting;
     An assessment of the effectiveness of the 
company's internal control over financial reporting as of the end of 
the company's most recent fiscal year, including an explicit statement 
as to whether that internal control over financial reporting is 
effective; and
     A statement that the registered public 
accounting firm that audited the financial statements included in the 
annual report has issued an attestation report on management's 
assessment of the company's internal control over financial reporting.
    163. Management should provide, both in its report on internal 
control over financial reporting and in its representation letter to 
the auditor, a written conclusion about the effectiveness of the 
company's internal control over financial reporting. The conclusion 
about the effectiveness of a company's internal control over financial 
reporting can take many forms; however, management is required to state 
a direct conclusion about whether the company's internal control over 
financial reporting is effective. This standard, for example, includes 
the phrase ``management's assessment that W Company maintained 
effective internal control over financial reporting as of [date]'' to 
illustrate such a conclusion. Other phrases, such as ``management's 
assessment that W Company's internal control over financial reporting 
as of [date] is sufficient to meet the stated objectives,'' also might 
be used. However, the conclusion should not be so subjective (for 
example, ``very effective internal control'') that people having 
competence in and using the same or similar criteria would not 
ordinarily be able to arrive at similar conclusions.
    164. Management is precluded from concluding that the company's 
internal control over financial reporting is effective if there are one 
or more material weaknesses.\20\ In addition, management is required to 
disclose all material weaknesses that exist as of the end of the most 
recent fiscal year.
---------------------------------------------------------------------------

    \20\ See Item 308(a)(3) of Regulation S-B and S-K, 17 CFR 
228.308(a) and 17 CFR 229.308(a), respectively.
---------------------------------------------------------------------------

    165. Management might be able to accurately represent that internal 
control over financial reporting, as of the end of the company's most 
recent fiscal year, is effective even if one or more material 
weaknesses existed during the period. To make this representation, 
management must have changed the internal control over financial 
reporting to eliminate the material weaknesses sufficiently in advance 
of the ``as of'' date and have satisfactorily tested the effectiveness 
over a period of time that is adequate for it to determine whether, as 
of the end of the fiscal year, the design and operation of internal 
control over financial reporting is 
effective.\21\
---------------------------------------------------------------------------

    \21\ However, when the reason for a change in internal control 
over financial reporting is the correction of a material weakness, 
management and the auditor should evaluate whether the reason for 
the change and the circumstances surrounding the change are material 
information necessary to make the disclosure about the change not 
misleading in a filing subject to certification under Securities 
Exchange Act Rule 13a-14(a) or 15d-14(a), 17 CFR 240.13a-14(a) or 17 
CFR 240.15d-14(a). See discussion beginning at paragraph 200 for 
further direction.
---------------------------------------------------------------------------

Auditor's Evaluation of Management's Report

    166. With respect to management's report on its assessment, the 
auditor should evaluate the following matters:
    a. Whether management has properly stated its responsibility for 
establishing and maintaining adequate internal control over financial 
reporting.
    b. Whether the framework used by management to conduct the 
evaluation is suitable. (As discussed in paragraph 14, the framework 
described in COSO constitutes a suitable and available framework.)
    c. Whether management's assessment of the effectiveness of internal 
control over financial reporting, as of the end of the company's most 
recent fiscal year, is free of material misstatement.
    d. Whether management has expressed its assessment in an acceptable 
form.

--Management is required to state whether the company's internal 
control over financial reporting is effective.
--A negative assurance statement indicating that, ``Nothing has come to 
management's attention to suggest that the company's internal control 
over financial reporting is not effective,'' is not acceptable.
--Management is not permitted to conclude that the company's internal 
control over financial reporting is effective if there are one or more 
material weaknesses in the company's internal control over financial 
reporting.

    e. Whether material weaknesses identified in the company's internal 
control over financial reporting, if any, have been properly disclosed, 
including material weaknesses corrected during the period.\22\
---------------------------------------------------------------------------

    \22\ See paragraph 206 for direction when a material weakness 
was corrected during the fourth quarter and the auditor believes 
that modification to the disclosures about changes in internal 
control over financial reporting is necessary for the annual 
certifications to be accurate and to comply with the requirements of 
Section 302 of the Act.
---------------------------------------------------------------------------

Auditor's Report on Management's Assessment of Internal Control Over 
Financial Reporting

    167. The auditor's report on management's assessment of the 
effectiveness of internal control over financial reporting must include 
the following elements:
    a. A title that includes the word independent;
    b. An identification of management's conclusion about the 
effectiveness of the company's internal control over financial 
reporting as of a specified date based on the control criteria [for 
example, criteria established in Internal Control-Integrated Framework 
issued by the Committee of Sponsoring Organizations of the Treadway 
Commission (COSO)];
    c. An identification of the title of the management report that 
includes management's assessment (the auditor should use the same 
description of the company's internal control over financial reporting 
as management uses in its report);
    d. A statement that the assessment is the responsibility of 
management;
    e. A statement that the auditor's responsibility is to express an 
opinion on the assessment and an opinion on the company's internal 
control over financial reporting based on his or her audit;
    f. A definition of internal control over financial reporting as 
stated in paragraph 7;
    g. A statement that the audit was conducted in accordance with the 
standards of the Public Company Accounting Oversight Board (United 
States);
    h. A statement that the standards of the Public Company Accounting 
Oversight Board require that the auditor plan and perform the audit to 
obtain reasonable assurance about whether effective internal control 
over financial reporting was maintained in all material respects;
    i. A statement that an audit includes obtaining an understanding of 
internal control over financial reporting, evaluating management's 
assessment, testing and evaluating the design and operating 
effectiveness of internal control, and performing such other procedures 
as the auditor considered necessary in the circumstances;
    j. A statement that the auditor believes the audit provides a 
reasonable basis for his or her opinions;
    k. A paragraph stating that, because of inherent limitations, 
internal control over financial reporting may not prevent or detect 
misstatements and that projections of any evaluation of effectiveness 
to future periods are subject to the risk that controls may become 
inadequate because of changes in conditions, or that the degree of 
compliance with the policies or procedures may deteriorate;
    l. The auditor's opinion on whether management's assessment of the 
effectiveness of the company's internal control over financial 
reporting as of the specified date is fairly stated, in all material 
respects, based on the control criteria (See discussion beginning at 
paragraph 162);
    m. The auditor's opinion on whether the company maintained, in all 
material respects, effective internal control over financial reporting 
as of the specified date, based on the control criteria;
    n. The manual or printed signature of the auditor's firm;
    o. The city and state (or city and country, in the case of non-U.S. 
auditors) from which the auditor's report has been issued; and
    p. The date of the audit report.
    168. Example A-1 in Appendix A is an illustrative auditor's report 
for an unqualified opinion on management's assessment of the 
effectiveness of the company's internal control over financial 
reporting and an unqualified opinion on the effectiveness of the 
company's internal control over financial reporting.
    169. Separate or Combined Reports. The auditor may choose to issue 
a combined report (that is, one report containing both an opinion on 
the financial statements and the opinions on internal control over 
financial reporting) or separate reports on the company's financial 
statements and on internal control over financial reporting. Example 
A-7 in Appendix A is an illustrative combined audit report on internal 
control over financial reporting. Appendix A also includes examples of 
separate reports on internal control over financial reporting.
    170. If the auditor chooses to issue a separate report on internal 
control over financial reporting, he or she should add the following 
paragraph to the auditor's report on the financial statements:
    We also have audited, in accordance with the standards of the 
Public Company Accounting Oversight Board (United States), the 
effectiveness of W Company's internal control over financial reporting 
as of December 31, 20X3, based on [identify control criteria] and our 
report dated [date of report, which should be the same as the date of 
the report on the financial statements] expressed [include nature of 
opinions].


and add the following paragraph to the report on internal control over 
financial reporting:
    We have also audited, in accordance with the standards of the 
Public Company Accounting Oversight Board (United States), the 
[identify financial statements] of W Company and our report dated [date 
of report, which should be the same as the date of the report on the 
effectiveness of internal control over financial reporting] expressed 
[include nature of opinion].
    171. Report Date. As stated previously, the auditor cannot audit 
internal control over financial reporting without also auditing the 
financial statements. Therefore, the reports should be dated the same.
    172. When the auditor elects to issue a combined report on the 
audit of the financial statements and the audit of internal control 
over financial reporting, the audit opinion will address multiple 
reporting periods for the financial statements presented but only the 
end of the most recent fiscal year for the effectiveness of internal 
control over financial reporting and management's assessment of the 
effectiveness of internal control over financial reporting. See a 
combined report in Example A-7 in Appendix A.
    173. Report Modifications. The auditor should modify the standard 
report if any of the following conditions exist.
    a. Management's assessment is inadequate or management's report is 
inappropriate. (See paragraph 174.)
    b. There is a material weakness in the company's internal control 
over financial reporting. (See paragraphs 175 through 177.)
    c. There is a restriction on the scope of the engagement. (See 
paragraphs 178 through 181.)
    d. The auditor decides to refer to the report of other auditors as 
the basis, in part, for the auditor's own report. (See paragraphs 182 
through 185.)
    e. A significant subsequent event has occurred since the date being 
reported on. (See paragraphs 186 through 189.)
    f. There is other information contained in management's report on 
internal control over financial reporting. (See paragraphs 190 through 
192.)
    174. Management's Assessment Inadequate or Report Inappropriate. If 
the auditor determines that management's process for assessing internal 
control over financial reporting is inadequate, the auditor should 
modify his or her opinion for a scope limitation (discussed further 
beginning at paragraph 178). If the auditor determines that 
management's report is inappropriate, the auditor should modify his or 
her report to include, at a minimum, an explanatory paragraph 
describing the reasons for this conclusion.
    175. Material Weaknesses. Paragraphs 130 through 141 describe 
significant deficiencies and material weaknesses. If there are 
significant deficiencies that, individually or in combination, result 
in one or more material weaknesses, management is precluded from 
concluding that internal control over financial reporting is effective. 
In these circumstances, the auditor must express an adverse opinion on 
the company's internal control over financial reporting.
    176. When expressing an adverse opinion on the effectiveness of 
internal control over financial reporting because of a material 
weakness, the auditor's report must include:
     The definition of a material weakness, as 
provided in paragraph 10.
     A statement that a material weakness has been 
identified and included in management's assessment. (If the material 
weakness has not been included in management's assessment, this 
sentence should be modified to state that the material weakness has 
been identified but not included in management's assessment. In this 
case, the auditor also is required to communicate in writing to the 
audit committee that the material weakness was not disclosed or 
identified as a material weakness in management's report.)
     A description of any material weaknesses 
identified in a company's internal control over financial reporting. 
This description should provide the users of the audit report with 
specific information about the nature of any material weakness, and its 
actual and potential effect on the presentation of the company's 
financial statements issued during the existence of the weakness. This 
description also should address requirements described in paragraph 
194.
    177. Depending on the circumstances, the auditor may express both 
an unqualified opinion and an other-than-unqualified opinion within the 
same report on internal control over financial reporting. For example, 
if management makes an adverse assessment because a material weakness 
has been identified and not corrected (``* * * internal control over 
financial reporting is not effective * * *''), the auditor would 
express an unqualified opinion on management's assessment (``* * * 
management's assessment that internal control over financial reporting 
is not effective is fairly stated, in all material respects * * *''). 
At the same time, the auditor would express an adverse opinion about 
the effectiveness of internal control over financial reporting (``In 
our opinion, because of the effect of the material weakness described * 
* *, the company's internal control over financial reporting is not 
effective.''). Example A-2 in Appendix A illustrates the form of the 
report that is appropriate in this situation. Example A-6 in Appendix A 
illustrates a report that reflects disagreement between management and 
the auditor that a material weakness exists.
    178. Scope Limitations. The auditor can express an unqualified 
opinion on management's assessment of internal control over financial 
reporting and an unqualified opinion on the effectiveness of internal 
control over financial reporting only if the auditor has been able to 
apply all the procedures necessary in the circumstances. If there are 
restrictions on the scope of the engagement imposed by the 
circumstances, the auditor should withdraw from the engagement, 
disclaim an opinion, or express a qualified opinion. The auditor's 
decision depends on his or her assessment of the importance of the 
omitted procedure(s) to his or her ability to form an opinion on 
management's assessment of internal control over financial reporting 
and an opinion on the effectiveness of the company's internal control 
over financial reporting. However, when the restrictions are imposed by 
management, the auditor should withdraw from the engagement or disclaim 
an opinion on management's assessment of internal control over 
financial reporting and the effectiveness of internal control over 
financial reporting.
    179. For example, management might have identified a material 
weakness in its internal control over financial reporting prior to the 
date specified in its report and implemented controls to correct it. If 
management believes that the new controls have been operating for a 
sufficient period of time to determine that they are both effectively 
designed and operating, management would be able to include in its 
assessment its conclusion that internal control over financial 
reporting is effective as of the date specified. However, if the 
auditor disagrees with the sufficiency of the time period, he or she 
would be unable to obtain sufficient evidence that the new controls 
have been operating effectively for a sufficient period. In that case, 
the auditor should modify the opinion on the effectiveness of internal 
control over financial reporting and the opinion on management's 
assessment of internal

[[Page 20694]]

control over financial reporting because of a scope limitation.
    180. When the auditor plans to disclaim an opinion and the limited 
procedures performed by the auditor caused the auditor to conclude that 
a material weakness exists, the auditor's report should include:
     The definition of a material weakness, as 
provided in paragraph 10.
     A description of any material weaknesses 
identified in the company's internal control over financial reporting. 
This description should provide the users of the audit report with 
specific information about the nature of any material weakness, and its 
actual and potential effect on the presentation of the company's 
financial statements issued during the existence of the weakness. This 
description also should address the requirements in paragraph 194.
    181. Example A-3 in Appendix A illustrates the form of report when 
there is a limitation on the scope of the audit causing the auditor to 
issue qualified opinions. Example A-4 illustrates the form of report 
when restrictions on the scope of the audit cause the auditor to 
disclaim opinions.
    182. Opinions Based, in Part, on the Report of Another Auditor. 
When another auditor has audited the financial statements and internal 
control over financial reporting of one or more subsidiaries, 
divisions, branches, or components of the company, the auditor should 
determine whether he or she may serve as the principal auditor and use 
the work and reports of another auditor as a basis, in part, for his or 
her opinions. AU sec. 543, Part of Audit Performed by Other Independent 
Auditors, provides direction on the auditor's decision of whether to 
serve as the principal auditor of the financial statements. If the 
auditor decides it is appropriate to serve as the principal auditor of 
the financial statements, then that auditor also should be the 
principal auditor of the company's internal control over financial 
reporting. This relationship results from the requirement that an audit 
of the financial statements must be performed to audit internal control 
over financial reporting; only the principal auditor of the financial 
statements can be the principal auditor of internal control over 
financial reporting. In this circumstance, the principal auditor of the 
financial statements needs to participate sufficiently in the audit of 
internal control over financial reporting to provide a basis for 
serving as the principal auditor of internal control over financial 
reporting.
    183. When serving as the principal auditor of internal control over 
financial reporting, the auditor should decide whether to make 
reference in the report on internal control over financial reporting to 
the audit of internal control over financial reporting performed by the 
other auditor. In these circumstances, the auditor's decision is based 
on factors similar to those of the independent auditor who uses the 
work and reports of other independent auditors when reporting on a 
company's financial statements as described in AU sec. 543.
    184. The decision about whether to make reference to another 
auditor in the report on the audit of internal control over financial 
reporting might differ from the corresponding decision as it relates to 
the audit of the financial statements. For example, the audit report on 
the financial statements may make reference to the audit of a 
significant equity investment performed by another independent auditor, 
but the report on internal control over financial reporting might not 
make a similar reference because management's evaluation of internal 
control over financial reporting ordinarily would not extend to 
controls at the equity method investee.\23\
---------------------------------------------------------------------------

    \23\ See Appendix B, paragraph B15, for further discussion of 
the evaluation of the controls over financial reporting for an 
equity method investment.
---------------------------------------------------------------------------

    185. When the auditor decides to make reference to the report of 
the other auditor as a basis, in part, for his or her opinions, the 
auditor should refer to the report of the other auditor when describing 
the scope of the audit and when expressing the opinions.
    186. Subsequent Events. Changes in internal control over financial 
reporting or other factors that might significantly affect internal 
control over financial reporting might occur subsequent to the date as 
of which internal control over financial reporting is being audited but 
before the date of the auditor's report. The auditor should inquire of 
management whether there were any such changes or factors. As described 
in paragraph 142, the auditor should obtain written representations 
from management relating to such matters. Additionally, to obtain 
information about whether changes have occurred that might affect the 
effectiveness of the company's internal control over financial 
reporting and, therefore, the auditor's report, the auditor should 
inquire about and examine, for this subsequent period, the following:
     Relevant internal audit reports (or similar 
functions, such as loan review in a financial institution) issued 
during the subsequent period;
     Independent auditor reports (if other than the 
auditor's) of significant deficiencies or material weaknesses;
     Regulatory agency reports on the company's 
internal control over financial reporting; and
     Information about the effectiveness of the 
company's internal control over financial reporting obtained through 
other engagements.
    187. The auditor could inquire about and examine other documents 
for the subsequent period. Paragraphs .01 through .09 of AU sec. 560, 
Subsequent Events, provide direction on subsequent events for a 
financial statement audit that also may be helpful to the auditor 
performing an audit of internal control over financial reporting.
    188. If the auditor obtains knowledge about subsequent events that 
materially and adversely affect the effectiveness of the company's 
internal control over financial reporting as of the date specified in 
the assessment, the auditor should issue an adverse opinion on the 
effectiveness of internal control over financial reporting (and issue 
an adverse opinion on management's assessment of internal control over 
financial reporting if management's report does not appropriately 
assess the effect of the subsequent event). If the auditor is unable to 
determine the effect of the subsequent event on the effectiveness of 
the company's internal control over financial reporting, the auditor 
should disclaim opinions. As described in paragraph 190, the auditor 
should disclaim an opinion on management's disclosures about corrective 
actions taken by the company after the date of management's assessment, 
if any.
    189. The auditor may obtain knowledge about subsequent events with 
respect to conditions that did not exist at the date specified in the 
assessment but arose subsequent to that date. If a subsequent event of 
this type has a material effect on the company, the auditor should 
include in his or her report an explanatory paragraph describing the 
event and its effects or directing the reader's attention to the event 
and its effects as disclosed in management's report. Management's 
consideration of such events to be disclosed in its report should be 
limited to a change that has materially affected, or is reasonably 
likely to materially affect, the company's internal control over 
financial reporting.
    190. Management's Report Containing Additional Information. 
Management's report on internal control over financial reporting may 
contain information in addition to management's assessment of

[[Page 20695]]

the effectiveness of its internal control over financial reporting. 
Such information might include, for example:
     Disclosures about corrective actions taken by 
the company after the date of management's assessment;
     The company's plans to implement new controls; 
and
     A statement that management believes the cost of 
correcting a material weakness would exceed the benefits to be derived 
from implementing new controls.
    191. If management's assessment includes such additional 
information, the auditor should disclaim an opinion on the information. 
For example, the auditor should use the following language as the last 
paragraph of the report to disclaim an opinion on management's cost-
benefit statement:
    We do not express an opinion or any other form of assurance on 
management's statement referring to the costs and related benefits of 
implementing new controls.
    192. If the auditor believes that management's additional 
information contains a material misstatement of fact, he or she should 
discuss the matter with management. If the auditor concludes that there 
is a valid basis for concern, he or she should propose that management 
consult with some other party whose advice might be useful, such as the 
company's legal counsel. If, after discussing the matter with 
management and those management has consulted, the auditor concludes 
that a material misstatement of fact remains, the auditor should notify 
management and the audit committee, in writing, of the auditor's views 
concerning the information. The auditor also should consider consulting 
the auditor's legal counsel about further actions to be taken, 
including the auditor's responsibility under Section 10A of the 
Securities Exchange Act of 1934.\24\
---------------------------------------------------------------------------

    \24\ See Section 10A of the Securities Exchange Act of 1934, 15 
U.S.C. 78j-1.
---------------------------------------------------------------------------

    Note: If management makes the types of disclosures described in 
paragraph 190 outside its report on internal control over financial 
reporting and includes them elsewhere within its annual report on 
the company's financial statements, the auditor would not need to 
disclaim an opinion, as described in paragraph 191. However, in that 
situation, the auditor's responsibilities are the same as those 
described in paragraph 192 if the auditor believes that the 
additional information contains a material misstatement of fact.

    193. Effect of Auditor's Adverse Opinion on Internal Control Over 
Financial Reporting on the Opinion on Financial Statements. In some 
cases, the auditor's report on internal control over financial 
reporting might describe a material weakness that resulted in an 
adverse opinion on the effectiveness of internal control over financial 
reporting while the audit report on the financial statements remains 
unqualified. Consequently, during the audit of the financial 
statements, the auditor did not rely on that control. However, he or 
she performed additional substantive procedures to determine whether 
there was a material misstatement in the account related to the 
control. If, as a result of these procedures, the auditor determines 
that there was not a material misstatement in the account, he or she 
would be able to express an unqualified opinion on the financial 
statements.
    194. When the auditor's opinion on the financial statements is 
unaffected by the adverse opinion on the effectiveness of internal 
control over financial reporting, the report on internal control over 
financial reporting (or the combined report, if a combined report is 
issued) should include the following or similar language in the 
paragraph that describes the material weakness:
    This material weakness was considered in determining the nature, 
timing, and extent of audit tests applied in our audit of the 20X3 
financial statements, and this report does not affect our report dated 
[date of report] on those financial statements. [Revise this wording 
appropriately for use in a combined report.]
    195. Such disclosure is important to ensure that users of the 
auditor's report on the financial statements understand why the auditor 
issued an unqualified opinion on those statements.
    196. Disclosure is also important when the auditor's opinion on the 
financial statements is affected by the adverse opinion on the 
effectiveness of internal control over financial reporting. In that 
circumstance, the report on internal control over financial reporting 
(or the combined report, if a combined report is issued) should include 
the following or similar language in the paragraph that describes the 
material weakness:
    This material weakness was considered in determining the nature, 
timing, and extent of audit tests applied in our audit of the 20X3 
financial statements.
    197. Subsequent Discovery of Information Existing at the Date of 
the Auditor's Report on Internal Control Over Financial Reporting. 
After the issuance of the report on internal control over financial 
reporting, the auditor may become aware of conditions that existed at 
the report date that might have affected the auditor's opinions had he 
or she been aware of them. The auditor's evaluation of such subsequent 
information is similar to the auditor's evaluation of information 
discovered subsequent to the date of the report on an audit of 
financial statements, as described in AU sec. 561, Subsequent Discovery 
of Facts Existing at the Date of the Auditor's Report. That standard 
requires the auditor to determine whether the information is reliable 
and whether the facts existed at the date of his or her report. If so, 
the auditor should determine (1) whether the facts would have changed 
the report if he or she had been aware of them and (2) whether there 
are persons currently relying on or likely to rely on the auditor's 
report. For instance, if previously issued financial statements and the 
auditor's report have been recalled and reissued to reflect the 
correction of a misstatement, the auditor should presume that his or 
her report on the company's internal control over financial reporting 
as of the same specified date also should be recalled and reissued to 
reflect the material weakness that existed at that date. Based on these 
considerations, paragraph .06 of AU sec. 561 provides detailed 
requirements for the auditor.
    198. Filings Under Federal Securities Statutes. AU sec. 711, 
Filings Under Federal Securities Statutes, describes the auditor's 
responsibilities when an auditor's report is included in registration 
statements, proxy statements, or periodic reports filed under the 
federal securities statutes. The auditor should also apply AU sec. 711 
with respect to the auditor's report on management's assessment of the 
effectiveness of internal control over financial reporting included in 
such filings. In addition, the direction in paragraph .10 of AU sec. 
711 to inquire of and obtain written representations from officers and 
other executives responsible for financial and accounting matters about 
whether any events have occurred that have a material effect on the 
audited financial statements should be extended to matters that could 
have a material effect on management's assessment of internal control 
over financial reporting.
    199. When the auditor has fulfilled these responsibilities and 
intends to consent to the inclusion of his or her report on 
management's assessment of the effectiveness of internal control over 
financial reporting in the securities filing, the auditor's consent 
should clearly indicate that both the audit report on financial 
statements and the audit report on management's assessment of the 
effectiveness of internal control over financial reporting

[[Page 20696]]

(or both opinions if a combined report is issued) are included in his 
or her consent.

Auditor's Responsibilities for Evaluating Management's Certification 
Disclosures About Internal Control Over Financial Reporting

Required Management Certifications

    200. Section 302 of the Act, and Securities Exchange Act Rule 13a-
14(a) or 15d-14(a), whichever applies,\25\ requires a company's 
management, with the participation of the principal executive and 
financial officers (the certifying officers), to make the following 
quarterly and annual certifications with respect to the company's 
internal control over financial reporting:
---------------------------------------------------------------------------

    \25\ See 17 CFR 240.13a-14a or 15d-14a, whichever applies.
---------------------------------------------------------------------------

     A statement that the certifying officers are 
responsible for establishing and maintaining internal control over 
financial reporting;
     A statement that the certifying officers have 
designed such internal control over financial reporting, or caused such 
internal control over financial reporting to be designed under their 
supervision, to provide reasonable assurance regarding the reliability 
of financial reporting and the preparation of financial statements for 
external purposes in accordance with generally accepted accounting 
principles; and
     A statement that the report discloses any 
changes in the company's internal control over financial reporting that 
occurred during the most recent fiscal quarter (the company's fourth 
fiscal quarter in the case of an annual report) that have materially 
affected, or are reasonably likely to materially affect, the company's 
internal control over financial reporting.
    201. When the reason for a change in internal control over 
financial reporting is the correction of a material weakness, 
management has a responsibility to determine and the auditor should 
evaluate whether the reason for the change and the circumstances 
surrounding that change are material information necessary to make the 
disclosure about the change not misleading.\26\
---------------------------------------------------------------------------

    \26\ See Securities Exchange Act Rule 12b-20, 17 CFR 240.12b-20.
---------------------------------------------------------------------------

Auditor Evaluation Responsibilities

    202. The auditor's responsibility as it relates to management's 
quarterly certifications on internal control over financial reporting 
is different from the auditor's responsibility as it relates to 
management's annual assessment of internal control over financial 
reporting. The auditor should perform limited procedures quarterly to 
provide a basis for determining whether he or she has become aware of 
any material modifications that, in the auditor's judgment, should be 
made to the disclosures about changes in internal control over 
financial reporting in order for the certifications to be accurate and 
to comply with the requirements of Section 302 of the Act.
    203. To fulfill this responsibility, the auditor should perform, on 
a quarterly basis, the following procedures:
     Inquire of management about significant changes 
in the design or operation of internal control over financial reporting 
as it relates to the preparation of annual as well as interim financial 
information that could have occurred subsequent to the preceding annual 
audit or prior review of interim financial information;
     Evaluate the implications of misstatements 
identified by the auditor as part of the auditor's required review of 
interim financial information (See AU sec. 722, Interim Financial 
Information) as it relates to effective internal control over financial 
reporting; and
     Determine, through a combination of observation 
and inquiry, whether any change in internal control over financial 
reporting has materially affected, or is reasonably likely to 
materially affect, the company's internal control over financial 
reporting.

    Note: Foreign private issuers filing Forms 20-F and 40-F are not 
subject to quarterly reporting requirements; therefore, the 
auditor's responsibilities would extend only to the certifications 
in the annual report of these companies.

    204. When matters come to the auditor's attention that lead him or her 
to believe that modification to the disclosures about changes in 
internal control over financial reporting is necessary for the 
certifications to be accurate and to comply with the requirements of 
Section 302 of the Act and Securities Exchange Act Rule 13a-14(a) or 
15d-14(a), whichever applies,\27\ the auditor should communicate the 
matter(s) to the appropriate level of management as soon as 
practicable.
---------------------------------------------------------------------------

    \27\ See 17 CFR 240.13a-14(a) or 17 CFR 240.15d-14(a), whichever 
applies.
---------------------------------------------------------------------------

    205. If, in the auditor's judgment, management does not respond 
appropriately to the auditor's communication within a reasonable period 
of time, the auditor should inform the audit committee. If, in the 
auditor's judgment, the audit committee does not respond appropriately 
to the auditor's communication within a reasonable period of time, the 
auditor should evaluate whether to resign from the engagement. The 
auditor should evaluate whether to consult with his or her attorney 
when making these evaluations. In these circumstances, the auditor also 
has responsibilities under AU sec. 317, Illegal Acts by Clients, and 
Section 10A of the Securities Exchange Act of 1934.\28\ The auditor's 
responsibilities for evaluating the disclosures about changes in 
internal control over financial reporting do not diminish in any way 
management's responsibility for ensuring that its certifications comply 
with the requirements of Section 302 of the Act and Securities Exchange 
Act Rule 13a-14(a) or 15d-14(a), whichever applies.\29\
---------------------------------------------------------------------------

    \28\ See 15 U.S.C. 78j.
    \29\ See 17 CFR 240.13a-14(a) or 17 CFR 240.15d-14(a), whichever 
applies.
---------------------------------------------------------------------------

    206. If matters come to the auditor's attention as a result of the 
audit of internal control over financial reporting that lead him or her 
to believe that modifications to the disclosures about changes in 
internal control over financial reporting (addressing changes in 
internal control over financial reporting occurring during the fourth 
quarter) are necessary for the annual certifications to be accurate and 
to comply with the requirements of Section 302 of the Act and 
Securities Exchange Act Rule 13a-14(a) or 15d-14(a), whichever 
applies,\30\ the auditor should follow the same communication 
responsibilities as described in paragraphs 204 and 205. However, if 
management and the audit committee do not respond appropriately, in 
addition to the responsibilities described in the preceding two 
paragraphs, the auditor should modify his or her report on the audit of 
internal control over financial reporting to include an explanatory 
paragraph describing the reasons the auditor believes management's 
disclosures should be modified.
---------------------------------------------------------------------------

    \30\ See 17 CFR 240.13a-14(a) or 17 CFR 240.15d-14(a), whichever 
applies.
---------------------------------------------------------------------------

Required Communications in An Audit of Internal Control Over Financial 
Reporting

    207. The auditor must communicate in writing to management and the 
audit committee all significant deficiencies and material weaknesses 
identified during the audit. The written communication should be made 
prior to the issuance of the auditor's report on internal control over 
financial reporting. The auditor's communication should distinguish 
clearly between those matters considered to be significant

[[Page 20697]]

deficiencies and those considered to be material weaknesses, as defined 
in paragraphs 9 and 10, respectively.
    208. If a significant deficiency or material weakness exists 
because the oversight of the company's external financial reporting and 
internal control over financial reporting by the company's audit 
committee is ineffective, the auditor must communicate that specific 
significant deficiency or material weakness in writing to the board of 
directors.
    209. In addition, the auditor should communicate to management, in 
writing, all deficiencies in internal control over financial reporting 
(that is, those deficiencies in internal control over financial 
reporting that are of a lesser magnitude than significant deficiencies) 
identified during the audit and inform the audit committee when such a 
communication has been made. When making this communication, it is not 
necessary for the auditor to repeat information about such deficiencies 
that have been included in previously issued written communications, 
whether those communications were made by the auditor, internal 
auditors, or others within the organization. Furthermore, the auditor 
is not required to perform procedures sufficient to identify all 
control deficiencies; rather, the auditor should communicate 
deficiencies in internal control over financial reporting of which he 
or she is aware.

    Note: As part of his or her evaluation of the effectiveness of 
internal control over financial reporting, the auditor should 
determine whether control deficiencies identified by internal 
auditors and others within the company, for example, through ongoing 
monitoring activities and the annual assessment of internal control 
over financial reporting, are reported to appropriate levels of 
management in a timely manner. The lack of an internal process to 
report deficiencies in internal control to management on a timely 
basis represents a control deficiency that the auditor should 
evaluate as to severity.

    210. These written communications should state that the 
communication is intended solely for the information and use of the 
board of directors, audit committee, management, and others within the 
organization. When there are requirements established by governmental 
authorities to furnish such reports, specific reference to such 
regulatory agencies may be made.
    211. These written communications also should include the 
definitions of control deficiencies, significant deficiencies, and 
material weaknesses and should clearly distinguish to which category 
the deficiencies being communicated relate.
    212. Because of the potential for misinterpretation of the limited 
degree of assurance associated with the auditor issuing a written 
report representing that no significant deficiencies were noted during 
an audit of internal control over financial reporting, the auditor 
should not issue such representations.
    213. When auditing internal control over financial reporting, the 
auditor may become aware of fraud or possible illegal acts. If the 
matter involves fraud, it must be brought to the attention of the 
appropriate level of management. If the fraud involves senior 
management, the auditor must communicate the matter directly to the 
audit committee as described in AU sec. 316, Consideration of Fraud in 
a Financial Statement Audit. If the matter involves possible illegal 
acts, the auditor must assure himself or herself that the audit 
committee is adequately informed, unless the matter is clearly 
inconsequential, in accordance with AU sec. 317, Illegal Acts by 
Clients. The auditor also must determine his or her responsibilities 
under Section 10A of the Securities Exchange Act of 1934.\31\
---------------------------------------------------------------------------

    \31\ See 15 U.S.C. 78j-1.
---------------------------------------------------------------------------

    214. When timely communication is important, the auditor should 
communicate the preceding matters during the course of the audit rather 
than at the end of the engagement. The decision about whether to issue 
an interim communication should be determined based on the relative 
significance of the matters noted and the urgency of corrective follow-
up action required.

Effective Date

    215. Companies considered accelerated filers under Securities 
Exchange Act Rule 12b-2 \32\ are required to comply with the internal 
control reporting and disclosure requirements of Section 404 of the Act 
for fiscal years ending on or after November 15, 2004. (Other companies 
have until fiscal years ending on or after July 15, 2005, to comply 
with these internal control reporting and disclosure requirements.) 
Accordingly, independent auditors engaged to audit the financial 
statements of accelerated filers for fiscal years ending on or after 
November 15, 2004, also are required to audit and report on the 
company's internal control over financial reporting as of the end of 
such fiscal year. This standard is required to be complied with for 
such engagements, except as it relates to the auditor's 
responsibilities for evaluating management's certification disclosures 
about internal control over financial reporting. The auditor's 
responsibilities for evaluating management's certification disclosures 
about internal control over financial reporting described in paragraphs 
202 through 206 take effect beginning with the first quarter after the 
auditor's first audit report on the company's internal control over 
financial reporting.
---------------------------------------------------------------------------

    \32\ See 17 CFR 240.12b-2.
---------------------------------------------------------------------------

    216. Early compliance with this standard is permitted.

Appendix A--Illustrative Reports on Internal Control Over Financial 
Reporting

    A1. Paragraphs 167 through 199 of this standard provide 
direction on the auditor's report on management's assessment of 
internal control over financial reporting. The following examples 
illustrate how to apply that direction in several different 
situations.

Illustrative Report

    Example A-1.--Expressing an Unqualified Opinion on Management's 
Assessment of the Effectiveness of Internal Control Over Financial 
Reporting and an Unqualified Opinion on the Effectiveness of 
Internal Control Over Financial Reporting (Separate Report)
    Example A-2.--Expressing an Unqualified Opinion on Management's 
Assessment of the Effectiveness of Internal Control Over Financial 
Reporting and an Adverse Opinion on the Effectiveness of Internal 
Control Over Financial Reporting Because of the Existence of a 
Material Weakness
    Example A-3.--Expressing a Qualified Opinion on Management's 
Assessment of the Effectiveness of Internal Control Over Financial 
Reporting and a Qualified Opinion on the Effectiveness of Internal 
Control Over Financial Reporting Because of a Limitation on the 
Scope of the Audit
    Example A-4.--Disclaiming an Opinion on Management's Assessment 
of the Effectiveness of Internal Control Over Financial Reporting 
and Disclaiming an Opinion on the Effectiveness of Internal Control 
Over Financial Reporting Because of a Limitation on the Scope of the 
Audit
    Example A-5.--Expressing an Unqualified Opinion on Management's 
Assessment of the Effectiveness of Internal Control Over Financial 
Reporting That Refers to the Report of Other Auditors As a Basis, in 
Part, for the Auditor's Opinion and an Unqualified Opinion on the 
Effectiveness of Internal Control Over Financial Reporting
    Example A-6.--Expressing an Adverse Opinion on Management's 
Assessment of the Effectiveness of Internal Control Over Financial 
Reporting and an Adverse Opinion on the Effectiveness of Internal 
Control Over Financial Reporting Because of the Existence of a 
Material Weakness
    Example A-7.--Expressing an Unqualified Opinion on Financial 
Statements, an Unqualified Opinion on Management's Assessment of the 
Effectiveness of Internal Control Over Financial Reporting, and an 
Unqualified Opinion on the Effectiveness of Internal Control Over 
Financial Reporting (Combined Report)

[[Page 20698]]

Example A-1.--Illustrative Report Expressing an Unqualified Opinion on 
Management's Assessment of the Effectiveness of Internal Control Over 
Financial Reporting and an Unqualified Opinion on the Effectiveness of 
Internal Control Over Financial Reporting (Separate Report) \33\
---------------------------------------------------------------------------

    \33\ If the auditor issues separate reports on the audit of 
internal control over financial reporting and the audit of the 
financial statements, both reports should include a statement that 
the audit was conducted in accordance with standards of the Public 
Company Accounting Oversight Board (United States).
---------------------------------------------------------------------------

Report of Independent Registered Public Accounting Firm

[Introductory Paragraph]

    We have audited management's assessment, included in the 
accompanying [title of management's report], that W Company 
maintained effective internal control over financial reporting as of 
December 31, 20X3, based on [Identify control criteria, for example, 
``criteria established in Internal Control--Integrated Framework 
issued by the Committee of Sponsoring Organizations of the Treadway 
Commission (COSO).'']. W Company's management is responsible for 
maintaining effective internal control over financial reporting and 
for its assessment of the effectiveness of internal control over 
financial reporting. Our responsibility is to express an opinion on 
management's assessment and an opinion on the effectiveness of the 
company's internal control over financial reporting based on our 
audit.

[Scope Paragraph]

    We conducted our audit in accordance with the standards of the 
Public Company Accounting Oversight Board (United States). Those 
standards require that we plan and perform the audit to obtain 
reasonable assurance about whether effective internal control over 
financial reporting was maintained in all material respects. Our 
audit included obtaining an understanding of internal control over 
financial reporting, evaluating management's assessment, testing and 
evaluating the design and operating effectiveness of internal 
control, and performing such other procedures as we considered 
necessary in the circumstances. We believe that our audit provides a 
reasonable basis for our opinion.

[Definition Paragraph]

    A company's internal control over financial reporting is a 
process designed to provide reasonable assurance regarding the 
reliability of financial reporting and the preparation of financial 
statements for external purposes in accordance with generally 
accepted accounting principles. A company's internal control over 
financial reporting includes those policies and procedures that (1) 
pertain to the maintenance of records that, in reasonable detail, 
accurately and fairly reflect the transactions and dispositions of 
the assets of the company; (2) provide reasonable assurance that 
transactions are recorded as necessary to permit preparation of 
financial statements in accordance with generally accepted 
accounting principles, and that receipts and expenditures of the 
company are being made only in accordance with authorizations of 
management and directors of the company; and (3) provide reasonable 
assurance regarding prevention or timely detection of unauthorized 
acquisition, use, or disposition of the company's assets that could 
have a material effect on the financial statements.

[Inherent Limitations Paragraph]

    Because of its inherent limitations, internal control over 
financial reporting may not prevent or detect misstatements. Also, 
projections of any evaluation of effectiveness to future periods are 
subject to the risk that controls may become inadequate because of 
changes in conditions, or that the degree of compliance with the 
policies or procedures may deteriorate.

[Opinion Paragraph]

    In our opinion, management's assessment that W Company 
maintained effective internal control over financial reporting as of 
December 31, 20X3, is fairly stated, in all material respects, based 
on [Identify control criteria, for example, ``criteria established 
in Internal Control--Integrated Framework issued by the Committee of 
Sponsoring Organizations of the Treadway Commission (COSO).'']. Also 
in our opinion, W Company maintained, in all material respects, 
effective internal control over financial reporting as of December 
31, 20X3, based on [Identify control criteria, for example, 
``criteria established in Internal Control--Integrated Framework 
issued by the Committee of Sponsoring Organizations of the Treadway 
Commission (COSO).''].

[Explanatory Paragraph]

    We have also audited, in accordance with the standards of the 
Public Company Accounting Oversight Board (United States), the 
[identify financial statements] of W Company and our report dated 
[date of report, which should be the same as the date of the report 
on the effectiveness of internal control over financial reporting] 
expressed [include nature of opinion].
    [Signature]
    [City and State or Country]
    [Date]

Example A-2.--Illustrative Report Expressing an Unqualified Opinion on 
Management's Assessment of the Effectiveness of Internal Control Over 
Financial Reporting and an Adverse Opinion on the Effectiveness of 
Internal Control Over Financial Reporting Because of the Existence of a 
Material Weakness

Report of Independent Registered Public Accounting Firm

[Introductory Paragraph]

    We have audited management's assessment, included in the 
accompanying [title of management's report], that W Company did not 
maintain effective internal control over financial reporting as of 
December 31, 20X3, because of the effect of [material weakness 
identified in management's assessment], based on [Identify criteria, 
for example, ``criteria established in Internal Control--Integrated 
Framework issued by the Committee of Sponsoring Organizations of the 
Treadway Commission (COSO).'']. W Company's management is 
responsible for maintaining effective internal control over 
financial reporting and for its assessment of the effectiveness of 
internal control over financial reporting. Our responsibility is to 
express an opinion on management's assessment and an opinion on the 
effectiveness of the company's internal control over financial 
reporting based on our audit.

[Scope Paragraph]

    We conducted our audit in accordance with the standards of the 
Public Company Accounting Oversight Board (United States). Those 
standards require that we plan and perform the audit to obtain 
reasonable assurance about whether effective internal control over 
financial reporting was maintained in all material respects. Our 
audit included obtaining an understanding of internal control over 
financial reporting, evaluating management's assessment, testing and 
evaluating the design and operating effectiveness of internal 
control, and performing such other procedures as we considered 
necessary in the circumstances. We believe that our audit provides a 
reasonable basis for our opinion.

[Definition Paragraph]

    A company's internal control over financial reporting is a 
process designed to provide reasonable assurance regarding the 
reliability of financial reporting and the preparation of financial 
statements for external purposes in accordance with generally 
accepted accounting principles. A company's internal control over 
financial reporting includes those policies and procedures that (1) 
pertain to the maintenance of records that, in reasonable detail, 
accurately and fairly reflect the transactions and dispositions of 
the assets of the company; (2) provide reasonable assurance that 
transactions are recorded as necessary to permit preparation of 
financial statements in accordance with generally accepted 
accounting principles, and that receipts and expenditures of the 
company are being made only in accordance with authorizations of 
management and directors of the company; and (3) provide reasonable 
assurance regarding prevention or timely detection of unauthorized 
acquisition, use, or disposition of the company's assets that could 
have a material effect on the financial statements.

[Inherent Limitations Paragraph]

    Because of its inherent limitations, internal control over 
financial reporting may not prevent or detect misstatements. Also, 
projections of any evaluation of effectiveness to future periods are 
subject to the risk that controls may become inadequate because of 
changes in conditions, or that the degree of compliance with the 
policies or procedures may deteriorate.

[[Page 20699]]

[Explanatory Paragraph]

    A material weakness is a control deficiency, or combination of 
control deficiencies, that results in more than a remote likelihood 
that a material misstatement of the annual or interim financial 
statements will not be prevented or detected. The following material 
weakness has been identified and included in management's 
assessment. [Include a description of the material weakness and its 
effect on the achievement of the objectives of the control 
criteria.] This material weakness was considered in determining the 
nature, timing, and extent of audit tests applied in our audit of 
the 20X3 financial statements, and this report does not affect our 
report dated [date of report, which should be the same as the date 
of this report on internal control] on those financial 
statements.\34\
---------------------------------------------------------------------------

    \34\ Modify this sentence when the auditor's opinion on the 
financial statements is affected by the adverse opinion on the 
effectiveness of internal control over financial reporting, as 
described in paragraph 196.
---------------------------------------------------------------------------

[Opinion Paragraph]

    In our opinion, management's assessment that W Company did not 
maintain effective internal control over financial reporting as of 
December 31, 20X3, is fairly stated, in all material respects, based 
on [Identify control criteria, for example, ``criteria established 
in Internal Control--Integrated Framework issued by the Committee of 
Sponsoring Organizations of the Treadway Commission (COSO).'']. 
Also, in our opinion, because of the effect of the material weakness 
described above on the achievement of the objectives of the control 
criteria, W Company has not maintained effective internal control 
over financial reporting as of December 31, 20X3, based on [Identify 
control criteria, for example, ``criteria established in Internal 
Control--Integrated Framework issued by the Committee of Sponsoring 
Organizations of the Treadway Commission (COSO).''].
    [Signature]
    [City and State or Country]
    [Date]

Example A-3.--Illustrative Report Expressing a Qualified Opinion on 
Management's Assessment of the Effectiveness of Internal Control Over 
Financial Reporting and a Qualified Opinion on the Effectiveness of 
Internal Control Over Financial Reporting Because of a Limitation on 
the Scope of the Audit

Report of Independent Registered Public Accounting Firm

[Introductory Paragraph]

    We have audited management's assessment, included in the 
accompanying [title of management's report], that W Company 
maintained effective internal control over financial reporting as of 
December 31, 20X3, based on [Identify control criteria, for example, 
``criteria established in Internal Control--Integrated Framework 
issued by the Committee of Sponsoring Organizations of the Treadway 
Commission (COSO).'']. W Company's management is responsible for 
maintaining effective internal control over financial reporting and 
for its assessment of the effectiveness of internal control over 
financial reporting. Our responsibility is to express an opinion on 
management's assessment and an opinion on the effectiveness of the 
company's internal control over financial reporting based on our 
audit.

[Scope Paragraph]

    Except as described below, we conducted our audit in accordance 
with the standards of the Public Company Accounting Oversight Board 
(United States). Those standards require that we plan and perform 
the audit to obtain reasonable assurance about whether effective 
internal control over financial reporting was maintained in all 
material respects. Our audit included obtaining an understanding of 
internal control over financial reporting, evaluating management's 
assessment, testing and evaluating the design and operating 
effectiveness of internal control, and performing such other 
procedures as we considered necessary in the circumstances. We 
believe that our audit provides a reasonable basis for our opinion.

[Explanatory Paragraph That Describes Scope Limitation]

    A material weakness is a control deficiency, or combination of 
control deficiencies, that results in more than a remote likelihood 
that a material misstatement of the annual or interim financial 
statements will not be prevented or detected. The following material 
weakness has been identified and included in management's 
assessment.\35\ Prior to December 20, 20X3, W Company had an 
inadequate system for recording cash receipts, which could have 
prevented the Company from recording cash receipts on accounts 
receivable completely and properly. Therefore, cash received could 
have been diverted for unauthorized use, lost, or otherwise not 
properly recorded to accounts receivable. We believe this condition 
was a material weakness in the design or operation of the internal 
control of W Company in effect prior to December 20, 20X3. Although 
the Company implemented a new cash receipts system on December 20, 
20X3, the system has not been in operation for a sufficient period 
of time to enable us to obtain sufficient evidence about its 
operating effectiveness.
---------------------------------------------------------------------------

    \35\ If the auditor has identified a material weakness that is 
not included in management's assessment, add the following wording 
to the report: ``In addition, we have identified the following 
material weakness that has not been identified as a material 
weakness in management's assessment.''
---------------------------------------------------------------------------

[Definition Paragraph]

    A company's internal control over financial reporting is a 
process designed to provide reasonable assurance regarding the 
reliability of financial reporting and the preparation of financial 
statements for external purposes in accordance with generally 
accepted accounting principles. A company's internal control over 
financial reporting includes those policies and procedures that (1) 
pertain to the maintenance of records that, in reasonable detail, 
accurately and fairly reflect the transactions and dispositions of 
the assets of the company; (2) provide reasonable assurance that 
transactions are recorded as necessary to permit preparation of 
financial statements in accordance with generally accepted 
accounting principles, and that receipts and expenditures of the 
company are being made only in accordance with authorizations of 
management and directors of the company; and (3) provide reasonable 
assurance regarding prevention or timely detection of unauthorized 
acquisition, use, or disposition of the company's assets that could 
have a material effect on the financial statements.

[Inherent Limitations Paragraph]

    Because of its inherent limitations, internal control over 
financial reporting may not prevent or detect misstatements. Also, 
projections of any evaluation of effectiveness to future periods are 
subject to the risk that controls may become inadequate because of 
changes in conditions, or that the degree of compliance with the 
policies or procedures may deteriorate.

[Opinion Paragraph]

    In our opinion, except for the effect of matters we might have 
discovered had we been able to examine evidence about the 
effectiveness of the new cash receipts system, management's 
assessment that W Company maintained effective internal control over 
financial reporting as of December 31, 20X3, is fairly stated, in 
all material respects, based on [Identify control criteria, for 
example, ``criteria established in Internal Control--Integrated 
Framework issued by the Committee of Sponsoring Organizations of the 
Treadway Commission (COSO).'']. Also, in our opinion, except for the 
effect of matters we might have discovered had we been able to 
examine evidence about the effectiveness of the new cash receipts 
system, W Company maintained, in all material respects, effective 
internal control over financial reporting as of December 31, 20X3, 
based on [Identify control criteria, for example, ``criteria 
established in Internal Control--Integrated Framework issued by the 
Committee of Sponsoring Organizations of the Treadway Commission 
(COSO).''].

[Explanatory Paragraph]

    We have also audited, in accordance with the standards of the 
Public Company Accounting Oversight Board (United States), the 
[identify financial statements] of W Company and our report dated 
[date of report, which should be the same as the date of the report 
on the effectiveness of internal control over financial reporting] 
expressed [include nature of opinion].
    [Signature]
    [City and State or Country]
    [Date]

[[Page 20700]]

Example A-4.--Illustrative Report Disclaiming an Opinion on 
Management's Assessment of the Effectiveness of Internal Control Over 
Financial Reporting and Disclaiming an Opinion on the Effectiveness of 
Internal Control Over Financial Reporting Because of a Limitation on 
the Scope of the Audit

Report of Independent Registered Public Accounting Firm

[Introductory Paragraph]

    We were engaged to audit management's assessment included in the 
accompanying [title of management's report] that W Company 
maintained effective internal control over financial reporting as of 
December 31, 20X3 based on [Identify control criteria, for example, 
``criteria established in Internal Control--Integrated Framework 
issued by the Committee of Sponsoring Organizations of the Treadway 
Commission (COSO).'']. W Company's management is responsible for 
maintaining effective internal control over financial reporting and 
for its assessment of the effectiveness of internal control over 
financial reporting.

[Omit Scope Paragraph]

    [Explanatory paragraph that describes scope limitation] \36\
---------------------------------------------------------------------------

    \36\ If, through the limited procedures performed, the auditor 
concludes that a material weakness exists, the auditor should add 
the definition of material weakness (as provided in paragraph 10) to 
the explanatory paragraph. In addition, the auditor should include a 
description of the material weakness and its effect on the 
achievement of the objectives of the control criteria.
---------------------------------------------------------------------------

[Definition Paragraph]

    A company's internal control over financial reporting is a 
process designed to provide reasonable assurance regarding the 
reliability of financial reporting and the preparation of financial 
statements for external purposes in accordance with generally 
accepted accounting principles. A company's internal control over 
financial reporting includes those policies and procedures that (1) 
pertain to the maintenance of records that, in reasonable detail, 
accurately and fairly reflect the transactions and dispositions of 
the assets of the company; (2) provide reasonable assurance that 
transactions are recorded as necessary to permit preparation of 
financial statements in accordance with generally accepted 
accounting principles, and that receipts and expenditures of the 
company are being made only in accordance with authorizations of 
management and directors of the company; and (3) provide reasonable 
assurance regarding prevention or timely detection of unauthorized 
acquisition, use, or disposition of the company's assets that could 
have a material effect on the financial statements.

[Inherent Limitations Paragraph]

    Because of its inherent limitations, internal control over 
financial reporting may not prevent or detect misstatements. Also, 
projections of any evaluation of effectiveness to future periods are 
subject to the risk that controls may become inadequate because of 
changes in conditions, or that the degree of compliance with the 
policies or procedures may deteriorate.

[Opinion Paragraph]

    Since management [describe scope restrictions] and we were 
unable to apply other procedures to satisfy ourselves as to the 
effectiveness of the company's internal control over financial 
reporting, the scope of our work was not sufficient to enable us to 
express, and we do not express, an opinion either on management's 
assessment or on the effectiveness of the company's internal control 
over financial reporting.

[Explanatory Paragraph]

    We have also audited, in accordance with the standards of the 
Public Company Accounting Oversight Board (United States), the 
[identify financial statements] of W Company and our report dated 
[date of report, which should be the same as the date of the report 
on the effectiveness of internal control over financial reporting] 
expressed [include nature of opinion].
    [Signature]
    [City and State or Country]
    [Date]

Example A-5.--Illustrative Report Expressing an Unqualified Opinion on 
Management's Assessment of the Effectiveness of Internal Control Over 
Financial Reporting That Refers to the Report of Other Auditors as a 
Basis, in Part, for the Auditor's Opinion and an Unqualified Opinion on 
the Effectiveness of Internal Control Over Financial Reporting

Report of Independent Registered Public Accounting Firm

[Introductory Paragraph]

    We have audited management's assessment, included in the 
accompanying [title of management's report], that W Company 
maintained effective internal control over financial reporting as of 
December 31, 20X3, based on [Identify control criteria, for example, 
``criteria established in Internal Control--Integrated Framework 
issued by the Committee of Sponsoring Organizations of the Treadway 
Commission (COSO).'']. W Company's management is responsible for 
maintaining effective internal control over financial reporting and 
for its assessment of the effectiveness of internal control over 
financial reporting. Our responsibility is to express an opinion on 
management's assessment and an opinion on the effectiveness of the 
company's internal control over financial reporting based on our 
audit. We did not examine the effectiveness of internal control over 
financial reporting of B Company, a wholly owned subsidiary, whose 
financial statements reflect total assets and revenues constituting 
20 and 30 percent, respectively, of the related consolidated 
financial statement amounts as of and for the year ended December 
31, 20X3. The effectiveness of B Company's internal control over 
financial reporting was audited by other auditors whose report has 
been furnished to us, and our opinion, insofar as it relates to the 
effectiveness of B Company's internal control over financial 
reporting, is based solely on the report of the other auditors.

[Scope Paragraph]

    We conducted our audit in accordance with the standards of the 
Public Company Accounting Oversight Board (United States). Those 
standards require that we plan and perform the audit to obtain 
reasonable assurance about whether effective internal control over 
financial reporting was maintained in all material respects. Our 
audit included obtaining an understanding of internal control over 
financial reporting, evaluating management's assessment, testing and 
evaluating the design and operating effectiveness of internal 
control, and performing such other procedures as we considered 
necessary in the circumstances. We believe that our audit and the 
report of the other auditors provide a reasonable basis for our 
opinion.

[Definition Paragraph]

    A company's internal control over financial reporting is a 
process designed to provide reasonable assurance regarding the 
reliability of financial reporting and the preparation of financial 
statements for external purposes in accordance with generally 
accepted accounting principles. A company's internal control over 
financial reporting includes those policies and procedures that (1) 
pertain to the maintenance of records that, in reasonable detail, 
accurately and fairly reflect the transactions and dispositions of 
the assets of the company; (2) provide reasonable assurance that 
transactions are recorded as necessary to permit preparation of 
financial statements in accordance with generally accepted 
accounting principles, and that receipts and expenditures of the 
company are being made only in accordance with authorizations of 
management and directors of the company; and (3) provide reasonable 
assurance regarding prevention or timely detection of unauthorized 
acquisition, use, or disposition of the company's assets that could 
have a material effect on the financial statements.

[Inherent Limitations Paragraph]

    Because of its inherent limitations, internal control over 
financial reporting may not prevent or detect misstatements. Also, 
projections of any evaluation of effectiveness to future periods are 
subject to the risk that controls may become inadequate because of 
changes in conditions, or that the degree of compliance with the 
policies or procedures may deteriorate.

[Opinion Paragraph]

    In our opinion, based on our audit and the report of the other 
auditors, management's assessment that W Company maintained 
effective internal control over financial reporting as of December 
31, 20X3, is fairly stated, in all material respects, based on 
[Identify control criteria, for example, ``criteria established in 
Internal Control--Integrated Framework issued by the Committee of 
Sponsoring Organizations of the Treadway Commission (COSO).'']. 
Also, in our opinion, based on our audit and the report of the other 
auditors, W Company maintained, in all material respects, effective 
internal control over financial reporting as of December 31, 20X3, 
based on [Identify

[[Page 20701]]

control criteria, for example, ``criteria established in Internal 
Control--Integrated Framework issued by the Committee of Sponsoring 
Organizations of the Treadway Commission (COSO).''].

[Explanatory Paragraph]

    We have also audited, in accordance with the standards of the 
Public Company Accounting Oversight Board (United States), the 
[identify financial statements] of W Company and our report dated 
[date of report, which should be the same as the date of the report 
on the effectiveness of internal control over financial reporting] 
expressed [include nature of opinion].
    [Signature]
    [City and State or Country]
    [Date]

Example A-6.--Illustrative Report Expressing an Adverse Opinion on 
Management's Assessment of the Effectiveness of Internal Control Over 
Financial Reporting and an Adverse Opinion on the Effectiveness of 
Internal Control Over Financial Reporting Because of the Existence of a 
Material Weakness

Report of Independent Registered Public Accounting Firm

[Introductory Paragraph]

    We have audited management's assessment, included in the 
accompanying [title of management's report], that W Company 
maintained effective internal control over financial reporting as of 
December 31, 20X3, based on [Identify control criteria, for example, 
``criteria established in Internal Control--Integrated Framework 
issued by the Committee of Sponsoring Organizations of the Treadway 
Commission (COSO).'']. W Company's management is responsible for 
maintaining effective internal control over financial reporting and 
for its assessment of the effectiveness of internal control over 
financial reporting. Our responsibility is to express an opinion on 
management's assessment and an opinion on the effectiveness of the 
company's internal control over financial reporting based on our 
audit.

[Scope Paragraph]

    We conducted our audit in accordance with the standards of the 
Public Company Accounting Oversight Board (United States). Those 
standards require that we plan and perform the audit to obtain 
reasonable assurance about whether effective internal control over 
financial reporting was maintained in all material respects. Our 
audit included obtaining an understanding of internal control over 
financial reporting, evaluating management's assessment, testing and 
evaluating the design and operating effectiveness of internal 
control, and performing such other procedures as we considered 
necessary in the circumstances. We believe that our audit provides a 
reasonable basis for our opinion.

[Definition Paragraph]

    A company's internal control over financial reporting is a 
process designed to provide reasonable assurance regarding the 
reliability of financial reporting and the preparation of financial 
statements for external purposes in accordance with generally 
accepted accounting principles. A company's internal control over 
financial reporting includes those policies and procedures that (1) 
pertain to the maintenance of records that, in reasonable detail, 
accurately and fairly reflect the transactions and dispositions of 
the assets of the company; (2) provide reasonable assurance that 
transactions are recorded as necessary to permit preparation of 
financial statements in accordance with generally accepted 
accounting principles, and that receipts and expenditures of the 
company are being made only in accordance with authorizations of 
management and directors of the company; and (3) provide reasonable 
assurance regarding prevention or timely detection of unauthorized 
acquisition, use, or disposition of the company's assets that could 
have a material effect on the financial statements.

[Inherent Limitations Paragraph]

    Because of its inherent limitations, internal control over 
financial reporting may not prevent or detect misstatements. Also, 
projections of any evaluation of effectiveness to future periods are 
subject to the risk that controls may become inadequate because of 
changes in conditions, or that the degree of compliance with the 
policies or procedures may deteriorate.

[Explanatory Paragraph]

    A material weakness is a control deficiency, or combination of 
control deficiencies, that results in more than a remote likelihood 
that a material misstatement of the annual or interim financial 
statements will not be prevented or detected. We have identified the 
following material weakness that has not been identified as a 
material weakness in management's assessment [Include a description 
of the material weakness and its effect on the achievement of the 
objectives of the control criteria.] This material weakness was 
considered in determining the nature, timing, and extent of audit 
tests applied in our audit of the 20X3 financial statements, and 
this report does not affect our report dated [date of report, which 
should be the same as the date of this report on internal control] 
on those financial statements.\37\
---------------------------------------------------------------------------

    \37\ Modify this sentence when the auditor's opinion on the 
financial statements is affected by the adverse opinion on the 
effectiveness of internal control over financial reporting.
---------------------------------------------------------------------------

[Opinion Paragraph]

    In our opinion, because of the effect of the material weakness 
described above on the achievement of the objectives of the control 
criteria, management's assessment that W Company maintained 
effective internal control over financial reporting as of December 
31, 20X3, is not fairly stated, in all material respects, based on 
[Identify control criteria, for example, ``criteria established in 
Internal Control--Integrated Framework issued by the Committee of 
Sponsoring Organizations of the Treadway Commission (COSO).'']. 
Also, in our opinion, because of the effect of the material weakness 
described above on the achievement of the objectives of the control 
criteria, W Company has not maintained effective internal control 
over financial reporting as of December 31, 20X3, based on [Identify 
control criteria, for example, ``criteria established in Internal 
Control--Integrated Framework issued by the Committee of Sponsoring 
Organizations of the Treadway Commission (COSO).''].
    [Signature]
    [City and State or Country]
    [Date]

Example A-7.--Illustrative Combined Report Expressing an Unqualified 
Opinion on Financial Statements, an Unqualified Opinion on Management's 
Assessment of the Effectiveness of Internal Control Over Financial 
Reporting and an Unqualified Opinion on the Effectiveness of Internal 
Control Over Financial Reporting

Report of Independent Registered Public Accounting Firm

[Introductory Paragraph]

    We have audited the accompanying balance sheets of W Company as 
of December 31, 20X3 and 20X2, and the related statements of income, 
stockholders' equity and comprehensive income, and cash flows for 
each of the years in the three-year period ended December 31, 20X3. 
We also have audited management's assessment, included in the 
accompanying [title of management's report], that W Company 
maintained effective internal control over financial reporting as of 
December 31, 20X3, based on [Identify control criteria, for example, 
``criteria established in Internal Control--Integrated Framework 
issued by the Committee of Sponsoring Organizations of the Treadway 
Commission (COSO).'']. W Company's management is responsible for 
these financial statements, for maintaining effective internal 
control over financial reporting, and for its assessment of the 
effectiveness of internal control over financial reporting. Our 
responsibility is to express an opinion on these financial 
statements, an opinion on management's assessment, and an opinion on 
the effectiveness of the company's internal control over financial 
reporting based on our audits.

[Scope Paragraph]

    We conducted our audits in accordance with the standards of the 
Public Company Accounting Oversight Board (United States). Those 
standards require that we plan and perform the audits to obtain 
reasonable assurance about whether the financial statements are free 
of material misstatement and whether effective internal control over 
financial reporting was maintained in all material respects. Our 
audit of financial statements included examining, on a test basis, 
evidence supporting the amounts and disclosures in the financial 
statements, assessing the accounting principles used and significant 
estimates made by management, and evaluating the overall financial 
statement presentation. Our audit of internal control over financial 
reporting included obtaining an understanding of internal control 
over financial reporting, evaluating management's

[[Page 20702]]

assessment, testing and evaluating the design and operating 
effectiveness of internal control, and performing such other 
procedures as we considered necessary in the circumstances. We 
believe that our audits provide a reasonable basis for our opinions.

[Definition Paragraph]

    A company's internal control over financial reporting is a 
process designed to provide reasonable assurance regarding the 
reliability of financial reporting and the preparation of financial 
statements for external purposes in accordance with generally 
accepted accounting principles. A company's internal control over 
financial reporting includes those policies and procedures that (1) 
pertain to the maintenance of records that, in reasonable detail, 
accurately and fairly reflect the transactions and dispositions of 
the assets of the company; (2) provide reasonable assurance that 
transactions are recorded as necessary to permit preparation of 
financial statements in accordance with generally accepted 
accounting principles, and that receipts and expenditures of the 
company are being made only in accordance with authorizations of 
management and directors of the company; and (3) provide reasonable 
assurance regarding prevention or timely detection of unauthorized 
acquisition, use, or disposition of the company's assets that could 
have a material effect on the financial statements.

[Inherent Limitations Paragraph]

    Because of its inherent limitations, internal control over 
financial reporting may not prevent or detect misstatements. Also, 
projections of any evaluation of effectiveness to future periods are 
subject to the risk that controls may become inadequate because of 
changes in conditions, or that the degree of compliance with the 
policies or procedures may deteriorate.

[Opinion Paragraph]

    In our opinion, the financial statements referred to above 
present fairly, in all material respects, the financial position of 
W Company as of December 31, 20X3 and 20X2, and the results of its 
operations and its cash flows for each of the years in the three-
year period ended December 31, 20X3 in conformity with accounting 
principles generally accepted in the United States of America. Also 
in our opinion, management's assessment that W Company maintained 
effective internal control over financial reporting as of December 
31, 20X3, is fairly stated, in all material respects, based on 
[Identify control criteria, for example, ``criteria established in 
Internal Control--Integrated Framework issued by the Committee of 
Sponsoring Organizations of the Treadway Commission (COSO).'']. 
Furthermore, in our opinion, W Company maintained, in all material 
respects, effective internal control over financial reporting as of 
December 31, 20X3, based on [Identify control criteria, for example, 
``criteria established in Internal Control--Integrated Framework 
issued by the Committee of Sponsoring Organizations of the Treadway 
Commission (COSO).''].

[Signature]
[City and State or Country]
[Date]

Appendix B--Additional Performance Requirements and Directions; Extent-
of-Testing Examples

Tests To Be Performed When a Company Has Multiple Locations or Business 
Units

    B1. To determine the locations or business units for performing 
audit procedures, the auditor should evaluate their relative 
financial significance and the risk of material misstatement arising 
from them. In making this evaluation, the auditor should identify 
the locations or business units that are individually important, 
evaluate their documentation of controls, and test controls over 
significant accounts and disclosures. For locations or business 
units that contain specific risks that, by themselves, could create 
a material misstatement, the auditor should evaluate their 
documentation of controls and test controls over the specific risks.
    B2. The auditor should determine the other locations or business 
units that, when aggregated, represent a group with a level of 
financial significance that could create a material misstatement in 
the financial statements. For that group, the auditor should 
determine whether there are company-level controls in place. If so, 
the auditor should evaluate the documentation and test such company-
level controls. If not, the auditor should perform tests of controls 
at some of the locations or business units.
    B3. No further work is necessary on the remaining locations or 
businesses, provided that they are not able to create, either 
individually or in the aggregate, a material misstatement in the 
financial statements.

Locations or Business Units That Are Financially Significant

    B4. Because of the importance of financially significant 
locations or business units, the auditor should evaluate 
management's documentation of and perform tests of controls over all 
relevant assertions related to significant accounts and disclosures 
at each financially significant location or business unit, as 
discussed in paragraphs 83 through 105. Generally, a relatively 
small number of locations or business units will encompass a large 
portion of a company's operations and financial position, making 
them financially significant.
    B5. In determining the nature, timing, and extent of testing at 
the individual locations or business units, the auditor should 
evaluate each entity's involvement, if any, with a central 
processing or shared service environment.

Locations or Business Units That Involve Specific Risks

    B6. Although a location or business unit might not be 
individually financially significant, it might present specific 
risks that, by themselves, could create a material misstatement in 
the company's financial statements. The auditor should test the 
controls over the specific risks that could create a material 
misstatement in the company's financial statements. The auditor need 
not test controls over all relevant assertions related to all 
significant accounts at these locations or business units. For 
example, a business unit responsible for foreign exchange trading 
could expose the company to the risk of material misstatement, even 
though the relative financial significance of such transactions is 
low.

Locations or Business Units That Are Significant Only When 
Aggregated With Other Locations and Business Units

    B7. In determining the nature, timing, and extent of testing, 
the auditor should determine whether management has documented and 
placed in operation company-level controls (See paragraph 53) over 
individually unimportant locations and business units that, when 
aggregated with other locations or business units, might have a high 
level of financial significance. A high level of financial 
significance could create a greater than remote risk of material 
misstatement of the financial statements.
    B8. For the purposes of this evaluation, company-level controls 
are controls management has in place to provide assurance that 
appropriate controls exist throughout the organization, including at 
individual locations or business units.
    B9. The auditor should perform tests of company-level controls 
to determine whether such controls are operating effectively. The 
auditor might conclude that he or she cannot evaluate the operating 
effectiveness of such controls without visiting some or all of the 
locations or business units.
    B10. If management does not have company-level controls 
operating at these locations and business units, the auditor should 
determine the nature, timing, and extent of procedures to be 
performed at each location, business unit, or combination of 
locations and business units. When determining the locations or 
business units to visit and the controls to test, the auditor should 
evaluate the following factors:
    * The relative financial significance of each 
location or business unit.
    * The risk of material misstatement arising 
from each location or business unit.
    * The similarity of business operations and 
internal control over financial reporting at the various locations 
or business units.
    * The degree of centralization of processes and 
financial reporting applications.
    * The effectiveness of the control environment, 
particularly management's direct control over the exercise of 
authority delegated to others and its ability to effectively 
supervise activities at the various locations or business units. An 
ineffective control environment over the locations or business units 
might constitute a material weakness.
    * The nature and amount of transactions 
executed and related assets at the various locations or business 
units.
    * The potential for material unrecognized 
obligations to exist at a location or business unit and the degree 
to which the location or business unit could create an obligation on 
the part of the company.
    * Management's risk assessment process and 
analysis for excluding a location or business unit from its 
assessment of internal control over financial reporting.

[[Page 20703]]

    B11. Testing company-level controls is not a substitute for the 
auditor's testing of controls over a large portion of the company's 
operations or financial position. If the auditor cannot test a large 
portion of the company's operations and financial position by 
selecting a relatively small number of locations or business units, 
he or she should expand the number of locations or business units 
selected to evaluate internal control over financial reporting.

    Note:  The evaluation of whether controls over a large portion 
of the company's operations or financial position have been tested 
should be made at the overall level, not at the individual 
significant account level.

Locations and Business Units That Do Not Require Testing

    B12. No testing is required for locations or business units that 
individually, and when aggregated with others, could not result in a 
material misstatement to the financial statements.

Multi-Location Testing Considerations Flowchart

    B13. Illustration B-1 depicts how to apply the directions in 
this section to a hypothetical company with 150 locations or 
business units, along with the auditor's testing considerations for 
those locations or business units.
[Illustration B-1: Multi-Location Testing Considerations Flowchart (graphic omitted)]

Special Situations

    B14. The scope of the evaluation of the company's internal 
control over financial reporting should include entities that are 
acquired on or before the date of management's assessment and 
operations that are accounted for as discontinued operations on the 
date of management's assessment. The auditor should consider this 
multiple locations discussion in determining whether it will be 
necessary to test controls at these entities or operations.
    B15. For equity method investments, the evaluation of the 
company's internal control over financial reporting should include 
controls over the reporting in accordance with generally accepted 
accounting principles, in the company's financial statements, of the 
company's portion of the investees' income or loss, the investment 
balance, adjustments to the income or loss and investment balance, 
and related disclosures. The evaluation ordinarily would not extend 
to controls at the equity method investee.
    B16. In situations in which the SEC allows management to limit 
its assessment of internal control over financial reporting by 
excluding certain entities, the auditor may limit the audit in the 
same manner and report without reference to the limitation in scope. 
However, the auditor should evaluate the reasonableness of 
management's conclusion that the situation meets the criteria of the 
SEC's allowed exclusion and the appropriateness of any required 
disclosure related to such a limitation. If the auditor believes 
that management's disclosure about the limitation requires 
modification, the auditor should follow the same communication 
responsibilities as described in paragraphs 204 and 205. If 
management and the audit committee do not respond appropriately, in 
addition to fulfilling those responsibilities, the auditor should 
modify his or her report on the audit of internal control over 
financial reporting to include an explanatory paragraph describing 
the reasons why the auditor believes management's disclosure should 
be modified.
    B17. For example, for entities that are consolidated or 
proportionately consolidated, the evaluation of the company's 
internal control over financial reporting should include controls 
over significant accounts and processes that exist at the 
consolidated

[[Page 20704]]

or proportionately consolidated entity. In some instances, however, 
such as for some variable interest entities as defined in Financial 
Accounting Standards Board Interpretation No. 46, Consolidation of 
Variable Interest Entities, management might not be able to obtain 
the information necessary to make an assessment because it does not 
have the ability to control the entity. If management is allowed to 
limit its assessment by excluding such entities,\38\ the auditor may 
limit the audit in the same manner and report without reference to 
the limitation in scope. In this case, the evaluation of the 
company's internal control over financial reporting should include 
evaluation of controls over the reporting in accordance with 
generally accepted accounting principles, in the company's financial 
statements, of the company's portion of the entity's income or loss, 
the investment balance, adjustments to the income or loss and 
investment balances, and related disclosures. However, the auditor 
should evaluate the reasonableness of management's conclusion that 
it does not have the ability to obtain the necessary information as 
well as the appropriateness of any required disclosure related to 
such a limitation.
---------------------------------------------------------------------------

    \38\ It is our understanding that the SEC Staff may conclude 
that management can limit the scope of its assessment if it does not 
have the authority to affect, and therefore cannot assess, the 
controls in place over certain amounts. This would relate to 
entities that are consolidated or proportionately consolidated when 
the issuer does not have sufficient control over the entity to 
assess and affect controls. If management's report on its assessment 
of the effectiveness of internal control over financial reporting is 
limited in that manner, the SEC staff may permit the company to 
disclose this fact as well as information about the magnitude of the 
amounts included in the financial statements from entities whose 
controls cannot be assessed. This disclosure would be required in 
each filing, but outside of management's report on its assessment of 
the effectiveness of internal control over financial reporting.
---------------------------------------------------------------------------

Use of Service Organizations

    B18. AU sec. 324, Service Organizations, applies to the audit of 
financial statements of a company that obtains services from another 
organization that are part of its information system. The auditor 
may apply the relevant concepts described in AU sec. 324 to the 
audit of internal control over financial reporting. Further, 
although AU sec. 324 was designed to address auditor-to-auditor 
communications as part of the audit of financial statements, it also 
is appropriate for management to apply the relevant concepts 
described in that standard to its assessment of internal control 
over financial reporting.
    B19. Paragraph .03 of AU sec. 324 describes the situation in 
which a service organization's services are part of a company's 
information system. If the service organization's services are part 
of a company's information system, as described therein, then they 
are part of the information and communication component of the 
company's internal control over financial reporting. When the 
service organization's services are part of the company's internal 
control over financial reporting, management should consider the 
activities of the service organization in making its assessment of 
internal control over financial reporting, and the auditor should 
consider the activities of the service organization in determining 
the evidence required to support his or her opinion.

    Note: The use of a service organization does not reduce 
management's responsibility to maintain effective internal control 
over financial reporting.

    B20. Paragraphs .07 through .16 in AU sec. 324 describe the 
procedures that management and the auditor should perform with 
respect to the activities performed by the service organization. The 
procedures include:
    a. Obtaining an understanding of the controls at the service 
organization that are relevant to the entity's internal control and 
the controls at the user organization over the activities of the 
service organization, and
    b. Obtaining evidence that the controls that are relevant to 
management's assessment and the auditor's opinion are operating 
effectively.
    B21. Evidence that the controls that are relevant to 
management's assessment and the auditor's opinion are operating 
effectively may be obtained by following the procedures described in 
paragraph .12 of AU sec. 324. These procedures include:
    a. Performing tests of the user organization's controls over the 
activities of the service organization (for example, testing the 
user organization's independent reperformance of selected items 
processed by the service organization or testing the user 
organization's reconciliation of output reports with source 
documents).
    b. Performing tests of controls at the service organization.
    c. Obtaining a service auditor's report on controls placed in 
operation and tests of operating effectiveness, or a report on the 
application of agreed-upon procedures that describes relevant tests 
of controls.

    Note: The service auditor's report referred to above means a 
report with the service auditor's opinion on the service 
organization's description of the design of its controls, the tests 
of controls, and results of those tests performed by the service 
auditor, and the service auditor's opinion on whether the controls 
tested were operating effectively during the specified period (in 
other words, ``reports on controls placed in operation and tests of 
operating effectiveness'' described in paragraph .24b of AU sec. 
324). A service auditor's report that does not include tests of 
controls, results of the tests, and the service auditor's opinion on 
operating effectiveness (in other words, ``reports on controls 
placed in operation'' described in paragraph .24a of AU sec. 324) 
does not provide evidence of operating effectiveness. Furthermore, 
if the evidence regarding operating effectiveness of controls comes 
from an agreed-upon procedures report rather than a service 
auditor's report issued pursuant to AU sec. 324, management and the 
auditor should evaluate whether the agreed-upon procedures report 
provides sufficient evidence in the same manner described in the 
following paragraph.

    B22. If a service auditor's report on controls placed in 
operation and tests of operating effectiveness is available, 
management and the auditor may evaluate whether this report provides 
sufficient evidence to support the assessment and opinion, 
respectively. In evaluating whether such a service auditor's report 
provides sufficient evidence, management and the auditor should 
consider the following factors:
    * The time period covered by the tests of 
controls and its relation to the date of management's assessment,
    * The scope of the examination and applications 
covered, the controls tested, and the way in which tested controls 
relate to the company's controls,
    * The results of those tests of controls and 
the service auditor's opinion on the operating effectiveness of the 
controls.

    Note: These factors are similar to factors the auditor would 
consider in determining whether the report provides sufficient 
evidence to support the auditor's assessed level of control risk in 
an audit of the financial statements as described in paragraph .16 
of AU sec. 324.

    B23. If the service auditor's report on controls placed in 
operation and tests of operating effectiveness contains a 
qualification that the stated control objectives might be achieved 
only if the company applies controls contemplated in the design of 
the system by the service organization, the auditor should evaluate 
whether the company is applying the necessary procedures. For 
example, completeness of processing payroll transactions might 
depend on the company's validation that all payroll records sent to 
the service organization were processed by checking a control total.
    B24. In determining whether the service auditor's report 
provides sufficient evidence to support management's assessment and 
the auditor's opinion, management and the auditor should make 
inquiries concerning the service auditor's reputation, competence, 
and independence. Appropriate sources of information concerning the 
professional reputation of the service auditor are discussed in 
paragraph .10a of AU sec. 543, Part of Audit Performed by Other 
Independent Auditors.
    B25. When a significant period of time has elapsed between the 
time period covered by the tests of controls in the service 
auditor's report and the date of management's assessment, additional 
procedures should be performed. The auditor should inquire of 
management to determine whether management has identified any 
changes in the service organization's controls subsequent to the 
period covered by the service auditor's report (such as changes 
communicated to management from the service organization, changes in 
personnel at the service organization with whom management 
interacts, changes in reports or other data received from the 
service organization, changes in contracts or service level 
agreements with the service organization, or errors identified in 
the service organization's processing). If management has identified 
such changes, the auditor should determine whether management has 
performed procedures to
evaluate the effect of such changes on the effectiveness of the 
company's internal control over financial reporting. The auditor 
also should consider whether the results of other procedures he or 
she performed indicate that there have been changes in the controls 
at the service organization that management has not identified.
    B26. The auditor should determine whether to obtain additional 
evidence about the operating effectiveness of controls at the 
service organization based on the procedures performed by management 
or the auditor and the results of those procedures and on an 
evaluation of the following factors. As these factors increase in 
significance, the need for the auditor to obtain additional evidence 
increases.
     The elapsed time between the time period 
covered by the tests of controls in the service auditor's report and 
the date of management's assessment,
     The significance of the activities of the 
service organization,
     Whether there are errors that have been 
identified in the service organization's processing, and
     The nature and significance of any changes in 
the service organization's controls identified by management or the 
auditor.
    B27. If the auditor concludes that additional evidence about the 
operating effectiveness of controls at the service organization is 
required, the auditor's additional procedures may include:
     Evaluating the procedures performed by 
management and the results of those procedures.
     Contacting the service organization, through 
the user organization, to obtain specific information.
     Requesting that a service auditor be engaged 
to perform procedures that will supply the necessary information.
     Visiting the service organization and 
performing such procedures.
    B28. Based on the evidence obtained, management and the auditor 
should determine whether they have obtained sufficient evidence to 
obtain the reasonable assurance necessary for their assessment and 
opinion, respectively.
    B29. The auditor should not refer to the service auditor's 
report when expressing an opinion on internal control over financial 
reporting.

Examples of Extent-of-Testing Decisions

    B30. As discussed throughout this standard, determining the 
effectiveness of a company's internal control over financial 
reporting includes evaluating the design and operating effectiveness 
of controls over all relevant assertions related to all significant 
accounts and disclosures in the financial statements. Paragraphs 88 
through 107 provide the auditor with directions about the nature, 
timing, and extent of testing of the design and operating 
effectiveness of internal control over financial reporting.
    B31. Examples B-1 through B-4 illustrate how to apply this 
information in various situations. These examples are for 
illustrative purposes only.

Example B-1.--Daily Programmed Application Control and Daily 
Information Technology-Dependent Manual Control

    The auditor has determined that cash and accounts receivable are 
significant accounts to the audit of XYZ Company's internal control 
over financial reporting. Based on discussions with company 
personnel and review of company documentation, the auditor learned 
that the company had the following procedures in place to account 
for cash received in the lockbox:
    a. The company receives a download of cash receipts from the 
banks.
    b. The information technology system applies cash received in 
the lockbox to individual customer accounts.
    c. Any cash received in the lockbox and not applied to a 
customer's account is listed on an exception report (Unapplied Cash 
Exception Report).
     Therefore, the application of cash to a 
customer's account is a programmed application control, while the 
review and follow-up of unapplied cash from the exception report is 
a manual control.
    To determine whether misstatements in cash (existence assertion) 
and accounts receivable (existence, valuation, and completeness) 
would be prevented or detected on a timely basis, the auditor 
decided to test the controls provided by the system in the daily 
reconciliation of lockbox receipts to customer accounts, as well as 
the control over reviewing and resolving unapplied cash in the 
Unapplied Cash Exception Report.
    Nature, Timing, and Extent of Procedures. To test the programmed 
application control, the auditor:
     Identified, through discussion with company 
personnel, the software used to receive the download from the banks 
and to process the transactions and determined that the banks supply 
the download software.
    --The company uses accounting software acquired from a third-
party supplier. The software consists of a number of modules. The 
client modifies the software only for upgrades supplied by the 
supplier.
     Determined, through further discussion with 
company personnel, that the cash module operates the lockbox 
functionality and the posting of cash to the general ledger. The 
accounts receivable module posts the cash to individual customer 
accounts and produces the Unapplied Cash Exception Report, a 
standard report supplied with the package. The auditor agreed this 
information to the supplier's documentation.
     Identified, through discussions with company 
personnel and review of the supplier's documentation, the names, 
file sizes (in bytes), and locations of the executable files 
(programs) that operate the functionality under review. The auditor 
then identified the compilation dates of these programs and agreed 
them to the original installation date of the application.
     Identified the objectives of the programs to 
be tested. The auditor wanted to determine whether only appropriate 
cash items are posted to customers' accounts and matched to customer 
number, invoice number, amount, etc., and that there is a listing of 
inappropriate cash items (that is, any of the above items not 
matching) on the exception report.
    In addition, the auditor had evaluated and tested general 
computer controls, including program changes (for example, 
confirmation that no unauthorized changes are undertaken) and 
logical access (for example, data file access to the file downloaded 
from the banks and user access to the cash and accounts receivable 
modules) and concluded that they were operating effectively.
    To determine whether such programmed controls were operating 
effectively, the auditor performed a walkthrough in the month of 
July. The computer controls operate in a systematic manner; 
therefore, the auditor concluded that it was sufficient to perform a 
walkthrough for only the one item. During the walkthrough, the 
auditor performed and documented the following items:
    a. Selected one customer and agreed the amount billed to the 
customer to the cash received in the lockbox.
    b. Agreed the total of the lockbox report to the posting of cash 
receipts in the general ledger.
    c. Agreed the total of the cash receipt download from the bank 
to the lockbox report and supporting documentation.
    d. Selected one customer's remittance and agreed amount posted 
to the customer's account in the accounts receivable subsidiary 
ledger.
    To test the detective control of review and follow up on the 
Daily Unapplied Cash Exception Report, the auditor:
    a. Made inquiries of company personnel. To understand the 
procedures in place to ensure that all unapplied items are resolved, 
the time frame in which such resolution takes place, and whether 
unapplied items are handled properly within the system, the auditor 
discussed these matters with the employee responsible for reviewing 
and resolving the Daily Unapplied Cash Exception Reports. The 
auditor learned that, when items appear on the Daily Unapplied Cash 
Exception Report, the employee must manually enter the correction 
into the system. The employee typically performs the resolution 
procedures the next business day. Items that typically appear on the 
Daily Unapplied Cash Exception Report relate to payments made by a 
customer without reference to an invoice number/purchase order 
number or to underpayments of an invoice due to quantity or pricing 
discrepancies.
    b. Observed personnel performing the control. The auditor then 
observed the employee reviewing and resolving a Daily Unapplied Cash 
Exception Report. The day selected contained four exceptions--three 
related to payments made by a customer without an invoice number, 
and one related to an underpayment due to a pricing discrepancy.
     For the pricing discrepancy, the employee 
determined, through discussions with a sales person, that the 
customer had been billed an incorrect price; a price break that the 
sales person had granted to the customer was not reflected on the 
customer's invoice. The employee resolved the pricing discrepancy, 
determined which invoices were being paid, and entered a correction
into the system to properly apply cash to the customer's account and 
reduce accounts receivable and sales accounts for the amount of the 
price break.
    c. Reperformed the control. Finally, the auditor selected 25 
Daily Unapplied Cash Exception Reports from the period January to 
September. For the reports selected, the auditor reperformed the 
follow-up procedures that the employee performed. For instance, the 
auditor inspected the documents and sources of information used in 
the follow-up and determined that the transaction was properly 
corrected in the system. The auditor also scanned other Daily 
Unapplied Cash Exception Reports to determine that the control was 
performed throughout the period of intended reliance.
    Because the tests of controls were performed at an interim date, 
the auditor had to determine whether there were any significant 
changes in the controls from interim to year-end. Therefore, the 
auditor asked company personnel about the procedures in place at 
year-end. Such procedures had not changed from the interim period; 
therefore, the auditor observed that the controls were still in 
place by scanning Daily Unapplied Cash Exception Reports to 
determine the control was performed on a timely basis during the 
period from September to year-end.
    Based on the auditor's procedures, the auditor concluded that 
the employee was clearing exceptions in a timely manner and that the 
control was operating effectively as of year-end.

Example B-2.--Monthly Manual Reconciliation

    The auditor determined that accounts receivable is a significant 
account to the audit of XYZ Company's internal control over 
financial reporting. Through discussions with company personnel and 
review of company documentation, the auditor learned that company 
personnel reconcile the accounts receivable subsidiary ledger to the 
general ledger on a monthly basis. To determine whether 
misstatements in accounts receivable (existence, valuation, and 
completeness) would be detected on a timely basis, the auditor 
decided to test the control provided by the monthly reconciliation 
process.
    Nature, Timing, and Extent of Procedures. The auditor 
tested the company's reconciliation control by selecting a sample of 
reconciliations based upon the number of accounts, the dollar value 
of the accounts, and the volume of transactions affecting the 
account. Because the auditor considered all other receivable 
accounts immaterial, and because such accounts had only minimal 
transactions flowing through them, the auditor decided to test only 
the reconciliation for the trade accounts receivable account. The 
auditor elected to perform the tests of controls over the 
reconciliation process in conjunction with the auditor's substantive 
procedures over the accounts receivable confirmation procedures, 
which were performed in July.
    To test the reconciliation process, the auditor:
    a. Made inquiries of personnel performing the control. The 
auditor asked the employee performing the reconciliation a number of 
questions, including the following:
     What documentation describes the account 
reconciliation process?
     How long have you been performing the 
reconciliation work?
     What is the reconciliation process for 
resolving reconciling items?
     How often are the reconciliations formally 
reviewed and signed off?
     If significant issues or reconciliation 
problems are noticed, to whose attention do you bring them?
     On average, how many reconciling items are 
there?
     How are old reconciling items treated?
     If need be, how is the system corrected for 
reconciling items?
     What is the general nature of these 
reconciling items?
    b. Observed the employee performing the control. The auditor 
observed the employee performing the reconciliation procedures. For 
nonrecurring reconciling items, the auditor observed whether each 
item included a clear explanation as to its nature, the action that 
had been taken to resolve it, and whether it had been resolved on a 
timely basis.
    c. Reperformed the control. Finally, the auditor inspected the 
reconciliations and reperformed the reconciliation procedures. For 
the May and July reconciliations, the auditor traced the reconciling 
amounts to the source documents on a test basis. The only 
reconciling item that appeared on these reconciliations was cash 
received in the lockbox the previous day that had not been applied 
yet to the customer's account. The auditor pursued the items in each 
month's reconciliation to determine that the reconciling item 
cleared the following business day. The auditor also scanned through 
the file of all reconciliations prepared during the year and noted 
that they had been performed on a timely basis. To determine that 
the company had not made significant changes in its reconciliation 
control procedures from interim to year-end, the auditor made 
inquiries of company personnel and determined that such procedures 
had not changed from interim to year-end. Therefore, the auditor 
verified that controls were still in place by scanning the monthly 
account reconciliations to determine that the control was performed 
on a timely basis during the interim to year-end period.
    Based on the auditor's procedures, the auditor concluded that 
the reconciliation control was operating effectively as of year-end.

Example B-3.--Daily Manual Preventive Control

    The auditor determined that cash and accounts payable were 
significant accounts to the audit of the company's internal control 
over financial reporting. Through discussions with company 
personnel, the auditor learned that company personnel make a cash 
disbursement only after they have matched the vendor invoice to the 
receiver and purchase order. To determine whether misstatements in 
cash (existence) and accounts payable (existence, valuation, and 
completeness) would be prevented on a timely basis, the auditor 
tested the control over making a cash disbursement only after 
matching the invoice with the receiver and purchase order.
    Nature, Timing, and Extent of Procedures. On a haphazard basis, 
the auditor selected 25 disbursements from the cash disbursement 
registers from January through September. In this example, the 
auditor deemed a test of 25 cash disbursement transactions an 
appropriate sample size because the auditor was testing a manual 
control performed as part of the routine processing of cash 
disbursement transactions through the system. Furthermore, the 
auditor expected no errors based on the results of company-level 
tests performed earlier. [If, however, the auditor had encountered a 
control exception, the auditor would have attempted to identify the 
root cause of the exception and tested an additional number of 
items. If another control exception had been noted, the auditor 
would have decided that this control was not effective. As a result, 
the auditor would have decided to increase the extent of substantive 
procedures to be performed in connection with the financial 
statement audit of the cash and accounts payable accounts.]
    a. After obtaining the related voucher package, the auditor 
examined the invoice to see if it included the signature or initials 
of the accounts payable clerk, evidencing the clerk's performance of 
the matching control. However, a signature on a voucher package to 
indicate signer approval does not necessarily mean that the person 
carefully reviewed it before signing. The voucher package may have 
been signed based on only a cursory review, or without any review.
    b. The auditor decided that the quality of the evidence 
regarding the effective operation of the control evidenced by a 
signature or initials was not sufficiently persuasive to ensure that 
the control operated effectively during the test period. In order to 
obtain additional evidence, the auditor reperformed the matching 
control corresponding to the signature, which included examining the 
invoice to determine that (a) its items matched to the receiver and 
purchase order and (b) it was mathematically accurate.
    Because the auditor performed the tests of controls at an 
interim date, the auditor updated the testing through the end of the 
year (initial tests are through September to December) by asking the 
accounts payable clerk whether the control was still in place and 
operating effectively. The auditor confirmed that understanding by 
performing a walkthrough of one transaction in December.
    Based on the auditor's procedures, the auditor concluded that 
the control over making a cash disbursement only after matching the 
invoice with the receiver and purchase order was operating effectively as 
of year-end.

Example B-4.--Programmed Prevent Control and Weekly Information 
Technology-Dependent Manual Detective Control

    The auditor determined that cash, accounts payable, and 
inventory were significant accounts to the audit of the company's 
internal control over financial reporting. Through discussions with 
company personnel, the auditor learned that the
company's computer system performs a three-way match of the 
receiver, purchase order, and invoice. If there are any exceptions, 
the system produces a list of unmatched items that employees review 
and follow up on weekly.
    In this case, the computer match is a programmed application 
control, and the review and follow-up of the unmatched items report 
is a detective control. To determine whether misstatements in cash 
(existence) and accounts payable/inventory (existence, valuation, 
and completeness) would be prevented or detected on a timely basis, 
the auditor decided to test the programmed application control of 
matching the receiver, purchase order, and invoice as well as the 
review and follow-up control over unmatched items.
    Nature, Timing, and Extent of Procedures. To test the programmed 
application control, the auditor:
    a. Identified, through discussion with company personnel, the 
software used to process receipts and purchase invoices. The 
software used was a third-party package consisting of a number of 
modules.
    b. Determined, through further discussion with company 
personnel, that they do not modify the core functionality of the 
software, but sometimes make personalized changes to reports to meet 
the changing needs of the business. From previous experience with 
the company's information technology environment, the auditor 
believes that such changes are infrequent and that information 
technology process controls are well established.
    c. Established, through further discussion, that the inventory 
module operated the receiving functionality, including the matching 
of receipts to open purchase orders. Purchase invoices were 
processed in the accounts payable module, which matched them to an 
approved purchase order against which a valid receipt has been made. 
That module also produced the Unmatched Items Report, a standard 
report supplied with the package to which the company has not made 
any modifications. That information was agreed to the supplier's 
documentation and to documentation within the information technology 
department.
    d. Identified, through discussions with the client and review of 
the supplier's documentation, the names, file sizes (in bytes), and 
locations of the executable files (programs) that operate the 
functionality under review. The auditor then identified the 
compilation dates of the programs and agreed them to the original 
installation date of the application. The compilation date of the 
report code was agreed to documentation held within the information 
technology department relating to the last change made to that 
report (a change in formatting).
    e. Identified the objectives of the programs to be tested. The 
auditor wanted to determine whether appropriate items are received 
(for example, match a valid purchase order), appropriate purchase 
invoices are posted (for example, match a valid receipt and purchase 
order, non-duplicate reference numbers) and unmatched items (for 
example, receipts, orders or invoices) are listed on the exception 
report. The auditor then reperformed all those variations in the 
packages on a test-of-one basis to determine that the programs 
operated as described.
    In addition, the auditor had evaluated and tested general 
computer controls, including program changes (for example, 
confirmation that no unauthorized changes are undertaken to the 
functionality and that changes to reports are appropriately 
authorized, tested, and approved before being applied) and logical 
access (for example, user access to the inventory and accounts 
payable modules and access to the area on the system where report 
code is maintained), and concluded that they were operating 
effectively. (Since the computer is deemed to operate in a 
systematic manner, the auditor concluded that it was sufficient to 
perform a walkthrough for only the one item.)
    To determine whether the programmed control was operating 
effectively, the auditor performed a walkthrough in the month of 
July. As a result of the walkthrough, the auditor performed and 
documented the following items:
    a. Receiving cannot record the receipt of goods without matching 
the receipt to a purchase order on the system. The auditor tested 
that control by attempting to record the receipt of goods into the 
system without a purchase order. However, the system did not allow 
the auditor to do that. Rather, the system produced an error message 
stating that the goods could not be recorded as received without an 
active purchase order.
    b. An invoice will not be paid unless the system can match the 
receipt and vendor invoice to an approved purchase order. The 
auditor tested that control by attempting to approve an invoice for 
payment in the system. The system did not allow the auditor to do 
that. Rather, it produced an error message indicating that invoices 
could not be paid without an active purchase order and receiver.
    c. The system disallows the processing of invoices with 
identical vendor and identical invoice numbers. In addition, the 
system will not allow two invoices to be processed against the same 
purchase order unless the sum of the invoices is less than the 
amount approved on the purchase order. The auditor tested that 
control by attempting to process duplicate invoices. However, the 
system produced an error message indicating that the invoice had 
already been processed.
    d. The system compares the invoice amounts to the purchase 
order. If there are differences in quantity/extended price, and such 
differences fall outside a pre-approved tolerance, the system does 
not allow the invoice to be processed. The auditor tested that 
control by attempting to process an invoice that had quantity/price 
differences outside the tolerance level of 10 pieces, or $1,000. The 
system produced an error message indicating that the invoice could 
not be processed because of such differences.
    e. The system processes payments only for vendors established in 
the vendor master file. The auditor tested that control by 
attempting to process an invoice for a vendor that was not 
established in the vendor master file. However, the system did not 
allow the payment to be processed.
    f. The auditor tested user access to the vendor file and whether 
such users can make modifications to such file by attempting to 
access and make changes to the vendor tables. However, the system 
did not allow the auditor to perform that function and produced an 
error message stating that the user was not authorized to perform 
that function.
    g. The auditor verified the completeness and accuracy of the 
Unmatched Items Report by verifying that one unmatched item was on 
the report and one matched item was not on the report.

    Note: It is inadvisable for the auditor to have uncontrolled 
access to the company's systems in his or her attempts described 
above to record the receipt of goods without a purchase order, 
approve an invoice for payment, process duplicate invoices, etc. 
These procedures ordinarily are performed in the presence of 
appropriate company personnel so that they can be notified 
immediately of any breach to their systems.
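
    The programmed checks probed in items a through e and g above can be modelled as follows. This Python model is an added illustration, not part of the standard and not code from any accounting package; the class names, reason codes, sample data, and the choice of which rejections appear on the Unmatched Items Report are assumptions. The cumulative-invoice rule in item c and the access test in item f are not modelled.

```python
from dataclasses import dataclass
from decimal import Decimal

# Tolerance values quoted in Example B-4, item d.
QTY_TOLERANCE = 10                  # pieces
PRICE_TOLERANCE = Decimal("1000")   # dollars


class ControlRejected(Exception):
    """Raised when a programmed control blocks a transaction."""
    def __init__(self, code):
        super().__init__(code)
        self.code = code            # hypothetical reason code


@dataclass(frozen=True)
class PurchaseOrder:
    po_no: str
    vendor: str
    qty: int
    amount: Decimal
    active: bool = True


@dataclass(frozen=True)
class Invoice:
    vendor: str
    invoice_no: str
    po_no: str
    qty: int
    amount: Decimal


class PayablesSystem:
    def __init__(self, vendor_master, purchase_orders):
        self.vendor_master = set(vendor_master)
        self.pos = {po.po_no: po for po in purchase_orders}
        self.received = {}      # po_no -> quantity received
        self.processed = set()  # (vendor, invoice_no) already accepted
        self.unmatched = []     # rows of the Unmatched Items Report
        self.payable = []       # invoices cleared for payment

    def _active_po(self, po_no):
        po = self.pos.get(po_no)
        return po if po is not None and po.active else None

    def _to_report(self, inv, code):
        # Assumption: only three-way-match failures reach the report.
        self.unmatched.append((inv.invoice_no, code))
        raise ControlRejected(code)

    def record_receipt(self, po_no, qty):
        # Item a: no receipt without an active purchase order.
        if self._active_po(po_no) is None:
            raise ControlRejected("NO_ACTIVE_PO")
        self.received[po_no] = self.received.get(po_no, 0) + qty

    def process_invoice(self, inv):
        # Item e: vendor must exist in the vendor master file.
        if inv.vendor not in self.vendor_master:
            raise ControlRejected("VENDOR_NOT_IN_MASTER")
        # Item c (first part): same vendor and invoice number is a duplicate.
        if (inv.vendor, inv.invoice_no) in self.processed:
            raise ControlRejected("DUPLICATE_INVOICE")
        # Item b: needs an active purchase order and a receiver.
        po = self._active_po(inv.po_no)
        if po is None or inv.po_no not in self.received:
            self._to_report(inv, "NO_PO_OR_RECEIVER")
        # Item d: quantity / extended price must be within tolerance.
        if (abs(inv.qty - po.qty) > QTY_TOLERANCE
                or abs(inv.amount - po.amount) > PRICE_TOLERANCE):
            self._to_report(inv, "OUTSIDE_TOLERANCE")
        self.processed.add((inv.vendor, inv.invoice_no))
        self.payable.append(inv)


def attempt(action, *args):
    """Run one transaction and return the outcome an auditor would record."""
    try:
        action(*args)
        return "ACCEPTED"
    except ControlRejected as exc:
        return exc.code


def test_of_one():
    """Replay the attempts in items a-e and g against constructed data."""
    system = PayablesSystem(
        vendor_master={"V-100"},
        purchase_orders=[
            PurchaseOrder("PO-1", "V-100", 100, Decimal("5000.00")),
            PurchaseOrder("PO-2", "V-100", 50, Decimal("2500.00")),
        ],
    )
    good = Invoice("V-100", "INV-1", "PO-1", 100, Decimal("5000.00"))
    results = {"a": attempt(system.record_receipt, "PO-404", 10)}
    results["b"] = attempt(system.process_invoice,  # PO-2 has no receiver yet
                           Invoice("V-100", "INV-2", "PO-2", 50, Decimal("2500.00")))
    system.record_receipt("PO-1", 100)
    results["matched"] = attempt(system.process_invoice, good)
    results["c"] = attempt(system.process_invoice, good)
    system.record_receipt("PO-2", 50)
    results["d"] = attempt(system.process_invoice,  # 11 pieces over the order
                           Invoice("V-100", "INV-3", "PO-2", 61, Decimal("3050.00")))
    results["e"] = attempt(system.process_invoice,
                           Invoice("V-999", "INV-9", "PO-1", 100, Decimal("5000.00")))
    # Item g: unmatched items are on the report, the matched one is not.
    results["g"] = sorted(no for no, _ in system.unmatched)
    return results
```

    Each entry returned by test_of_one() corresponds to one attempt in the walkthrough, so an unexpected "ACCEPTED" marks the control that failed to block the transaction.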

    To test the detect control of review and follow up on the 
Unmatched Items Report, the auditor performed the following 
procedures in the month of July for the period January to July:
    a. Made inquiries of company personnel. To gain an understanding 
of the procedures in place to ensure that all unmatched items are 
followed up properly and that corrections are made on a timely 
basis, the auditor made inquiries of the employee who follows up on 
the weekly Unmatched Items Reports. On a weekly basis, the control 
required the employee to review the Unmatched Items Report to 
determine why items appear on it. The employee's review includes 
proper follow-up on items, including determining whether:
     All open purchase orders are either closed or 
voided within an acceptable amount of time.
     The requesting party is notified periodically 
of the status of the purchase order and the reason for its current 
status.
     The reason the purchase order remains open is 
due to incomplete shipment of goods and, if so, whether the vendor 
has been notified.
     There are quantity problems that should be 
discussed with purchasing.
    b. Observed the performance of the control. The auditor observed 
the employee performing the control for the Unmatched Items Reports 
generated during the first week in July.
    c. Reperformed the control. The auditor selected five weekly 
Unmatched Items Reports, selected several items from each, and 
reperformed the procedures that the employee performed. The auditor 
also scanned other Unmatched Items Reports to determine that the 
control was performed throughout the period of intended reliance.
    To determine that the company had not made significant changes 
in their controls from interim to year-end, the auditor discussed 
with company personnel the procedures in place for making such 
changes. Since the procedures had not changed from interim to year-
end, the auditor observed that the controls were still in place by 
scanning the weekly Unmatched Items Reports to determine that the 
control was performed on a timely basis during the interim to year-
end period.
    Based on the auditor's procedures, the auditor concluded that 
the employee was clearing exceptions in a timely manner and that the 
control was operating effectively as of year-end.

Appendix C--Safeguarding of Assets

    C1. Safeguarding of assets is defined in paragraph 7 as those 
policies and procedures that ``provide reasonable assurance 
regarding prevention or timely detection of unauthorized 
acquisition, use or disposition of the company's assets that could 
have a material effect on the financial statements.'' This 
definition is consistent with the definition provided in the 
Committee of Sponsoring Organizations (COSO) of the Treadway 
Commission's Addendum, Reporting to External Parties, which provides 
the following definition of internal control over safeguarding of 
assets:
    Internal control over safeguarding of assets against 
unauthorized acquisition, use or disposition is a process, effected 
by an entity's board of directors, management and other personnel, 
designed to provide reasonable assurance regarding prevention or 
timely detection of unauthorized acquisition, use, or disposition of 
the entity's assets that could have a material effect on the 
financial statements. Such internal control can be judged effective 
if the board of directors and management have reasonable assurance 
that unauthorized acquisition, use or disposition of the entity's 
assets that could have a material effect on the financial statements 
is being prevented or detected on a timely basis.
    C2. For example, a company has safeguarding controls over 
inventory tags (preventive controls) and also performs periodic 
physical inventory counts (detective control) timely in relation to 
its quarterly and annual financial reporting dates. Although the 
physical inventory count does not safeguard the inventory from theft 
or loss, it prevents a material misstatement to the financial 
statements if performed effectively and timely.
    C3. Therefore, given that the definitions of material weakness 
and significant deficiency relate to the likelihood of misstatement 
of the financial statements, the failure of a preventive control 
such as inventory tags will not result in a significant deficiency 
or material weakness if the detective control (physical inventory) 
prevents a misstatement of the financial statements. The COSO 
Addendum also indicates that to the extent that such losses might 
occur, controls over financial reporting are effective if they 
provide reasonable assurance that those losses are properly 
reflected in the financial statements, thereby alerting financial 
statement users to consider the need for action.
    Note: Properly reflected in the financial statements includes 
both correctly recording the loss and adequately disclosing the 
loss.
    C4. Material weaknesses relating to controls over the 
safeguarding of assets would only exist when the company does not 
have effective controls (considering both safeguarding and other 
controls) to prevent or detect a material misstatement of the 
financial statements.
    C5. Furthermore, management's plans that could potentially 
affect financial reporting in future periods are not controls. For 
example, a company's business continuity or contingency planning has 
no effect on the company's current abilities to initiate, authorize, 
record, process, or report financial data. Therefore, a company's 
business continuity or contingency planning is not part of internal 
control over financial reporting.
    C6. The COSO Addendum provides further information about 
safeguarding of assets as it relates to internal control over 
financial reporting.

Appendix D--Examples of Significant Deficiencies and Material 
Weaknesses

    D1. Paragraph 8 of this standard defines a control deficiency. 
Paragraphs 9 and 10 go on to define a significant deficiency and a 
material weakness, respectively.
    D2. Paragraphs 22 through 23 of this standard discuss 
materiality in an audit of internal control over financial 
reporting, and paragraphs 130 through 140 provide additional 
direction on evaluating deficiencies in internal control over 
financial reporting.
    D3. The following examples illustrate how to evaluate the 
significance of internal control deficiencies in various situations. 
These examples are for illustrative purposes only.

Example D-1.--Reconciliations of Intercompany Accounts Are Not 
Performed on a Timely Basis

Scenario A--Significant Deficiency

    The company processes a significant number of routine 
intercompany transactions on a monthly basis. Individual 
intercompany transactions are not material and primarily relate to 
balance sheet activity, for example, cash transfers between business 
units to finance normal operations.
    A formal management policy requires monthly reconciliation of 
intercompany accounts and confirmation of balances between business 
units. However, there is not a process in place to ensure 
performance of these procedures. As a result, detailed 
reconciliations of intercompany accounts are not performed on a 
timely basis. Management does perform monthly procedures to 
investigate selected large-dollar intercompany account differences. 
In addition, management prepares a detailed monthly variance 
analysis of operating expenses to assess their reasonableness.
    Based only on these facts, the auditor should determine that 
this deficiency represents a significant deficiency for the 
following reasons: The magnitude of a financial statement 
misstatement resulting from this deficiency would reasonably be 
expected to be more than inconsequential, but less than material, 
because individual intercompany transactions are not material, and 
the compensating controls operating monthly should detect a material 
misstatement. Furthermore, the transactions are primarily restricted 
to balance sheet accounts. However, the compensating detective 
controls are designed only to detect material misstatements. The 
controls do not address the detection of misstatements that are more 
than inconsequential but less than material. Therefore, the 
likelihood that a misstatement that was more than inconsequential, 
but less than material, could occur is more than remote.

Scenario B--Material Weakness

    The company processes a significant number of intercompany 
transactions on a monthly basis. Intercompany transactions relate to 
a wide range of activities, including transfers of inventory with 
intercompany profit between business units, allocation of research 
and development costs to business units and corporate charges. 
Individual intercompany transactions are frequently material.
    A formal management policy requires monthly reconciliation of 
intercompany accounts and confirmation of balances between business 
units. However, there is not a process in place to ensure that these 
procedures are performed on a consistent basis. As a result, 
reconciliations of intercompany accounts are not performed on a 
timely basis, and differences in intercompany accounts are frequent 
and significant. Management does not perform any alternative 
controls to investigate significant intercompany account 
differences.
    Based only on these facts, the auditor should determine that 
this deficiency represents a material weakness for the following 
reasons: The magnitude of a financial statement misstatement 
resulting from this deficiency would reasonably be expected to be 
material, because individual intercompany transactions are 
frequently material and relate to a wide range of activities. 
Additionally, actual unreconciled differences in intercompany 
accounts have been, and are, material. The likelihood of such a 
misstatement is more than remote because such misstatements have 
frequently occurred and compensating controls are not effective, 
either because they are not properly designed or not operating 
effectively. Taken together, the magnitude and likelihood of 
misstatement of the financial statements resulting from this 
internal control deficiency meet the definition of a material 
weakness.

Example D-2.--Modifications to Standard Sales Contract Terms Not 
Reviewed To Evaluate Impact on Timing and Amount of Revenue Recognition

Scenario A--Significant Deficiency

    The company uses a standard sales contract for most 
transactions. Individual sales transactions are not material to the 
entity. Sales personnel are allowed to modify sales contract terms. 
The company's accounting function reviews significant or unusual 
modifications to the sales contract terms, but does not review 
changes in the standard shipping terms. The changes in the standard 
shipping terms could require a delay in the timing of revenue 
recognition. Management reviews gross margins on a monthly basis and 
investigates any significant or unusual relationships. In addition, 
management reviews the reasonableness of inventory levels at the end 
of each accounting period. The entity has

[[Page 20709]]

experienced limited situations in which revenue has been 
inappropriately recorded in advance of shipment, but amounts have 
not been material.
    Based only on these facts, the auditor should determine that 
this deficiency represents a significant deficiency for the 
following reasons: The magnitude of a financial statement 
misstatement resulting from this deficiency would reasonably be 
expected to be more than inconsequential, but less than material, 
because individual sales transactions are not material and the 
compensating detective controls operating monthly and at the end of 
each financial reporting period should reduce the likelihood of a 
material misstatement going undetected. Furthermore, the risk of 
material misstatement is limited to revenue recognition errors 
related to shipping terms as opposed to broader sources of error in 
revenue recognition. However, the compensating detective controls 
are only designed to detect material misstatements. The controls do 
not effectively address the detection of misstatements that are more 
than inconsequential but less than material, as evidenced by 
situations in which transactions that were not material were 
improperly recorded. Therefore, there is a more than remote 
likelihood that a misstatement that is more than inconsequential but 
less than material could occur.

Scenario B--Material Weakness

    The company has a standard sales contract, but sales personnel 
frequently modify the terms of the contract. The nature of the 
modifications can affect the timing and amount of revenue 
recognized. Individual sales transactions are frequently material to 
the entity, and the gross margin can vary significantly for each 
transaction.
    The company does not have procedures in place for the accounting 
function to regularly review modifications to sales contract terms. 
Although management reviews gross margins on a monthly basis, the 
significant differences in gross margins on individual transactions 
make it difficult for management to identify potential 
misstatements. Improper revenue recognition has occurred, and the 
amounts have been material. Based only on these facts, the auditor 
should determine that this deficiency represents a material weakness 
for the following reasons: The magnitude of a financial statement 
misstatement resulting from this deficiency would reasonably be 
expected to be material, because individual sales transactions are 
frequently material, and gross margin can vary significantly with 
each transaction (which would make compensating detective controls 
based on a reasonableness review ineffective). Additionally, 
improper revenue recognition has occurred, and the amounts have been 
material. Therefore, the likelihood of material misstatements 
occurring is more than remote. Taken together, the magnitude and 
likelihood of misstatement of the financial statements resulting 
from this internal control deficiency meet the definition of a 
material weakness.

Scenario C--Material Weakness

    The company has a standard sales contract, but sales personnel 
frequently modify the terms of the contract. Sales personnel 
frequently grant unauthorized and unrecorded sales discounts to 
customers without the knowledge of the accounting department. These 
amounts are deducted by customers in paying their invoices and are 
recorded as outstanding balances on the accounts receivable aging. 
Although these amounts are individually insignificant, they are 
material in the aggregate and have occurred consistently over the 
past few years.
    Based on only these facts, the auditor should determine that 
this deficiency represents a material weakness for the following 
reasons: The magnitude of a financial statement misstatement 
resulting from this deficiency would reasonably be expected to be 
material, because the frequency of occurrence allows insignificant 
amounts to become material in the aggregate. The likelihood of 
material misstatement of the financial statements resulting from 
this internal control deficiency is more than remote (even assuming 
that the amounts were fully reserved for in the company's allowance 
for uncollectible accounts) due to the likelihood of material 
misstatement of the gross accounts receivable balance. Therefore, 
this internal control deficiency meets the definition of a material 
weakness.

Example D-3.--Identification of Several Deficiencies

Scenario A--Material Weakness

    During its assessment of internal control over financial 
reporting, management identified the following deficiencies. Based 
on the context in which the deficiencies occur, management and the 
auditor agree that these deficiencies individually represent 
significant deficiencies:
    * Inadequate segregation of duties over certain 
information system access controls.
    * Several instances of transactions that were 
not properly recorded in subsidiary ledgers; transactions were not 
material, either individually or in the aggregate.
    * A lack of timely reconciliations of the 
account balances affected by the improperly recorded transactions.
    Based only on these facts, the auditor should determine that the 
combination of these significant deficiencies represents a material 
weakness for the following reasons: Individually, these deficiencies 
were evaluated as representing a more than remote likelihood that a 
misstatement that is more than inconsequential, but less than 
material, could occur. However, each of these significant 
deficiencies affects the same set of accounts. Taken together, these 
significant deficiencies represent a more than remote likelihood 
that a material misstatement could occur and not be prevented or 
detected. Therefore, in combination, these significant deficiencies 
represent a material weakness.

Scenario B--Material Weakness

    During its assessment of internal control over financial 
reporting, management of a financial institution identifies 
deficiencies in: the design of controls over the estimation of 
credit losses (a critical accounting estimate); the operating 
effectiveness of controls for initiating, processing, and reviewing 
adjustments to the allowance for credit losses; and the operating 
effectiveness of controls designed to prevent and detect the 
improper recognition of interest income. Management and the auditor 
agree that, in their overall context, each of these deficiencies 
individually represents a significant deficiency.
    In addition, during the past year, the company experienced a 
significant level of growth in the loan balances that were subjected 
to the controls governing credit loss estimation and revenue 
recognition, and further growth is expected in the upcoming year. 
Based only on these facts, the auditor should determine that the 
combination of these significant deficiencies represents a material 
weakness for the following reasons:
    * The balances of the loan accounts affected by 
these significant deficiencies have increased over the past year and 
are expected to increase in the future.
    * This growth in loan balances, coupled with 
the combined effect of the significant deficiencies described, 
results in a more than remote likelihood that a material 
misstatement of the allowance for credit losses or interest income 
could occur.
    Therefore, in combination, these deficiencies meet the 
definition of a material weakness.

Appendix E--Background and Basis for Conclusions

 
               Table of Contents                        Paragraph

Introduction                                            E1
Background                                              E2-E9
Fundamental Scope of the Auditors' Work in an Audit     E10-E19
  of Internal Control Over Financial Reporting
Reference to Audit vs. Attestation                      E20-E24
Form of the Auditor's Opinion                           E25-E28
Use of the Work of Others                               E29-E50
Walkthroughs                                            E51-E57
Small Business Issues                                   E58-E60
Evaluation of the Effectiveness of the Audit            E61-E69
  Committee
Definitions of Significant Deficiency and Material      E70-E93
  Weakness
Strong Indicators of Material Weaknesses and De         E94-E100
  Facto Significant Deficiencies

[[Page 20710]]

Independence                                            E101-E104
Requirement for Adverse Opinion When a Material         E105-E115
  Weakness Exists
Rotating Tests of Controls                              E116-E122
Mandatory Integration with the Audit of the             E123-E130
  Financial Statements

Introduction

    E1. This appendix summarizes factors that the Public Company 
Accounting Oversight Board (the ``Board'') deemed significant in 
reaching the conclusions in the standard. This appendix includes 
reasons for accepting certain views and rejecting others.

Background

    E2. Section 404(a) of the Sarbanes-Oxley Act of 2002 (the 
``Act''), and the Securities and Exchange Commission's (SEC) related 
implementing rules, require the management of a public company to 
assess the effectiveness of the company's internal control over 
financial reporting, as of the end of the company's most recent 
fiscal year. Section 404(a) of the Act also requires management to 
include in the company's annual report to shareholders management's 
conclusion as a result of that assessment of whether the company's 
internal control over financial reporting is effective.
    E3. Sections 103(a)(2)(A) and 404(b) of the Act direct the Board 
to establish professional standards governing the independent 
auditor's attestation and reporting on management's assessment of 
the effectiveness of internal control over financial reporting.
    E4. The backdrop for the development of the Board's first major 
auditing standard was, of course, the spectacular audit failures and 
corporate malfeasance that led to the passage of the Act. Although 
all of the various components of the Act work together to help 
restore investor confidence and help prevent the types of financial 
reporting breakdowns that lead to the loss of investor confidence, 
section 404 of the Act is certainly one of the most visible and 
tangible changes required by the Act.
    E5. The Board believes that effective controls provide the 
foundation for reliable financial reporting. Congress believed this 
too, which is why the new reporting by management and the auditor on 
the effectiveness of internal control over financial reporting 
received such prominent attention in the Act. Internal control over 
financial reporting enhances a company's ability to produce fair and 
complete financial reports. Without reliable financial reports, 
making good judgments and decisions about a company becomes very 
difficult for anyone, including the board of directors, management, 
employees, investors, lenders, customers, and regulators. The 
auditor's reporting on management's assessment of the effectiveness 
of internal control over financial reporting provides users of that 
report with important assurance about the reliability of the 
company's financial reporting.
    E6. The Board's efforts to develop this standard were an outward 
expression of the Board's mission, ``to protect the interests of 
investors and further the public interest in the preparation of 
informative, fair, and independent audit reports.'' As part of 
fulfilling that mission as it relates to this standard, the Board 
considered the advice that respected groups had offered to other 
auditing standards setters in the past. For example, the Public 
Oversight Board's Panel on Audit Effectiveness recommended that 
``auditing standards need to provide clear, concise and definitive 
imperatives for auditors to follow.''\39\ As another example, the 
International Organization of Securities Commissions advised the 
International Auditing and Assurance Standards Board ``that the 
IAASB must take care to avoid language that could inadvertently 
encourage inappropriate shortcuts in audits, at a time when rigorous 
audits are needed more than ever to restore investor 
confidence.''\40\
---------------------------------------------------------------------------

    \39\ Panel on Audit Effectiveness, Report and Recommendations, 
sec. 2.228 (August 31, 2000).
    \40\ April 8, 2003 comment letter from the International 
Organization of Securities Commissions to the International Auditing 
and Assurance Standards Board regarding the proposed international 
standards on audit risk (Amendment to ISA 200, ``Objective and 
Principles Governing an Audit of Financial Statements;'' proposed 
ISAs, ``Understanding the Entity and Its Environment and Assessing 
the Risks of Material Misstatement;'' ``Auditor's Procedures in 
Response to Assessed Risks;'' and ``Audit Evidence'').
---------------------------------------------------------------------------

    E7. The Board understood that, to effectively fulfill its 
mission and for this standard to achieve its ultimate goal of 
restoring investor confidence by increasing the reliability of 
public company financial reporting, the Board's standard must 
contain clear directions to the auditor consistent with investors' 
expectations that the reliability of financial reporting be 
significantly improved. Just as important, the Board recognized that 
this standard must appropriately balance the costs to implement the 
standard's directions with the benefits of achieving these important 
goals. As a result, all of the Board's decisions about this standard 
were guided by the additional objective of creating a rational 
relationship between costs and benefits.
    E8. When the Board adopted its interim attestation standards in 
Rule 3300T on an initial, transitional basis, the Board adopted a 
pre-existing standard governing an auditor's attestation on internal 
control over financial reporting.\41\ As part of the Board's process 
of evaluating that pre-existing standard, the Board convened a 
public roundtable discussion on July 29, 2003 to discuss issues and 
hear views related to reporting on internal control over financial 
reporting. The participants at the roundtable included 
representatives from public companies, accounting firms, investor 
groups, and regulatory organizations. Based on comments made at the 
roundtable, advice from the Board's staff, and other input the Board 
received, the Board determined that the pre-existing standard 
governing an auditor's attestation on internal control over 
financial reporting was insufficient for effectively implementing 
the requirements of Section 404 of the Act and for the Board to 
appropriately discharge its standard-setting obligations under 
Section 103(a) of the Act. In response, the Board developed and 
issued, on October 7, 2003, a proposed auditing standard titled, An 
Audit of Internal Control Over Financial Reporting Performed in 
Conjunction with An Audit of Financial Statements.
---------------------------------------------------------------------------

    \41\ The pre-existing standard is Chapter 5, ``Reporting on an 
Entity's Internal Control Over Financial Reporting'' of Statement on 
Standards for Attestation Engagements (SSAE) No. 10, Attestation 
Standards: Revision and Recodification (AICPA, Professional 
Standards, Vol. 1, AT sec. 501). SSAE No. 10 has been codified into 
AICPA Professional Standards, Volume 1, as AT sections 101 through 
701.
---------------------------------------------------------------------------

    E9. The Board received 189 comment letters on a broad array of 
topics from a variety of commenters, including auditors, investors, 
internal auditors, issuers, regulators, and others. Those comments 
led to changes in the standard, intended to make the requirements of 
the standard clearer and more operational. This appendix summarizes 
significant views expressed in those comment letters and the Board's 
responses.

Fundamental Scope of the Auditor's Work in an Audit of Internal Control 
Over Financial Reporting

    E10. The proposed standard stated that the auditor's objective 
in an audit of internal control over financial reporting was to 
express an opinion on management's assessment of the effectiveness 
of the company's internal control over financial reporting. To 
render such an opinion, the proposed standard required the auditor 
to obtain reasonable assurance about whether the company maintained, 
in all material respects, effective internal control over financial 
reporting as of the date specified in management's report. To obtain 
reasonable assurance, the auditor was required to evaluate both 
management's process for making its assessment and the effectiveness 
of internal control over financial reporting.
    E11. Virtually all investors and auditors who submitted comment 
letters expressed support for this approach. Other commenters, 
primarily issuers, expressed concerns that this approach was 
contrary to the intent of Congress and, therefore, beyond what was 
specifically required by Section 404 of the Act. Further, issuers 
stated their views that this approach would lead to unnecessary and 
excessive costs. Some commenters in this group suggested the 
auditor's work should be limited to evaluating management's 
assessment process and the testing performed by management and 
internal audit. Others acknowledged that the auditor would need to 
test at least some controls directly in addition to evaluating and 
testing management's assessment process. However, these

[[Page 20711]]

commenters described various ways in which the auditor's own testing 
could be significantly reduced from the scope expressed in the 
proposed standard. For instance, they proposed that the auditor 
could be permitted to use the work of management and others to a 
much greater degree; that the auditor could use a ``risk analysis'' 
to identify only a few controls to be tested; and a variety of other 
methods to curtail the extent of the auditor's work. Of those 
opposed to the scope, most cited their belief that the scope of work 
embodied in the standard would lead to a duplication of effort 
between management and the auditor which would needlessly increase 
costs without adding significant value.
    E12. After considering the comments, the Board retained the 
approach described in the proposed standard. The Board concluded 
that the approach taken in the standard is consistent with the 
intent of Congress. Also, to provide the type of report, at the 
level of assurance called for in Sections 103 and 404, the Board 
concluded that the auditor must evaluate both management's 
assessment process and the effectiveness of internal control over 
financial reporting. Finally, the Board noted the majority of the 
cost to be borne by companies (and ultimately investors) results 
directly from the work the company will have to perform to maintain 
effective internal control over financial reporting and to comply 
with Section 404(a) of the Act. The cost of the auditor's work as 
described in this standard ultimately will represent a smaller 
portion of the total cost to companies of implementing Section 404.
    E13. The Board noted that large, federally insured financial 
institutions have had a similar internal control reporting 
requirement for over ten years. The Federal Deposit Insurance 
Corporation Improvement Act of 1991 (FDICIA) has required, since 
1993, managements of large financial institutions to make an 
assessment of internal control over financial reporting 
effectiveness and the institution's independent auditor to issue an 
attestation report on management's assessment.
    E14. The attestation standards under which FDICIA engagements 
are currently performed are clear that, when performing an 
examination of management's assertion on the effectiveness of 
internal control over financial reporting (management's report on 
the assessment required by Section 404(a) of the Act must include a 
statement as to whether the company's internal control over 
financial reporting is effective), the auditor may express an 
opinion either on management's assertion (that is, whether 
management's assessment about the effectiveness of the internal 
control over financial reporting is fairly stated) or directly on 
the subject matter (that is, whether the internal control over 
financial reporting is effective) because the level of work that 
must be performed is the same in either case.
    E15. The Board observed that Congress indicated an intent to 
require an examination level of work in Section 103(a) of the Act, 
which states, in part, that each registered public accounting firm 
shall: Describe in each audit report the scope of the auditor's 
testing of the internal control structure and procedures of the 
issuer, required by Section 404(b), and present (in such report or 
in a separate report)--
    (I) the findings of the auditor from such testing;
    (II) an evaluation of whether such internal control structure 
and procedures--
    (aa) include maintenance of records that in reasonable detail 
accurately reflect the transactions and dispositions of the assets 
of the issuer;
    (bb) provide reasonable assurance that transactions are recorded 
as necessary to permit preparation of financial statements in 
accordance with generally accepted accounting principles, and that 
receipts and expenditures of the issuer are being made only in 
accordance with authorizations of management and directors of the 
issuer; and
    (III) a description, at a minimum, of material weaknesses in 
such internal controls, and of any material noncompliance found on 
the basis of such testing. [emphasis added].
    E16. The Board concluded that the auditor must test internal 
control over financial reporting directly, in the manner and extent 
described in the standard, to make the evaluation described in 
Section 103. The Board also interpreted Section 103 to provide 
further support that the intent of Congress was to require an 
opinion on the effectiveness of internal control over financial 
reporting.
    E17. The Board concluded that the auditor must obtain a high 
level of assurance that the conclusion expressed in management's 
assessment is correct to provide an opinion on management's 
assessment. An auditing process restricted to evaluating what 
management has done would not provide the auditor with a 
sufficiently high level of assurance that management's conclusion is 
correct. Instead, it is necessary for the auditor to evaluate 
management's assessment process to be satisfied that management has 
an appropriate basis for its statement, or assertion, about the 
effectiveness of the company's internal control over financial 
reporting. It also is necessary for the auditor to directly test the 
effectiveness of internal control over financial reporting to be 
satisfied that management's conclusion is correct, and that 
management's assertion is fairly stated.
    E18. This testing takes on added importance with the public 
nature of the internal control reporting. Because of the auditor's 
association with a statement by management that internal control 
over financial reporting is effective, it is reasonable for a user 
of the auditor's report to expect that the auditor tested the 
effectiveness of internal control over financial reporting. For the 
auditor to do otherwise would create an expectation gap, in which 
the assurance that the auditor obtained is less than what users 
reasonably expect.
    E19. Auditors, investors, and the Federal bank regulators 
reaffirmed in their comment letters on the proposed auditing 
standard that the fundamental approach taken by the Board was 
appropriate and necessary. Investors were explicit in their 
expectation that the auditor must test the effectiveness of controls 
directly in addition to evaluating management's assessment process. 
Investors further recognized that this kind of assurance would come 
at a price and expressed their belief that the cost of the 
anticipated benefits was reasonable. The federal banking regulators, 
based on their experience examining financial institutions' internal 
control assessments and independent auditors' attestation reports 
under FDICIA, commented that the proposed auditing standard was a 
significant improvement over the existing attestation standard.

Reference To Audit vs. Attestation

    E20. The proposed standard referred to the attestation required 
by Section 404(b) of the Act as the audit of internal control over 
financial reporting instead of an attestation of management's 
assessment. The proposed standard took that approach both because 
the auditor's objective is to express an opinion on management's 
assessment of the effectiveness of internal control over financial 
reporting, just as the auditor's objective in an audit of the 
financial statements is to express an opinion on the fair 
presentation of the financial statements, and because the level of 
assurance obtained by the auditor is the same in both cases. 
Furthermore, the proposed standard described an integrated audit of 
the financial statements and internal control over financial 
reporting and allowed the auditor to express his or her opinions on 
the financial statements and on the effectiveness of internal 
control in separate reports or in a single, combined report.
    E21. Commenters' views on this matter frequently were related to 
their views on whether the proposed scope of the audit was 
appropriate. Those who agreed that the scope in the proposed 
standard was appropriate generally agreed that referring to the 
engagement as an audit was appropriate. On the other hand, 
commenters who objected to the scope of work described in the 
proposed standard often drew an important distinction between an 
audit and an attestation. Because Section 404 calls for an 
attestation, they believed it was inappropriate to call the 
engagement anything else (or to mandate a scope that called for a 
more extensive level of work).
    E22. Based, in part, on the Board's decisions about the scope of 
the audit of internal control over financial reporting, the Board 
concluded that the engagement should continue to be referred to as 
an ``audit.'' This term emphasizes the nature of the auditor's 
objective and communicates that objective most clearly to report 
users. Use of this term also is consistent with the integrated 
approach described in the standard and the requirement in Section 
404 of the Act that this reporting not be subject to a separate 
engagement.
    E23. Because the Board's standard on internal control is an 
auditing standard, it is preferable to use the term audit to 
describe the engagement rather than the term examination, which is 
used in the attestation standards to describe an engagement designed 
to provide a high level of assurance.
    E24. Finally, the Board believes that using the term audit helps 
dispel the misconception that an audit of internal

[[Page 20712]]

control over financial reporting is a different level of service 
than an attestation of management's assessment of internal control 
over financial reporting.

Form of the Auditor's Opinion

    E25. The proposed auditing standard required that the auditor's 
opinion in his or her report state whether management's assessment 
of the effectiveness of the company's internal control over 
financial reporting as of the specified date is fairly stated, in 
all material respects, based on the control criteria. However, the 
proposed standard also stated that nothing precluded the auditor 
from auditing management's assessment and opining directly on the 
effectiveness of internal control over financial reporting. This is 
because the scope of the work, as defined by the proposed standard, 
was the same, regardless of whether the auditor reports on 
management's assessment or directly on the effectiveness of internal 
control over financial reporting. The form of the opinion was 
essentially interchangeable between the two.
    E26. However, if the auditor planned to issue other than an 
unqualified opinion, the proposed standard required the auditor to 
report directly on the effectiveness of the company's internal 
control over financial reporting rather than on management's 
assessment. The Board initially concluded that expressing an opinion 
on management's assessment, in these circumstances, did not most 
effectively communicate the auditor's conclusion that internal 
control was not effective. For example, if management expresses an 
adverse assessment because a material weakness exists at the date of 
management's assessment (`` * * * internal control over financial 
reporting is not effective * * *'') and the auditor expresses his or 
her opinion on management's assessment (`` * * * management's 
assessment that internal control over financial reporting is not 
effective is fairly stated, in all material respects * * * ''), a 
reader might not be clear about the results of the auditor's testing 
and about the auditor's conclusions. The Board initially decided 
that reporting directly on the effectiveness of the company's 
internal control over financial reporting better communicates to 
report users the effect of such conditions, because direct reporting 
more clearly states the auditor's conclusions about the 
effectiveness of internal control over financial reporting (``In our 
opinion, because of the effect of the material weakness described * 
* *, the Company's internal control over financial reporting is not 
effective.'').
    E27. A number of commenters were supportive of the model 
described in the previous paragraph, as they agreed with the Board's 
reasoning. However, several commenters believed that report users 
would be confused as to why the form of the auditor's opinion would 
be different in various circumstances. These commenters thought that 
the auditor's opinion should be consistently expressed in all 
reports. Several auditors recommended that auditors always report 
directly on the effectiveness of the company's internal control over 
financial reporting. They reasoned that the scope of the audit--
which always would require the auditor to obtain reasonable 
assurance about whether the internal control over financial 
reporting was effective--would be more clearly communicated, in all 
cases, by the auditor reporting directly on the effectiveness of 
internal control over financial reporting. Other commenters 
suggested that the auditor always should express two opinions: one 
on management's assessment and one directly on the effectiveness of 
internal control over financial reporting. They believed the Act 
called for two opinions: Section 404 calls for an opinion on 
management's assessment, while Section 103 calls for an opinion 
directly on the effectiveness of internal control over financial 
reporting.
    E28. The Board believes that the reporting model in the proposed 
standard is appropriate. However, the Board concluded that the 
expression of two opinions--one on management's assessment and one 
on the effectiveness of internal control over financial reporting--
in all reports is a superior approach that balances the concerns of 
many different interested parties. This approach is consistent with 
the scope of the audit, results in more consistent reporting in 
differing circumstances, and makes the reports more easily 
understood by report users. Therefore, the standard requires that 
the auditor express two opinions in all reports on internal control 
over financial reporting.

Use of the Work of Others

    E29. After giving serious consideration to a rational 
relationship between costs and benefits, the Board decided to change 
the provisions in the proposed standard regarding using the work of 
others. The proposed standard required the auditor to evaluate 
whether to use the work of others, such as internal auditors and 
others working under the direction of management, and described an 
evaluation process focused on the competence and objectivity of the 
persons who performed the work that the auditor was required to use 
when determining the extent to which he or she could use the work of 
others.
    E30. The proposed standard also described two principles that 
limited the auditor's ability to use the work of others. First, the 
proposed standard defined three categories of controls and the 
extent to which the auditor could use the work of others in each of 
those categories:
     Controls for which the auditor should not 
rely on the work of others, such as controls in the control 
environment and controls specifically intended to prevent or detect 
fraud that is reasonably likely to have a material effect on the 
company's financial statements,
     Controls for which the auditor may rely on 
the work of others, but his or her reliance on the work of others 
should be limited, such as controls over nonroutine transactions 
that are considered high risk because they involve judgments and 
estimates, and
     Controls for which the auditor's reliance on 
the work of others is not specifically limited, such as controls 
over routine processing of significant accounts.
    E31. Second, the proposed standard required that, on an overall 
basis, the auditor's own work must provide the principal evidence 
for the audit opinion (this is referred to as the principal evidence 
provision).
    E32. In the proposed standard, these two principles provided the 
auditor with flexibility in using the work of others while 
preventing him or her from placing inappropriate over-reliance on 
the work of others. Although the proposed standard required the 
auditor to reperform some of the tests performed by others to use 
their work, it did not establish specific requirements for the 
extent of the reperformance. Rather, it allowed the auditor to use 
his or her judgment and the directions provided by the two 
principles discussed in the previous two paragraphs to determine the 
appropriate extent of reperformance.
    E33. The Board received a number of comments that agreed with 
the proposed three categories of controls and the principal evidence 
provision. However, most commenters expressed some level of concern 
with the categories, the principal evidence provision, or both.
    E34. Comments opposing or criticizing the categories of controls 
varied from general to very specific. In general terms, many 
commenters (particularly issuers) expressed concern that the 
categories described in the proposed standard were too restrictive. 
They believed the auditor should be able to use his or her judgment 
to determine in which areas and to what extent to rely on the work 
of others. Other commenters indicated that the proposed standard did 
not place enough emphasis on the work of internal auditors whose 
competence and objectivity, as well as adherence to professional 
standards of internal auditing, should clearly set their work apart 
from the work performed by others in the organization (such as 
management or third parties working under management's direction). 
Further, these commenters believed that the standard should clarify 
that the auditor should be able to use work performed by internal 
auditors extensively. In that case, their concerns about excessive 
cost also would be partially alleviated.
    E35. Other commenters expressed their belief that the proposed 
standard repudiated the approach established in AU sec. 322, The 
Auditor's Consideration of the Internal Audit Function in an Audit 
of Financial Statements, for the auditor's use of the work of 
internal auditors in a financial statement audit. Commenters also 
expressed very specific and pointed views on the three categories of 
controls. As defined in the proposed standard, the first category 
(in which the auditor should not use the work of others at all) 
included:
     Controls that are part of the control 
environment, including controls specifically established to prevent 
and detect fraud that is reasonably likely to result in material 
misstatement of the financial statements.
     Controls over the period-end financial 
reporting process, including controls over procedures used to enter 
transaction totals into the general ledger; to initiate, record, and 
process journal entries in the general ledger; and to record 
recurring and nonrecurring adjustments to the financial

[[Page 20713]]

statements (for example, consolidating adjustments, report 
combinations, and reclassifications).
     Controls that have a pervasive effect on the 
financial statements, such as certain information technology general 
controls on which the operating effectiveness of other controls 
depends.
     Walkthroughs.
    E36. Commenters expressed concern that the prohibition on using 
the work of others in these areas would (a) drive unnecessary and 
excessive costs, (b) not give appropriate recognition to those 
instances in which the auditor evaluated internal audit as having a 
high degree of competence and objectivity, and (c) be impractical 
due to resource constraints at audit firms. Although each individual 
area was mentioned, the strongest and most frequent objections were 
to the restrictions imposed over the inclusion in the first category 
of walkthroughs, controls over the period-end financial reporting 
process, and information technology general controls. Some 
commenters suggested the Board should consider moving these areas 
from the first category to the second category (in which using the 
work of others would be limited, rather than prohibited); others 
suggested removing any limitation on using the work of others in 
these areas altogether.
    E37. Commenters also expressed other concerns with respect to 
the three control categories. Several commenters asked for 
clarification on what constituted limited use of the work of others 
for areas included in the second category. Some commenters asked for 
clarification about the extent of reperformance necessary for the 
auditor to use the work of others. Other commenters questioned the 
meaning of the term ``without specific limitation'' in the third 
category, asking whether this meant that the auditor could use the 
work of others in these areas without performing or reperforming any 
work in those areas.
    E38. Although most commenters suggested that the principal 
evidence threshold for the auditor's own work be retained, some 
commenters objected to the principal evidence provision. Although 
many commenters identified the broad array of areas identified in 
the first category (in which the auditor should not use the work of 
others at all) as the key driver of excessive costs, others 
identified the principal evidence provision as the real source of 
their excessive cost concerns. Even if the categories were redefined 
in such a way as to permit the auditor to use the work of others in 
more areas, any associated decrease in audit cost would be limited 
by the principal evidence provision which, if retained, would still 
require significant original work on the part of the auditor. On the 
other hand, both investors and auditors generally supported 
retaining the principal evidence provision as playing an important 
role in ensuring the independence of the auditor's opinion and 
preventing inappropriate overreliance on the work of internal 
auditors and others.
    E39. Commenters who both supported and opposed the principal 
evidence provision indicated that implementing it would be 
problematic because the nature of the work in an audit of internal 
control over financial reporting does not lend itself to a purely 
quantitative measurement. Thus, auditors would be forced to use 
judgment when determining whether the principal evidence provision 
has been satisfied.
    E40. In response to the comments, the Board decided that some 
changes to the guidance on using the work of others were necessary. 
The Board did not intend to reject the concepts in AU sec. 322 and 
replace them with a different model. Although AU sec. 322 is 
designed to apply to an audit of financial statements, the Board 
concluded that the concepts contained in AU sec. 322 are sound and 
should be used in an audit of internal control over financial 
reporting, with appropriate modification to take into account the 
differences in the nature of the evidence necessary to support an 
opinion on financial statements and the evidence necessary to 
support an opinion on internal control effectiveness. The Board also 
wanted to make clear that the concepts in AU sec. 322 also may be 
applied, with appropriate auditor judgment, to the relevant work of 
others.
    E41. The Board remained concerned, however, with the possibility 
that auditors might overrely on the work of internal auditors and 
others. Inappropriate overreliance can occur in a variety of ways. 
For example, an auditor might rely on the work of a highly competent 
and objective internal audit function for proportionately too much 
of the evidence that provided the basis for the auditor's opinion. 
Inappropriate overreliance also occurs when the auditor incorrectly 
concludes that internal auditors have a high degree of competence 
and objectivity when they do not, perhaps because the auditor did 
not exercise professional skepticism or due professional care when 
making his or her evaluation. In either case, the result is the 
same: unacceptable risk that the auditor's conclusion that internal 
control over financial reporting is effective is incorrect. For 
example, federal bank regulators commented that, in their experience 
with FDICIA, auditors have a tendency to rely too heavily on the 
work of management and others, further noting that this situation 
diminishes the independence of the auditor's opinion on control 
effectiveness.
    E42. The Board decided to revise the categories of controls by 
focusing on the nature of the controls being tested, evaluating the 
competence and objectivity of the individuals performing the work, 
and testing the work of others. This allows the auditor to exercise 
substantial judgment based on the outcome of this work as to the 
extent to which he or she can make use of the work of internal 
auditors or others who are suitably qualified.
    E43. This standard emphasizes the direct relationship between 
the assessed level of competence and objectivity and the extent to 
which the auditor may use the work of others. The Board included 
this clarification to highlight the special status that a highly 
competent and objective internal auditor has in the auditor's work 
as well as to caution against inappropriate overreliance on the work 
of management and others who would be expected to have lower degrees 
of competence and objectivity in assessing controls. Indeed, the 
Board noted that, with regard to internal control over financial 
reporting, internal auditors would normally be assessed as having a 
higher degree of competence and objectivity than management or 
others and that an auditor will be able to rely to a greater extent 
on the work of a highly competent and objective internal auditor 
than on work performed by others within the company.
    E44. The Board concluded that the principal evidence provision 
is critical to preventing overreliance on the work of others in an 
audit of internal control over financial reporting. The requirement 
for the auditor to perform enough of the control testing himself or 
herself so that the auditor's own work provides the principal 
evidence for the auditor's opinion is of paramount importance to the 
auditor's assurance providing the level of reliability that 
investors expect. However, the Board also decided that the final 
standard should articulate clearly that the auditor's judgment about 
whether he or she has obtained the principal evidence required is 
qualitative as well as quantitative. Therefore, the standard now 
states, ``Because the amount of work related to obtaining sufficient 
evidence to support an opinion about the effectiveness of controls 
is not susceptible to precise measurement, the auditor's judgment 
about whether he or she has obtained the principal evidence for the 
opinion will be qualitative as well as quantitative. For example, 
the auditor might give more weight to work performed on pervasive 
controls and in areas such as the control environment than on other 
controls, such as controls over low-risk, routine transactions.''
    E45. The Board also concluded that a better balance could be 
achieved in the standard by instructing the auditor to factor into 
the determination of the extent to which to use the work of others 
an evaluation of the nature of the controls on which others 
performed their procedures.
    E46. Paragraph 112 of the standard provides the following 
factors the auditor should consider when evaluating the nature of 
the controls subjected to the work of others:
     The materiality of the accounts and 
disclosures that the control addresses and the risk of material 
misstatement.
     The degree of judgment required to evaluate 
the operating effectiveness of the control (that is, the degree to 
which the evaluation of the effectiveness of the control requires 
evaluation of subjective factors rather than objective testing).
     The pervasiveness of the control.
     The level of judgment or estimation required 
in the account or disclosure.
     The potential for management override of the 
control.
    E47. As these factors increase in significance, the need for the 
auditor to perform his or her own work on those controls increases. 
As these factors decrease in significance, the auditor may rely more 
on the work of others. Because of the nature of controls in the 
control environment, however, the standard does not allow the 
auditor to use the work of others to reduce the amount of work he or 
she performs on such controls. In addition, the standard also

[[Page 20714]]

does not allow the auditor to use the work of others in connection 
with the performance of walkthroughs of major classes of 
transactions because of the high degree of judgment required when 
performing them (See separate discussion in paragraphs E51 through 
E57).
    E48. The Board decided that this approach was responsive to 
those who believed that the auditor should be able to use his or her 
judgment in determining the extent to which to use the work of 
others. The Board designed the requirement that the auditor's own 
work must provide the principal evidence for the auditor's opinion 
as one of the boundaries within which the auditor determines the 
work he or she must perform himself or herself in the audit of 
internal control over financial reporting. The other instructions 
about using the work of others provide more specific direction about 
how the auditor makes this determination, but allow the auditor 
significant flexibility to use his or her judgment to determine the 
work necessary to obtain the principal evidence, and to determine 
when the auditor can use the work of others rather than perform the 
work himself or herself. Although some of the directions are 
specific and definitive, such as the directions for the auditor to 
perform tests of controls in the control environment and 
walkthroughs himself or herself, the Board decided that these areas 
were of such audit importance that the auditor should always perform 
this testing as part of obtaining the principal evidence for his or 
her opinion. The Board concluded that this approach appropriately 
balances the use of auditor judgment and the risk of inappropriate 
overreliance.
    E49. The Board was particularly concerned by comments that 
issuers might choose to reduce their internal audit staff or the 
extent of internal audit testing in the absence of a significant 
change in the proposed standard that would significantly increase 
the extent to which the auditor may use the work of internal 
auditors. The Board believes the standard makes clear that an 
effective internal audit function does permit the auditor to reduce 
the work that otherwise would be necessary.
    E50. Finally, as part of clarifying the linkage between the 
degree of competence and objectivity of the others and the ability 
to use their work, the Board decided that additional clarification 
should be provided on the extent of testing that should be required 
of the work of others. The Board noted that the interaction of the 
auditor performing walkthroughs of every significant process and the 
retention of the principal evidence provision precluded the need for 
the auditor to test the work of others in every significant account. 
However, testing the work of others is an important part of an 
ongoing assessment of their competence and objectivity. Therefore, 
as part of the emphasis on the direct relationship between the 
assessed level of competence and objectivity and the extent of the 
use of the work of others, additional provisions were added 
discussing how the results of the testing of the work of others 
might affect the auditor's assessment of competence and objectivity. 
The Board also concluded that testing the work of others should be 
clearly linked to an evaluation of the quality and effectiveness of 
their work.

Walkthroughs

    E51. The proposed standard included a requirement that the 
auditor perform walkthroughs, stating that the auditor should 
perform a walkthrough for all of the company's significant 
processes. In the walkthrough, the auditor was to trace all types of 
transactions and events, both recurring and unusual, from 
origination through the company's information systems until they 
were included in the company's financial reports. As stated in the 
proposed standard, walkthroughs provide the auditor with evidence 
to:
     Confirm the auditor's understanding of the 
process flow of transactions;
     Confirm the auditor's understanding of the 
design of controls identified for all five components of internal 
control over financial reporting, including those related to the 
prevention or detection of fraud;
     Confirm that the auditor's understanding of 
the process is complete by determining whether all points in the 
process at which misstatements related to each relevant financial 
statement assertion that could occur have been identified;
     Evaluate the effectiveness of the design of 
controls; and
     Confirm whether controls have been placed in 
operation.
    E52. A number of commenters expressed strong support for the 
requirement for the auditor to perform walkthroughs as described in 
the proposed standard. They agreed that auditors who did not already 
perform the type of walkthrough described in the proposed standard 
should perform them as a matter of good practice. These commenters 
further recognized that the first-hand understanding an auditor 
obtains from performing these walkthroughs puts the auditor in a 
much better position to design an effective audit and to evaluate 
the quality and effectiveness of the work of others. They considered 
the walkthrough requirement part of ``getting back to basics,'' 
which they viewed as a positive development.
    E53. Some commenters expressed general support for walkthroughs 
as required procedures, but had concerns about the scope of the 
work. A number of commenters suggested that requiring walkthroughs 
of all significant processes and all types of transactions would 
result in an overwhelming and unreasonable number of walkthroughs 
required. Commenters made various suggestions for alleviating this 
problem, including permitting the auditor to determine, using broad 
auditor judgment, which classes of transactions to walk through or 
refining the scope of ``all types of transactions'' to include some 
kind of consideration of risk and materiality.
    E54. Other commenters believed that required walkthroughs would 
result in excessive cost if the auditor were prohibited from using 
the work of others. These commenters suggested that the only way 
that required walkthroughs would be a reasonable procedure is to 
permit the auditor to use the work of others. Although commenters 
varied on whether the auditor's use of the work of others for 
walkthroughs should be liberal or limited, and whether it should 
include management or be limited to internal auditors, a large 
number of commenters suggested that limiting walkthroughs to only 
the auditor himself or herself was impractical.
    E55. The Board concluded that the objectives of the walkthroughs 
cannot be achieved second-hand. For the objectives to be effectively 
achieved, the auditor must perform the walkthroughs himself or 
herself. Several commenters who objected to the prohibition on using 
the work of internal auditors for walkthroughs described situations 
in which internal auditors would be better able to effectively 
perform walkthroughs because internal auditors understood the 
company's business and controls better than the external auditor and 
because the external auditor would struggle in performing 
walkthroughs due to a lack of understanding. The Board observed that 
these commenters' perspectives support the importance of requiring 
the external auditor to perform walkthroughs. If auditors struggle 
to initially perform walkthroughs because their knowledge of the 
company and its controls is weak, then that situation would only 
emphasize the necessity for the auditor to increase his or her level 
of understanding. After considering the nature and extent of the 
procedures that would be required to achieve these objectives, the 
Board concluded that performing walkthroughs would be the most 
efficient means of doing so. The first-hand understanding the 
auditor will obtain of the company's processes and its controls 
through the walkthroughs will translate into increased effectiveness 
and quality throughout the rest of the audit, in a way that cannot 
be achieved otherwise.
    E56. The Board also decided that the scope of the transactions 
that should be subjected to walkthroughs should be more narrowly 
defined. To achieve the objectives the Board intended for 
walkthroughs to accomplish, the auditor should not be forced to 
perform walkthroughs on what many commenters reasoned was an 
unreasonably large population. The Board decided that the auditor 
should be able to use judgment in considering risk and materiality 
to determine which transactions and events within a given 
significant process to walk through. As a result, the directions in 
the standard on determining significant processes and major classes 
of transactions were expanded, and the population of transactions 
that auditors will be required to walk through was narrowed by 
replacing ``all types of transactions'' with ``major classes of 
transactions.''
    E57. Although judgments of risk and materiality are inherent in 
identifying major classes of transactions, the Board decided to also 
remove from the standard the statement, ``walkthroughs are required 
procedures'' as a means of further clarifying that auditor judgment 
plays an important role in determining the major classes of 
transactions for which to perform a walkthrough. The Board observed 
that leading off the discussion of walkthroughs in the standard with 
such a sentence could be read as setting a tone that diminished the 
role of judgment

[[Page 20715]]

in selecting the transactions to walk through. As a result, the 
directions in the standard on performing walkthroughs begin with, 
``The auditor should perform at least one walkthrough for each major 
class of transactions * * *'' The Board's decision to eliminate the 
statement ``walkthroughs are required procedures'' should not be 
viewed as an indication that performing walkthroughs is optional 
under the standard's directions. The Board believes the auditor 
might be able to achieve the objectives of a walkthrough by 
performing a combination of procedures, including inquiry, 
inspection, observation, and reperformance; however, performing a 
walkthrough represents the most efficient and effective means of 
doing so. The auditor's work on the control environment and 
walkthroughs is an important part of the principal evidence that the 
auditor must obtain himself or herself.

Small Business Issues

    E58. Appendix E of the proposed standard discussed small and 
medium-sized company considerations. Comments were widely 
distributed on this topic. A number of commenters indicated that the 
proposed standard gave adequate consideration to how internal 
control is implemented in, and how the audit of internal control 
over financial reporting should be conducted at, small and medium-
sized companies. Other commenters, particularly smaller issuers and 
smaller audit firms, indicated that the proposed standard needed to 
provide much more detail on how internal control over financial 
reporting could be different at a small or medium-sized issuer and 
how the auditor's approach could differ. Some of these commenters 
indicated that the concepts articulated in the Board's proposing 
release concerning accommodations for small and medium-sized 
companies were not carried through to the proposed standard itself.
    E59. On the other hand, other commenters, particularly large 
audit firms and investors, expressed views that the proposed 
standard went too far in creating too much of an accommodation for 
small and medium-sized issuers. In fact, many believed that the 
proposed standard permitted those issuers to have less effective 
internal control over financial reporting than larger issuers, while 
providing guidance to auditors permitting them to perform less 
extensive testing at those small and medium-sized issuers than they 
might have at larger issuers. These commenters stressed that 
effective internal control over financial reporting is equally 
important at small and medium-sized issuers. Some commenters also 
expressed concerns that the guidance in proposed Appendix E appeared 
to emphasize that the actions of senior management, if carried out 
with integrity, could offset deficiencies in internal control over 
financial reporting, such as the lack of written policies and 
procedures. Because the risk of management override of controls is 
higher in these types of environments, such commenters were 
concerned that the guidance in proposed Appendix E might result in 
an increased fraud risk at small and medium-sized issuers. At a 
minimum, they argued, the interpretation of Appendix E might result 
in a dangerous expectation gap for users of their internal control 
reports. Some commenters who were of this view suggested that 
Appendix E be deleted altogether or replaced with a reference to the 
report of the Committee of Sponsoring Organizations (COSO) of the 
Treadway Commission, Internal Control-Integrated Framework, which 
they felt contained sufficient guidance on small and medium-sized 
company considerations.
    E60. Striking an appropriate balance regarding the needs of 
smaller issuers is particularly challenging. The Board considered 
cautionary views about the difficulty in expressing accommodations 
for small and medium-sized companies without creating an 
inappropriate second class of internal control effectiveness and 
audit assurance. Further, the Board noted that the COSO framework 
currently provides management and the auditor with more guidance and 
flexibility regarding small and medium-sized companies than the 
Board had provided in the proposed Appendix E. As a result, the 
Board eliminated proposed Appendix E and replaced the appendix with 
a reference to COSO in paragraph 15 of the standard. The Board 
believes providing internal control criteria for small and medium-
sized companies within the internal control framework is more 
appropriately within the purview of COSO. Furthermore, the COSO 
report was already tailored for special small and medium-sized 
company considerations. The Board decided that emphasizing the 
existing guidance within COSO was the best way of recognizing the 
special considerations that can and should be given to small and 
medium-sized companies without inappropriately weakening the 
standard to which these smaller entities should, nonetheless, be 
held. If additional tailored guidance on the internal control 
framework for small and medium-sized companies is needed, the Board 
encourages COSO, or some other appropriate body, to develop this 
guidance.

Evaluation of the Effectiveness of the Audit Committee

    E61. The proposed standard identified a number of circumstances 
that, because of their likely significant negative effect on 
internal control over financial reporting, are significant 
deficiencies as well as strong indicators that a material weakness 
exists. A particularly notable significant deficiency and strong 
indicator of a material weakness was the ineffective oversight by 
the audit committee of the company's external financial reporting 
and internal control over financial reporting. In addition, the 
proposed standard required the auditor to evaluate factors related 
to the effectiveness of the audit committee's oversight of the 
external financial reporting process and the internal control over 
financial reporting.
    E62. This provision related to evaluating the effectiveness of 
the audit committee was included in the proposed standard for two 
primary reasons. First, the Board initially decided that, because of 
the significant role that the audit committee has in the control 
environment and monitoring components of internal control over 
financial reporting, an ineffective audit committee is a gravely 
serious control weakness that is strongly indicative of a material 
weakness. Most auditors should have already been reaching this 
conclusion when confronted with an obviously ineffective audit 
committee. Second, highlighting the adverse consequences of an 
ineffective audit committee would, perhaps, further encourage weak 
audit committees to improve.
    E63. Investors supported this provision. They expressed an 
expectation that the auditor would evaluate the audit committee's 
effectiveness and speak up if the audit committee was determined to 
be ineffective. Investors drew a link among restoring their 
confidence, audit committees having new and enhanced 
responsibilities, and the need for assurance that audit committees 
are, in fact, meeting their responsibilities.
    E64. Auditors also were generally supportive of such an 
evaluation. However, many requested that the proposed standard be 
refined to clearly indicate that the auditor's responsibility to 
evaluate the effectiveness of the audit committee's oversight of the 
company's external financial reporting and internal control over 
financial reporting is not a separate and distinct evaluation. 
Rather, the evaluation is one element of the auditor's overall 
understanding and assessment of the company's control environment 
and monitoring components. Some commenters suggested that, in 
addition to needing clarification of the auditor's responsibility, 
the auditor would have difficulty in evaluating all of the factors 
listed in the proposed standard, because the auditor's normal 
interaction with the audit committee would not provide sufficient 
basis to conclude on some of those factors.
    E65. Issuers and some others were opposed to the auditor 
evaluating the effectiveness of the audit committee on the 
fundamental grounds that such an evaluation would represent an 
unacceptable conflict of interest. Several commenters shared the 
view that this provision would reverse an important improvement in 
governance and audit quality. Whereas the auditor was formerly 
retained and compensated by management, the Act made clear that 
these responsibilities should now be those of the audit committee. 
In this way, commenters saw a conflict of interest being remedied. 
Requiring the auditor to evaluate the effectiveness of the audit 
committee led commenters to conclude that the same kind of conflict 
of interest was being reestablished. These commenters also believed 
that the auditor would not have a sufficient basis on which to 
evaluate the effectiveness of the audit committee because the 
auditor does not have complete and free access to the audit 
committee, does not have appropriate expertise to evaluate audit 
committee members (who frequently are more experienced 
businesspeople than the auditor), does not have the legal expertise 
to make determinations about some of the specific factors listed in 
the proposed standard, and other shortcomings. These commenters also 
emphasized that the board of directors' evaluation of the audit 
committee is important and that the 
proposed standard could be read to supplant this important 
evaluation with that of the auditor's.
    E66. The Board concluded that this provision should be retained 
but decided that clarification was needed to emphasize that the 
auditor's evaluation of the audit committee was not a separate 
evaluation but, rather, was made as part of the auditor's evaluation 
of the control environment and monitoring components of internal 
control over financial reporting. The Board reasoned that clarifying 
both this context and limitation on the auditor's evaluation of the 
audit committee would also address, to some degree, the conflict-of-
interest concerns raised by other commenters. The Board also 
observed, however, that conflict is, to some extent, inherent in the 
duties that society expects of auditors. Just as auditors were 
expected in the past to challenge management when the auditor 
believed a material misstatement of the financial statements or 
material weakness in internal control over financial reporting 
existed, the auditor similarly is expected to speak up when he or 
she believes the audit committee is ineffective in its oversight.
    E67. The Board decided that when the auditor is evaluating the 
control environment and monitoring components, if the auditor 
concludes that the audit committee's oversight of the company's 
external financial reporting and internal control over financial 
reporting is ineffective, the auditor should be strongly encouraged 
to consider that situation a material weakness and, at a minimum, a 
significant deficiency. The objective of the evaluation is not to 
grade the effectiveness of the audit committee along a scale. 
Rather, in the course of performing procedures related to evaluating 
the effectiveness of the control environment and monitoring 
components, including evaluating factors related to the 
effectiveness of the audit committee's oversight, if the auditor 
concludes that the audit committee's oversight of the external 
financial reporting and internal control over financial reporting is 
ineffective, then the auditor should consider that a strong 
indicator of a material weakness.
    E68. The Board concluded that several refinements should be made 
to this provision. As part of emphasizing that the auditor's 
evaluation of the audit committee is to be made as part of 
evaluating the control environment and not as a separate evaluation, 
the Board determined that the evaluation factors should be modified. 
The factors that addressed compliance with listing standards and 
sections of the Act were deleted, because those factors were 
specifically criticized in comment letters as being either outside 
the scope of the auditor's expertise or outside the scope of 
internal control over financial reporting. The Board also believed 
that those factors were not significant to the type of evaluation 
the auditor was expected to make of the audit committee. The Board 
decided to add the following factors, which are based closely on 
factors described in COSO, as relevant to evaluating those who 
govern, including the audit committee:
     - Extent of direct and independent interaction with key members 
of financial management, including the chief financial officer and 
chief accounting officer.
     - Degree to which difficult questions are raised and pursued 
with management and the auditor, including questions that indicate 
an understanding of the critical accounting policies and judgmental 
accounting estimates.
     - Level of responsiveness to issues raised by the auditor, 
including those required to be communicated by the auditor to the 
audit committee.
    E69. The Board also concluded that the standard should 
explicitly acknowledge that the board of directors is responsible 
for evaluating the effectiveness of the audit committee and that the 
auditor's evaluation of the control environment is not intended to 
supplant those evaluations. In addition, the Board concluded that, 
in the event the auditor determines that the audit committee's 
oversight is ineffective, the auditor should communicate that 
finding to the full board of directors. This communication should 
occur regardless of whether the auditor concludes that the condition 
represents a significant deficiency or a material weakness, and the 
communication should take place in addition to the normal 
communication requirements that attach to those deficiencies.

Definitions of Significant Deficiency and Material Weakness

    E70. As part of developing the proposed standard, the Board 
evaluated the existing definitions of significant deficiency (which 
the SEC defined as being the same as a reportable condition) and 
material weakness to determine whether they would permit the most 
effective implementation of the internal control reporting 
requirements of the Act.
    E71. AU sec. 325, Communication of Internal Control Related 
Matters Noted in an Audit, defined a material weakness as follows:
    A material weakness in internal control is a reportable 
condition in which the design or operation of one or more of the 
internal control components does not reduce to a relatively low 
level the risk that misstatements caused by error or fraud in 
amounts that would be material in relation to the financial 
statements being audited may occur and not be detected within a 
timely period by employees in the normal course of performing their 
assigned functions.
    E72. The framework that defined a material weakness focused on 
likelihood of and magnitude for evaluating a weakness. The Board 
decided that this framework would facilitate effective 
implementation of the Act's internal control reporting requirements; 
therefore, the Board's proposed definitions focused on likelihood 
and magnitude. However, as part of these deliberations, the Board 
decided that likelihood and magnitude needed to be defined in terms 
that would encourage more consistent application.
    E73. Within the existing definition of material weakness, the 
magnitude of ``material in relation to the financial statements'' 
was well supported by the professional standards, SEC rules and 
guidance, and other literature. However, the Board decided that the 
definition of likelihood would be improved if it used ``more than 
remote'' instead of ``relatively low level.'' FASB Statement No. 5, 
Accounting for Contingencies (FAS No. 5) defines ``remote.'' The 
Board decided that, because auditors were familiar with the 
application of the likelihood definitions in FAS No. 5, using ``more 
than remote'' in the definition of material weakness would infuse 
the evaluation of whether a control deficiency was a material 
weakness with the additional consistency that the Board wanted to 
encourage.
    E74. AU sec. 325 defined reportable conditions as follows:
    * * * matters coming to the auditor's attention that, in his judgment, 
should be communicated to the audit committee because they represent 
significant deficiencies in the design or operation of internal 
control, which could adversely affect the organization's ability to 
initiate, record, process, and report financial data consistent with 
the assertions of management in the financial statements.
    E75. The Board observed that this definition makes the 
determination of whether a condition is reportable solely a matter 
of the auditor's judgment. The Board believed that this definition 
was insufficient for purposes of the Act because management also 
needs a definition to determine whether a deficiency is significant 
and that the definition should be the same as the definition used by 
the auditor. Furthermore, using this existing definition, the 
auditor's judgment could never be questioned.
    E76. The Board decided that the same framework that represented 
an appropriate framework for defining a material weakness also 
should be used for defining a significant deficiency. Although 
auditor judgment is integral and essential to the audit process 
(including in determining the severity of control weaknesses), 
auditors, nonetheless, must be accountable for their judgments. 
Increasing the accountability of auditors for their judgments about 
whether a condition represents a significant deficiency and 
increasing the consistency with which those judgments are made are 
interrelated. Hence, the same framework of likelihood and magnitude 
was applied in the Board's proposed definition of significant 
deficiency.
    E77. In applying the likelihood and magnitude framework to 
defining a significant deficiency, the Board decided that the ``more 
than remote'' likelihood of occurrence used in the definition of 
material weakness was the best benchmark. In terms of magnitude, the 
Board decided that ``more than inconsequential'' should be the 
threshold for a significant deficiency.
    E78. A number of commenters were supportive of the definitions 
in the proposed standard. These commenters believed the definitions 
were an improvement over the previous definitions, used terms 
familiar to auditors, and would promote increased consistency in 
evaluations.
    E79. Most commenters, however, objected to these definitions. 
The primary, over-arching objection was that these definitions set 
too low a threshold for the reporting of significant deficiencies. 
Some commenters focused on ``more than remote'' likelihood as the 
driver of an unreasonably low threshold, while others believed 
``more than 
inconsequential'' in the definition of significant deficiency was 
the main culprit. While some commenters understood ``more than 
inconsequential'' well enough, others indicated significant concerns 
that this represented a new term of art that needed to be 
accompanied by a clear definition of ``inconsequential'' as well as 
supporting examples. Several commenters suggested retaining the 
likelihood and magnitude approach to a definition but suggested 
alternatives for likelihood (such as reasonably likely, reasonably 
possible, more likely than not, probable) and magnitude (such as 
material, significant, insignificant).
    E80. Some commenters suggested that the auditing standard retain 
the existing definitions of material weakness and significant 
deficiency, consistent with the SEC's final rules implementing 
Section 404. In their final rules, the SEC tied management's 
assessment to the existing definitions of material weakness and 
significant deficiency (through the existing definition of a 
reportable condition) in AU sec. 325. These commenters suggested 
that, if the auditing standard used a different definition, a 
dangerous disconnect would result, whereby management would be using 
one set of definitions under the SEC's rules and auditors would be 
using another set under the Board's auditing standards. They further 
suggested that, absent rulemaking by the SEC to change its 
definitions, the Board should simply defer to the existing 
definitions.
    E81. A number of other commenters questioned the reference to 
``a misstatement of the annual or interim financial statements'' in 
the definitions, with the emphasis on why ``interim'' financial 
statements were included in the definition, since Section 404 
required only an annual assessment of internal control over 
financial reporting effectiveness, made as of year-end. They 
questioned whether this definition implied that the auditor was 
required to identify deficiencies that could result in a 
misstatement in interim financial statements; they did not believe 
that the auditor should be required to plan his or her audit of 
internal control over financial reporting at a materiality level of 
the interim financial statements.
    E82. The Board ultimately concluded that focusing the 
definitions of material weakness and significant deficiency on 
likelihood of misstatement and magnitude of misstatement provides 
the best framework for evaluating deficiencies. Defaulting to the 
existing definitions would not best serve the public interest nor 
facilitate meaningful and effective implementation of the auditing 
standard.
    E83. The Board observed that the SEC's final rules requiring 
management to report on internal control over financial reporting 
define material weakness, for the purposes of the final rules, as 
having ``the same meaning as the definition under GAAS and 
attestation standards.'' Those rules state:
    The term ``significant deficiency'' has the same meaning as the 
term ``reportable condition'' as used in AU Sec. 325 and AT Sec. 
501. The terms ``material weakness'' and ``significant deficiency'' 
both represent deficiencies in the design or operation of internal 
control that could adversely affect a company's ability to record, 
process, summarize and report financial data consistent with the 
assertions of management in the company's financial statements, with 
a ``material weakness'' constituting a greater deficiency than a 
``significant deficiency.'' Because of this relationship, it is our 
judgment that an aggregation of significant deficiencies could 
constitute a material weakness in a company's internal control over 
financial reporting.\42\
---------------------------------------------------------------------------

    \42\ See footnote 73 to Final Rule: Management's Reports on 
Internal Control Over Financial Reporting and Certification of 
Disclosure in Exchange Act Periodic Reports, Securities and Exchange 
Commission Release No. 33-8238 (June 5, 2003) [68 FR 36636].
---------------------------------------------------------------------------

    E84. The Board considered the SEC's choice to cross-reference to 
generally accepted auditing standards (GAAS) and the attestation 
standards as the means of defining these terms, rather than defining 
them outright within the final rules, noteworthy as it relates to 
the question of whether any disconnect could result between 
auditors' and managements' evaluations if the Board changed the 
definitions in its standards. Because the standard changes the 
definition of these terms within the interim standards, the Board 
believes the definitions are, therefore, changed for both auditors' 
and managements' purposes.
    E85. The Board noted that commenters who were concerned that the 
definitions in the proposed standard set too low a threshold for 
significant deficiencies and material weaknesses believed that the 
proposed standard required that each control deficiency be evaluated 
in isolation. The intent of the proposed standard was that control 
deficiencies should first be evaluated individually; the 
determination as to whether they are significant deficiencies or 
material weaknesses should be made considering the effects of 
compensating controls. The effect of compensating controls should be 
taken into account when assessing the likelihood of a misstatement 
occurring and not being prevented or detected. The proposed standard 
illustrated this type of evaluation, including the effect of 
compensating controls when assessing likelihood, in the examples in 
Appendix D. Based on the comments received, however, the Board 
determined that additional clarification within the standard was 
necessary to emphasize the importance of considering compensating 
controls when evaluating the likelihood of a misstatement occurring. 
As a result, the note to paragraph 10 was added.
    E86. The Board concluded that considering the effect of 
compensating controls on the likelihood of a misstatement occurring 
and not being prevented or detected sufficiently addressed the 
concerns that the definitions set too low a threshold. For example, 
several issuer commenters cited concerns that the proposed 
definitions precluded a rational cost-benefit analysis of whether to 
correct a deficiency. These issuers believed they would be compelled 
to correct deficiencies (because the deficiencies would be 
considered to be at least significant deficiencies) in situations in 
which management had made a previous conscious decision that the 
costs of correcting the deficiency outweighed the benefits. The 
Board observed that, in cases in which management has determined not 
to correct a known deficiency based on a cost-benefit analysis, 
effective compensating controls usually lie at the heart of 
management's decision. The standard's use of ``likelihood'' in the 
definition of a significant deficiency or material weakness 
accommodates such a consideration of compensating controls. If a 
deficiency is effectively mitigated by compensating controls, then 
the likelihood of a misstatement occurring and not being prevented 
or detected may very well be remote.
    E87. The Board disagreed with comments that ``more than 
inconsequential'' was too low a threshold; however, the Board 
decided the term ``inconsequential'' needed additional clarity. The 
Board considered the term ``inconsequential'' in relation to the 
SEC's guidance on audit requirements and materiality. Section 
10A(b)(1)(B) \43\ describes the auditor's communication requirements 
when the auditor detects or otherwise becomes aware of information 
indicating that an illegal act has or may have occurred, ``unless 
the illegal act is clearly inconsequential.'' Staff Accounting 
Bulletin (SAB) No. 99, Materiality, provides the most recent and 
definitive guidance on the concept of materiality as it relates to 
the financial reporting of a public company. SAB No. 99 uses the 
term ``inconsequential'' in several places to draw a distinction 
between amounts that are not material. SAB No. 99 provides the 
following guidance to assess the significance of a misstatement:
---------------------------------------------------------------------------

    \43\ See Section 10A of the Securities Exchange Act of 1934, 15 
U.S.C. 78j-1.
---------------------------------------------------------------------------

    Though the staff does not believe that registrants need to make 
finely calibrated determinations of significance with respect to 
immaterial items, plainly it is ``reasonable'' to treat 
misstatements whose effects are clearly inconsequential differently 
than more significant ones.
    E88. The discussion in the previous paragraphs provided the 
Board's context for using ``material'' and ``more than 
inconsequential'' for the magnitude thresholds in the standard's 
definitions. ``More than inconsequential'' indicates an amount that 
is less than material yet has significance.
    E89. The Board also considered the existing guidance in the 
Board's interim standards for evaluating materiality and 
accumulating audit differences in a financial statement audit. 
Paragraph .41 of AU sec. 312, Audit Risk and Materiality in 
Conducting an Audit, states:
    In aggregating likely misstatements that the entity has not 
corrected, pursuant to paragraphs .34 and .35, the auditor may 
designate an amount below which misstatements need not be 
accumulated. This amount should be set so that any such 
misstatements, either individually or when aggregated with other 
such misstatements, would not be material to the financial 
statements, after the possibility of further undetected 
misstatements is considered.
    E90. The Board considered the discussion in AU sec. 312 that 
spoke specifically to 
evaluating differences individually and in the aggregate, as well as 
to considering the possibility of additional undetected 
misstatements, important distinguishing factors that should be 
carried through to the evaluation of whether a control deficiency 
represents a significant deficiency because the magnitude of the 
potential misstatement is more than inconsequential.
    E91. The Board combined its understanding of the salient 
concepts in AU sec. 312 and the SEC guidance on materiality to 
develop the following definition of inconsequential:
    A misstatement is inconsequential if a reasonable person would 
conclude, after considering the possibility of further undetected 
misstatements, that the misstatement, either individually or when 
aggregated with other misstatements, would clearly be immaterial to 
the financial statements. If a reasonable person could not reach 
such a conclusion regarding a particular misstatement, that 
misstatement is more than inconsequential.
    E92. Finally, the inclusion of annual or interim financial 
statements in the definitions rather than just ``annual financial 
statements'' was intentional and, in the Board's opinion, closely 
aligned with the spirit of what Section 404 seeks to accomplish. 
However, the Board decided that this choice needed clarification 
within the auditing standard. The Board did not intend the inclusion 
of the interim financial statements in the definition to require the 
auditor to perform an audit of internal control over financial 
reporting at each interim date. Rather, the Board believed that the 
SEC's definition of internal control over financial reporting 
included all financial reporting that a public company makes 
publicly available. In other words, internal control over financial 
reporting includes controls over the preparation of annual and 
quarterly financial statements. Thus, an evaluation of internal 
control over financial reporting as of year-end encompasses controls 
over the annual financial reporting and quarterly financial 
reporting as such controls exist at that point in time.
    E93. Paragraphs 76 and 77 of the standard clarify this 
interpretation, as part of the discussion of the period-end 
financial reporting process. The period-end financial reporting 
process includes procedures to prepare both annual and quarterly 
financial statements.

Strong Indicators of Material Weaknesses and De Facto Significant 
Deficiencies

    E94. The proposed standard identified a number of circumstances 
that, because of their likely significant negative effect on 
internal control over financial reporting, are significant 
deficiencies as well as strong indicators that a material weakness 
exists. The Board developed this list to promote increased rigor and 
consistency in auditors' evaluations of weaknesses. For the 
implementation of Section 404 of the Act to achieve its objectives, 
the public must have confidence that all material weaknesses that 
exist as of the company's year-end will be publicly reported. 
Historically, relatively few material weaknesses have been reported 
by the auditor to management and the audit committee. That condition 
is partly due to the nature of a financial statement audit. In an 
audit of only the financial statements, the auditor does not have a 
detection responsibility for material weaknesses in internal 
control; such a detection responsibility is being newly introduced 
for all public companies through Sections 103 and 404 of the Act. 
However, the Board was concerned about instances in which auditors 
had identified a condition that should have been, but was not, 
communicated as a material weakness. The intention of including the 
list of strong indicators of material weaknesses in the proposed 
standard was to bring further clarity to conditions that were likely 
to be material weaknesses in internal control and to create more 
consistency in auditors' evaluations.
    E95. Most commenters were generally supportive of a list of 
significant deficiencies and strong indicators of the existence of 
material weaknesses. They believed such a list provided instructive 
guidance to both management and the auditor. Some commenters, 
however, disagreed with the proposed approach of providing such a 
list. They believed that the determination of the significance of a 
deficiency should be left entirely to auditor judgment. A few 
commenters requested clarification of the term ``strong indicator'' 
and specific guidance on how and when a ``strong indicator'' could 
be overcome. A number of commenters expressed various concerns with 
individual circumstances included in the list.
     - Restatement of previously issued financial statements to 
reflect the correction of a misstatement. Some 
commenters expressed concern about the kinds of restatements that 
would trigger this provision. A few mentioned the specific instance 
in which the restatement reflected the SEC's subsequent view of an 
accounting matter when the auditor, upon reevaluation, continued to 
believe that management had reasonable support for its original 
position. They believed this specific circumstance would not 
necessarily indicate a significant deficiency in internal control 
over financial reporting. Others commented that a restatement of 
previously issued financial statements would indicate a significant 
deficiency and strong indicator of a material weakness in the prior 
period but not necessarily in the current period.
     - Identification by the auditor of a material misstatement in 
financial statements in the current period that was 
not initially identified by the company's internal control over 
financial reporting (even if management subsequently corrects the 
misstatement). Several commenters, issuers and auditors alike, 
expressed concern about including this circumstance on the list. 
They explained that, frequently, management is completing the 
preparation of the financial statements at the same time that the 
auditor is completing his or her auditing procedures. In the face of 
this ``strong indicator'' provision, a lively debate of ``who found 
it first'' would ensue whenever the auditor identifies a 
misstatement that management subsequently corrects. Another argument 
is that the company's controls would have detected a misstatement 
identified by the auditor if the controls had an opportunity to 
operate (that is, the auditor performed his or her testing before 
the company's controls had an opportunity to operate). Several 
issuers indicated that they would prevent this latter situation by 
delaying the auditor's work until the issuers had clearly completed 
their entire period-end financial reporting process--a delay they 
viewed as detrimental.
     For larger, more complex entities, the 
internal audit function or the risk assessment function is 
ineffective. Several commenters asked for specific factors the 
auditor was expected to use to assess the effectiveness of these 
functions.
     For complex entities in highly regulated 
industries, an ineffective regulatory compliance function. Several 
commenters, particularly issuers in highly regulated industries, 
objected to the inclusion of this circumstance because they believed 
this to be outside the scope of internal control over financial 
reporting. (They agreed that this would be an internal control-
related matter, but one that falls into operating effectiveness and 
compliance with laws and regulations, not financial reporting.) Many 
of these commenters suggested that this circumstance be deleted from 
the list altogether. Fewer commenters suggested that this problem 
could be addressed by simply clarifying that this circumstance is 
limited to situations in which the ineffective regulatory function 
relates solely to those aspects for which related violations of laws 
and regulations could have a direct and material effect on the 
financial statements.
     Identification of fraud of any magnitude on 
the part of senior management. Several commenters expressed concern 
that the inclusion of this circumstance created a detection 
responsibility for the auditor such that the auditor would have to 
plan and perform procedures to detect fraud of any magnitude on the 
part of senior management. Others expressed concern that 
identification of fraud on the part of senior management by the 
company's system of internal control over financial reporting might 
indicate that controls were operating effectively rather than 
indicating a significant deficiency or material weakness. Still 
others requested clarification on how to determine who constituted 
``senior management.''
    E96. A couple of commenters also suggested that an ineffective 
control environment should be added to the list.
    E97. The Board concluded that the list of significant 
deficiencies and strong indicators of material weakness should be 
retained. Such a list will promote consistency in auditors' and 
managements' evaluations of deficiencies consistent with the 
definitions of significant deficiency and material weakness. The 
Board also decided to retain the existing structure of the list. 
Although the standard leaves auditor judgment to determine whether 
those deficiencies are material weaknesses, the existence of one of 
the listed deficiencies is by definition a significant deficiency. 
Furthermore, the ``strong indicator'' construct allows the auditor 
to factor extenuating or unique circumstances into the evaluation 
and possibly to conclude that the situation does not represent a

[[Page 20719]]

material weakness, rather, only a significant deficiency.
    E98. The Board decided that further clarification was not 
necessary within the standard itself addressing specifically how and 
when a ``strong indicator'' can be overcome. The term ``strong 
indicator'' was selected as opposed to the stronger ``presumption'' 
or other such term precisely because the Board did not intend to 
provide detailed instruction on how to overcome such a presumption. 
It is, nevertheless, the Board's view that auditors should be biased 
toward considering the listed circumstances as material weaknesses.
    E99. The Board decided to clarify several circumstances included 
in the list:
     Restatement of previously issued financial 
statements to reflect the correction of a misstatement. The Board 
observed that the circumstance in which a restatement reflected the 
SEC's subsequent view of an accounting matter, when the auditor 
concluded that management had reasonable support for its original 
position, might present a good example of only a significant 
deficiency and not a material weakness. However, the Board concluded 
that requiring this situation to, nonetheless, be considered by 
definition a significant deficiency is appropriate, especially 
considering that the primary result of the circumstance being 
considered a significant deficiency is the communication of the 
matter to the audit committee. Although the audit committee might 
already be well aware of the circumstances of any restatement, a 
restatement to reflect the SEC's view on an accounting matter at 
least has implications for the quality of the company's accounting 
principles, which is already a required communication to the audit 
committee.
    With regard to a restatement being a strong indicator of a 
material weakness in the prior period but not necessarily the 
current period, the Board disagreed with these comments. By virtue 
of the restatement occurring during the current period, the Board 
views it as appropriate to consider that circumstance a strong 
indicator that a material weakness existed during the current 
period. Depending on the circumstances of the restatement, however, 
the material weakness may also have been corrected during the 
current period. The construct of the standard does not preclude 
management and the auditor from determining that the circumstance 
was corrected prior to year-end and, therefore, that a material 
weakness did not exist at year-end. The emphasis here is that the 
circumstance is a strong indicator that a material weakness exists; 
management and the auditor will separately need to determine whether 
it has been corrected. The Board decided that no further 
clarification was needed in this regard.
     Identification by the auditor of a material 
misstatement in financial statements in the current period that was 
not initially identified by the company's internal control over 
financial reporting (even if management subsequently corrects the 
misstatement). Regarding the ``who-found-it-first'' dilemma, the 
Board recognizes that this circumstance will present certain 
implementation challenges. However, the Board decided that none of 
those challenges were so significant as to require eliminating this 
circumstance from the list. When the Board developed the list of 
strong indicators, the Board observed that it is not uncommon for 
the financial statement auditor to identify material misstatements 
in the course of the audit that are corrected by management prior to 
the issuance of the company's financial statements. In some cases, 
management has relied on the auditor to identify misstatements in 
certain financial statement items and to propose corrections in 
amount, classification, or disclosure. With the introduction of the 
requirement for management and the auditor to report on the 
effectiveness of internal control over financial reporting, it 
becomes obvious that this situation is unacceptable, unless 
management is willing to accept other than an unqualified report on 
the internal control effectiveness. (This situation also raises the 
question as to the extent management may rely on the annual audit to 
produce accurate and fair financial statements without impairing the 
auditor's independence.) This situation is included on the list of 
strong indicators because the Board believes it will encourage 
management and auditors to evaluate this situation with intellectual 
honesty and to recognize, first, that the company's internal control 
should provide reasonable assurance that the company's financial 
statements are presented fairly in accordance with generally 
accepted accounting principles.
    Timing might be a concern for some issuers. However, to the 
extent that management takes additional steps to ensure that the 
financial information is correct prior to providing it to their 
auditors, this may, at times, result in an improved control 
environment. When companies and auditors work almost simultaneously 
on completing the preparation of the annual financial statements and 
the audit, respectively, the role of the auditor can blur with the 
responsibility of management. In the year-end rush to complete the 
annual report, some companies might have come to rely on their 
auditors as a ``control'' to further ensure no misstatements are 
accidentally reflected in the financial statements. The principal 
burden seems to be for management's work schedule and administration 
of their financial reporting deadlines to allow the auditor 
sufficient time to complete his or her procedures.
    Further, if the auditor initially identified a material 
misstatement in the financial statements but, given the 
circumstances, determined that management ultimately would have 
found the misstatement, the auditor could determine that the 
circumstance was a significant deficiency but not a material 
weakness. The Board decided to retain the provision that this 
circumstance is at least a significant deficiency because reporting 
such a circumstance to the audit committee would always be 
appropriate.
     For larger, more complex entities, the 
internal audit function or the risk assessment function is 
ineffective. Relatively few commenters requested clarification on 
how to evaluate these functions. The Board expects that most 
auditors will not have trouble making this evaluation. Similar to 
the audit committee evaluation, this evaluation is not a separate 
evaluation of the internal audit or risk assessment functions but, 
rather, is a way of requiring the auditor to speak up if either of 
these functions is obviously ineffective at an entity that needs 
them to have an effective monitoring or risk assessment component. 
Unlike the audit committee discussion, most commenters seemed to 
have understood that this was the context for the internal audit and 
risk assessment function evaluation. Nonetheless, the Board decided 
to add a clarifying note to this circumstance emphasizing the 
context.
     For complex entities in highly regulated 
industries, an ineffective regulatory compliance function. The Board 
decided that this circumstance, as described in the proposed 
standard, would encompass aspects that are outside internal control 
over financial reporting (which would, of course, be inappropriate 
for purposes of this standard given its definition of internal 
control over financial reporting). The Board concluded that this 
circumstance should be retained, though clarified, to only apply to 
those aspects of an ineffective regulatory compliance function that 
could have a material effect on the financial statements.
     Identification of fraud of any magnitude on 
the part of senior management. The Board did not intend to create 
any additional detection responsibility for the auditor; rather, it 
intended that this circumstance apply to fraud on the part of senior 
management that came to the auditor's attention, regardless of 
amount. The Board decided to clarify the standard to make this 
clear. The Board noted that identification of fraud by the company's 
system of internal control over financial reporting might indicate 
that controls were operating effectively, except when that fraud 
involves senior management. Because of the critical role of tone-at-
the-top in the overall effectiveness of the control environment and 
due to the significant negative evidence that fraud of any magnitude 
on the part of senior management reflects on the control 
environment, the Board decided that it is appropriate to include 
this circumstance in the list, regardless of whether the company's 
controls detected the fraud. The Board also decided to clarify who 
is included in ``senior management'' for this purpose.
    E100. The Board agreed that an ineffective control environment 
was a significant deficiency and a strong indicator that a material 
weakness exists and decided to add it to the list.

Independence

    E101. The proposed standard explicitly prohibited the auditor 
from accepting an engagement to provide an internal control-related 
service to an audit client that has not been specifically pre-
approved by the audit committee. In other words, the audit committee 
would not be able to pre-approve internal control-related services 
as a category. The Board did not propose any specific guidance on 
permissible internal control-related services in the proposed 
standard but, rather, indicated its intent to conduct an in-depth 
evaluation of independence

[[Page 20720]]

requirements in the future and highlighted its ability to amend the 
independence information included in the standard pending the 
outcome of that analysis.
    E102. Comments were evenly split among investors, auditors, and 
issuers who believed the existing guidance was sufficient versus 
those who believed the Board should provide additional guidance. 
Commenters who believed existing guidance was sufficient indicated 
that the SEC's latest guidance on independence needed to be given 
more time to take effect given its recency and because existing 
guidance was clear enough. Commenters who believed more guidance was 
necessary suggested various additions, from more specificity about 
permitted and prohibited services to a sweeping ban on any internal 
control-related work for an audit client. Other issuers commented 
about auditors participating in the Section 404 implementation 
process at their audit clients in a manner that could be perceived 
as affecting their independence.
    E103. Some commenters suggested that the SEC should change the 
pre-approval requirements on internal control-related services to 
specific pre-approval. Another commenter suggested that specific 
pre-approval of all internal control-related services would pose an 
unreasonable burden on the audit committee and suggested reverting 
to pre-approval by category.
    E104. The Board clearly has the authority to set independence 
standards as it may deem necessary or appropriate in the public 
interest or for the protection of investors. Given ongoing concerns 
about the appropriateness of auditors providing these types of 
services to audit clients, the fact-specific nature of each 
engagement, and the critical importance of ongoing audit committee 
oversight of these types of services, the Board continues to believe 
that specific pre-approval of internal control-related services is a 
logical step that should not pose a burden on the audit committee 
beyond that which effective oversight of financial reporting already 
entails. Therefore, the standard retains this provision unchanged.

Requirement for Adverse Opinion When a Material Weakness Exists

    E105. The existing attestation standard (AT sec. 501) provides 
that, when the auditor has identified a material weakness in 
internal control over financial reporting, depending on the 
significance of the material weakness and its effect on the 
achievement of the objectives of the control criteria, the auditor 
may qualify his or her opinion (``except for the effect of the 
material weakness, internal control over financial reporting was 
effective'') or express an adverse opinion (``internal control over 
financial reporting was not effective'').
    E106. The SEC's final rules implementing Section 404 state that, 
``Management is not permitted to conclude that the registrant's 
internal control over financial reporting is effective if there are 
one or more material weaknesses in the registrant's internal control 
over financial reporting.''
    In other words, in such a case, management must conclude that 
internal control over financial reporting is not effective (that is, 
a qualified or ``except-for'' conclusion is not acceptable).
    E107. The Board initially decided that the reporting model for 
the auditor should follow the required reporting model for 
management. Therefore, because management is required to express an 
``adverse'' conclusion in the event a material weakness exists, the 
auditor's opinion also must be adverse. The proposed standard did 
not permit a qualified audit opinion in the event of a material 
weakness.
    E108. Comments received on requiring an adverse opinion when a 
material weakness exists were split. A large number affirmed that 
this seemed to be the only logical approach, based on a 
philosophical belief that if a material weakness exists, then 
internal control over financial reporting is ineffective. These 
commenters suggested that permitting a qualified opinion would be 
akin to creating another category of control deficiency--material 
weaknesses that were really material (resulting in an adverse 
opinion) and material weaknesses that weren't so material (resulting 
in a qualified opinion).
    E109. A number of commenters agreed that the auditor's report 
must follow the same model as management's reporting, but they 
believe strongly that the SEC's guidance for management accommodated 
either a qualified or adverse opinion when a material weakness 
existed.
    E110. These commenters cited Section II.B.3.c of the SEC Final 
Rule and related footnote no. 72: The final rules therefore preclude 
management from determining that a company's internal control over 
financial reporting is effective if it identifies one or more 
material weaknesses in the company's internal control over financial 
reporting. This is consistent with interim attestation standards. 
See AT sec. 501.
    E111. They believe this reference to the interim attestation 
standard in the SEC Final Rule is referring to paragraph .37 of AT 
sec. 501, which states, in part, Therefore, the presence of a 
material weakness will preclude the practitioner from concluding 
that the entity has effective internal control. However, depending 
on the significance of the material weakness and its effect on the 
achievement of the objectives of the control criteria, the 
practitioner may qualify his or her opinion (that is, express an 
opinion that internal control is effective ``except for'' the 
material weakness noted) or may express an adverse opinion.
    E112. Their reading of the SEC Final Rule and the interim 
attestation standard led them to conclude that it would be 
appropriate for the auditor to express either an adverse opinion or 
a qualified ``except-for'' opinion about the effectiveness of the 
company's internal control over financial reporting depending on the 
circumstances.
    E113. Some commenters responded that they thought a qualified 
opinion would be appropriate in certain cases, such as an 
acquisition close to year-end (too close to be able to assess 
controls at the acquiree).
    E114. After additional consultation with the SEC staff about 
this issue, the Board decided to retain the proposed reporting model 
in the standard. The primary reason for that decision was the 
Board's continued understanding that the SEC staff would expect only 
an adverse conclusion from management (not a qualified conclusion) 
in the event a material weakness existed as of the date of 
management's report.
    E115. The commenters who suggested that a qualified opinion 
should be permitted in certain circumstances, such as an acquisition 
close to year-end, were essentially describing scope limitations. 
The standard permits a qualified opinion, a disclaimer of opinion, 
or withdrawal from the engagement if there are restrictions on the 
scope of the engagement. As it relates specifically to acquisitions 
near year-end, this is another case in which the auditor's model 
needs to follow the model that the SEC sets for management. The 
standard added a new paragraph to Appendix B permitting the auditor 
to limit the scope of his or her work (without referring to a scope 
limitation in the auditor's report) in the same manner that the SEC 
permits management to limit its assessment. In other words, if the 
SEC permits management to exclude an entity acquired late in the 
year from a company's assessment of internal control over financial 
reporting, then the auditor could do the same.

Rotating Tests of Controls

    E116. The proposed standard directed the auditor to perform 
tests of controls on ``relevant assertions'' rather than on 
``significant controls.'' To comply with those requirements, the 
auditor would be required to apply tests to those controls that are 
important to presenting each relevant assertion in the financial 
statements. The proposed standard emphasized controls that affect 
relevant assertions because those are the points at which 
misstatements could occur. However, it is neither necessary to test 
all controls nor to test redundant controls (unless redundancy is 
itself a control objective, as in the case of certain computer 
controls). Thus, the proposed standard encouraged the auditor to 
identify and test controls that addressed the primary areas in which 
misstatements could occur, yet limited the auditor's work to only 
the necessary controls.
    E117. Expressing the extent of testing in this manner also 
simplified other issues involving extent of testing decisions from 
year to year (the so-called ``rotating tests of controls'' issue). 
The proposed standard stated that the auditor should vary testing 
from year to year, both to introduce unpredictability into the 
testing and to respond to changes at the company. However, the 
proposed standard maintained that each year's audit must stand on 
its own. Therefore, the auditor must obtain evidence of the 
effectiveness of controls over all relevant assertions related to 
all significant accounts and disclosures every year.
    E118. Auditors and investors expressed support for these 
provisions as described in the proposed standard. In fact, some 
commenters compared the notion of rotating tests of control in an 
audit of internal control over financial reporting to an auditor 
testing accounts receivable only once every few years in a financial 
statement audit.

[[Page 20721]]

Permitting so-called rotation of testing would compromise the 
auditor's ability to obtain reasonable assurance that his or her 
opinion was correct.
    E119. Others, especially issuers concerned with limiting costs, 
strongly advocated some form of rotating tests of controls. Some 
commenters suggested that the auditor should have broad latitude to 
perform some cursory procedures to determine whether any changes had 
occurred in controls and, if not, to curtail any further testing in 
that area. Some suggested that testing as described in the proposed 
standard should be required in the first year of the audit (the 
``baseline'' year) and that in subsequent years the auditor should 
be able to reduce the required testing. Others suggested 
progressively less aggressive strategies for reducing the amount of 
work the auditor should be required to perform. In fact, several 
commenters (primarily internal auditors) described ``baselining'' 
controls as an important strategy to retain. They argued, for 
example, that IT application controls, once tested, could be relied 
upon (without additional testing) in subsequent years as long as 
general controls over program changes and access controls were 
effective and continued to be tested.
    E120. The Board concluded that each year's audit must stand on 
its own. Cumulative audit knowledge is not to be ignored; some 
natural efficiencies will emerge as the auditor repeats the audit 
process. For example, the auditor will frequently spend less time to 
obtain the requisite understanding of the company's internal control 
over financial reporting in subsequent years compared with the time 
necessary in the first year's audit of internal control over 
financial reporting. Also, to the extent that the auditor has 
previous knowledge of control weaknesses, his or her audit strategy 
should, of course, reflect that knowledge. For example, a pattern of 
mistakes in prior periods is usually a good indicator of the areas 
in which misstatements are likely to occur. However, the absence of 
fraud in prior periods is not a reasonable indicator of the 
likelihood of misstatement due to fraud.
    E121. However, the auditor needs to test controls every year, 
regardless of whether controls have obviously changed. Even if 
nothing else changed about the company--no changes in the business 
model, employees, organization, etc.--controls that were effective 
last year may not be effective this year due to error, complacency, 
distraction, and other human conditions that result in the inherent 
limitations in internal control over financial reporting.
    E122. What several commenters referred to as ``baselining'' 
(especially as it relates to IT controls) is more commonly referred 
to by auditors as ``benchmarking.'' This type of testing strategy 
for application controls is not precluded by the standard. However, 
the Board believes that providing a description of this approach is 
beyond the scope of this standard. For these reasons, the standard 
does not address it.

Mandatory Integration With the Audit of the Financial Statements

    E123. Section 404(b) of the Act provides that the auditor's 
attestation of management's assessment of internal control shall not 
be the subject of a separate engagement. Because the objectives of 
and work involved in performing both an attestation of management's 
assessment of internal control over financial reporting and an audit 
of the financial statements are closely interrelated, the proposed 
auditing standard introduced an integrated audit of internal control 
over financial reporting and audit of financial statements.
    E124. However, the proposed standard went even further. Because 
of the potential significance of the information obtained during the 
audit of the financial statements to the auditor's conclusions about 
the effectiveness of internal control over financial reporting, the 
proposed standard stated that the auditor could not audit internal 
control over financial reporting without also auditing the financial 
statements. (However, the proposed standard retained the auditor's 
ability to audit only the financial statements, which might be 
necessary in the case of certain initial public offerings.)
    E125. Although the Board solicited specific comment on whether 
the auditor should be prohibited from performing an audit of 
internal control over financial reporting without also performing an 
audit of the financial statements, few commenters focused on the 
significance of the potentially negative evidence that would be 
obtained during the audit of the financial statements or the 
implications of this prohibition. Most commenters focused on the 
wording of Section 404(b), which indicates that the auditor's 
attestation of management's assessment of internal control over 
financial reporting shall not be the subject of a separate 
engagement. Based on this information, most commenters saw the 
prohibition in the proposed standard as superfluous and benign.
    E126. Several commenters recognized the importance of the 
potentially negative evidence that might be obtained as part of the 
audit of the financial statements and expressed strong support for 
requiring that an audit of financial statements be performed to 
audit internal control over financial reporting.
    E127. Others recognized the implications of this prohibition and 
expressed concern: What if a company wanted or needed an opinion on 
the effectiveness of internal control over financial reporting as of 
an interim date? For the most part, these commenters (primarily 
issuers) objected to the implication that an auditor would have to 
audit a company's financial statements as of an interim date to 
enable him or her to audit and report on its internal control over 
financial reporting as of that same interim date. Other issuers 
expressed objections related to their desires to engage one auditor 
to provide an opinion on the effectiveness of internal control over 
financial reporting and another to audit the financial statements. 
Others requested clarification about which guidance would apply when 
other forms of internal control work were requested by companies.
    E128. The Board concluded that an auditor should perform an 
audit of internal control over financial reporting only when he or 
she has also audited the company's financial statements. The auditor 
must audit the financial statements to have a high level of 
assurance that his or her conclusion on the effectiveness of 
internal control over financial reporting is correct. Inherent in 
the reasonable assurance provided by the auditor's opinion on 
internal control over financial reporting is a responsibility for 
the auditor to plan and perform his or her work to obtain reasonable 
assurance that material weaknesses, if they exist, are detected. As 
previously discussed, this standard states that the identification 
by the auditor of a material misstatement in the financial 
statements that was not initially identified by the company's 
internal control over financial reporting, is a strong indicator of 
a material weakness. Without performing a financial statement audit, 
the auditor would not have reasonable assurance that he or she had 
detected all material misstatements. The Board believes that 
allowing the auditor to audit internal control over financial 
reporting without also auditing the financial statements would not 
provide the auditor with a high level of assurance and would mislead 
investors in terms of the level of assurance obtained.
    E129. In response to other concerns, the Board noted that an 
auditor can report on the effectiveness of internal control over 
financial reporting using existing AT sec. 501 for purposes other 
than satisfying the requirements of Section 404. This standard 
supersedes AT sec. 501 only as it relates to complying with Section 
404 of the Act.
    E130. Although reporting under the remaining provisions of AT 
sec. 501 is currently permissible, the Board believes reports issued 
for public companies under the remaining provisions of AT sec. 501 
will be infrequent. In any event, additional rulemaking might be 
necessary to prevent confusion that might arise from reporting on 
internal control engagements under two different standards. For 
example, explanatory language could be added to reports issued under 
AT sec. 501 to clarify that an audit of financial statements was not 
performed in conjunction with the attestation on internal control 
over financial reporting and that such a report is not the report 
resulting from an audit of internal control over financial reporting 
performed in conjunction with an audit of the financial statements 
under this standard. This report modification would alert report 
readers, particularly if such a report were to appear in an SEC 
filing or otherwise be made publicly available, that the assurance 
obtained by the auditor in that engagement is different from the 
assurance that would have been obtained by the auditor for Section 
404 purposes. Another example of the type of change that might be 
necessary in separate rulemaking to AT sec. 501 would be to 
supplement the performance directions to be comparable to those in 
this standard. Auditors should remain alert for additional 
rulemaking by the Board that affects AT sec. 501.

(b) Statutory Basis
    The statutory basis for the proposed rule is Title I of the Act.

[[Page 20722]]

B. Board's Statement on Burden on Competition

    The Board does not believe that the proposed rule will result in 
any burden on competition that is not necessary or appropriate in 
furtherance of the purposes of the Act. Pursuant to Sections 404 and 
103 of the Act, each registered public accounting firm that prepares or 
issues the audit report for an issuer shall attest to, and report on, 
the assessment of internal control made by the management of the 
issuer. Although compliance with the proposed rule will impose costs, 
those costs are necessary in order to implement the requirements of 
Sections 103 and 404 of the Act and will be imposed in a way that does 
not disproportionately or unnecessarily burden competition.

C. Board's Statement on Comments on the Proposed Rule Received from 
Members, Participants or Others

    The Board released the proposed rule for public comment in PCAOB 
Release No. 2003-017 (October 7, 2003). A copy of PCAOB Release No. 
2003-017 and the comment letters received in response to the PCAOB's 
request for comment are available on the PCAOB's web site at 
www.pcaobus.org. The Board received 193 written comments. The Board has 
clarified and modified certain aspects of the proposed rule and the 
instructions to the related form in response to comments it received, 
as discussed in Appendix E, Background and Basis for Conclusions, to 
the proposed rule.

III. Date of Effectiveness of the Proposed Rule and Timing for 
Commission Action

    Within 60 days of the date of publication of this notice in the 
Federal Register or within such longer period (i) as the Commission may 
designate up to 90 days of such date if it finds such longer period to 
be appropriate and publishes its reasons for so finding or (ii) as to 
which the Board consents, the Commission will:
    (a) By order approve such proposed rule; or
    (b) Institute proceedings to determine whether the proposed rule 
should be disapproved.

IV. Solicitation of Comments

    Interested persons are invited to submit written data, views and 
arguments concerning the foregoing, including whether the proposed rule 
is consistent with the requirements of Title I of the Act. Comments may 
be submitted electronically or by paper. Electronic comments may be 
submitted by: (1) Electronic form on the SEC Web site 
(http://www.sec.gov) or (2) e-mail to [email protected]. Mail paper 
comments in triplicate to Jonathan G. Katz, Secretary, Securities and 
Exchange Commission, 450 Fifth Street, NW, Washington, DC 20549-0609. 
All submissions should refer to File No. PCAOB-2004-03; this file 
number should be included on the subject line if e-mail is used. To 
help us process and review your comments more efficiently, please use 
only one method. The Commission will post all comments on the 
Commission's Internet Web site (http://www.sec.gov). Comments are also 
available for public inspection and copying in the Commission's Public 
Reference Room, 450 Fifth Street, NW, Washington, DC 20549. We do not 
edit personal identifying information from submissions. You should 
submit only information that you wish to make available publicly. All 
comments should be submitted on or before May 7, 2004.

    By the Commission.
J. Lynn Taylor,
Assistant Secretary.
[FR Doc. 04-8412 Filed 4-15-04; 8:45 am]