[Federal Register Volume 72, Number 112 (Tuesday, June 12, 2007)]
[Notices]
[Pages 32340-32368]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E7-11311]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-55876; File No. PCAOB-2007-02]


Public Company Accounting Oversight Board; Notice of Filing of 
Proposed Rule on Auditing Standard No. 5, an Audit of Internal Control 
Over Financial Reporting That Is Integrated With an Audit of Financial 
Statements, and Related Independence Rule and Conforming Amendments

June 7, 2007.
    Pursuant to Section 107(b) of the Sarbanes-Oxley Act of 2002 (the 
``Act''), notice is hereby given that on May 25, 2007, the Public 
Company Accounting Oversight Board (the ``Board'' or the ``PCAOB'') 
filed with the Securities and Exchange Commission (the ``Commission'' 
or ``SEC'') the proposed rules described in Items I and II below, which 
items have been prepared by the Board. The Commission is publishing 
this notice to solicit comments on the proposed rules from interested 
persons. The text of the proposed rules consists of proposed Auditing 
Standard No. 5, An Audit of Internal Control Over Financial Reporting 
That is Integrated with an Audit of Financial Statements, and Related 
Independence Rule and conforming amendments to its auditing standards.

I. Board's Statement of the Terms of Substance of the Proposed Rules

    On May 24, 2007, the Board adopted Auditing Standard No. 5, An 
Audit of Internal Control Over Financial Reporting That is Integrated 
with an Audit of Financial Statements (``Auditing Standard No. 5''); 
Rule 3525, Audit Committee Pre-Approval of Non-Audit Services Related 
to Internal Control Over Financial Reporting, and conforming amendments 
to its auditing standards. The proposed rule text is set out below.

Auditing Standard No. 5--An Audit of Internal Control Over Financial 
Reporting That Is Integrated With an Audit of Financial Statements

Table of Contents

 
                                                               Paragraph
 
Introduction................................................         1-8
    Integrating the Audits..................................         6-8
Planning the Audit..........................................        9-20
    Role of Risk Assessment.................................       10-12
    Scaling the Audit.......................................          13
    Addressing the Risk of Fraud............................       14-15
    Using the Work of Others................................       16-19
    Materiality.............................................          20
Using a Top-Down Approach...................................       21-41
    Identifying Entity-Level Controls.......................       22-27
        Control Environment.................................          25
        Period-end Financial Reporting Process..............       26-27
    Identifying Significant Accounts and Disclosures and           28-33
     Their Relevant Assertions..............................
    Understanding Likely Sources of Misstatement............       34-38
        Performing Walkthroughs.............................       37-38
    Selecting Controls to Test..............................       39-41
Testing Controls............................................       42-61
    Testing Design Effectiveness............................       42-43
    Testing Operating Effectiveness.........................       44-45
    Relationship of Risk to the Evidence to be Obtained.....       46-56
        Nature of Tests of Controls.........................       50-51
        Timing of Tests of Controls.........................       52-53
        Extent of Tests of Controls.........................          54
        Roll-Forward Procedures.............................       55-56
    Special Considerations for Subsequent Years' Audits.....       57-61
Evaluating Identified Deficiencies..........................       62-70
    Indicators of Material Weaknesses.......................       69-70
Wrapping-Up.................................................       71-84
    Forming an Opinion......................................       71-74
    Obtaining Written Representations.......................       75-77
    Communicating Certain Matters...........................       78-84
Reporting on Internal Control...............................       85-98
    Separate or Combined Reports............................       86-88
    Report Date.............................................          89
    Material Weaknesses.....................................       90-92
    Subsequent Events.......................................       93-98
 

Appendices

 
 
 
Appendix A--Definitions.....................................      A1-A11
Appendix B--Special Topics..................................      B1-B33
    Integration of Audits...................................       B1-B9
    Multiple Locations Scoping Decisions....................     B10-B16
    Use of Service Organizations............................     B17-B27
    Benchmarking of Automated Controls......................     B28-B33
Appendix C--Special Reporting Situations....................      C1-C17
    Report Modifications....................................      C1-C15
    Filings Under Federal Securities Statutes...............     C16-C17
 

Introduction

    1. This standard establishes requirements and provides direction 
that applies when an auditor is engaged to perform an audit of 
management's assessment \1\ of the effectiveness of internal control 
over financial reporting (``the audit of internal control over 
financial reporting'') that is integrated with an audit of the 
financial statements.\2\
---------------------------------------------------------------------------

    \1\ Terms defined in Appendix A, Definitions, are set in 
boldface type (italics in the Federal Register printing) the first 
time they appear.
    \2\ This auditing standard supersedes Auditing Standard No. 2, 
An Audit of Internal Control Over Financial Reporting Performed in 
Conjunction with An Audit of Financial Statements, and is the 
standard on attestation engagements referred to in Section 404(b) of 
the Act. It also is the standard referred to in Section 
103(a)(2)(A)(iii) of the Act.
---------------------------------------------------------------------------

    2. Effective internal control over financial reporting provides 
reasonable assurance regarding the reliability of financial reporting 
and the preparation of financial statements for external purposes.\3\ 
If one or more material weaknesses exist, the company's internal 
control over financial reporting cannot be considered effective.\4\
---------------------------------------------------------------------------

    \3\ See Securities Exchange Act Rules 13a-15(f) and 15d-15(f), 
17 CFR Sec. Sec.  240.13a-15(f) and 240.15d-15(f); Paragraph A5.
    \4\ See Item 308 of Regulation S-K, 17 CFR 229.308.
---------------------------------------------------------------------------

    3. The auditor's objective in an audit of internal control over 
financial reporting is to express an opinion on the effectiveness of 
the company's internal control over financial reporting. Because a 
company's internal control cannot be considered effective if one or 
more material weaknesses exist, to form a basis for expressing an 
opinion, the auditor must plan and perform the audit to obtain 
competent evidence that is sufficient to obtain reasonable assurance 
\5\ about whether material weaknesses exist as of the date specified in 
management's assessment. A material weakness in internal control over 
financial reporting may exist even when financial statements are not 
materially misstated.
---------------------------------------------------------------------------

    \5\ See AU sec. 230, Due Professional Care in the Performance of 
Work, for further discussion of the concept of reasonable assurance 
in an audit.
---------------------------------------------------------------------------

    4. The general standards \6\ are applicable to an audit of internal 
control over financial reporting. Those standards require technical 
training and proficiency as an auditor, independence, and the exercise 
of due professional care, including professional skepticism. This 
standard establishes the fieldwork and reporting standards applicable 
to an audit of internal control over financial reporting.
---------------------------------------------------------------------------

    \6\ See AU sec. 150, Generally Accepted Auditing Standards.
---------------------------------------------------------------------------

    5. The auditor should use the same suitable, recognized control 
framework to perform his or her audit of internal control over 
financial reporting as management uses for its annual evaluation of the 
effectiveness of the company's internal control over financial 
reporting.\7\
---------------------------------------------------------------------------

    \7\ See Securities Exchange Act Rules 13a-15(c) and 15d-15(c), 
17 CFR 240.13a-15(c) and 240.15d-15(c). SEC rules require management 
to base its evaluation of the effectiveness of the company's 
internal control over financial reporting on a suitable, recognized 
control framework (also known as control criteria) established by a 
body or group that followed due-process procedures, including the 
broad distribution of the framework for public comment. For example, 
the report of the Committee of Sponsoring Organizations of the 
Treadway Commission (known as the COSO report) provides such a 
framework, as does the report published by the Financial Reporting 
Council, Internal Control Revised Guidance for Directors on the 
Combined Code, October 2005 (known as the Turnbull Report).
---------------------------------------------------------------------------

Integrating the Audits

    6. The audit of internal control over financial reporting should be 
integrated with the audit of the financial statements. The objectives 
of the audits are not identical, however, and the auditor must plan and 
perform the work to achieve the objectives of both audits.
    7. In an integrated audit of internal control over financial 
reporting and the financial statements, the auditor should design his 
or her testing of controls to accomplish the objectives of both audits 
simultaneously--
     To obtain sufficient evidence to support the auditor's 
opinion on internal control over financial reporting as of year-end, 
and
     To obtain sufficient evidence to support the auditor's 
control risk assessments for purposes of the audit of financial 
statements.
    8. Obtaining sufficient evidence to support control risk 
assessments as low for purposes of the financial statement audit 
ordinarily allows the auditor to reduce the amount of audit work that 
otherwise would have been necessary to opine on the financial 
statements. (See Appendix B for additional direction on integration.)

    Note: In some circumstances, particularly in some audits of 
smaller and less complex companies, the auditor might choose not to 
assess control risk as low for purposes of the audit of the 
financial statements. In such circumstances, the auditor's tests of 
the operating effectiveness of controls would be performed 
principally for the purpose of supporting his or her opinion on 
whether the company's internal control over financial reporting is 
effective as of year-end. The results of the auditor's financial 
statement auditing procedures also should inform his or her risk 
assessments in determining the testing necessary to conclude on the 
effectiveness of a control.

Planning the Audit

    9. The auditor should properly plan the audit of internal control 
over financial reporting and properly supervise any assistants. When 
planning an integrated audit, the auditor should evaluate whether the 
following matters are important to the company's financial statements 
and internal control over financial reporting and, if so, how they will 
affect the auditor's procedures--
     Knowledge of the company's internal control over financial 
reporting obtained during other engagements performed by the auditor;
     Matters affecting the industry in which the company 
operates, such as financial reporting practices, economic conditions, 
laws and regulations, and technological changes;
     Matters relating to the company's business, including its 
organization, operating characteristics, and capital structure;
     The extent of recent changes, if any, in the company, its 
operations, or its internal control over financial reporting;
     The auditor's preliminary judgments about materiality, 
risk, and other factors relating to the determination of material 
weaknesses;
     Control deficiencies previously communicated to the audit 
committee \8\ or management;
---------------------------------------------------------------------------

    \8\ If no audit committee exists, all references to the audit 
committee in this standard apply to the entire board of directors of 
the company. See 15 U.S.C. 78c(a)58 and 7201(a)(3).
---------------------------------------------------------------------------

     Legal or regulatory matters of which the company is aware;
     The type and extent of available evidence related to the 
effectiveness of the company's internal control over financial 
reporting;
     Preliminary judgments about the effectiveness of internal 
control over financial reporting;
     Public information about the company relevant to the 
evaluation of the likelihood of material financial statement 
misstatements and the effectiveness of the company's internal control 
over financial reporting;
     Knowledge about risks related to the company evaluated as 
part of the auditor's client acceptance and retention evaluation; and
     The relative complexity of the company's operations.

    Note: Many smaller companies have less complex operations. 
Additionally, some larger, complex companies may have less complex 
units or processes. Factors that might indicate less complex 
operations include: fewer business lines; less complex business 
processes and financial reporting systems; more centralized 
accounting functions; extensive involvement by senior management in 
the day-to-day activities of the business; and fewer levels of 
management, each with a wide span of control.

Role of Risk Assessment

    10. Risk assessment underlies the entire audit process described by 
this standard, including the determination of significant accounts and 
disclosures and relevant assertions, the selection of controls to test, 
and the determination of the evidence necessary for a given control.
    11. A direct relationship exists between the degree of risk that a 
material weakness could exist in a particular area of the company's 
internal control over financial reporting and the amount of audit 
attention that should be devoted to that area. In addition, the risk 
that a company's internal control over financial reporting will fail to 
prevent or detect misstatement caused by fraud usually is higher than 
the risk of failure to prevent or detect error. The auditor should 
focus more of his or her attention on the areas of highest risk. On the 
other hand, it is not necessary to test controls that, even if 
deficient, would not present a reasonable possibility of material 
misstatement to the financial statements.
    12. The complexity of the organization, business unit, or process, 
will play an important role in the auditor's risk assessment and the 
determination of the necessary procedures.

Scaling the Audit

    13. The size and complexity of the company, its business processes, 
and business units, may affect the way in which the company achieves 
many of its control objectives. The size and complexity of the company 
also might affect the risks of misstatement and the controls necessary 
to address those risks. Scaling is most effective as a natural 
extension of the risk-based approach and applicable to the audits of 
all companies. Accordingly, a smaller, less complex company, or even a 
larger, less complex company might achieve its control objectives 
differently than a more complex company.\9\
---------------------------------------------------------------------------

    \9\ The SEC Advisory Committee on Smaller Public Companies 
considered a company's size with respect to compliance with the 
internal control reporting provisions of the Act. See Advisory 
Committee on Smaller Public Companies to the United States 
Securities and Exchange Commission, Final Report, at p. 5 (April 23, 
2006).
---------------------------------------------------------------------------

Addressing the Risk of Fraud

    14. When planning and performing the audit of internal control over 
financial reporting, the auditor should take into account the results 
of his or her fraud risk assessment.\10\ As part of identifying and 
testing entity-level controls, as discussed beginning at paragraph 22, 
and selecting other controls to test, as discussed beginning at 
paragraph 39, the auditor should evaluate whether the company's 
controls sufficiently address identified risks of material misstatement 
due to fraud and controls intended to address the risk of management 
override of other controls. Controls that might address these risks 
include--
---------------------------------------------------------------------------

    \10\ See paragraphs .19 through .42 of AU sec. 316, 
Consideration of Fraud in a Financial Statement Audit, regarding 
identifying risks that may result in material misstatement due to 
fraud.
---------------------------------------------------------------------------

     Controls over significant, unusual transactions, 
particularly those that result in late or unusual journal entries;
     Controls over journal entries and adjustments made in the 
period-end financial reporting process;
     Controls over related party transactions;
     Controls related to significant management estimates; and
     Controls that mitigate incentives for, and pressures on, 
management to falsify or inappropriately manage financial results.
    15. If the auditor identifies deficiencies in controls designed to 
prevent or detect fraud during the audit of internal control over 
financial reporting, the auditor should take into account those 
deficiencies when developing his or her response to risks of material 
misstatement during the financial statement audit, as provided in AU 
sec. 316.44 and .45.

Using the Work of Others

    16. The auditor should evaluate the extent to which he or she will 
use the work of others to reduce the work the auditor might otherwise 
perform himself or herself. AU sec. 322, The Auditor's Consideration of 
the Internal Audit Function in an Audit of Financial Statements, 
applies in an integrated audit of the financial statements and internal 
control over financial reporting.
    17. For purposes of the audit of internal control, however, the 
auditor may use the work performed by, or receive direct assistance 
from, internal auditors, company personnel (in addition to internal 
auditors), and third parties working under the direction of management 
or the audit committee that provides evidence about the effectiveness 
of internal control over financial reporting. In an integrated audit of 
internal control over financial reporting and the financial statements, 
the auditor also may use this work to obtain evidence supporting the 
auditor's assessment of control risk for purposes of the audit of the 
financial statements.
    18. The auditor should assess the competence and objectivity of the 
persons whose work the auditor plans to use to determine the extent to 
which the auditor may use their work. The higher the degree of 
competence and objectivity, the greater use the auditor may make of the 
work. The auditor should apply paragraphs .09 through .11 of AU sec. 
322 to assess the competence and objectivity of internal auditors. The 
auditor should apply the principles underlying those paragraphs to 
assess the competence and objectivity of persons other than internal 
auditors whose work the auditor plans to use.

    Note: For purposes of using the work of others, competence means 
the attainment and maintenance of a level of understanding and 
knowledge that enables that person to perform ably the tasks 
assigned to them, and objectivity means the ability to perform those 
tasks impartially and with intellectual honesty. To assess 
competence, the auditor should evaluate factors about the person's 
qualifications and ability to perform the work the auditor plans to 
use. To assess objectivity, the auditor should evaluate whether 
factors are present that either inhibit or promote a person's 
ability to perform with the necessary degree of objectivity the work 
the auditor plans to use.


    Note: The auditor should not use the work of persons who have a 
low degree of objectivity, regardless of their level of competence. 
Likewise, the auditor should not use the work of persons who have a 
low level of competence regardless of their degree of objectivity. 
Personnel whose core function is to serve as a testing or compliance 
authority at the company, such as internal auditors, normally are 
expected to have greater competence and objectivity in performing 
the type of work that will be useful to the auditor.

    19. The extent to which the auditor may use the work of others in 
an audit of internal control also depends on the risk associated with 
the control being tested. As the risk associated with a control 
increases, the need for the auditor to perform his or her own work on 
the control increases.

Materiality

    20. In planning the audit of internal control over financial 
reporting, the auditor should use the same materiality considerations 
he or she would use in planning the audit of the company's annual 
financial statements.\11\
---------------------------------------------------------------------------

    \11\ See AU sec. 312, Audit Risk and Materiality in Conducting 
an Audit, which provides additional explanation of materiality.
---------------------------------------------------------------------------

Using a Top-Down Approach

    21. The auditor should use a top-down approach to the audit of 
internal control over financial reporting to select the controls to 
test. A top-down approach begins at the financial statement level and 
with the auditor's understanding of the overall risks to internal 
control over financial reporting. The auditor then focuses on entity-
level controls and works down to significant accounts and disclosures 
and their relevant assertions. This approach directs the auditor's 
attention to accounts, disclosures, and assertions that present a 
reasonable possibility of material misstatement to the financial 
statements and related disclosures. The auditor then verifies his or 
her understanding of the risks in the company's processes and selects 
for testing those controls that sufficiently address the assessed risk 
of misstatement to each relevant assertion.

    Note: The top-down approach describes the auditor's sequential 
thought process in identifying risks and the controls to test, not 
necessarily the order in which the auditor will perform the auditing 
procedures.

Identifying Entity-Level Controls

    22. The auditor must test those entity-level controls that are 
important to the auditor's conclusion about whether the company has 
effective internal control over financial reporting. The auditor's 
evaluation of entity-level controls can result in increasing or 
decreasing the testing that the auditor otherwise would have performed 
on other controls.
    23. Entity-level controls vary in nature and precision--
     Some entity-level controls, such as certain control 
environment controls, have an important, but indirect, effect on the 
likelihood that a misstatement will be detected or prevented on a 
timely basis. These controls might affect the other controls the 
auditor selects for testing and the nature, timing, and extent of 
procedures the auditor performs on other controls.
     Some entity-level controls monitor the effectiveness of 
other controls. Such controls might be designed to identify possible 
breakdowns in lower-level controls, but not at a level of precision 
that would, by themselves, sufficiently address the assessed risk that 
misstatements to a relevant assertion will be prevented or detected on 
a timely basis. These controls, when operating effectively, might allow 
the auditor to reduce the testing of other controls.
     Some entity-level controls might be designed to operate at 
a level of precision that would adequately prevent or detect on a 
timely basis misstatements to one or more relevant assertions. If an 
entity-level control sufficiently addresses the assessed risk of 
misstatement, the auditor need not test additional controls relating to 
that risk.
    24. Entity-level controls include--
     Controls related to the control environment;
     Controls over management override;

    Note: Controls over management override are important to 
effective internal control over financial reporting for all 
companies, and may be particularly important at smaller companies 
because of the increased involvement of senior management in 
performing controls and in the period-end financial reporting 
process. For smaller companies, the controls that address the risk 
of management override might be different from those at a larger 
company. For example, a smaller company might rely on more detailed 
oversight by the audit committee that focuses on the risk of 
management override.

     The company's risk assessment process;
     Centralized processing and controls, including shared 
service environments;
     Controls to monitor results of operations;
     Controls to monitor other controls, including activities 
of the internal audit function, the audit committee, and self-
assessment programs;
     Controls over the period-end financial reporting process; 
and
     Policies that address significant business control and 
risk management practices.
    25. Control Environment. Because of its importance to effective 
internal control over financial reporting, the auditor must evaluate 
the control environment at the company. As part of evaluating the 
control environment, the auditor should assess--
     Whether management's philosophy and operating style 
promote effective internal control over financial reporting;
     Whether sound integrity and ethical values, particularly 
of top management, are developed and understood; and
     Whether the Board or audit committee understands and 
exercises oversight responsibility over financial reporting and 
internal control.
    26. Period-end Financial Reporting Process. Because of its 
importance to financial reporting and to the auditor's opinions on 
internal control over financial reporting and the financial statements, 
the auditor must evaluate the period-end financial reporting process. 
The period-end financial reporting process includes the following--
     Procedures used to enter transaction totals into the 
general ledger;
     Procedures related to the selection and application of 
accounting policies;
     Procedures used to initiate, authorize, record, and 
process journal entries in the general ledger;
     Procedures used to record recurring and nonrecurring 
adjustments to the annual and quarterly financial statements; and
     Procedures for preparing annual and quarterly financial 
statements and related disclosures.

    Note: Because the annual period-end financial reporting process 
normally occurs after the ``as-of'' date of management's assessment, 
those controls usually cannot be tested until after the as-of date.

    27. As part of evaluating the period-end financial reporting 
process, the auditor should assess--
     Inputs, procedures performed, and outputs of the processes 
the company uses to produce its annual and quarterly financial 
statements;
     The extent of information technology (``IT'') involvement 
in the period-end financial reporting process;
     Who participates from management;
     The locations involved in the period-end financial 
reporting process;
     The types of adjusting and consolidating entries; and
     The nature and extent of the oversight of the process by 
management, the board of directors, and the audit committee.

    Note: The auditor should obtain sufficient evidence of the 
effectiveness of those quarterly controls that are important to 
determining whether the company's controls sufficiently address the 
assessed risk of misstatement to each relevant assertion as of the 
date of management's assessment. However, the auditor is not 
required to obtain sufficient evidence for each quarter 
individually.

Identifying Significant Accounts and Disclosures and Their Relevant 
Assertions

    28. The auditor should identify significant accounts and 
disclosures and their relevant assertions. Relevant assertions are 
those financial statement assertions that have a reasonable possibility 
of containing a misstatement
that would cause the financial statements to be materially misstated. 
The financial statement assertions include \12\--
---------------------------------------------------------------------------

    \12\ See AU sec. 326, Evidential Matter, which provides 
additional information on financial statement assertions.
---------------------------------------------------------------------------

     Existence or occurrence
     Completeness
     Valuation or allocation
     Rights and obligations
     Presentation and disclosure

    Note: The auditor may base his or her work on assertions that 
differ from those in this standard if the auditor has selected and 
tested controls over the pertinent risks in each significant account 
and disclosure that have a reasonable possibility of containing 
misstatements that would cause the financial statements to be 
materially misstated.

    29. To identify significant accounts and disclosures and their 
relevant assertions, the auditor should evaluate the qualitative and 
quantitative risk factors related to the financial statement line items 
and disclosures. Risk factors relevant to the identification of 
significant accounts and disclosures and their relevant assertions 
include--
     Size and composition of the account;
     Susceptibility to misstatement due to errors or fraud;
     Volume of activity, complexity, and homogeneity of the 
individual transactions processed through the account or reflected in 
the disclosure;
     Nature of the account or disclosure;
     Accounting and reporting complexities associated with the 
account or disclosure;
     Exposure to losses in the account;
     Possibility of significant contingent liabilities arising 
from the activities reflected in the account or disclosure;
     Existence of related party transactions in the account; 
and
     Changes from the prior period in account or disclosure 
characteristics.
    30. As part of identifying significant accounts and disclosures and 
their relevant assertions, the auditor also should determine the likely 
sources of potential misstatements that would cause the financial 
statements to be materially misstated. The auditor might determine the 
likely sources of potential misstatements by asking himself or herself 
``what could go wrong?'' within a given significant account or 
disclosure.
    31. The risk factors that the auditor should evaluate in the 
identification of significant accounts and disclosures and their 
relevant assertions are the same in the audit of internal control over 
financial reporting as in the audit of the financial statements; 
accordingly, significant accounts and disclosures and their relevant 
assertions are the same for both audits.

    Note: In the financial statement audit, the auditor might 
perform substantive auditing procedures on financial statement 
accounts, disclosures and assertions that are not determined to be 
significant accounts and disclosures and relevant assertions.\13\

    \13\ This is because his or her assessment of the risk that 
undetected misstatement would cause the financial statements to be 
materially misstated is unacceptably high (see AU sec. 312.39 for 
further discussion about undetected misstatement) or as a means of 
introducing unpredictability in the procedures performed (see 
paragraph 61 and AU sec. 316.50 for further discussion about 
predictability of auditing procedures).

    32. The components of a potential significant account or disclosure 
might be subject to significantly differing risks. If so, different 
controls might be necessary to adequately address those risks.
    33. When a company has multiple locations or business units, the 
auditor should identify significant accounts and disclosures and their 
relevant assertions based on the consolidated financial statements. 
Having made those determinations, the auditor should then apply the 
direction in Appendix B for multiple locations scoping decisions.

Understanding Likely Sources of Misstatement

    34. To further understand the likely sources of potential 
misstatements, and as a part of selecting the controls to test, the 
auditor should achieve the following objectives--
     Understand the flow of transactions related to the 
relevant assertions, including how these transactions are initiated, 
authorized, processed, and recorded;
     Verify that the auditor has identified the points within 
the company's processes at which a misstatement--including a 
misstatement due to fraud--could arise that, individually or in 
combination with other misstatements, would be material;
     Identify the controls that management has implemented to 
address these potential misstatements; and
     Identify the controls that management has implemented over 
the prevention or timely detection of unauthorized acquisition, use, or 
disposition of the company's assets that could result in a material 
misstatement of the financial statements.
    35. Because of the degree of judgment required, the auditor should 
either perform the procedures that achieve the objectives in paragraph 
34 himself or herself or supervise the work of others who provide 
direct assistance to the auditor, as described in AU sec. 322.
    36. The auditor also should understand how IT affects the company's 
flow of transactions. The auditor should apply paragraphs .16 through 
.20, .30 through .32, and .77 through .79, of AU sec. 319, 
Consideration of Internal Control in a Financial Statement Audit, which 
discuss the effect of information technology on internal control over 
financial reporting and the risks to assess.

    Note: The identification of risks and controls within IT is not 
a separate evaluation. Instead, it is an integral part of the top-
down approach used to identify significant accounts and disclosures 
and their relevant assertions, and the controls to test, as well as 
to assess risk and allocate audit effort as described by this 
standard.

    37. Performing Walkthroughs. Performing walkthroughs will 
frequently be the most effective way of achieving the objectives in 
paragraph 34. In performing a walkthrough, the auditor follows a 
transaction from origination through the company's processes, including 
information systems, until it is reflected in the company's financial 
records, using the same documents and information technology that 
company personnel use. Walkthrough procedures usually include a 
combination of inquiry, observation, inspection of relevant 
documentation, and re-performance of controls.
    38. In performing a walkthrough, at the points at which important 
processing procedures occur, the auditor questions the company's 
personnel about their understanding of what is required by the 
company's prescribed procedures and controls. These probing questions, 
combined with the other walkthrough procedures, allow the auditor to 
gain a sufficient understanding of the process and to be able to 
identify important points at which a necessary control is missing or 
not designed effectively. Additionally, probing questions that go 
beyond a narrow focus on the single transaction used as the basis for 
the walkthrough allow the auditor to gain an understanding of the 
different types of significant transactions handled by the process.

Selecting Controls To Test

    39. The auditor should test those controls that are important to 
the auditor's conclusion about whether the company's controls 
sufficiently address the assessed risk of misstatement to each relevant 
assertion.

    40. There might be more than one control that addresses the 
assessed risk of misstatement to a particular relevant assertion; 
conversely, one control might address the assessed risk of misstatement 
to more than one relevant assertion. It is neither necessary to test 
all controls related to a relevant assertion nor necessary to test 
redundant controls, unless redundancy is itself a control objective.
    41. The decision as to whether a control should be selected for 
testing depends on which controls, individually or in combination, 
sufficiently address the assessed risk of misstatement to a given 
relevant assertion rather than on how the control is labeled (e.g., 
entity-level control, transaction-level control, control activity, 
monitoring control, preventive control, detective control).

Testing Controls

Testing Design Effectiveness

    42. The auditor should test the design effectiveness of controls by 
determining whether the company's controls, if they are operated as 
prescribed by persons possessing the necessary authority and competence 
to perform the control effectively, satisfy the company's control 
objectives and can effectively prevent or detect errors or fraud that 
could result in material misstatements in the financial statements.

    Note: A smaller, less complex company might achieve its control 
objectives in a different manner from a larger, more complex 
organization. For example, a smaller, less complex company might 
have fewer employees in the accounting function, limiting 
opportunities to segregate duties and leading the company to 
implement alternative controls to achieve its control objectives. In 
such circumstances, the auditor should evaluate whether those 
alternative controls are effective.

    43. Procedures the auditor performs to test design effectiveness 
include a mix of inquiry of appropriate personnel, observation of the 
company's operations, and inspection of relevant documentation. 
Walkthroughs that include these procedures ordinarily are sufficient to 
evaluate design effectiveness.

Testing Operating Effectiveness

    44. The auditor should test the operating effectiveness of a 
control by determining whether the control is operating as designed and 
whether the person performing the control possesses the necessary 
authority and competence to perform the control effectively.

    Note: In some situations, particularly in smaller companies, a 
company might use a third party to provide assistance with certain 
financial reporting functions. When assessing the competence of 
personnel responsible for a company's financial reporting and 
associated controls, the auditor may take into account the combined 
competence of company personnel and other parties that assist with 
functions related to financial reporting.

    45. Procedures the auditor performs to test operating effectiveness 
include a mix of inquiry of appropriate personnel, observation of the 
company's operations, inspection of relevant documentation, and re-
performance of the control.

Relationship of Risk to the Evidence To Be Obtained

    46. For each control selected for testing, the evidence necessary 
to persuade the auditor that the control is effective depends upon the 
risk associated with the control. The risk associated with a control 
consists of the risk that the control might not be effective and, if 
not effective, the risk that a material weakness would result. As the 
risk associated with the control being tested increases, the evidence 
that the auditor should obtain also increases.

    Note: Although the auditor must obtain evidence about the 
effectiveness of controls for each relevant assertion, the auditor 
is not responsible for obtaining sufficient evidence to support an 
opinion about the effectiveness of each individual control. Rather, 
the auditor's objective is to express an opinion on the company's 
internal control over financial reporting overall. This allows the 
auditor to vary the evidence obtained regarding the effectiveness of 
individual controls selected for testing based on the risk 
associated with the individual control.

    47. Factors that affect the risk associated with a control 
include--
     The nature and materiality of misstatements that the 
control is intended to prevent or detect;
     The inherent risk associated with the related account(s) 
and assertion(s);
     Whether there have been changes in the volume or nature of 
transactions that might adversely affect control design or operating 
effectiveness;
     Whether the account has a history of errors;
     The effectiveness of entity-level controls, especially 
controls that monitor other controls;
     The nature of the control and the frequency with which it 
operates;
     The degree to which the control relies on the 
effectiveness of other controls (e.g., the control environment or 
information technology general controls);
     The competence of the personnel who perform the control or 
monitor its performance and whether there have been changes in key 
personnel who perform the control or monitor its performance;
     Whether the control relies on performance by an individual 
or is automated (i.e., an automated control would generally be expected 
to be lower risk if relevant information technology general controls 
are effective); and

    Note: A less complex company or business unit with simple 
business processes and centralized accounting operations might have 
relatively simple information systems that make greater use of off-
the-shelf packaged software without modification. In the areas in 
which off-the-shelf software is used, the auditor's testing of 
information technology controls might focus on the application 
controls built into the pre-packaged software that management relies 
on to achieve its control objectives and the IT general controls 
that are important to the effective operation of those application 
controls.

     The complexity of the control and the significance of the 
judgments that must be made in connection with its operation.

    Note: Generally, a conclusion that a control is not operating 
effectively can be supported by less evidence than is necessary to 
support a conclusion that a control is operating effectively.

    48. When the auditor identifies deviations from the company's 
controls, he or she should determine the effect of the deviations on 
his or her assessment of the risk associated with the control being 
tested and the evidence to be obtained, as well as on the operating 
effectiveness of the control.

    Note: Because effective internal control over financial 
reporting cannot, and does not, provide absolute assurance of 
achieving the company's control objectives, an individual control 
does not necessarily have to operate without any deviation to be 
considered effective.

    49. The evidence provided by the auditor's tests of the 
effectiveness of controls depends upon the mix of the nature, timing, 
and extent of the auditor's procedures. Further, for an individual 
control, different combinations of the nature, timing, and extent of 
testing may provide sufficient evidence in relation to the risk 
associated with the control.

    Note: Walkthroughs usually consist of a combination of inquiry 
of appropriate personnel, observation of the company's operations, 
inspection of relevant documentation, and re-performance of the 
control and might provide sufficient evidence of operating 
effectiveness, depending on the risk associated with the control 
being tested, the specific procedures performed as part of the 
walkthrough and the results of those procedures.

    50. Nature of Tests of Controls. Some types of tests, by their 
nature, produce greater evidence of the effectiveness of controls than 
other tests. The following tests that the auditor might perform are 
presented in order of the evidence that they ordinarily would produce, 
from least to most: inquiry, observation, inspection of relevant 
documentation, and re-performance of a control.

    Note: Inquiry alone does not provide sufficient evidence to 
support a conclusion about the effectiveness of a control.

    51. The nature of the tests of effectiveness that will provide 
competent evidence depends, to a large degree, on the nature of the 
control to be tested, including whether the operation of the control 
results in documentary evidence of its operation. Documentary evidence 
of the operation of some controls, such as management's philosophy and 
operating style, might not exist.

    Note: A smaller, less complex company or unit might have less 
formal documentation regarding the operation of its controls. In 
those situations, testing controls through inquiry combined with 
other procedures, such as observation of activities, inspection of 
less formal documentation, or re-performance of certain controls, 
might provide sufficient evidence about whether the control is 
effective.

    52. Timing of Tests of Controls. Testing controls over a greater 
period of time provides more evidence of the effectiveness of controls 
than testing over a shorter period of time. Further, testing performed 
closer to the date of management's assessment provides more evidence 
than testing performed earlier in the year. The auditor should balance 
performing the tests of controls closer to the as-of date with the need 
to test controls over a sufficient period of time to obtain sufficient 
evidence of operating effectiveness.
    53. Prior to the date specified in management's assessment, 
management might implement changes to the company's controls to make 
them more effective or efficient or to address control deficiencies. If 
the auditor determines that the new controls achieve the related 
objectives of the control criteria and have been in effect for a 
sufficient period to permit the auditor to assess their design and 
operating effectiveness by performing tests of controls, he or she will 
not need to test the design and operating effectiveness of the 
superseded controls for purposes of expressing an opinion on internal 
control over financial reporting. If the operating effectiveness of the 
superseded controls is important to the auditor's control risk 
assessment, the auditor should test the design and operating 
effectiveness of those superseded controls, as appropriate. (See 
additional direction on integration beginning at paragraph B1.)
    54. Extent of Tests of Controls. The more extensively a control is 
tested, the greater the evidence obtained from that test.
    55. Roll-Forward Procedures. When the auditor reports on the 
effectiveness of controls as of a specific date and obtains evidence 
about the operating effectiveness of controls at an interim date, he or 
she should determine what additional evidence concerning the operation 
of the controls for the remaining period is necessary.
    56. The additional evidence that is necessary to update the results 
of testing from an interim date to the company's year-end depends on 
the following factors--
     The specific control tested prior to the as-of date, 
including the risks associated with the control and the nature of the 
control, and the results of those tests;
     The sufficiency of the evidence of effectiveness obtained 
at an interim date;
     The length of the remaining period; and
     The possibility that there have been any significant 
changes in internal control over financial reporting subsequent to the 
interim date.

    Note: In some circumstances, such as when evaluation of the 
foregoing factors indicates a low risk that the controls are no 
longer effective during the roll-forward period, inquiry alone might 
be sufficient as a roll-forward procedure.

Special Considerations for Subsequent Years' Audits

    57. In subsequent years' audits, the auditor should incorporate 
knowledge obtained during past audits he or she performed of the 
company's internal control over financial reporting into the decision-
making process for determining the nature, timing, and extent of 
testing necessary. This decision-making process is described in 
paragraphs 46 through 56.
    58. Factors that affect the risk associated with a control in 
subsequent years' audits include those in paragraph 47 and the 
following--
     The nature, timing, and extent of procedures performed in 
previous audits,
     The results of the previous years' testing of the control, 
and
     Whether there have been changes in the control or the 
process in which it operates since the previous audit.
    59. After taking into account the risk factors identified in 
paragraphs 47 and 58, the additional information available in 
subsequent years' audits might permit the auditor to assess the risk as 
lower than in the initial year. This, in turn, might permit the auditor 
to reduce testing in subsequent years.
    60. The auditor may also use a benchmarking strategy for automated 
application controls in subsequent years' audits. Benchmarking is 
described further beginning at paragraph B28.
    61. In addition, the auditor should vary the nature, timing, and 
extent of testing of controls from year to year to introduce 
unpredictability into the testing and respond to changes in 
circumstances. For this reason, each year the auditor might test 
controls at a different interim period, increase or reduce the number 
and types of tests performed, or change the combination of procedures 
used.

Evaluating Identified Deficiencies

    62. The auditor must evaluate the severity of each control 
deficiency that comes to his or her attention to determine whether the 
deficiencies, individually or in combination, are material weaknesses 
as of the date of management's assessment. In planning and performing 
the audit, however, the auditor is not required to search for 
deficiencies that, individually or in combination, are less severe than 
a material weakness.
    63. The severity of a deficiency depends on--
     Whether there is a reasonable possibility that the 
company's controls will fail to prevent or detect a misstatement of an 
account balance or disclosure; and
     The magnitude of the potential misstatement resulting from 
the deficiency or deficiencies.
    64. The severity of a deficiency does not depend on whether a 
misstatement actually has occurred but rather on whether there is a 
reasonable possibility that the company's controls will fail to prevent 
or detect a misstatement.
    65. Risk factors affect whether there is a reasonable possibility 
that a deficiency, or a combination of deficiencies, will result in a 
misstatement of an account balance or disclosure. The factors include, 
but are not limited to, the following--
     The nature of the financial statement accounts, 
disclosures, and assertions involved;
     The susceptibility of the related asset or liability to 
loss or fraud;
     The subjectivity, complexity, or extent of judgment 
required to determine the amount involved;
     The interaction or relationship of the control with other 
controls, including whether they are interdependent or redundant;
     The interaction of the deficiencies; and
     The possible future consequences of the deficiency.

    Note: The evaluation of whether a control deficiency presents a 
reasonable possibility of misstatement can be made without 
quantifying the probability of occurrence as a specific percentage 
or range.


    Note: Multiple control deficiencies that affect the same 
financial statement account balance or disclosure increase the 
likelihood of misstatement and may, in combination, constitute a 
material weakness, even though such deficiencies may individually be 
less severe. Therefore, the auditor should determine whether 
individual control deficiencies that affect the same significant 
account or disclosure, relevant assertion, or component of internal 
control collectively result in a material weakness.

    66. Factors that affect the magnitude of the misstatement that 
might result from a deficiency or deficiencies in controls include, but 
are not limited to, the following--
     The financial statement amounts or total of transactions 
exposed to the deficiency; and
     The volume of activity in the account balance or class of 
transactions exposed to the deficiency that has occurred in the current 
period or that is expected in future periods.
    67. In evaluating the magnitude of the potential misstatement, the 
maximum amount that an account balance or total of transactions can be 
overstated is generally the recorded amount, while understatements 
could be larger. Also, in many cases, the probability of a small 
misstatement will be greater than the probability of a large 
misstatement.
    68. The auditor should evaluate the effect of compensating controls 
when determining whether a control deficiency or combination of 
deficiencies is a material weakness. To have a mitigating effect, the 
compensating control should operate at a level of precision that would 
prevent or detect a misstatement that could be material.

Indicators of Material Weaknesses

    69. Indicators of material weaknesses in internal control over 
financial reporting include--
     Identification of fraud, whether or not material, on the 
part of senior management; \14\
---------------------------------------------------------------------------

    \14\ For the purpose of this indicator, the term ``senior 
management'' includes the principal executive and financial officers 
signing the company's certifications as required under Section 302 
of the Act as well as any other members of senior management who 
play a significant role in the company's financial reporting 
process.
---------------------------------------------------------------------------

     Restatement of previously issued financial statements to 
reflect the correction of a material misstatement; \15\
---------------------------------------------------------------------------

    \15\ See Financial Accounting Standards Board Statement No. 154, 
Accounting Changes and Error Corrections, regarding the correction 
of a misstatement.
---------------------------------------------------------------------------

     Identification by the auditor of a material misstatement 
of financial statements in the current period in circumstances that 
indicate that the misstatement would not have been detected by the 
company's internal control over financial reporting; and
     Ineffective oversight of the company's external financial 
reporting and internal control over financial reporting by the 
company's audit committee.
    70. When evaluating the severity of a deficiency, or combination of 
deficiencies, the auditor also should determine the level of detail and 
degree of assurance that would satisfy prudent officials in the conduct 
of their own affairs that they have reasonable assurance that 
transactions are recorded as necessary to permit the preparation of 
financial statements in conformity with generally accepted accounting 
principles. If the auditor determines that a deficiency, or combination 
of deficiencies, might prevent prudent officials in the conduct of 
their own affairs from concluding that they have reasonable assurance 
that transactions are recorded as necessary to permit the preparation 
of financial statements in conformity with generally accepted 
accounting principles, then the auditor should treat the deficiency, or 
combination of deficiencies, as an indicator of a material weakness.

Wrapping-Up

Forming an Opinion

    71. The auditor should form an opinion on the effectiveness of 
internal control over financial reporting by evaluating evidence 
obtained from all sources, including the auditor's testing of controls, 
misstatements detected during the financial statement audit, and any 
identified control deficiencies.

    Note: As part of this evaluation, the auditor should review 
reports issued during the year by internal audit (or similar 
functions) that address controls related to internal control over 
financial reporting and evaluate control deficiencies identified in 
those reports.

    72. After forming an opinion on the effectiveness of the company's 
internal control over financial reporting, the auditor should evaluate 
the presentation of the elements that management is required, under the 
SEC's rules, to present in its annual report on internal control over 
financial reporting.\16\
---------------------------------------------------------------------------

    \16\ See Item 308(a) of Regulations S-B and S-K, 17 CFR 
228.308(a) and 229.308(a).
---------------------------------------------------------------------------

    73. If the auditor determines that any required elements of 
management's annual report on internal control over financial reporting 
are incomplete or improperly presented, the auditor should follow the 
direction in paragraph C2.
    74. The auditor may form an opinion on the effectiveness of 
internal control over financial reporting only when there have been no 
restrictions on the scope of the auditor's work. A scope limitation 
requires the auditor to disclaim an opinion or withdraw from the 
engagement (see paragraphs C3 through C7).

Obtaining Written Representations

    75. In an audit of internal control over financial reporting, the 
auditor should obtain written representations from management--
    a. Acknowledging management's responsibility for establishing and 
maintaining effective internal control over financial reporting;
    b. Stating that management has performed an evaluation and made an 
assessment of the effectiveness of the company's internal control over 
financial reporting and specifying the control criteria;
    c. Stating that management did not use the auditor's procedures 
performed during the audits of internal control over financial 
reporting or the financial statements as part of the basis for 
management's assessment of the effectiveness of internal control over 
financial reporting;
    d. Stating management's conclusion, as set forth in its assessment, 
about the effectiveness of the company's internal control over 
financial reporting based on the control criteria as of a specified 
date;
    e. Stating that management has disclosed to the auditor all 
deficiencies in the design or operation of internal control over 
financial reporting identified as part of management's evaluation, 
including separately disclosing to the auditor all such deficiencies 
that it believes to be significant deficiencies or material weaknesses 
in internal control over financial reporting;
    f. Describing any fraud resulting in a material misstatement to the 
company's financial statements and any other fraud that does not result 
in a material misstatement to the company's financial statements but 
involves senior management or management or other employees who have a 
significant role in the company's internal control over financial 
reporting;
    g. Stating whether control deficiencies identified and communicated 
to the audit committee during previous engagements pursuant to 
paragraphs 77 and 79 have been resolved,\*\ and specifically 
identifying any that have not; and
---------------------------------------------------------------------------

    \*\ PCAOB staff have told the Commission staff that the 
references to paragraphs 77 and 79 in paragraph 75.g. of the 
proposed rule should instead refer to paragraphs 78 and 80, and that 
this typographical error will be corrected. Telephone conversation 
between Sharon Virag, Associate Chief Auditor, PCAOB, and Brian 
Croteau, Associate Chief Accountant, SEC, on June 4, 2007.
---------------------------------------------------------------------------

    h. Stating whether there were, subsequent to the date being 
reported on, any changes in internal control over financial reporting 
or other factors that might significantly affect internal control over 
financial reporting, including any corrective actions taken by 
management with regard to significant deficiencies and material 
weaknesses.
    76. The failure to obtain written representations from management, 
including management's refusal to furnish them, constitutes a 
limitation on the scope of the audit. As discussed further in paragraph 
C3, when the scope of the audit is limited, the auditor should either 
withdraw from the engagement or disclaim an opinion. Further, the 
auditor should evaluate the effects of management's refusal on his or 
her ability to rely on other representations, including those obtained 
in the audit of the company's financial statements.
    77. AU sec. 333, Management Representations, explains matters such 
as who should sign the letter, the period to be covered by the letter, 
and when to obtain an updated letter.

Communicating Certain Matters

    78. The auditor must communicate, in writing, to management and the 
audit committee all material weaknesses identified during the audit. 
The written communication should be made prior to the issuance of the 
auditor's report on internal control over financial reporting.
    79. If the auditor concludes that the oversight of the company's 
external financial reporting and internal control over financial 
reporting by the company's audit committee is ineffective, the auditor 
must communicate that conclusion in writing to the board of directors.
    80. The auditor also should consider whether there are any 
deficiencies, or combinations of deficiencies, that have been 
identified during the audit that are significant deficiencies and must 
communicate such deficiencies, in writing, to the audit committee.
    81. The auditor also should communicate to management, in writing, 
all deficiencies in internal control over financial reporting (i.e., 
those deficiencies in internal control over financial reporting that 
are of a lesser magnitude than material weaknesses) identified during 
the audit and inform the audit committee when such a communication has 
been made. When making this communication, it is not necessary for the 
auditor to repeat information about such deficiencies that has been 
included in previously issued written communications, whether those 
communications were made by the auditor, internal auditors, or others 
within the organization.
    82. The auditor is not required to perform procedures that are 
sufficient to identify all control deficiencies; rather, the auditor 
communicates deficiencies in internal control over financial reporting 
of which he or she is aware.
    83. Because the audit of internal control over financial reporting 
does not provide the auditor with assurance that he or she has 
identified all deficiencies less severe than a material weakness, the 
auditor should not issue a report stating that no such deficiencies 
were noted during the audit.
    84. When auditing internal control over financial reporting, the 
auditor may become aware of fraud or possible illegal acts. In such 
circumstances, the auditor must determine his or her responsibilities 
under AU sec. 316, Consideration of Fraud in a Financial Statement 
Audit, AU sec. 317, Illegal Acts by Clients, and Section 10A of the 
Securities Exchange Act of 1934.\17\
---------------------------------------------------------------------------

    \17\ See 15 U.S.C. 78j-1.
---------------------------------------------------------------------------

Reporting on Internal Control

    85. The auditor's report on the audit of internal control over 
financial reporting must include the following elements \18\--
---------------------------------------------------------------------------

    \18\ See Appendix C, which provides direction on modifications 
to the auditor's report that are required in certain circumstances.
---------------------------------------------------------------------------

    a. A title that includes the word independent;
    b. A statement that management is responsible for maintaining 
effective internal control over financial reporting and for assessing 
the effectiveness of internal control over financial reporting;
    c. An identification of management's report on internal control;
    d. A statement that the auditor's responsibility is to express an 
opinion on the company's internal control over financial reporting 
based on his or her audit;
    e. A definition of internal control over financial reporting as 
stated in paragraph A5;
    f. A statement that the audit was conducted in accordance with the 
standards of the Public Company Accounting Oversight Board (United 
States);
    g. A statement that the standards of the Public Company Accounting 
Oversight Board require that the auditor plan and perform the audit to 
obtain reasonable assurance about whether effective internal control 
over financial reporting was maintained in all material respects;
    h. A statement that an audit includes obtaining an understanding of 
internal control over financial reporting, assessing the risk that a 
material weakness exists, testing and evaluating the design and 
operating effectiveness of internal control based on the assessed risk, 
and performing such other procedures as the auditor considered 
necessary in the circumstances;
    i. A statement that the auditor believes the audit provides a 
reasonable basis for his or her opinion;
    j. A paragraph stating that, because of inherent limitations, 
internal control over financial reporting may not prevent or detect 
misstatements and that projections of any evaluation of effectiveness 
to future periods are subject to the risk that controls may become 
inadequate because of changes in conditions, or that the degree of 
compliance with the policies or procedures may deteriorate;
    k. The auditor's opinion on whether the company maintained, in all 
material respects, effective internal control over financial reporting 
as of the specified date, based on the control criteria;
    l. The manual or printed signature of the auditor's firm;
    m. The city and state (or city and country, in the case of non-U.S. 
auditors) from which the auditor's report has been issued; and
    n. The date of the audit report.

Separate or Combined Reports

    86. The auditor may choose to issue a combined report (i.e., one 
report containing both an opinion on the financial statements and an 
opinion on internal control over financial reporting) or separate 
reports on the company's financial statements and on internal control 
over financial reporting.
    87. The following example combined report expressing an unqualified 
opinion on financial statements and an unqualified opinion on internal 
control over financial reporting illustrates the report elements 
described in this section.

Report of Independent Registered Public Accounting Firm

[Introductory paragraph]

    We have audited the accompanying balance sheets of W Company as 
of December 31, 20X8 and 20X7, and the related statements of income, 
stockholders' equity and comprehensive income, and cash flows for 
each of the years in the three-year period ended December 31, 20X8. 
We also have audited W Company's internal control over financial 
reporting as of December 31, 20X8, based on [Identify control 
criteria, for example, ``criteria established in Internal Control--
Integrated Framework issued by the Committee of Sponsoring 
Organizations of the Treadway Commission (COSO).'']. W Company's 
management is responsible for these financial statements, for 
maintaining effective internal control over financial reporting, and 
for its assessment of the effectiveness of internal control over 
financial reporting, included in the accompanying [title of 
management's report]. Our responsibility is to express an opinion on 
these financial statements and an opinion on the company's internal 
control over financial reporting based on our audits.

[Scope paragraph]

    We conducted our audits in accordance with the standards of the 
Public Company Accounting Oversight Board (United States). Those 
standards require that we plan and perform the audits to obtain 
reasonable assurance about whether the financial statements are free 
of material misstatement and whether effective internal control over 
financial reporting was maintained in all material respects. Our 
audits of the financial statements included examining, on a test 
basis, evidence supporting the amounts and disclosures in the 
financial statements, assessing the accounting principles used and 
significant estimates made by management, and evaluating the overall 
financial statement presentation. Our audit of internal control over 
financial reporting included obtaining an understanding of internal 
control over financial reporting, assessing the risk that a material 
weakness exists, and testing and evaluating the design and operating 
effectiveness of internal control based on the assessed risk. Our 
audits also included performing such other procedures as we 
considered necessary in the circumstances. We believe that our 
audits provide a reasonable basis for our opinions.

[Definition paragraph]

    A company's internal control over financial reporting is a 
process designed to provide reasonable assurance regarding the 
reliability of financial reporting and the preparation of financial 
statements for external purposes in accordance with generally 
accepted accounting principles. A company's internal control over 
financial reporting includes those policies and procedures that (1) 
Pertain to the maintenance of records that, in reasonable detail, 
accurately and fairly reflect the transactions and dispositions of 
the assets of the company; (2) provide reasonable assurance that 
transactions are recorded as necessary to permit preparation of 
financial statements in accordance with generally accepted 
accounting principles, and that receipts and expenditures of the 
company are being made only in accordance with authorizations of 
management and directors of the company; and (3) provide reasonable 
assurance regarding prevention or timely detection of unauthorized 
acquisition, use, or disposition of the company's assets that could 
have a material effect on the financial statements.

[Inherent limitations paragraph]

    Because of its inherent limitations, internal control over 
financial reporting may not prevent or detect misstatements. Also, 
projections of any evaluation of effectiveness to future periods are 
subject to the risk that controls may become inadequate because of 
changes in conditions, or that the degree of compliance with the 
policies or procedures may deteriorate.

[Opinion paragraph]

    In our opinion, the financial statements referred to above 
present fairly, in all material respects, the financial position of 
W Company as of December 31, 20X8 and 20X7, and the results of its 
operations and its cash flows for each of the years in the three-
year period ended December 31, 20X8 in conformity with accounting 
principles generally accepted in the United States of America. Also 
in our opinion, W Company maintained, in all material respects, 
effective internal control over financial reporting as of December 
31, 20X8, based on [Identify control criteria, for example, 
``criteria established in Internal Control--Integrated Framework 
issued by the Committee of Sponsoring Organizations of the Treadway 
Commission (COSO).''].

[Signature]

[City and State or Country]

[Date]

    88. If the auditor chooses to issue a separate report on internal 
control over financial reporting, he or she should add the following 
paragraph to the auditor's report on the financial statements--

    We also have audited, in accordance with the standards of the 
Public Company Accounting Oversight Board (United States), W 
Company's internal control over financial reporting as of December 
31, 20X8, based on [identify control criteria] and our report dated 
[date of report, which should be the same as the date of the report 
on the financial statements] expressed [include nature of opinion].

    The auditor also should add the following paragraph to the report 
on internal control over financial reporting--

    We also have audited, in accordance with the standards of the 
Public Company Accounting Oversight Board (United States), the 
[identify financial statements] of W Company and our report dated 
[date of report, which should be the same as the date of the report 
on the effectiveness of internal control over financial reporting] 
expressed [include nature of opinion].

Report Date

    89. The auditor should date the audit report no earlier than the 
date on which the auditor has obtained sufficient competent evidence to 
support the auditor's opinion. Because the auditor cannot audit 
internal control over financial reporting without also auditing the 
financial statements, the reports should be dated the same.

Material Weaknesses

    90. Paragraphs 62 through 70 describe the evaluation of 
deficiencies. If there are deficiencies that, individually or in 
combination, result in one or more material weaknesses, the auditor 
must express an adverse opinion on the company's internal control over 
financial reporting, unless there is a restriction on the scope of the 
engagement.\19\
---------------------------------------------------------------------------

    \19\ See paragraph C3 for direction when the scope of the 
engagement has been limited.
---------------------------------------------------------------------------

    91. When expressing an adverse opinion on internal control over 
financial reporting because of a material weakness, the auditor's 
report must include--
    • The definition of a material weakness, as provided in 
paragraph A7.
    • A statement that a material weakness has been identified 
and an identification of the material weakness described in 
management's assessment.

    Note: If the material weakness has not been included in 
management's assessment, the report should be modified to state that 
a material weakness has been identified but not included in 
management's assessment. Additionally, the auditor's report should 
include a description of the material weakness, which should provide 
the users of the audit report with specific information about the 
nature of the material weakness and its actual and potential effect 
on the presentation of the company's financial statements issued 
during the existence of the weakness. In this case, the auditor also 
should communicate in writing to the audit committee that the 
material weakness was not disclosed or identified as a material 
weakness in management's assessment. If the material weakness has 
been included in management's assessment but the auditor concludes 
that the disclosure of the material weakness is not fairly presented 
in all material respects, the auditor's report should describe this 
conclusion as well as the information necessary to fairly describe 
the material weakness.

    92. The auditor should determine the effect his or her adverse 
opinion on internal control has on his or her opinion on the financial 
statements. Additionally, the auditor should disclose whether his or 
her opinion on the financial statements was affected by the adverse 
opinion on internal control over financial reporting.


    Note: If the auditor issues a separate report on internal 
control over financial reporting in this circumstance, the 
disclosure required by this paragraph may be combined with the 
report language described in paragraphs 88 and 91. The auditor may 
present the combined language either as a separate paragraph or as 
part of the paragraph that identifies the material weakness.

Subsequent Events

    93. Changes in internal control over financial reporting or other 
factors that might significantly affect internal control over financial 
reporting might occur subsequent to the date as of which internal 
control over financial reporting is being audited but before the date 
of the auditor's report. The auditor should inquire of management 
whether there were any such changes or factors and obtain written 
representations from management relating to such matters, as described 
in paragraph 75h.
    94. To obtain additional information about whether changes have 
occurred that might affect the effectiveness of the company's internal 
control over financial reporting and, therefore, the auditor's report, 
the auditor should inquire about and examine, for this subsequent 
period, the following--
    • Relevant internal audit (or similar functions, such as 
loan review in a financial institution) reports issued during the 
subsequent period,
    • Independent auditor reports (if other than the auditor's) 
of deficiencies in internal control,
    • Regulatory agency reports on the company's internal 
control over financial reporting, and
    • Information about the effectiveness of the company's 
internal control over financial reporting obtained through other 
engagements.
    95. The auditor might inquire about and examine other documents for 
the subsequent period. Paragraphs .01 through .09 of AU sec. 560, 
Subsequent Events, provide direction on subsequent events for a 
financial statement audit that also may be helpful to the auditor 
performing an audit of internal control over financial reporting.
    96. If the auditor obtains knowledge about subsequent events that 
materially and adversely affect the effectiveness of the company's 
internal control over financial reporting as of the date specified in 
the assessment, the auditor should issue an adverse opinion on internal 
control over financial reporting (and follow the direction in paragraph 
C2 if management's assessment states that internal control over 
financial reporting is effective). If the auditor is unable to 
determine the effect of the subsequent event on the effectiveness of 
the company's internal control over financial reporting, the auditor 
should disclaim an opinion. As described in paragraph C13, the auditor 
should disclaim an opinion on management's disclosures about corrective 
actions taken by the company after the date of management's assessment, 
if any.
    97. The auditor may obtain knowledge about subsequent events with 
respect to conditions that did not exist at the date specified in the 
assessment but arose subsequent to that date and before issuance of the 
auditor's report. If a subsequent event of this type has a material 
effect on the company's internal control over financial reporting, the 
auditor should include in his or her report an explanatory paragraph 
describing the event and its effects or directing the reader's 
attention to the event and its effects as disclosed in management's 
report.
    98. After the issuance of the report on internal control over 
financial reporting, the auditor may become aware of conditions that 
existed at the report date that might have affected the auditor's 
opinion had he or she been aware of them. The auditor's evaluation of 
such subsequent information is similar to the auditor's evaluation of 
information discovered subsequent to the date of the report on an audit 
of financial statements, as described in AU sec. 561, Subsequent 
Discovery of Facts Existing at the Date of the Auditor's Report.

Appendix A--Definitions

    A1. For purposes of this standard, the terms listed below are 
defined as follows--
    A2. A control objective provides a specific target against which 
to evaluate the effectiveness of controls. A control objective for 
internal control over financial reporting generally relates to a 
relevant assertion and states a criterion for evaluating whether the 
company's control procedures in a specific area provide reasonable 
assurance that a misstatement or omission in that relevant assertion 
is prevented or detected by controls on a timely basis.
    A3. A deficiency in internal control over financial reporting 
exists when the design or operation of a control does not allow 
management or employees, in the normal course of performing their 
assigned functions, to prevent or detect misstatements on a timely 
basis.
    • A deficiency in design exists when (a) A control 
necessary to meet the control objective is missing or (b) an 
existing control is not properly designed so that, even if the 
control operates as designed, the control objective would not be 
met.
    • A deficiency in operation exists when a properly 
designed control does not operate as designed, or when the person 
performing the control does not possess the necessary authority or 
competence to perform the control effectively.
    A4. Financial statements and related disclosures refers to a 
company's financial statements and notes to the financial statements 
as presented in accordance with generally accepted accounting 
principles (``GAAP''). References to financial statements and 
related disclosures do not extend to the preparation of management's 
discussion and analysis or other similar financial information 
presented outside a company's GAAP-basis financial statements and 
notes.
    A5. Internal control over financial reporting is a process 
designed by, or under the supervision of, the company's principal 
executive and principal financial officers, or persons performing 
similar functions, and effected by the company's board of directors, 
management, and other personnel, to provide reasonable assurance 
regarding the reliability of financial reporting and the preparation 
of financial statements for external purposes in accordance with 
GAAP and includes those policies and procedures that--
    (1) Pertain to the maintenance of records that, in reasonable 
detail, accurately and fairly reflect the transactions and 
dispositions of the assets of the company;
    (2) Provide reasonable assurance that transactions are recorded 
as necessary to permit preparation of financial statements in 
accordance with generally accepted accounting principles, and that 
receipts and expenditures of the company are being made only in 
accordance with authorizations of management and directors of the 
company; and
    (3) Provide reasonable assurance regarding prevention or timely 
detection of unauthorized acquisition, use, or disposition of the 
company's assets that could have a material effect on the financial 
statements.\1\
---------------------------------------------------------------------------

    \1\ See Securities Exchange Act Rules 13a-15(f) and 15d-15(f), 
17 CFR 240.13a-15(f) and 240.15d-15(f).
---------------------------------------------------------------------------

    Note: The auditor's procedures as part of either the audit of 
internal control over financial reporting or the audit of the 
financial statements are not part of a company's internal control 
over financial reporting.


    Note: Internal control over financial reporting has inherent 
limitations. Internal control over financial reporting is a process 
that involves human diligence and compliance and is subject to 
lapses in judgment and breakdowns resulting from human failures. 
Internal control over financial reporting also can be circumvented 
by collusion or improper management override. Because of such 
limitations, there is a risk that material misstatements will not be 
prevented or detected on a timely basis by internal control over 
financial reporting. However, these inherent limitations are known 
features of the financial reporting process. Therefore, it is 
possible to design into the process safeguards to reduce, though not 
eliminate, this risk.

    A6. Management's assessment is the assessment described in Item 
308(a)(3) of Regulations S-B and S-K that is included in 
management's annual report on internal control over financial 
reporting.\2\
---------------------------------------------------------------------------

    \2\ See 17 CFR 228.308(a)(3) and 229.308(a)(3).
---------------------------------------------------------------------------

    A7. A material weakness is a deficiency, or a combination of 
deficiencies, in internal control over financial reporting, such 
that there is a reasonable possibility that a material misstatement 
of the company's annual or interim financial statements will not be 
prevented or detected on a timely basis.

    Note: There is a reasonable possibility of an event, as used in 
this standard, when the likelihood of the event is either 
``reasonably possible'' or ``probable,'' as those terms are used in 
Financial Accounting Standards Board Statement No. 5, Accounting for 
Contingencies (``FAS 5'').\3\
---------------------------------------------------------------------------

    \3\ See FAS 5, paragraph 3.
---------------------------------------------------------------------------

    A8. Controls over financial reporting may be preventive controls 
or detective controls. Effective internal control over financial 
reporting often includes a combination of preventive and detective 
controls.
    • Preventive controls have the objective of preventing 
errors or fraud that could result in a misstatement of the financial 
statements from occurring.
    • Detective controls have the objective of detecting 
errors or fraud that has already occurred that could result in a 
misstatement of the financial statements.
    A9. A relevant assertion is a financial statement assertion that 
has a reasonable possibility of containing a misstatement or 
misstatements that would cause the financial statements to be 
materially misstated. The determination of whether an assertion is a 
relevant assertion is based on inherent risk, without regard to the 
effect of controls.
    A10. An account or disclosure is a significant account or 
disclosure if there is a reasonable possibility that the account or 
disclosure could contain a misstatement that, individually or when 
aggregated with others, has a material effect on the financial 
statements, considering the risks of both overstatement and 
understatement. The determination of whether an account or 
disclosure is significant is based on inherent risk, without regard 
to the effect of controls.
    A11. A significant deficiency is a deficiency, or a combination 
of deficiencies, in internal control over financial reporting that 
is less severe than a material weakness, yet important enough to 
merit attention by those responsible for oversight of the company's 
financial reporting.

Appendix B--Special Topics

Integration of Audits

    B1. Tests of Controls in an Audit of Internal Control. The 
objective of the tests of controls in an audit of internal control 
over financial reporting is to obtain evidence about the 
effectiveness of controls to support the auditor's opinion on the 
company's internal control over financial reporting. The auditor's 
opinion relates to the effectiveness of the company's internal 
control over financial reporting as of a point in time and taken as 
a whole.
    B2. To express an opinion on internal control over financial 
reporting as of a point in time, the auditor should obtain evidence 
that internal control over financial reporting has operated 
effectively for a sufficient period of time, which may be less than 
the entire period (ordinarily one year) covered by the company's 
financial statements. To express an opinion on internal control over 
financial reporting taken as a whole, the auditor must obtain 
evidence about the effectiveness of selected controls over all 
relevant assertions. This requires that the auditor test the design 
and operating effectiveness of controls he or she ordinarily would 
not test if expressing an opinion only on the financial statements.
    B3. When concluding on the effectiveness of internal control 
over financial reporting for purposes of expressing an opinion on 
internal control over financial reporting, the auditor should 
incorporate the results of any additional tests of controls 
performed to achieve the objective related to expressing an opinion 
on the financial statements, as discussed in the following section.
    B4. Tests of Controls in an Audit of Financial Statements. To 
express an opinion on the financial statements, the auditor 
ordinarily performs tests of controls and substantive procedures. 
The objective of the tests of controls the auditor performs for this 
purpose is to assess control risk. To assess control risk for 
specific financial statement assertions at less than the maximum, 
the auditor is required to obtain evidence that the relevant 
controls operated effectively during the entire period upon which 
the auditor plans to place reliance on those controls. However, the 
auditor is not required to assess control risk at less than the 
maximum for all relevant assertions and, for a variety of reasons, 
the auditor may choose not to do so.
    B5. When concluding on the effectiveness of controls for the 
purpose of assessing control risk, the auditor also should evaluate 
the results of any additional tests of controls performed to achieve 
the objective related to expressing an opinion on the company's 
internal control over financial reporting, as discussed in paragraph 
B2. Consideration of these results may require the auditor to alter 
the nature, timing, and extent of substantive procedures and to plan 
and perform further tests of controls, particularly in response to 
identified control deficiencies.
    B6. Effect of Tests of Controls on Substantive Procedures. If, 
during the audit of internal control over financial reporting, the 
auditor identifies a deficiency, he or she should determine the 
effect of the deficiency, if any, on the nature, timing, and extent 
of substantive procedures to be performed to reduce audit risk in 
the audit of the financial statements to an appropriately low level.
    B7. Regardless of the assessed level of control risk or the 
assessed risk of material misstatement in connection with the audit 
of the financial statements, the auditor should perform substantive 
procedures for all relevant assertions. Performing procedures to 
express an opinion on internal control over financial reporting does 
not diminish this requirement.
    B8. Effect of Substantive Procedures on the Auditor's 
Conclusions About the Operating Effectiveness of Controls. In an 
audit of internal control over financial reporting, the auditor 
should evaluate the effect of the findings of the substantive 
auditing procedures performed in the audit of financial statements 
on the effectiveness of internal control over financial reporting. 
This evaluation should include, at a minimum--
    • The auditor's risk assessments in connection with the 
selection and application of substantive procedures, especially 
those related to fraud.
    • Findings with respect to illegal acts and related party 
transactions.
    • Indications of management bias in making accounting 
estimates and in selecting accounting principles.
    • Misstatements detected by substantive procedures. The 
extent of such misstatements might alter the auditor's judgment 
about the effectiveness of controls.
    B9. To obtain evidence about whether a selected control is 
effective, the control must be tested directly; the effectiveness of 
a control cannot be inferred from the absence of misstatements 
detected by substantive procedures. The absence of misstatements 
detected by substantive procedures, however, should inform the 
auditor's risk assessments in determining the testing necessary to 
conclude on the effectiveness of a control.

Multiple Locations Scoping Decisions

    B10. In determining the locations or business units at which to 
perform tests of controls, the auditor should assess the risk of 
material misstatement to the financial statements associated with 
the location or business unit and correlate the amount of audit 
attention devoted to the location or business unit with the degree 
of risk.

    Note: The auditor may eliminate from further consideration 
locations or business units that, individually or when aggregated 
with others, do not present a reasonable possibility of material 
misstatement to the company's consolidated financial statements.

    B11. In assessing and responding to risk, the auditor should 
test controls over specific risks that present a reasonable 
possibility of material misstatement to the company's consolidated 
financial statements. In lower-risk locations or business units, the 
auditor first might evaluate whether testing entity-level controls, 
including controls in place to provide assurance that appropriate 
controls exist throughout the organization, provides the auditor 
with sufficient evidence.
    B12. In determining the locations or business units at which to 
perform tests of controls, the auditor may take into account work 
performed by others on behalf of management. For example, if the 
internal auditors' planned procedures include relevant audit work at 
various locations, the auditor may coordinate work with the internal 
auditors and reduce the number of locations or business units at 
which the auditor would otherwise need to perform auditing 
procedures.
    B13. The direction in paragraph 61 regarding special 
considerations for subsequent years' audits means that the auditor 
should vary the nature, timing, and extent of testing of controls at 
locations or business units from year to year.
    B14. Special Situations. The scope of the audit should include 
entities that are acquired on or before the date of management's 
assessment and operations that are accounted for as discontinued 
operations on the date of management's assessment. The direction in 
this multiple-locations discussion describes how to determine whether 
it is necessary to test controls at these entities or operations.
    B15. For equity method investments, the scope of the audit 
should include controls over the reporting in accordance with 
generally accepted accounting principles, in the company's financial 
statements, of the company's portion of the investees' income or 
loss, the investment balance, adjustments to the income or loss and 
investment balance, and related disclosures. The audit ordinarily 
would not extend to controls at the equity method investee.
    B16. In situations in which the SEC allows management to limit 
its assessment of internal control over financial reporting by 
excluding certain entities, the auditor may limit the audit in the 
same manner. In these situations, the auditor's opinion would not be 
affected by a scope limitation. However, the auditor should include, 
either in an additional explanatory paragraph or as part of the 
scope paragraph in his or her report, a disclosure similar to 
management's regarding the exclusion of an entity from the scope of 
both management's assessment and the auditor's audit of internal 
control over financial reporting. Additionally, the auditor should 
evaluate the reasonableness of management's conclusion that the 
situation meets the criteria of the SEC's allowed exclusion and the 
appropriateness of any required disclosure related to such a 
limitation. If the auditor believes that management's disclosure 
about the limitation requires modification, the auditor should 
follow the same communication responsibilities that are described in 
paragraphs .29 through .32 of AU sec. 722, Interim Financial 
Information. If management and the audit committee do not respond 
appropriately, in addition to fulfilling those responsibilities, the 
auditor should modify his or her report on the audit of internal 
control over financial reporting to include an explanatory paragraph 
describing the reasons why the auditor believes management's 
disclosure requires modification.

Use of Service Organizations

    B17. AU sec. 324, Service Organizations, applies to the audit of 
financial statements of a company that obtains services from another 
organization that are part of the company's information system. The 
auditor may apply the relevant concepts described in AU sec. 324 to 
the audit of internal control over financial reporting.
    B18. AU sec. 324.03 describes the situation in which a service 
organization's services are part of a company's information system. 
If the service organization's services are part of a company's 
information system, as described therein, then they are part of the 
information and communication component of the company's internal 
control over financial reporting. When the service organization's 
services are part of the company's internal control over financial 
reporting, the auditor should include the activities of the service 
organization when determining the evidence required to support his 
or her opinion.
    B19. AU sec. 324.07 through .16 describe the procedures that the 
auditor should perform with respect to the activities performed by 
the service organization. The procedures include--
    a. Obtaining an understanding of the controls at the service 
organization that are relevant to the entity's internal control and 
the controls at the user organization over the activities of the 
service organization, and
    b. Obtaining evidence that the controls that are relevant to the 
auditor's opinion are operating effectively.
    B20. Evidence that the controls that are relevant to the 
auditor's opinion are operating effectively may be obtained by 
following the procedures described in AU sec. 324.12. These 
procedures include--
    a. Obtaining a service auditor's report on controls placed in 
operation and tests of operating effectiveness, or a report on the 
application of agreed-upon procedures that describes relevant tests 
of controls.

    Note: The service auditor's report referred to above means a 
report with the service auditor's opinion on the service 
organization's description of the design of its controls, the tests 
of controls, and results of those tests performed by the service 
auditor, and the service auditor's opinion on whether the controls 
tested were operating effectively during the specified period (in 
other words, ``reports on controls placed in operation and tests of 
operating effectiveness'' described in AU sec. 324.24b). A service 
auditor's report that does not include tests of controls, results of 
the tests, and the service auditor's opinion on operating 
effectiveness (in other words, ``reports on controls placed in 
operation'' described in AU sec. 324.24a) does not provide evidence 
of operating effectiveness. Furthermore, if the evidence regarding 
operating effectiveness of controls comes from an agreed-upon 
procedures report rather than a service auditor's report issued 
pursuant to AU sec. 324, the auditor should evaluate whether the 
agreed-upon procedures report provides sufficient evidence in the 
same manner described in the following paragraph.

    b. Performing tests of the user organization's controls over the 
activities of the service organization (e.g., testing the user 
organization's independent re-performance of selected items 
processed by the service organization or testing the user 
organization's reconciliation of output reports with source 
documents).
    c. Performing tests of controls at the service organization.
    B21. If a service auditor's report on controls placed in 
operation and tests of operating effectiveness is available, the 
auditor may evaluate whether this report provides sufficient 
evidence to support his or her opinion. In evaluating whether such a 
service auditor's report provides sufficient evidence, the auditor 
should assess the following factors--
    * The time period covered by the tests of controls and 
its relation to the as-of date of management's assessment,
    * The scope of the examination and applications covered, 
the controls tested, and the way in which tested controls relate to 
the company's controls, and
    * The results of those tests of controls and the service 
auditor's opinion on the operating effectiveness of the controls.

    Note: These factors are similar to factors the auditor would 
consider in determining whether the report provides sufficient 
evidence to support the auditor's assessed level of control risk in 
an audit of the financial statements, as described in AU sec. 
324.16.

    B22. If the service auditor's report on controls placed in 
operation and tests of operating effectiveness contains a 
qualification that the stated control objectives might be achieved 
only if the company applies controls contemplated in the design of 
the system by the service organization, the auditor should evaluate 
whether the company is applying the necessary procedures.
    B23. In determining whether the service auditor's report 
provides sufficient evidence to support the auditor's opinion, the 
auditor should make inquiries concerning the service auditor's 
reputation, competence, and independence. Appropriate sources of 
information concerning the professional reputation of the service 
auditor are discussed in paragraph .10a of AU sec. 543, Part of 
Audit Performed by Other Independent Auditors.
    B24. When a significant period of time has elapsed between the 
time period covered by the tests of controls in the service 
auditor's report and the date specified in management's assessment, 
additional procedures should be performed. The auditor should 
inquire of management to determine whether management has identified 
any changes in the service organization's controls subsequent to the 
period covered by the service auditor's report (such as changes 
communicated to management from the service organization, changes in 
personnel at the service organization with whom management 
interacts, changes in reports or other data received from the 
service organization, changes in contracts or service level 
agreements with the service organization, or errors identified in 
the service organization's processing). If management has identified 
such changes, the auditor should evaluate the effect of such changes 
on the effectiveness of the company's internal control over 
financial reporting. The auditor also should evaluate whether the 
results of other procedures he or she performed indicate that there 
have been changes in the controls at the service organization.
    B25. The auditor should determine whether to obtain additional 
evidence about the operating effectiveness of controls at the 
service organization based on the procedures performed by management 
or the auditor and the results of those procedures and on an 
evaluation of the following risk factors. As risk increases, the 
need for the auditor to obtain additional evidence increases.
    * The elapsed time between the time period covered by the 
tests of controls in the service auditor's report and the date 
specified in management's assessment,
    * The significance of the activities of the service 
organization,
    * Whether there are errors that have been identified in 
the service organization's processing, and
    * The nature and significance of any changes in the 
service organization's controls identified by management or the 
auditor.
    B26. If the auditor concludes that additional evidence about the 
operating effectiveness of controls at the service organization is 
required, the auditor's additional procedures might include--
    * Evaluating procedures performed by management and the 
results of those procedures.
    * Contacting the service organization, through the user 
organization, to obtain specific information.
    * Requesting that a service auditor be engaged to perform 
procedures that will supply the necessary information.
    * Visiting the service organization and performing such 
procedures.
    B27. The auditor should not refer to the service auditor's 
report when expressing an opinion on internal control over financial 
reporting.

Benchmarking of Automated Controls

    B28. Entirely automated application controls are generally not 
subject to breakdowns due to human failure. This feature allows the 
auditor to use a ``benchmarking'' strategy.
    B29. If general controls over program changes, access to 
programs, and computer operations are effective and continue to be 
tested, and if the auditor verifies that the automated application 
control has not changed since the auditor established a baseline 
(i.e., last tested the application control), the auditor may 
conclude that the automated application control continues to be 
effective without repeating the prior year's specific tests of the 
operation of the automated application control. The nature and 
extent of the evidence that the auditor should obtain to verify that 
the control has not changed may vary depending on the circumstances, 
including depending on the strength of the company's program change 
controls.
    B30. The consistent and effective functioning of the automated 
application controls may be dependent upon the related files, 
tables, data, and parameters. For example, an automated application 
for calculating interest income might be dependent on the continued 
integrity of a rate table used by the automated calculation.
    B31. To determine whether to use a benchmarking strategy, the 
auditor should assess the following risk factors. As these factors 
indicate lower risk, the control being evaluated might be 
well-suited for benchmarking. As these factors indicate increased risk, 
the control being evaluated is less suited for benchmarking. These 
factors are--
    * The extent to which the application control can be 
matched to a defined program within an application.
    * The extent to which the application is stable (i.e., 
there are few changes from period to period).
    * The availability and reliability of a report of the 
compilation dates of the programs placed in production. (This 
information may be used as evidence that controls within the program 
have not changed.)
    B32. Benchmarking automated application controls can be 
especially effective for companies using purchased software when the 
possibility of program changes is remote--e.g., when the vendor does 
not allow access or modification to the source code.
    B33. After a period of time, the length of which depends upon 
the circumstances, the baseline of the operation of an automated 
application control should be reestablished. To determine when to 
reestablish a baseline, the auditor should evaluate the following 
factors--
    * The effectiveness of the IT control environment, 
including controls over application and system software acquisition 
and maintenance, access controls and computer operations.
    * The auditor's understanding of the nature of changes, 
if any, on the specific programs that contain the controls.
    * The nature and timing of other related tests.
    * The consequences of errors associated with the 
application control that was benchmarked.
    * Whether the control is sensitive to other business 
factors that may have changed. For example, an automated control may 
have been designed with the assumption that only positive amounts 
will exist in a file. Such a control would no longer be effective if 
negative amounts (credits) begin to be posted to the account.

Appendix C--Special Reporting Situations

Report Modifications

    C1. The auditor should modify his or her report if any of the 
following conditions exist.
    a. Elements of management's annual report on internal control 
are incomplete or improperly presented,
    b. There is a restriction on the scope of the engagement,
    c. The auditor decides to refer to the report of other auditors 
as the basis, in part, for the auditor's own report,
    d. There is other information contained in management's annual 
report on internal control over financial reporting, or
    e. Management's annual certification pursuant to Section 302 of 
the Sarbanes-Oxley Act is misstated.
    C2. Elements of Management's Annual Report on Internal Control 
Over Financial Reporting Are Incomplete or Improperly Presented. If 
the auditor determines that elements of management's annual report 
on internal control over financial reporting are incomplete or 
improperly presented, the auditor should modify his or her report to 
include an explanatory paragraph describing the reasons for this 
determination. If the auditor determines that the required 
disclosure about a material weakness is not fairly presented in all 
material respects, the auditor should follow the direction in 
paragraph 91.
    C3. Scope Limitations. The auditor can express an opinion on the 
company's internal control over financial reporting only if the 
auditor has been able to apply the procedures necessary in the 
circumstances. If there are restrictions on the scope of the 
engagement, the auditor should withdraw from the engagement or 
disclaim an opinion. A disclaimer of opinion states that the auditor 
does not express an opinion on the effectiveness of internal control 
over financial reporting.
    C4. When disclaiming an opinion because of a scope limitation, 
the auditor should state that the scope of the audit was not 
sufficient to warrant the expression of an opinion and, in a 
separate paragraph or paragraphs, the substantive reasons for the 
disclaimer. The auditor should not identify the procedures that were 
performed nor include the statements describing the characteristics 
of an audit of internal control over financial reporting (paragraph 
85 g, h, and i); to do so might overshadow the disclaimer.
    C5. When the auditor plans to disclaim an opinion and the 
limited procedures performed by the auditor caused the auditor to 
conclude that a material weakness exists, the auditor's report also 
should include--
    * The definition of a material weakness, as provided in 
paragraph A7.
    * A description of any material weaknesses identified in 
the company's internal control over financial reporting. This 
description should provide the users of the audit report with 
specific information about the nature of any material weakness and 
its actual and potential effect on the presentation of the company's 
financial statements issued during the existence of the weakness. 
This description also should address the requirements in paragraph 
91.
    C6. The auditor may issue a report disclaiming an opinion on 
internal control over financial reporting as soon as the auditor 
concludes that a scope limitation will prevent the auditor from 
obtaining the reasonable assurance necessary to express an opinion. 
The auditor is not required to perform any additional work prior to 
issuing a disclaimer when the auditor concludes that he or she will 
not be able to obtain sufficient evidence to express an opinion.

    Note: In this case, in following the direction in paragraph 89 
regarding dating the auditor's report, the report date is the date 
that the auditor has obtained sufficient competent evidence to 
support the representations in the auditor's report.

    C7. If the auditor concludes that he or she cannot express an 
opinion because there has been a limitation on the scope of the 
audit, the auditor should communicate, in writing, to management and 
the audit committee that the audit of internal control over 
financial reporting cannot be satisfactorily completed.
    C8. Opinions Based, in Part, on the Report of Another Auditor. 
When another auditor has audited the financial statements and 
internal control over financial reporting of one or more 
subsidiaries, divisions, branches, or components of the company, the 
auditor should determine whether he or she may serve as the 
principal auditor and use the work and reports of another auditor as 
a basis, in part, for his or her opinion. AU sec. 543, Part of Audit 
Performed by Other Independent Auditors, provides direction on
the auditor's decision of whether to serve as the principal auditor 
of the financial statements. If the auditor decides it is 
appropriate to serve as the principal auditor of the financial 
statements, then that auditor also should be the principal auditor 
of the company's internal control over financial reporting. This 
relationship results from the requirement that an audit of the 
financial statements must be performed to audit internal control 
over financial reporting; only the principal auditor of the 
financial statements can be the principal auditor of internal 
control over financial reporting. In this circumstance, the 
principal auditor of the financial statements must participate 
sufficiently in the audit of internal control over financial 
reporting to provide a basis for serving as the principal auditor of 
internal control over financial reporting.
    C9. When serving as the principal auditor of internal control 
over financial reporting, the auditor should decide whether to make 
reference in the report on internal control over financial reporting 
to the audit of internal control over financial reporting performed 
by the other auditor. In these circumstances, the auditor's decision 
is based on factors analogous to those of the auditor who uses the 
work and reports of other independent auditors when reporting on a 
company's financial statements as described in AU sec. 543.
    C10. The decision about whether to make reference to another 
auditor in the report on the audit of internal control over 
financial reporting might differ from the corresponding decision as 
it relates to the audit of the financial statements. For example, 
the audit report on the financial statements may make reference to 
the audit of a significant equity investment performed by another 
independent auditor, but the report on internal control over 
financial reporting might not make a similar reference because 
management's assessment of internal control over financial reporting 
ordinarily would not extend to controls at the equity method 
investee.\1\
---------------------------------------------------------------------------

    \1\ See paragraph B15 for further discussion of the evaluation 
of the controls over financial reporting for an equity method 
investment.
---------------------------------------------------------------------------

    C11. When the auditor decides to make reference to the report of 
the other auditor as a basis, in part, for his or her opinion on the 
company's internal control over financial reporting, the auditor 
should refer to the report of the other auditor when describing the 
scope of the audit and when expressing the opinion.
    C12. Management's Annual Report on Internal Control Over 
Financial Reporting Containing Additional Information. Management's 
annual report on internal control over financial reporting may 
contain information in addition to the elements described in 
paragraph 72 that are subject to the auditor's evaluation.
    C13. If management's annual report on internal control over 
financial reporting could reasonably be viewed by users of the 
report as including such additional information, the auditor should 
disclaim an opinion on the information.
    C14. If the auditor believes that management's additional 
information contains a material misstatement of fact, he or she 
should discuss the matter with management. If, after discussing the 
matter with management, the auditor concludes that a material 
misstatement of fact remains, the auditor should notify management 
and the audit committee, in writing, of the auditor's views 
concerning the information. AU sec. 317, Illegal Acts by Clients, and 
Section 10A of the Securities Exchange Act of 1934 may also require 
the auditor to take additional action.\2\
---------------------------------------------------------------------------

    \2\ See 15 U.S.C. 78j-1.
---------------------------------------------------------------------------

    Note: If management makes the types of disclosures described in 
paragraph C12 outside its annual report on internal control over 
financial reporting and includes them elsewhere within its annual 
report on the company's financial statements, the auditor would not 
need to disclaim an opinion. However, in that situation, the 
auditor's responsibilities are the same as those described in this 
paragraph if the auditor believes that the additional information 
contains a material misstatement of fact.

    C15. Management's Annual Certification Pursuant to Section 302 
of the Sarbanes-Oxley Act is Misstated. If matters come to the 
auditor's attention as a result of the audit of internal control 
over financial reporting that lead him or her to believe that 
modifications to the disclosures about changes in internal control 
over financial reporting (addressing changes in internal control 
over financial reporting occurring during the fourth quarter) are 
necessary for the annual certifications to be accurate and to comply 
with the requirements of Section 302 of the Act and Securities 
Exchange Act Rule 13a-14(a) or 15d-14(a), whichever applies,\3\ the 
auditor should follow the communication responsibilities as 
described in AU sec. 722, Interim Financial Information, for any 
interim period. However, if management and the audit committee do 
not respond appropriately, in addition to the responsibilities 
described in AU sec. 722, the auditor should modify his or her 
report on the audit of internal control over financial reporting to 
include an explanatory paragraph describing the reasons the auditor 
believes management's disclosures should be modified.
---------------------------------------------------------------------------

    \3\ See 17 CFR 240.13a-14(a) and 240.15d-14(a).
---------------------------------------------------------------------------

Filings Under Federal Securities Statutes

    C16. AU sec. 711, Filings Under Federal Securities Statutes, 
describes the auditor's responsibilities when an auditor's report is 
included in registration statements, proxy statements, or periodic 
reports filed under the federal securities statutes. The auditor 
should apply AU sec. 711 with respect to the auditor's report on 
internal control over financial reporting included in such filings. 
In addition, the auditor should extend the direction in AU sec. 
711.10 to inquire of and obtain written representations from 
officers and other executives responsible for financial and 
accounting matters about whether any events have occurred that have 
a material effect on the audited financial statements to matters 
that could have a material effect on internal control over financial 
reporting.
    C17. When the auditor has fulfilled these responsibilities and 
intends to consent to the inclusion of his or her report on internal 
control over financial reporting in the securities filing, the 
auditor's consent should clearly indicate that both the audit report 
on financial statements and the audit report on internal control 
over financial reporting (or both opinions if a combined report is 
issued) are included in his or her consent.

Rule 3525: Audit Committee Pre-Approval of Non-Audit Services Related 
to Internal Control Over Financial Reporting

    In connection with seeking audit committee pre-approval to 
perform for an audit client any permissible non-audit service 
related to internal control over financial reporting, a registered 
public accounting firm shall--
    (a) Describe, in writing, to the audit committee of the issuer 
the scope of the service;
    (b) Discuss with the audit committee of the issuer the potential 
effects of the service on the independence of the firm; and

    Note: Independence requirements provide that an auditor is not 
independent of his or her audit client if the auditor is not, or a 
reasonable investor with knowledge of all relevant facts and 
circumstances would conclude that the auditor is not, capable of 
exercising objective and impartial judgment on all issues 
encompassed within the accountant's engagement. Several principles 
guide the application of this general standard, including whether 
the auditor assumes a management role or audits his or her own work. 
Therefore, an auditor would not be independent if, for example, 
management had delegated its responsibility for internal control 
over financial reporting to the auditor or if the auditor had 
designed or implemented the audit client's internal control over 
financial reporting.

    (c) Document the substance of its discussion with the audit 
committee of the issuer.

Conforming Amendments to PCAOB Auditing Standards

AU sec. 230, ``Due Professional Care in the Performance of Work''

    Statement on Auditing Standards (``SAS'') No. 1, ``Codification 
of Auditing Standards and Procedures,'' section 230, ``Due 
Professional Care in the Performance of Work'' (AU sec. 230, ``Due 
Professional Care in the Performance of Work''), as amended, is 
amended as follows--
    a. Paragraph .10 is replaced with--
    The exercise of due professional care allows the auditor to 
obtain reasonable assurance about whether the financial statements 
are free of material misstatement, whether caused by error or fraud, 
or whether any material weaknesses exist as of the date of 
management's assessment. Absolute assurance is not attainable 
because of the nature of audit evidence and the characteristics of 
fraud. Although not absolute assurance, reasonable assurance is a 
high level of assurance. Therefore, an audit conducted in accordance 
with the standards of the Public Company Accounting Oversight Board 
(United States) may not detect a material weakness in internal 
control over
financial reporting or a material misstatement to the financial 
statements.
    b. The term ``financial statements'' within the first sentence 
of paragraph .13 is replaced with the term ``financial statements or 
internal control over financial reporting.''
    c. The second sentence of paragraph .13 is replaced with--
    Therefore, the subsequent discovery that either a material 
misstatement, whether from error or fraud, exists in the financial 
statements or a material weakness in internal control over financial 
reporting exists does not, in and of itself, evidence (a) failure to 
obtain reasonable assurance, (b) inadequate planning, performance, 
or judgment, (c) the absence of due professional care, or (d) a 
failure to comply with the standards of the Public Company 
Accounting Oversight Board (United States).

AU sec. 310, ``Appointment of the Independent Auditor''

    SAS No. 1, ``Codification of Auditing Standards and 
Procedures,'' section 310, ``Appointment of the Independent 
Auditor'' (AU sec. 310, ``Appointment of the Independent Auditor''), 
as amended, is amended as follows--
    a. The third bullet point of paragraph .06 is replaced with--
    Management is responsible for establishing and maintaining 
effective internal control over financial reporting. If, in an 
integrated audit of financial statements and internal control over 
financial reporting, the auditor concludes that he or she cannot 
express an opinion on internal control over financial reporting 
because there has been a limitation on the scope of the audit, he or 
she should communicate, in writing, to management and the audit 
committee that the audit of internal control over financial 
reporting cannot be satisfactorily completed.
    b. The eighth bullet point of paragraph .06 is amended as 
follows--
    Under Integrated audit of financial statements and internal 
control over financial reporting, the last sub-bullet point is 
replaced with the following--
    To the board of directors--any conclusion that the audit 
committee's oversight of the company's external financial reporting 
and internal control over financial reporting is ineffective.
    Under Audit of financial statements, the last sub-bullet is 
replaced with the following--
    To the board of directors--if the auditor becomes aware that the 
oversight of the company's external financial reporting and internal 
control over financial reporting by the audit committee is 
ineffective, that conclusion.

AU sec. 311, ``Planning and Supervision''

    SAS No. 22, ``Planning and Supervision'' (AU sec. 311, 
``Planning and Supervision''), as amended, is amended as follows--
    Within the note to paragraph 1, the reference to paragraph 39 of 
PCAOB Auditing Standard No. 2 is replaced with a reference to 
paragraph 9 of PCAOB Auditing Standard No. 5, An Audit of Internal 
Control Over Financial Reporting That Is Integrated with An Audit of 
Financial Statements.

AU sec. 312, ``Audit Risk and Materiality in Conducting an Audit''

    SAS No. 47, ``Audit Risk and Materiality in Conducting an 
Audit'' (AU sec. 312, ``Audit Risk and Materiality in Conducting an 
Audit''), as amended, is amended as follows--
    a. Within the note to paragraph 3, the reference to paragraphs 
22-23 of PCAOB Auditing Standard No. 2 is replaced with a reference 
to paragraph 20 of PCAOB Auditing Standard No. 5, An Audit of 
Internal Control Over Financial Reporting That Is Integrated with An 
Audit of Financial Statements.
    b. Within the note to paragraph 7, the reference to paragraphs 
24-26 of PCAOB Auditing Standard No. 2 is replaced with a reference 
to paragraphs 14-15 of PCAOB Auditing Standard No. 5, An Audit of 
Internal Control Over Financial Reporting That Is Integrated with An 
Audit of Financial Statements.
    c. The note to paragraph 12 is replaced with--

    Note: When performing an integrated audit of financial 
statements and internal control over financial reporting, refer to 
paragraphs 9 and 20 of PCAOB Auditing Standard No. 5, An Audit of 
Internal Control Over Financial Reporting That Is Integrated with An 
Audit of Financial Statements, regarding planning considerations and 
materiality, respectively.

    d. Within the note to paragraph 18, the reference to Appendix B, 
Additional Performance Requirements and Directions; 
Extent-of-Testing Examples of PCAOB Auditing Standard No. 2 is replaced with a 
reference to paragraphs B10-B16 of Appendix B, Special Topics, of 
PCAOB Auditing Standard No. 5, An Audit of Internal Control Over 
Financial Reporting That Is Integrated with An Audit of Financial 
Statements.
    e. Within the note to paragraph 30, the reference to paragraphs 
147-149 of PCAOB Auditing Standard No. 2 is replaced with a 
reference to paragraphs 6-8 and paragraphs B1-B5 of Appendix B, 
Special Topics, of PCAOB Auditing Standard No. 5, An Audit of 
Internal Control Over Financial Reporting That Is Integrated with An 
Audit of Financial Statements.

AU sec. 313, ``Substantive Tests Prior to the Balance-Sheet Date''

    SAS No. 45, ``Omnibus Statement on Auditing Standards--1983'' 
(AU sec. 313, ``Substantive Tests Prior to the Balance-Sheet 
Date''), is amended as follows--
    Within the note to paragraph 1, the reference to paragraphs 98-
103 of PCAOB Auditing Standard No. 2 is replaced with a reference to 
paragraphs 52-53 of PCAOB Auditing Standard No. 5, An Audit of 
Internal Control Over Financial Reporting That Is Integrated with An 
Audit of Financial Statements.

AU sec. 315, ``Communications Between Predecessor and Successor 
Auditors''

    SAS No. 84, ``Communications Between Predecessor and Successor 
Auditors'' (AU sec. 315, ``Communications Between Predecessor and 
Successor Auditors''), as amended, is amended as follows--
    The last sentence of paragraph 16 is replaced with--
    Furthermore, the predecessor auditor is not a specialist as 
defined in AU sec. 336, Using the Work of a Specialist, nor does the 
predecessor auditor's work constitute the work of others as 
described in AU sec. 322, The Auditor's Consideration of the 
Internal Audit Function in an Audit of Financial Statements, or 
paragraphs 16-19 of PCAOB Auditing Standard No. 5, An Audit of 
Internal Control Over Financial Reporting That Is Integrated with An 
Audit of Financial Statements.

AU sec. 316, ``Consideration of Fraud in a Financial Statement 
Audit''

    SAS No. 99, ``Consideration of Fraud in a Financial Statement 
Audit'' (AU sec. 316, ``Consideration of Fraud in a Financial 
Statement Audit''), is amended as follows--
    Within the note to paragraph 1, the reference to paragraphs 24-
26 of PCAOB Auditing Standard No. 2 is replaced with a reference to 
paragraphs 14-15 of PCAOB Auditing Standard No. 5, An Audit of 
Internal Control Over Financial Reporting That Is Integrated with An 
Audit of Financial Statements.

AU sec. 319, ``Consideration of Internal Control in a Financial 
Statement Audit''

    SAS No. 55, ``Consideration of Internal Control in a Financial 
Statement Audit'' (AU sec. 319, ``Consideration of Internal Control 
in a Financial Statement Audit''), as amended, is amended as 
follows--
    a. The note to paragraph 2 is replaced with--

    Note: Refer to paragraph A9 of Appendix A, Definitions, of PCAOB 
Auditing Standard No. 5, An Audit of Internal Control Over Financial 
Reporting That Is Integrated with An Audit of Financial Statements 
for the definition of a relevant assertion and paragraphs 28-33 of 
PCAOB Auditing Standard No. 5, An Audit of Internal Control Over 
Financial Reporting That Is Integrated with An Audit of Financial 
Statements for discussion of identifying relevant assertions.

    b. Within the note to paragraph 9, the reference to Appendix B, 
Additional Performance Requirements and Directions; Extent of 
Testing Examples, of PCAOB Auditing Standard No. 2 is replaced with 
a reference to paragraphs B10-B16 of Appendix B, Special Topics, of 
PCAOB Auditing Standard No. 5, An Audit of Internal Control Over 
Financial Reporting That Is Integrated with An Audit of Financial 
Statements.
    c. The last sentence of paragraph 33 is deleted.
    d. The note to paragraph 65 is deleted.
    e. The note to paragraph 83 is deleted.
    f. Within the note to paragraph 97, the reference to paragraphs 
104-105 of PCAOB Auditing Standard No. 2 is replaced with a 
reference to paragraph 54 of PCAOB Auditing Standard No. 5, An Audit 
of Internal Control Over Financial Reporting That Is Integrated with 
An Audit of Financial Statements.
    g. The appendix at paragraph 110 is deleted.

AU sec. 322, ``The Auditor's Consideration of the Internal Audit 
Function in an Audit of Financial Statements''

    SAS No. 65, ``The Auditor's Consideration of the Internal Audit 
Function in an Audit of Financial Statements'' (AU sec. 322, ``The 
Auditor's Consideration of the Internal Audit Function in an Audit 
of Financial Statements''), is amended as follows--
    a. Within the note to paragraph 1, the reference to paragraphs 
108-126 of PCAOB Auditing Standard No. 2 is replaced with a 
reference to paragraphs 16-19 of PCAOB Auditing Standard No. 5, An 
Audit of Internal Control Over Financial Reporting That Is 
Integrated with An Audit of Financial Statements.
    b. The note to paragraph 20 is deleted.
    c. Within the note to paragraph 22, the reference to paragraph 
122 of PCAOB Auditing Standard No. 2 is replaced with a reference to 
paragraphs 18-19 of PCAOB Auditing Standard No. 5, An Audit of 
Internal Control Over Financial Reporting That Is Integrated with An 
Audit of Financial Statements.

AU sec. 324, ``Service Organizations''

    SAS No. 70, ``Service Organizations'' (AU sec. 324, ``Service 
Organizations''), as amended, is amended as follows--
    Within the note to paragraph 1, the reference to Appendix B, 
Additional Performance Requirements and Directions; Extent-of-
Testing Examples, of PCAOB Auditing Standard No. 2 is replaced with 
a reference to paragraphs B17-B27 of Appendix B, Special Topics, of 
PCAOB Auditing Standard No. 5, An Audit of Internal Control Over 
Financial Reporting That Is Integrated with An Audit of Financial 
Statements.

AU sec. 325, ``Communications About Control Deficiencies in an 
Audit of Financial Statements'' \4\
---------------------------------------------------------------------------

    \4\ When the Board adopted Auditing Standard No. 2, it 
superseded SAS No. 60 in the context of an integrated audit of 
financial statements and internal control over financial reporting 
by paragraphs 207-214 of Auditing Standard No. 2. See PCAOB Release 
No. 2004-008, Conforming Amendments to PCAOB Interim Standards 
Resulting From the Adoption of PCAOB Auditing Standard No. 2, ``An 
Audit of Internal Control Over Financial Reporting Performed in 
Conjunction with An Audit of Financial Statements'' (Sept. 15, 
2004). As a result of superseding Auditing Standard No. 2, 
paragraphs 78-84 of Auditing Standard No. 5, An Audit of Internal 
Control Over Financial Reporting That Is Integrated with An Audit of 
Financial Statements, now supersede SAS No. 60 in the context of an 
integrated audit.
---------------------------------------------------------------------------

    AU sec. 325, ``Communications About Control Deficiencies in an 
Audit of Financial Statements'' is amended as follows--
    a. The first bullet point before paragraph 1 is amended as 
follows--
    The reference to paragraphs 207-214 of PCAOB Auditing Standard 
No. 2 is replaced with a reference to paragraphs 78-84 of PCAOB 
Auditing Standard No. 5, An Audit of Internal Control Over Financial 
Reporting That Is Integrated with An Audit of Financial Statements.
    b. The first bullet point in paragraph 1 is replaced with--
    A deficiency in design exists when (a) a control necessary to 
meet the control objective is missing or (b) an existing control is 
not properly designed so that, even if the control operates as 
designed, the control objective would not be met.
    c. Paragraph 2 is replaced with--
    A significant deficiency is a deficiency, or a combination of 
deficiencies, in internal control over financial reporting, that is 
less severe than a material weakness yet important enough to merit 
attention by those responsible for oversight of the company's 
financial reporting.
    d. The notes to paragraph 2 are deleted.
    e. Paragraph 3 is replaced with--
    A material weakness is a deficiency, or a combination of 
deficiencies, in internal control over financial reporting, such 
that there is a reasonable possibility that a material misstatement 
of the company's annual or interim financial statements will not be 
prevented or detected on a timely basis.

    Note: There is a reasonable possibility of an event when the 
likelihood of the event is either ``reasonably possible'' or 
``probable,'' as those terms are used in paragraph 3 of Financial 
Accounting Standards Board Statement No. 5, Accounting for 
Contingencies.


    Note: In evaluating whether a deficiency exists and whether 
deficiencies, either individually or in combination with other 
deficiencies, are material weaknesses, the auditor should follow the 
direction in paragraphs 62-70 of PCAOB Auditing Standard No. 5, An 
Audit of Internal Control Over Financial Reporting That Is 
Integrated with An Audit of Financial Statements.

    f. Paragraph 5 is replaced with--
    If oversight of the company's external financial reporting and 
internal control over financial reporting by the company's audit 
committee is ineffective, that circumstance should be regarded as an 
indicator that a material weakness in internal control over 
financial reporting exists. Although there is not an explicit 
requirement to evaluate the effectiveness of the audit committee's 
oversight in an audit of only the financial statements, if the 
auditor becomes aware that the oversight of the company's external 
financial reporting and internal control over financial reporting by 
the company's audit committee is ineffective, the auditor must 
communicate that information in writing to the board of directors.
    g. The last sentence of paragraph 9 is replaced with--
    In an audit of financial statements only, auditing 
interpretation 1 to AU sec. 325, ``Reporting on the Existence of 
Material Weaknesses,'' continues to apply except that the term 
``reportable condition'' means ``significant deficiency'' as defined 
in paragraph 2 of this standard.

AU sec. 9325, ``Communication of Internal Control Related Matters 
Noted in an Audit: Auditing Interpretations of Section 325''

    AU sec. 9325, ``Communication of Internal Control Related 
Matters Noted in an Audit: Auditing Interpretations of Section 325'' 
is amended as follows--
    The note prior to paragraph 1 is replaced with--

    Note: In an audit of financial statements only, auditing 
interpretation 1 to AU sec. 325, ``Reporting on the Existence of 
Material Weaknesses,'' continues to apply except that the term 
``reportable condition'' means ``significant deficiency'' as defined 
in paragraph 2 of this standard. Within the example report within 
paragraph 4 of the interpretation, the third sentence is replaced 
with the definition of a material weakness in paragraph A7 of 
Appendix A, Definitions, of PCAOB Auditing Standard No. 5, An Audit 
of Internal Control Over Financial Reporting That Is Integrated with 
An Audit of Financial Statements.

AU sec. 328, ``Auditing Fair Value Measurements and Disclosures''

    SAS No. 101, ``Auditing Fair Value Measurements and 
Disclosures'' (AU sec. 328, ``Auditing Fair Value Measurements and 
Disclosures''), is amended as follows--
    The first sentence of paragraph 41 is replaced with--
    Events and transactions that occur after the balance-sheet date 
but before the date of the auditor's report (for example, a sale of 
an investment shortly after the balance-sheet date), may provide 
audit evidence regarding management's fair value measurements as of 
the balance-sheet date.\7\

    \7\ The auditor's consideration of a subsequent event or 
transaction, as contemplated in this paragraph, is a substantive 
test and thus differs from the review of subsequent events performed 
pursuant to section 560, Subsequent Events.

AU sec. 332, ``Auditing Derivative Instruments, Hedging Activities, 
and Investments in Securities''

    SAS No. 92, ``Auditing Derivative Instruments, Hedging 
Activities, and Investments in Securities'' (AU sec. 332, ``Auditing 
Derivative Instruments, Hedging Activities, and Investments in 
Securities''), is amended as follows--
    The note to paragraph 11 is replaced with--

    Note: When performing an integrated audit of financial 
statements and internal control over financial reporting, paragraph 
39 of PCAOB Auditing Standard No. 5, An Audit of Internal Control 
Over Financial Reporting That Is Integrated with An Audit of 
Financial Statements, states ``[t]he auditor should test those 
controls that are important to the auditor's conclusion about 
whether the company's controls sufficiently address the assessed 
risk of misstatement to each relevant assertion.'' Therefore, in an 
integrated audit of financial statements and internal control over 
financial reporting, if there are relevant assertions related to the 
company's investment in derivatives and securities, the auditor's 
understanding of controls should include controls over derivatives 
and securities transactions from their initiation to their inclusion 
in the financial statements and should encompass controls placed in 
operation by the entity and service organizations whose services are 
part of the entity's information system.

AU sec. 333, ``Management Representations''

    SAS No. 85, ``Management Representations'' (AU sec. 333, 
``Management Representations''), as amended, is amended as follows--
    a. Within the note to paragraph 5, the reference to paragraphs 
142-144 of PCAOB Auditing Standard No. 2 is replaced with a 
reference to paragraphs 75-77 of PCAOB Auditing Standard No. 5, An 
Audit of Internal Control Over Financial Reporting That Is 
Integrated with An Audit of Financial Statements.
    b. The second sentence of paragraph 9 is replaced with--
    Because the auditor is concerned with events occurring through 
the date of his or her report that may require adjustment to or 
disclosure in the financial statements, the representations should 
be made as of the date of the auditor's report.

AU sec. 9337, ``Inquiry of a Client's Lawyer Concerning Litigation, 
Claims, and Assessments: Auditing Interpretations of Section 337''

    AU sec. 9337, ``Inquiry of a Client's Lawyer Concerning 
Litigation, Claims, and Assessments: Auditing Interpretations of 
Section 337'' is amended as follows--
    a. The last sentence of paragraph 4 is replaced with--
    What is the relationship between the effective date of the 
lawyer's response and the date of the auditor's report?
    b. Paragraph 5 is replaced with--
    Interpretation--Section 560.10 through .12 indicates that the 
auditor is concerned with events, which may require adjustment to, 
or disclosure in, the financial statements, occurring through the 
date of his or her report. Therefore, the latest date of the period 
covered by the lawyer's response (the ``effective date'') should be 
as close to the date of the auditor's report as is practicable in 
the circumstances. Consequently, specifying the effective date of 
the lawyer's response to reasonably approximate the expected date of 
the auditor's report will in most instances obviate the need for an 
updated response from the lawyer.

AU sec. 341, ``The Auditor's Consideration of an Entity's Ability 
to Continue as a Going Concern''

    SAS No. 59, ``The Auditor's Consideration of an Entity's Ability 
to Continue as a Going Concern'' (AU sec. 341, ``The Auditor's 
Consideration of an Entity's Ability to Continue as a Going 
Concern''), as amended, is amended as follows--
    The second sentence of paragraph 2 is replaced with--
    The auditor's evaluation is based on his or her knowledge of 
relevant conditions and events that exist at or have occurred prior 
to the date of the auditor's report.

AU sec. 342, ``Auditing Accounting Estimates''

    SAS No. 57, ``Auditing Accounting Estimates'' (AU sec. 342, 
``Auditing Accounting Estimates''), is amended as follows--
    a. Subparagraph c. of paragraph 10 is replaced with--
    c. Review subsequent events or transactions occurring prior to 
the date of the auditor's report.
    b. Paragraph 13 is replaced with--
    Review subsequent events or transactions. Events or transactions 
sometimes occur subsequent to the date of the balance sheet, but 
prior to the date of the auditor's report, that are important in 
identifying and evaluating the reasonableness of accounting 
estimates or key factors or assumptions used in the preparation of 
the estimate. In such circumstances, an evaluation of the estimate 
or of a key factor or assumption may be minimized or unnecessary as 
the event or transaction can be used by the auditor in evaluating 
their reasonableness.

AU sec. 380, ``Communication With Audit Committees''

    SAS No. 61, ``Communication With Audit Committees'' (AU sec. 
380, ``Communication With Audit Committees''), as amended, is 
amended as follows--
    Within footnote 1 to paragraph 1, the reference to PCAOB 
Auditing Standard No. 2 is replaced with a reference to PCAOB 
Auditing Standard No. 5, An Audit of Internal Control Over Financial 
Reporting That Is Integrated with An Audit of Financial Statements.

AU sec. 508, ``Reports on Audited Financial Statements''

    SAS No. 58, ``Reports on Audited Financial Statements'' (AU sec. 
508, ``Reports on Audited Financial Statements''), as amended, is 
amended as follows--
    Within the note to paragraph 1, the reference to paragraphs 162-
199 of PCAOB Auditing Standard No. 2 is replaced with a reference to 
paragraphs 85-98 of PCAOB Auditing Standard No. 5, An Audit of 
Internal Control Over Financial Reporting That Is Integrated with An 
Audit of Financial Statements and Appendix C, Special Reporting 
Situations, of PCAOB Auditing Standard No. 5, An Audit of Internal 
Control Over Financial Reporting That Is Integrated with An Audit of 
Financial Statements. The sentence that reads ``In addition, see 
Appendix A, Illustrative Reports on Internal Control Over Financial 
Reporting, of PCAOB Auditing Standard No. 2, which includes an 
illustrative combined audit report and examples of separate 
reports,'' is replaced with, ``In addition, see paragraphs 86-88 of 
PCAOB Auditing Standard No. 5, An Audit of Internal Control Over 
Financial Reporting That Is Integrated with An Audit of Financial 
Statements which includes an illustrative combined audit report.''

AU sec. 530, ``Dating of the Independent Auditor's Report''

    SAS No. 1, ``Codification of Auditing Standards and 
Procedures,'' section 530, ``Dating of the Independent Auditor's 
Report'' (AU sec. 530, ``Dating of the Independent Auditor's 
Report''), as amended, is amended as follows--
    a. Paragraph .01 is replaced with--
    The auditor should date the audit report no earlier than the 
date on which the auditor has obtained sufficient competent evidence 
to support the auditor's opinion. Paragraph .05 describes the 
procedure to be followed when a subsequent event occurring after the 
report date is disclosed in the financial statements.

    Note: When performing an integrated audit of financial 
statements and internal control over financial reporting, the 
auditor's reports on the company's financial statements and on 
internal control over financial reporting should be dated the same 
date.


    Note: If the auditor concludes that a scope limitation will 
prevent the auditor from obtaining the reasonable assurance 
necessary to express an opinion on the financial statements, then 
the auditor's report date is the date that the auditor has obtained 
sufficient competent evidence to support the representations in the 
auditor's report.

    b. Paragraph .05 is replaced with--
    The independent auditor has two methods for dating the report 
when a subsequent event disclosed in the financial statements occurs 
after the auditor has obtained sufficient competent evidence on 
which to base his or her opinion, but before the issuance of the 
related financial statements. The auditor may use ``dual dating,'' 
for example, ``February 16, 20----, except for Note ----, as to 
which the date is March 1, 20----,'' or may date the report as of 
the later date. In the former instance, the responsibility for 
events occurring subsequent to the original report date is limited 
to the specific event referred to in the note (or otherwise 
disclosed). In the latter instance, the independent auditor's 
responsibility for subsequent events extends to the later report 
date and, accordingly, the procedures outlined in section 560.12 
generally should be extended to that date.
    c. Within the heading before paragraph .03, the reference to 
``completion of field work'' is replaced with ``the date of the 
independent auditor's report.''

AU sec. 543, ``Part of Audit Performed by Other Independent 
Auditors''

    SAS No. 1, ``Codification of Auditing Standards and 
Procedures,'' section 543, ``Part of Audit Performed by Other 
Independent Auditors'' (AU sec. 543, ``Part of Audit Performed by 
Other Independent Auditors''), as amended, is amended as follows--
    Within the note to paragraph .01, the reference to paragraphs 
182-185 of PCAOB Auditing Standard No. 2 is replaced with a 
reference to paragraphs C8-C11 of Appendix C, Special Reporting 
Situations, of PCAOB Auditing Standard No. 5, An Audit of Internal 
Control Over Financial Reporting That Is Integrated with An Audit of 
Financial Statements.

AU sec. 560, ``Subsequent Events''

    SAS No. 1, ``Codification of Auditing Standards and 
Procedures,'' section 560, ``Subsequent Events'' (AU sec. 560, 
``Subsequent Events''), as amended, is amended as follows--
    a. Within the note to paragraph .01, the reference to paragraphs 
186-189 of PCAOB Auditing Standard No. 2 is replaced with a 
reference to paragraphs 93-97 of PCAOB Auditing Standard No. 5, An 
Audit of Internal Control Over Financial Reporting That Is 
Integrated with An Audit of Financial Statements.

    b. The second sentence of paragraph .12 is replaced with--
    These procedures should be performed at or near the date of the 
auditor's report.

AU sec. 561, ``Subsequent Discovery of Facts Existing at the Date 
of the Auditor's Report''

    SAS No. 1, ``Codification of Auditing Standards and 
Procedures,'' section 561, ``Subsequent Discovery of Facts Existing 
at the Date of the Auditor's Report'' (AU sec. 561, ``Subsequent 
Discovery of Facts Existing at the Date of the Auditor's Report''), 
as amended, is amended as follows--
    Within the note to paragraph .01, the reference to paragraph 197 
of PCAOB Auditing Standard No. 2 is replaced with a reference to 
paragraph 98 of PCAOB Auditing Standard No. 5, An Audit of Internal 
Control Over Financial Reporting That Is Integrated with An Audit of 
Financial Statements.

AU sec. 711, ``Filings Under Federal Securities Statutes''

    SAS No. 37, ``Filings Under Federal Securities Statutes'' (AU 
sec. 711, ``Filings Under Federal Securities Statutes''), is amended 
as follows--
    a. Within the note to paragraph 2, the reference to paragraphs 
198-199 of PCAOB Auditing Standard No. 2 is replaced with a 
reference to paragraphs C16-C17 of Appendix C, Special Reporting 
Situations, of PCAOB Auditing Standard No. 5, An Audit of Internal 
Control Over Financial Reporting That Is Integrated with An Audit of 
Financial Statements.
    b. The third sentence of paragraph 10 is replaced with--
    The likelihood that the auditor will discover subsequent events 
necessarily decreases following the date of the auditor's report, 
and, as a practical matter, after that time the independent auditor 
may rely, for the most part, on inquiries of responsible officials 
and employees.

AU sec. 722, ``Interim Financial Information''

    SAS No. 100, ``Interim Financial Information'' (AU sec. 722, 
``Interim Financial Information''), is amended as follows--
    a. The following is inserted after the first sentence of 
paragraph 3--
    The SEC also requires management, with the participation of the 
principal executive and financial officers (the certifying officers) 
to make certain quarterly and annual certifications with respect to 
the company's internal control over financial reporting.\2\

    \2\ See Section 302 of the Sarbanes-Oxley Act of 2002, and 
Securities Exchange Act Rule 13a-14(a) or 15d-14(a), (17 CFR 
240.13a-14a or 17 CFR 240.15d-14a), whichever applies.

    b. The note to paragraph 3 is deleted.
    c. The following is added to the end of paragraph 7--
    Likewise, the auditor's responsibility as it relates to 
management's quarterly certifications on internal control over 
financial reporting is different from the auditor's responsibility 
as it relates to management's annual assessment of internal control 
over financial reporting. The auditor should perform limited 
procedures quarterly to provide a basis for determining whether he 
or she has become aware of any material modifications that, in the 
auditor's judgment, should be made to the disclosures about changes 
in internal control over financial reporting in order for the 
certifications to be accurate and to comply with the requirements of 
Section 302 of the Act.

    Note: The auditor's responsibilities for evaluating management's 
certification disclosures about internal control over financial 
reporting take effect beginning with the first quarter after the 
company's first annual assessment of internal control over financial 
reporting as described in Item 308(a)(3) of Regulations S-B and S-K.

    d. The following lettered section is added to the end of 
paragraph 18--
    g. Evaluating management's quarterly certifications about 
internal control over financial reporting by performing the 
following procedures--
     Inquiring of management about significant changes in 
the design or operation of internal control over financial reporting 
as it relates to the preparation of annual as well as interim 
financial information that could have occurred subsequent to the 
preceding annual audit or prior review of interim financial 
information;
     Evaluating the implications of misstatements identified 
by the auditor as part of the auditor's other interim review 
procedures as they relate to effective internal control over 
financial reporting; and
     Determining, through a combination of observation and 
inquiry, whether any change in internal control over financial 
reporting has materially affected, or is reasonably likely to 
materially affect, the company's internal control over financial 
reporting.
    e. Paragraph 29 is replaced with--
    As a result of conducting a review of interim financial 
information, the accountant may become aware of matters that cause 
him or her to believe that--
    a. Material modification should be made to the interim financial 
information for it to conform with generally accepted accounting 
principles;
    b. Modification to the disclosures about changes in internal 
control over financial reporting is necessary for the certifications 
to be accurate and to comply with the requirements of Section 302 of 
the Act and Securities Exchange Act Rule 13a-14(a) or 15d-14(a), 
whichever applies; and
    c. The entity filed the Form 10-Q or Form 10-QSB before the 
completion of the review.
    In such circumstances, the accountant should communicate the 
matter(s) to the appropriate level of management as soon as 
practicable.
    f. Paragraph 32 is replaced with--
    If the auditor becomes aware of information indicating that 
fraud or an illegal act has or may have occurred, the auditor must 
also determine his or her responsibilities under AU sec. 316, 
Consideration of Fraud in a Financial Statement Audit, AU sec. 317, 
Illegal Acts by Clients, and Section 10A of the Securities Exchange 
Act of 1934.\1\

    \1\ See 15 U.S.C. 78j-1.

    g. Within paragraph 33, the third sentence is replaced with--
    A significant deficiency is a deficiency, or a combination of 
deficiencies, in internal control over financial reporting, that is 
less severe than a material weakness yet important enough to merit 
attention by those responsible for oversight of the company's 
financial reporting.

Auditing Standard No. 3, Audit Documentation

    Auditing Standard No. 3, Audit Documentation is amended as 
follows--
    Within footnote 2 to paragraph 6, the reference to paragraphs 
68-70 of Auditing Standard No. 2 is replaced with a reference to 
paragraphs 28-33 of Auditing Standard No. 5, An Audit of Internal 
Control Over Financial Reporting That Is Integrated with An Audit of 
Financial Statements.

Auditing Standard No. 4, Reporting on Whether a Previously Reported 
Material Weakness Continues to Exist

    Auditing Standard No. 4, Reporting on Whether a Previously 
Reported Material Weakness Continues to Exist is amended as 
follows--
    a. Within note 1 to paragraph 1, the reference to Auditing 
Standard No. 2 is replaced with a reference to Auditing Standard No. 
5, An Audit of Internal Control Over Financial Reporting That Is 
Integrated with An Audit of Financial Statements.
    b. Within paragraph 2, the two references to Auditing Standard 
No. 2 are replaced with references to Auditing Standard No. 5, An 
Audit of Internal Control Over Financial Reporting That Is 
Integrated with An Audit of Financial Statements.
    c. Within the note to paragraph 2, the reference to Auditing 
Standard No. 2 is replaced with a reference to Auditing Standard No. 
5, An Audit of Internal Control Over Financial Reporting That Is 
Integrated with An Audit of Financial Statements.
    d. Within paragraph 4, the reference to Auditing Standard No. 2 
is replaced with a reference to Auditing Standard No. 5, An Audit of 
Internal Control Over Financial Reporting That Is Integrated with An 
Audit of Financial Statements.
    e. Paragraph 9 is replaced with--
    The terms internal control over financial reporting, deficiency, 
significant deficiency, and material weakness have the same meanings 
as the definitions of those terms in Appendix A, Definitions, of 
Auditing Standard No. 5, An Audit of Internal Control Over Financial 
Reporting That Is Integrated with An Audit of Financial Statements.
    f. The first sentence of paragraph 10 is replaced with--
    Paragraph 5 of Auditing Standard No. 5, An Audit of Internal 
Control Over Financial Reporting That Is Integrated with An Audit of 
Financial Statements, states ``[t]he auditor should use the same 
suitable, recognized control framework to perform his or her audit 
of internal control over financial reporting as management uses for 
its annual evaluation of the effectiveness of the company's internal 
control over financial reporting.''
    g. Within the note to paragraph 10, the reference to Auditing 
Standard No. 2 in the first sentence is replaced with a reference to 
Auditing Standard No. 5, An Audit of 
Internal Control Over Financial Reporting That Is Integrated with An 
Audit of Financial Statements, and the last sentence is amended as 
follows--
    More information about the COSO framework is included within the 
COSO report.
    h. Paragraph 11 is replaced with--
    The terms relevant assertion and control objective have the same 
meaning as the definitions of those terms in Appendix A, 
Definitions, of Auditing Standard No. 5, An Audit of Internal 
Control Over Financial Reporting That Is Integrated with An Audit of 
Financial Statements.
    i. Paragraph 13 is replaced with--
    In an audit of internal control over financial reporting, the 
auditor should test the design effectiveness of controls by 
determining whether the company's controls, if they are operated as 
prescribed by persons possessing the necessary authority and 
competence to perform the control effectively, satisfy the company's 
control objectives and can effectively prevent or detect errors or 
fraud that could result in material misstatements in the financial 
statements.\2\

    \2\ See paragraph 42 of Auditing Standard No. 5, An Audit of 
Internal Control Over Financial Reporting That Is Integrated with An 
Audit of Financial Statements.

    j. Within the note to paragraph 17, the reference to Auditing 
Standard No. 2 is replaced with a reference to Auditing Standard No. 
5, An Audit of Internal Control Over Financial Reporting That Is 
Integrated with An Audit of Financial Statements.
    k. Within note 2 to paragraph 18, the reference to Auditing 
Standard No. 2 is replaced with a reference to Auditing Standard No. 
5, An Audit of Internal Control Over Financial Reporting That Is 
Integrated with An Audit of Financial Statements.
    l. Within paragraph 21, the last sentence is deleted.
    m. Within paragraph 23, the reference to paragraphs 22 and 23 of 
Auditing Standard No. 2 is replaced with a reference to paragraph 20 
of Auditing Standard No. 5, An Audit of Internal Control Over 
Financial Reporting That Is Integrated with An Audit of Financial 
Statements. Additionally, the second sentence is deleted.
    n. Within paragraph 24, the reference to paragraph 39 of 
Auditing Standard No. 2 is replaced with a reference to paragraph 9 
of Auditing Standard No. 5, An Audit of Internal Control Over 
Financial Reporting That Is Integrated with An Audit of Financial 
Statements.
    o. Within paragraph 25, the reference to Auditing Standard No. 2 
is replaced with a reference to Auditing Standard No. 5, An Audit of 
Internal Control Over Financial Reporting That Is Integrated with An 
Audit of Financial Statements.
    p. Within the note to paragraph 25, the two references to 
Auditing Standard No. 2 are replaced with references to Auditing 
Standard No. 5, An Audit of Internal Control Over Financial 
Reporting That Is Integrated with An Audit of Financial Statements.
    q. Within subparagraph a. of paragraph 26, the reference to 
paragraphs 47 through 51 of Auditing Standard No. 2 is replaced with 
a reference to paragraphs 22-27 of Auditing Standard No. 5, An Audit 
of Internal Control Over Financial Reporting That Is Integrated with 
An Audit of Financial Statements.
    r. Subparagraph b. of paragraph 26 is replaced with--
    Perform the procedures described in paragraphs 34-38 of Auditing 
Standard No. 5, An Audit of Internal Control Over Financial 
Reporting That Is Integrated with An Audit of Financial Statements, 
for those transactions that are directly affected by controls 
specifically identified by management as addressing the material 
weakness.
    s. The note to subparagraph b. of paragraph 26 is deleted.
    t. Within paragraph 27, the reference to Auditing Standard No. 2 
is replaced with a reference to Auditing Standard No. 5, An Audit of 
Internal Control Over Financial Reporting That Is Integrated with An 
Audit of Financial Statements.
    u. The note to paragraph 28 is deleted.
    v. Within paragraph 31, the reference to paragraphs 88 through 
91 of Auditing Standard No. 2 is replaced with a reference to 
paragraphs 42-43 of Auditing Standard No. 5, An Audit of Internal 
Control Over Financial Reporting That Is Integrated with An Audit of 
Financial Statements.
    w. Paragraph 32 is replaced with--
    Consistent with the direction in paragraphs 44-45 of Auditing 
Standard No. 5, An Audit of Internal Control Over Financial 
Reporting That Is Integrated with An Audit of Financial Statements, 
the auditor should test the operating effectiveness of a specified 
control by determining whether the specified control operated as 
designed and whether the person performing the control possesses the 
necessary authority and qualifications to perform the control 
effectively. In determining the nature, timing, and extent of tests 
of controls, the auditor should apply paragraphs 50-54 of Auditing 
Standard No. 5.
    x. Paragraph 33 is replaced with--
    The auditor should perform tests of the specified controls over 
a period of time that is adequate to determine whether, as of the 
date specified in management's assertion, the controls necessary for 
achieving the stated control objective are operating effectively. 
The timing of the auditor's tests should vary with the risk 
associated with the control being tested. For example, a 
transaction-based, daily reconciliation generally would permit the 
auditor to obtain sufficient evidence as to its operating 
effectiveness in a shorter period of time than a pervasive, entity-
level control, such as any of those described in paragraphs 22-24 of 
Auditing Standard No. 5, An Audit of Internal Control Over Financial 
Reporting That Is Integrated with An Audit of Financial Statements. 
Additionally, the auditor typically will be able to obtain 
sufficient evidence as to the operating effectiveness of controls 
over the company's period-end financial reporting process only by 
testing those controls in connection with a period-end.
    y. Within paragraph 35, the reference to paragraphs B1 through 
B13 of Appendix B of Auditing Standard No. 2 is replaced with a 
reference to paragraphs B10-B16 of Appendix B, Special Topics, of 
Auditing Standard No. 5, An Audit of Internal Control Over Financial 
Reporting That Is Integrated with An Audit of Financial Statements.
    z. Within paragraph 36, the reference to paragraphs 109 through 
115 and 117 through 125 of Auditing Standard No. 2 is replaced with 
a reference to paragraphs 16-19 of Auditing Standard No. 5, An Audit 
of Internal Control Over Financial Reporting That Is Integrated with 
An Audit of Financial Statements.
    aa. The second sentence of paragraph 37 is replaced with--
    Therefore, if the auditor has been engaged to report on more 
than one material weakness or on more than one stated control 
objective, the auditor must evaluate whether he or she has obtained 
sufficient evidence that the control objectives related to each of 
the material weaknesses identified in management's assertion are 
achieved.
    bb. The first two sentences of paragraph 38 are replaced with--
    Paragraphs 18-19 of Auditing Standard No. 5, An Audit of 
Internal Control Over Financial Reporting That Is Integrated with An 
Audit of Financial Statements, should be applied in the context of 
the engagement to report on whether a previously reported material 
weakness continues to exist.
    cc. The note to paragraph 38 is deleted.
    dd. The note to paragraph 39 is deleted.
    ee. Paragraph 42 is replaced with--
    Management may conclude that a previously reported material 
weakness no longer exists because its severity has been sufficiently 
reduced such that it is no longer a material weakness.
    ff. Subparagraph f. of paragraph 44 is replaced with--
    Describing any fraud resulting in a material misstatement to the 
company's financial statements and any other fraud that does not 
result in a misstatement in the company's financial statements but 
involves senior management or management or other employees who have 
a significant role in the company's internal control over financial 
reporting and that has occurred or come to management's attention 
since the date of management's most recent annual assessment of 
internal control over financial reporting.
    gg. Within the note to subparagraph b. of paragraph 51, the 
reference to Auditing Standard No. 2 is replaced with a reference to 
Auditing Standard No. 5, An Audit of Internal Control Over Financial 
Reporting That Is Integrated with An Audit of Financial Statements.
    hh. Within the note to subparagraph l. of paragraph 51, the 
reference to Auditing Standard No. 2 is replaced with a reference to 
Auditing Standard No. 5, An Audit of Internal Control Over Financial 
Reporting That Is Integrated with An Audit of Financial Statements.
    ii. Within the note to the second bullet point of subparagraph 
o. of paragraph 51, the reference to Auditing Standard No. 2 is 
replaced with a reference to Auditing Standard No. 5, An Audit of 
Internal Control Over Financial Reporting That Is Integrated with An 
Audit of Financial Statements.
    jj. Within paragraph 52, the reference to Auditing Standard No. 
2 is replaced with a 
reference to Auditing Standard No. 5, An Audit of Internal Control 
Over Financial Reporting That Is Integrated with An Audit of 
Financial Statements.
    kk. Within paragraph 63, the reference to paragraphs 202 through 
206 of Auditing Standard No. 2 is replaced with a reference to 
paragraphs 7 and 29-32 of AU sec. 722, Interim Financial 
Information.
    ll. Within paragraph 64, the reference to paragraphs 202 through 
206 of Auditing Standard No. 2 is replaced with a reference to 
paragraphs 7 and 29-32 of AU sec. 722, Interim Financial 
Information.

II. Board's Statement of the Purpose of, and Statutory Basis for, the 
Proposed Rules

    In its filing with the Commission, the Board included statements 
concerning the purpose of, and basis for, the proposed rule and 
discussed any comments it received on the proposed rule. The text of 
these statements may be examined at the places specified in Item IV 
below. The Board has prepared summaries, set forth in sections A, B, 
and C below, of the most significant aspects of such statements.

A. Board's Statement of the Purpose of, and Statutory Basis for, 
the Proposed Rules

(a) Purpose

    In 2002, Congress passed the Act, which, among other things, 
established new provisions related to internal control over 
financial reporting. Section 404 of the Act requires company 
management to assess and report on the effectiveness of the 
company's internal control. It also requires a company's independent 
auditor, registered with the Board, to attest to management's 
disclosures regarding the effectiveness of its internal control. As 
directed by Sections 103 and 404 of the Act, the Board established a 
standard to govern the newly required audit by adopting Auditing 
Standard No. 2, An Audit of Internal Control Over Financial 
Reporting Performed in Conjunction with an Audit of Financial 
Statements (``Auditing Standard No. 2''). The SEC approved Auditing 
Standard No. 2 on June 17, 2004.
    Since Auditing Standard No. 2 became effective, the Board has 
closely monitored the progress registered firms have made in 
implementing its requirements. The PCAOB's monitoring has included 
gathering information during inspections of registered public 
accounting firms; participating, along with the SEC, in two 
roundtable discussions with representatives of issuers, auditors, 
investor groups, and others; meeting with its Standing Advisory 
Group; receiving feedback from participants in the Board's Forums on 
Auditing in the Small Business Environment; and reviewing academic, 
government, and other reports and studies.
    As a result of this monitoring, two basic propositions emerged. 
First, the audit of internal control over financial reporting has 
produced significant benefits, including an enhanced focus on 
corporate governance and controls and higher quality financial 
reporting. Second, these benefits have come at a significant cost. 
Costs have been greater than expected and, at times, the related 
effort has appeared greater than necessary to conduct an effective 
audit of internal control over financial reporting.
    As part of a four-point plan to improve implementation of the 
internal control requirements, the Board determined to amend 
Auditing Standard No. 2. On December 19, 2006, the Board proposed 
for comment a new standard on auditing internal control, An Audit of 
Internal Control Over Financial Reporting That Is Integrated with an 
Audit of Financial Statements, that would replace Auditing Standard 
No. 2. After careful consideration of the comments it received and 
the input from the SEC, the Board has refined its proposals to 
provide additional clarity and further help auditors to focus on the 
most important matters. The Board adopted the revised standard on 
auditing internal control as Auditing Standard No. 5, to supersede 
Auditing Standard No. 2.
    Under Section 10A(i) of the Exchange Act, as amended by Section 
202 of the Act, all non-audit services that the auditor proposes to 
perform for an issuer client ``shall be pre-approved by the audit 
committee of the issuer.'' Rule 3525 would further implement the 
Act's pre-approval requirement by requiring auditors to take certain 
steps as part of seeking audit committee pre-approval of internal 
control related non-audit services. These steps are intended to 
ensure that audit committees are provided relevant information for 
them to make an informed decision on how the performance of internal 
control-related services may affect independence. Rule 3525 requires 
a registered public accounting firm that seeks pre-approval of an 
issuer audit client's audit committee to perform internal control-
related non-audit services that are not otherwise prohibited by the 
Act or the rules of the SEC or the Board to: Describe, in writing, 
to the audit committee the scope of the proposed service; discuss 
with the audit committee the potential effects of the proposed 
service on the firm's independence; and document the substance of 
the firm's discussion with the audit committee.
    The conforming amendments update the Board's other auditing 
standards in light of Auditing Standard No. 5, move information 
contained in Auditing Standard No. 2 to the Board's interim 
standards, and change the existing requirement that ``generally, the 
date of completion of the field work should be used as the date of 
the independent auditor's report'' to ``the auditor should date the 
audit report no earlier than the date on which the auditor has 
obtained sufficient competent evidence to support the auditor's 
opinion.'' This change is consistent with a recent change adopted by 
both the International Auditing and Assurance Standards Board and 
the AICPA Auditing Standards Board.

(b) Statutory Basis

    The statutory basis for the proposed rule is Title I and II and 
Section 404 of the Act.

B. Board's Statement on Burden on Competition

    The Board does not believe that the proposed rule will result in 
any burden on competition that is not necessary or appropriate in 
furtherance of the purposes of the Act. The proposed rules would 
apply equally to all registered public accounting firms and their 
associated persons. Moreover, Auditing Standard No. 5 explains how 
to tailor internal control audits to fit the size and complexity of 
the company being audited.

C. Board's Statement on Comments on the Proposed Rule Received From 
Members, Participants or Others

    The Board released the proposed rules for public comment in 
Release No. 2006-007 (December 19, 2006). A copy of Release No. 
2006-007 and the comment letters received in response to the PCAOB's 
request for comment are available on the PCAOB's Web site at http://www.pcaobus.org. The Board received 175 written comments. The Board 
also discussed the proposals with its Standing Advisory Group on 
February 22, 2007.\1\ The Board has clarified and modified certain 
aspects of the proposed rules in response to the comments it 
received, as discussed below.
---------------------------------------------------------------------------

    \1\ A transcript of the portion of the meeting that related to 
the proposals and an archived web cast of the entire meeting are 
available on the Board's Web site at http://www.pcaobus.org/Standards/Standing_Advisory_Group/Meetings/2007/02-22/SAG_Transcript.pdf.
---------------------------------------------------------------------------

    The Board issued these proposals with the primary objectives of 
focusing auditors on the most important matters in the audit of 
internal control over financial reporting and eliminating procedures 
that the Board believes are unnecessary to an effective audit of 
internal control. The proposals were designed to both increase the 
likelihood that material weaknesses in companies' internal control 
will be found before they cause material misstatement of the 
financial statements and steer the auditor away from procedures that 
are not necessary to achieve the intended benefits. The Board also 
sought to make the internal control audit more clearly scalable for 
smaller and less complex public companies and to make the text of 
the standard easier to understand. In formulating these proposals, 
the Board re-evaluated every significant aspect of Auditing Standard 
No. 2.
    A large majority of commenters were generally supportive of the 
Board's proposals, particularly the top-down, risk-based approach 
and focus on the most important matters. Based on the comments 
received, the Board believes that the proposal achieves, in large 
part, the objectives the Board set out when deciding to amend 
Auditing Standard No. 2. Many commenters also offered suggestions to 
improve the final standard, which the Board has carefully analyzed.
    In considering the comments received and formulating a final 
standard, the Board closely coordinated its work with the SEC, which 
proposed guidance for management on evaluating internal control at 
the same time that the Board issued its proposals.\2\ In addition to 
its role in implementing Section 404(a) of the Act, the SEC must 
approve new PCAOB auditing standards before they can become 
effective.\3\ On April 4, 2007, the Commission held a public meeting 
to discuss the Board's proposals and the coordination of those 
proposals with the Commission's 
proposed management guidance. At the meeting, the SEC staff provided 
the Commission its analysis of the public comments on the PCAOB's 
proposal and the proposed management guidance. The Commission 
endorsed the recommendations of its staff and directed its staff to 
focus its remaining work in four areas:
---------------------------------------------------------------------------

    \2\ See Securities Exchange Act Release No. 54976 (Dec. 20, 
2006).
    \3\ See Section 107 of the Act.
---------------------------------------------------------------------------

     ``Aligning the PCAOB's new auditing standard * * * with 
the SEC's proposed new management guidance under Section 404, 
particularly with regard to prescriptive requirements, definitions, 
and terms'';
     ``Scaling the 404 audit to account for the particular 
facts and circumstances of companies, particularly smaller 
companies'';
     ``Encouraging auditors to use professional judgment in 
the 404 process, particularly in using risk-assessment''; and
     ``Following a principles-based approach to determining 
when and to what extent the auditor can use the work of others.'' 
\4\
---------------------------------------------------------------------------

    \4\ See SEC Press Release, ``SEC Commissioners Endorse Improved 
Sarbanes-Oxley Implementation To Ease Smaller Company Burdens, 
Focusing Effort On `What Truly Matters' '' (Apr. 4, 2007).
---------------------------------------------------------------------------

    After careful consideration of the comments it received and the 
input from the SEC, the Board has refined its proposals to provide 
additional clarity and further help auditors to focus on the most 
important matters. The Board has decided to adopt the revised 
standard on auditing internal control as Auditing Standard No. 5, to 
supersede Auditing Standard No. 2. The Board has also decided to 
adopt the independence rule and conforming amendments to the 
auditing standards.\5\
---------------------------------------------------------------------------

    \5\ As discussed below, the Board has determined not to adopt 
the proposed auditing standard on considering and using the work of 
others.
---------------------------------------------------------------------------

Notable Areas of Change in the Final Standard

    The Board believes that the changes made to the proposal reflect 
refinements, rather than significant shifts in approach. This 
section describes the areas of change to the proposals that are most 
notable. Additional discussion of comments received on the proposals 
and the Board's response is included below.

Alignment With Management Guidance

    On December 20, 2006, the SEC issued proposed guidance to help 
management evaluate internal control for purposes of its annual 
assessment. In formulating a new standard on auditing internal 
control, the Board sought to describe an audit process that would be 
coordinated with management's evaluation process. Many commenters 
suggested, however, that the SEC's management guidance and the 
Board's standard should be more closely aligned.
    After considering the comments in this area, the Board has 
decided to make changes that will improve the coordination between 
the SEC's management guidance and the Board's standard. In doing so, 
the Board has been mindful of the inherent differences in the roles 
of management and the auditor. Management's daily involvement with 
its internal control system provides it with knowledge and 
information that may influence its judgments about how best to 
evaluate internal control and the sufficiency of the evidence it 
needs for its annual assessment. Management also should be able to 
rely on self-assessment and, more generally, the monitoring 
component of internal control, provided the monitoring component is 
properly designed and operates effectively.
    The auditor is required to provide an independent opinion on the 
effectiveness of the company's internal control over financial 
reporting. The auditor does not have the familiarity with the 
company's controls that management has and does not interact with or 
observe these controls with the same frequency as management. 
Therefore, the auditor cannot obtain sufficient evidence to support 
an opinion on the effectiveness of internal control based solely on 
observation of or interaction with the company's controls. Rather, 
the auditor needs to perform procedures such as inquiry, 
observation, and inspection of documents, or walkthroughs, which 
consist of a combination of those procedures, in order to fully 
understand and identify the likely sources of potential 
misstatements, while management might be aware of those risk areas 
on an on-going basis.
    The Board believes, however, that the general concepts necessary 
to an understanding of internal control should be described in the 
same way in the Board's standard and in the SEC's guidance. 
Accordingly, the Board has decided to use the same definition of 
material weakness in its standard that the SEC uses in its final 
management guidance and related rules. In addition, the Board is 
adopting the definition of significant deficiencies that the SEC has 
proposed. The final standard and final management guidance also 
describe the same indicators of a material weakness. In addition, as 
described more fully below, the final standard on auditing internal 
control uses the term ``entity-level controls'' instead of 
``company-level controls,'' which was used in the proposed standard, 
in order to use the same term as the SEC uses in its final 
management guidance.\6\ Auditing Standard No. 5's discussion of the 
effect of these controls is also consistent with the discussion of 
the same topic in the SEC's final guidance.
---------------------------------------------------------------------------

    \6\ These terms were used interchangeably in the proposed 
standard and SEC's proposed management guidance and, for these 
purposes, they mean the same thing. See Securities Exchange Act 
Release No. 54976 (Dec. 20, 2006), at 12 fn. 29.
---------------------------------------------------------------------------

The Top-Down Approach

    The proposed standard on auditing internal control was 
structured around the top-down approach to identifying the most 
important controls to test. This approach follows the same 
principles that apply to the financial statement audit--the auditor 
determines the areas of focus through the identification of 
significant accounts and disclosures and relevant assertions. Under 
the proposed standard, the auditor would specifically identify major 
classes of transactions and significant processes before identifying 
the controls to test.
    In response to comments about the level of detail in the 
requirements of the proposed standard, the Board has reconsidered 
whether the final standard should include the identification of 
major classes of transactions and significant processes as a 
specifically required step in the top-down approach. As a practical 
matter, the auditor will generally need to understand the company's 
processes to appropriately identify the correct controls to test. 
The Board believes, however, that specific requirements directing 
the auditor how to obtain that understanding are unnecessary and 
could contribute to a ``checklist approach'' to compliance, 
particularly for auditors who have a longstanding familiarity with 
the company. Accordingly, the Board has removed the requirements to 
identify major classes of transactions and significant processes 
from the final standard. While this should allow auditors to apply 
more professional judgment as they work through the top-down 
approach, the end point is the same as in the proposed standard--the 
requirement to test those controls that address the assessed risk of 
misstatement to each relevant assertion.\7\
---------------------------------------------------------------------------

    \7\ See paragraph 21.
---------------------------------------------------------------------------

Emphasis on Fraud Controls

    The proposed standard on auditing internal control discussed 
fraud controls and the auditor's procedures related to these 
controls among the testing concepts included near the end of the 
standard. Commenters suggested that the placement of the discussion, 
or the lack of specificity regarding the controls that should be 
deemed fraud controls, failed to properly emphasize these controls 
or provide auditors with sufficient direction on how to test fraud 
controls. In response, the Board has made several changes in the 
final standard.
    First, the discussion of fraud risk and anti-fraud controls has 
been moved closer to the beginning of the standard to emphasize to 
auditors the relative importance of these matters in assessing risk 
throughout the top-down approach.\8\ Incorporating the auditor's 
fraud risk assessment--required in the financial statement audit--
into the auditor's planning process for the audit of internal 
control should promote audit quality as well as better integration. 
While internal control cannot provide absolute assurance that fraud 
will be prevented or detected, these controls should help to reduce 
instances of fraud, and, therefore, a concerted focus on fraud 
controls in the internal control audit should enhance investor 
protection. Second, management fraud has also been identified in the 
final standard as an area of higher risk; accordingly, the auditor 
should focus more of his or her attention on this area.\9\ Finally, 
the standard, as adopted, provides additional guidance on the types 
of controls that might address fraud risk.\10\
---------------------------------------------------------------------------

    \8\ See paragraphs 14 and 15.
    \9\ See paragraph 11.
    \10\ See paragraph 14.
---------------------------------------------------------------------------

Entity-Level Controls

    The proposed standard on auditing internal control emphasized 
entity-level controls because of their importance both to the 
auditor's ability to appropriately tailor the audit through a top-
down approach--
specifically by identifying and testing the most important 
controls--and to effective internal control. Additionally, the 
proposed standard emphasized that these controls might, depending on 
the circumstances, allow the auditor to reduce the testing of 
controls at the process level. Commenters suggested that the 
proposed standard did not provide enough direction on how entity-
level controls can significantly reduce testing, and some suggested 
that controls that operate at the level of precision necessary to do 
so are uncommon. Many commenters suggested incorporating in the 
final standard the discussion of direct versus indirect entity-level 
controls that was included in the SEC's proposed management 
guidance.
    The Board continues to believe that entity-level controls, 
depending on how they are designed and operate, can reduce the 
testing of other controls related to a relevant assertion. This is 
either because the entity-level control sufficiently addresses the 
risk related to the relevant assertion, or because the entity-level 
controls provide some assurance so that the testing of other 
controls related to that assertion can be reduced. In response to 
comments and in order to clarify these concepts, the Board included 
in the final standard a discussion of three broad categories of 
entity-level controls, which vary in nature and precision, along 
with an explanation of how each category might have a different 
effect on the performance of tests of other controls.\11\
---------------------------------------------------------------------------

    \11\ See paragraph 23. The Board believes that expertise of 
auditors and companies in the area of entity-level controls will 
continue to evolve. For example, the Committee of Sponsoring 
Organizations of the Treadway Commission has begun a project on the 
monitoring component of internal control that may provide some 
guidance in this area.
---------------------------------------------------------------------------

    The final standard explains that some controls, such as certain 
control environment controls, have an important, but indirect 
effect, on the likelihood that a misstatement will be detected or 
prevented on a timely basis. These controls might affect the other 
controls the auditor selects for testing and the nature, timing, and 
extent of procedures the auditor performs on other controls.
    The final standard explains that other entity-level controls may 
not operate at the level of precision necessary to eliminate the 
need for testing of other controls, but can reduce the required 
level of testing of other controls, sometimes substantially. This is 
because the auditor obtains some of the supporting evidence related 
to a control from an entity-level control and the remaining 
necessary evidence from the testing of the control at the process 
level. Controls that monitor the operation of other controls are the 
best example of these types of controls. These monitoring controls 
help provide assurance that the controls that address a particular 
risk are effective and, therefore, they can provide some evidence 
about the effectiveness of those lower-level controls, reducing the 
testing of those controls that otherwise would be necessary.
    Lastly, the final standard explains that some entity-level 
controls might operate at a level of precision that, without the 
need for other controls, sufficiently addresses the risk of 
misstatement to a relevant assertion. If a control sufficiently 
addresses the risk in this manner, the auditor does not need to test 
other controls related to that risk.

Walkthroughs

    The proposed standard on auditing internal control would have 
required auditors to perform a walkthrough of each significant 
process each year. This proposed requirement represented a change 
from Auditing Standard No. 2, which required a walkthrough of each 
major class of transactions within a significant process. Commenters 
were split on the question of whether the re-calibration from major 
class of transactions to significant process in the proposed 
standard would result in a reduction of effort. Some issuers and 
auditors suggested that walkthroughs are already being performed on 
significant processes, while other issuers and auditors commented 
that this proposed requirement would make a difference. A few 
commenters suggested that a walkthrough of each significant process 
was insufficient and would negatively affect audit quality, but many 
others stated that walkthroughs should not be required at all.
    In evaluating these comments, the Board focused principally on 
the objectives it believes are achieved through a properly performed 
walkthrough. The Board firmly believes that those objectives should 
be met for the auditor to verify that he or she has a sufficient 
understanding of the points within the processes where misstatements 
could occur and to properly identify the controls to test.\12\ 
Procedures that fulfill those objectives also play an important role 
in the evaluation of the effectiveness of the design of the 
controls. The Board believes that, in some instances, the 
requirement to perform a walkthrough may have overshadowed the 
objectives it was meant to achieve. This may have resulted in some 
walkthroughs being performed to meet the requirement but failing to 
achieve the intended purpose.
---------------------------------------------------------------------------

    \12\ See paragraph 34, which describes these objectives.
---------------------------------------------------------------------------

    The final standard, therefore, focuses specifically on achieving 
certain important objectives, and the performance requirement is 
based on fulfilling those objectives as they relate to the 
understanding of likely sources of misstatement and the selection of 
controls to test.\13\ While a walkthrough will frequently be the 
best way of attaining these goals, the auditor's focus should be on 
the objectives, not on the mechanics of the walkthrough. In some 
cases, other procedures may be equally or more effective means of 
achieving them.
---------------------------------------------------------------------------

    \13\ See paragraph 34.
---------------------------------------------------------------------------

Evaluation and Communication of Deficiencies

    The proposed standard on auditing internal control required the 
auditor to evaluate the severity of identified control deficiencies 
to determine whether they are significant deficiencies or material 
weaknesses. It then required the auditor to communicate, in writing, 
to management and the audit committee all significant deficiencies 
and material weaknesses identified during the audit. The proposed 
standard defined ``significant deficiency'' as ``a control 
deficiency, or combination of control deficiencies, such that there 
is a reasonable possibility that a significant misstatement of the 
company's annual or interim financial statements will not be 
prevented or detected.'' The term ``significant misstatement'' was 
defined, in turn, to mean ``a misstatement that is less than 
material yet important enough to merit attention by those 
responsible for oversight of the company's financial reporting.''
    Commenters generally supported the proposed definition of the 
term ``significant misstatement,'' though some were concerned that 
it was too subjective. Other commenters questioned whether the 
standard should include a definition of significant deficiency and a 
requirement to communicate significant deficiencies to the audit 
committee. At least one commenter suggested that the term be removed 
from the standard.
    After considering these comments, the Board has determined to 
make changes to the definition of significant deficiency and related 
requirements.\14\ The Board continues to believe that the standard 
should require auditors to provide relevant information about 
important control deficiencies--even those less severe than a 
material weakness--to management and to the audit committee. The 
final standard, therefore, requires the auditor to consider and 
communicate any identified significant deficiencies to the audit 
committee. In order to emphasize that the auditor need not scope the 
audit to identify all significant deficiencies, however, the Board 
placed these provisions in the section of the final standard that 
describes communications requirements.\15\
---------------------------------------------------------------------------

    \14\ The Board also made minor changes to the definition of 
material weakness in order to use the same definition in the SEC's 
management guidance and related rule. In the final standard, 
material weakness is defined as ``a deficiency, or a combination of 
deficiencies, in internal control over financial reporting, such 
that there is a reasonable possibility that a material misstatement 
of the company's annual or interim financial statements will not be 
prevented or detected on a timely basis.''
    \15\ See paragraph 80. The final standard also includes the 
proposed requirement for the auditor to communicate, in writing, to 
management, all deficiencies in internal control identified during 
the audit and inform the audit committee when such a communication 
has been made, and the proposed requirement to inform, when 
applicable, the board of directors of the auditor's conclusion that 
the audit committee's oversight is ineffective. See paragraphs 79 
and 81. Some commenters believed that the requirement to communicate 
all identified deficiencies to management would result in an 
unnecessary administrative exercise. The Board continues to believe, 
however, that auditors should provide information about identified 
control deficiencies to management.
---------------------------------------------------------------------------

    The relatively minor changes that the Board made to the 
definition of significant deficiency are also intended to focus the 
auditor on the communication requirement and away from scoping 
issues. The final definition is based on the proposed definition of 
``significant misstatement,'' which commenters generally supported, 
and is aligned with the SEC's proposed definition of the same term. 
Under the final standard, a significant deficiency is ``a 
deficiency, or a

[[Page 32363]]

combination of deficiencies, in internal control over financial 
reporting that is less severe than a material weakness yet important 
enough to merit attention by those responsible for oversight of the 
company's financial reporting.''

Scaling the Audit

    The proposed standard on auditing internal control indicated 
that a company's size and complexity are important considerations 
and that the procedures an auditor should perform depend upon where 
along the size and complexity continuum a company falls. The 
proposed standard included a section on scaling the audit for 
smaller, less complex companies and would have required auditors to 
evaluate and document the effect of the company's size and 
complexity on the audit. This documentation requirement applied to 
audits of companies of all sizes. The proposed standard also 
included a list of the attributes of smaller, less complex companies 
and a description of how the auditor might tailor his or her 
procedures when these attributes are present. In general, commenters 
were supportive of the proposed standard's general approach to 
scalability, but had several recommendations for change.
    Some commenters suggested that scalability should not be covered 
as a stand-alone discussion applicable only to smaller companies and 
that other companies, regardless of size, might have areas that are 
less complex. The Board agrees that the direction on scaling will be 
most effective if it is a natural extension of the risk-based 
approach and applicable to all companies. Consequently, the Board 
shortened the separate section on ``scaling the audit,'' and 
incorporated a discussion of scaling concepts, similar to what was 
proposed, throughout the final standard. Specifically, notes to 
relevant paragraphs describe how to tailor the audit to the 
particular circumstances of a smaller, less complex company or unit. 
The Board also retained the list of attributes of smaller, less 
complex companies and acknowledged that, even within larger 
companies, some business units or processes may be less complex than 
others. Discussion of these attributes has been incorporated in the 
section on the auditor's planning procedures in the final 
standard.\16\ As described in the proposing release, the provisions 
on scalability in the final standard will form the basis for 
guidance on auditing internal control in smaller companies to be 
issued this year.
---------------------------------------------------------------------------

    \16\ See paragraph 9.
---------------------------------------------------------------------------

    Several commenters, mostly auditors, suggested that the 
performance requirements that applied to all companies, including 
large, complex companies, would lead to unnecessary and costly 
documentation requirements. These commenters were particularly 
concerned about the requirement to document the effects of size and 
complexity on all aspects of the audit, even if a particular 
engagement could not be tailored as a result of these factors. After 
considering these comments, the Board agreed that this documentation 
requirement is not necessary to promote audit quality and, 
therefore, has not included it in the final standard.

Use of the Work of Others in an Integrated Audit

    At the time the Board proposed Auditing Standard No. 5 for 
public comment, the Board also proposed an auditing standard 
entitled Considering and Using the Work of Others in an Audit that 
would have superseded the Board's interim standard AU sec. 322, The 
Auditor's Consideration of the Internal Audit Function in an Audit 
of Financial Statements (``AU sec. 322''), and replaced the 
direction on using the work of others in an audit of internal 
control in Auditing Standard No. 2. As discussed in the proposing 
release, the Board had several objectives in proposing this 
standard. The first was to better integrate the financial statement 
audit and the audit of internal control by having only one framework 
for using the work of others in both audits. Additionally, the Board 
wanted to encourage auditors to use the work of others to a greater 
extent when the work is performed by sufficiently competent and 
objective persons. Among other things, under the proposed standard, 
auditors would have been able to use the work of sufficiently 
competent and objective company personnel--not just internal 
auditors--and third parties working under the direction of 
management or the audit committee for purposes of the financial 
statement audit as well as the audit of internal control.
    The Board received numerous comments on the proposed standard on 
using the work of others. Commenters generally indicated support for 
a single framework regarding the auditor's use of the work of others 
in an integrated audit. Some, however, suggested retaining existing 
AU sec. 322 as the basis for that single framework. They expressed 
the view that the objective of removing barriers to integration and 
using the work of others to the fullest extent appropriate could be 
achieved by retaining AU sec. 322 and going forward with the 
proposed removal of the ``principal evidence'' provision. At the 
same time, some other commenters suggested that the proposed 
standard did not go far enough in encouraging auditors to use the 
work of others.
    After considering these comments, the Board continues to believe 
that a single framework for the auditor's use of the work of others 
is preferable to separate frameworks for the audit of internal 
control and the audit of financial statements. The factors used to 
determine whether and to what extent it is appropriate to use the 
work of others should be the same for both audits. At the same time, 
the Board agreed with those commenters who suggested that better 
integration of the audits could be achieved without replacing the 
existing auditing standard. The Board therefore has decided to 
retain AU sec. 322 for both audits and incorporate language into 
Auditing Standard No. 5 that establishes these integration concepts 
rather than adopt the proposed standard on considering and using the 
work of others.
    Consistent with the proposal, however, Auditing Standard No. 5 
allows the auditor to use the work of others to obtain evidence 
about the design and operating effectiveness of controls and 
eliminates the principal evidence provision. Recognizing that 
issuers might employ personnel other than internal auditors to 
perform activities relevant to management's assessment of internal 
control over financial reporting, the final standard allows the 
auditor to use the work of company personnel other than internal 
auditors, as well as third parties working under the direction of 
management or the audit committee.\17\
---------------------------------------------------------------------------

    \17\ See paragraph 17.
---------------------------------------------------------------------------

    In line with the overall risk-based approach to the audit of 
internal control over financial reporting, the extent to which the 
auditor may use the work of others depends, in part, on the risk 
associated with the control being tested. As the risk decreases, so 
does the need for the auditor to perform the work himself or herself. 
The impact of the work of others on the auditor's work also depends 
on the relationship between the risk and the competence and 
objectivity of those who performed the work. As the risk decreases, 
the necessary level of competence and objectivity decreases as 
well.\18\ Likewise, in higher risk areas (for example, controls that 
address specific fraud risks), use of the work of others would be 
limited, if it could be used at all.
---------------------------------------------------------------------------

    \18\ See paragraph 18.
---------------------------------------------------------------------------

    Finally, the Board understands that some of the work performed 
by others for the purposes of management's assessment of internal 
controls can be relevant to the audit of financial statements. 
Therefore, in an integrated audit, the final standard allows the 
auditor to use the work of these sufficiently competent and 
objective others--not just internal auditors--to obtain evidence 
supporting the auditor's assessment of control risk for purposes of 
the audit of financial statements.\19\ The Board believes that this 
provision will promote better integration of the audit of internal 
control with the audit of financial statements.
---------------------------------------------------------------------------

    \19\ See paragraph 17.
---------------------------------------------------------------------------

Rule 3525--Audit Committee Pre-Approval of Non-Audit Services Related 
to Internal Control Over Financial Reporting

    The Board also proposed a new rule related to the auditor's 
responsibilities when seeking audit committee pre-approval of 
internal control related non-audit services. As proposed, the rule 
required a registered public accounting firm that seeks pre-approval 
of an issuer audit client's audit committee to perform internal 
control-related non-audit services that are not otherwise prohibited 
by the Act or the rules of the SEC or the Board to: describe, in 
writing, to the audit committee the scope of the proposed service; 
discuss with the audit committee the potential effects of the 
proposed service on the firm's independence; and document the 
substance of the firm's discussion with the audit committee. These 
requirements parallel the auditor's responsibility in seeking audit 
committee pre-approval to perform tax services for an audit client 
under PCAOB Rule 3524. Most commenters were supportive of the rule 
as proposed, though some offered suggestions about what should

[[Page 32364]]

be included in the required communication. After considering the 
comments on the proposed rule, the Board has adopted it without 
change.

Conforming Amendments

    As part of the proposal issued for public comment, the Board 
proposed amendments to certain of the Board's other auditing 
standards. Only one comment letter specifically addressed the 
proposed amendments. That letter expressed support for the 
amendments and suggested a few additional amendments that might be 
necessary. The Board has considered this comment and added these 
additional amendments, as well as others, as necessary based on the 
final standard.

Effective Date

    The proposing release solicited commenters' feedback on how the 
Board could structure the effective date of the final requirements 
so as to best minimize disruption to ongoing audits, but make 
greater flexibility available to auditors as early as possible. Most 
commenters on this topic suggested making the final standard on 
auditing internal control effective as soon as possible in order to 
be available for 2007 audits.
    The Board agrees that the improvements in Auditing Standard No. 
5 should be available as soon as possible. Accordingly, the Board 
has determined that Auditing Standard No. 5, Rule 3525, and the 
conforming amendments will be effective, subject to approval by the 
SEC, for audits of fiscal years ending on or after November 15, 
2007. Earlier adoption is permitted, however, at any point after SEC 
approval. Auditors who elect to comply with Auditing Standard No. 5 
after SEC approval but before its effective date must also comply, 
at the same time, with Rule 3525 and other PCAOB standards as 
amended by this release.
    Auditing Standard No. 2 will be superseded when Auditing 
Standard No. 5 becomes effective. Auditors who do not elect to 
comply with Auditing Standard No. 5 before that date (but after SEC 
approval) must continue to comply with Auditing Standard No. 2 until 
it is superseded. Such auditors should, however, apply the 
definition of ``material weakness'' contained in Auditing Standard 
No. 5, rather than the one contained in Auditing Standard No. 2. The 
SEC has adopted a rule to define the term ``material weakness,'' and 
the definition in Auditing Standard No. 5 parallels the new SEC 
definition.

Additional Discussion of Comments and the Board's Response

Alignment of Board's Internal Control Auditing Standard and the SEC's 
Guidance to Management

    Many commenters suggested that the SEC's guidance to management 
and the Board's auditing standard should be more closely aligned. 
The commenters appeared to hold different opinions, however, about 
what alignment should mean in this context. Some commenters 
suggested that the most important issue was the need to use the same 
definitions of important terms in both documents. Some focused on 
perceived differences in scope, testing, and documentation 
requirements, while others suggested that the tone of the two 
documents was different and that the Board's proposals were more 
prescriptive. A few commenters suggested that the standard on 
auditing internal control should merely refer to the SEC management 
guidance without providing additional direction to the auditor.
    As discussed above, in formulating a new standard on auditing 
internal control, the Board intended to describe an audit process 
that would be coordinated with management's evaluation process. 
After considering the comments in this area, the Board made several 
changes, described above, that improve coordination while 
recognizing the inherent differences in the roles of management and 
the independent auditor under Section 404. The Board also adopted, 
as proposed, the final standard without a requirement for the 
auditor to perform an evaluation of management's assessment process. 
Commenters generally supported this aspect of the proposal, which 
was intended to respond to concerns that the requirements of 
Auditing Standard No. 2 had become de facto guidance for 
management's process. The absence of this requirement in the final 
standard should also allow for improved coordination between 
management and the auditor.

Level of Prescriptive Detail

    Some commenters suggested that there remained too many instances 
of the use of the terms ``should'' and ``must'' in the proposed 
standard and that this might drive excessive documentation and 
possibly unnecessary work. The Board's Rule 3101 describes the level 
of responsibility that these imperatives impose on auditors when 
used in PCAOB standards, and the Board uses these terms in its 
standards to clearly convey its expectations. In response to these 
comments, the Board analyzed each requirement in the proposed 
standard to determine whether more reliance could be placed on 
general principles rather than detailed requirements. Where 
appropriate, the Board made modifications to make the final standard 
more principles-based. As discussed more fully above, areas in which 
changes were made include the focus on fulfilling the objectives of 
a walkthrough and the description of the top-down approach. Some 
of these changes also contributed to better coordination with the 
SEC's guidance for management.
    In addition, several commenters expressed concern over the 
creation of presumptively mandatory responsibilities related to 
efficiency concepts. The example cited most often was the note to 
paragraph 3 of the proposed standard on auditing internal control, 
which stated--

    Note: The auditor should select for testing only those controls 
that are important to the auditor's conclusion about whether the 
company's controls sufficiently address the assessed risk of 
misstatement to a given relevant assertion that could result in a 
material misstatement to the company's financial statements.

    Commenters suggested that because of this requirement for the 
auditor to select ``only those controls that are important'' for 
testing, an auditor would have violated the Board's standards if he 
or she tested even one control that was later shown to be not 
important. Commenters believed that this would undermine audit 
effectiveness and recommended removal of such statements.
    One of the objectives of the revised standard is to encourage 
auditors to focus on those areas that present the greatest risk of 
allowing a material misstatement in the financial statements. 
However, the Board agrees that its standards should not define a 
ceiling or maximum amount of work which the auditor may not exceed. 
While this statement (and others like it) in the proposed standard 
was not intended to imply that the Board would, with hindsight, 
suggest that an auditor violated the standard through testing of a 
control that was later determined to be not important to the audit, 
the Board has removed the note to paragraph 3 in response to these 
comments. Similar statements throughout the standard have also 
either been removed or modified.

Walkthroughs

    The proposed standard required that the auditor perform a 
walkthrough of each significant process each year and allowed the 
auditor to use others, such as management personnel and internal 
auditors, to directly assist the auditor in this work. The proposed 
standard also indicated that the walkthrough provides audit evidence 
but did not prescribe further requirements regarding the 
circumstances in which a walkthrough might provide the auditor with 
sufficient evidence of operating effectiveness for a particular 
control. The proposing release, however, noted that a walkthrough 
could be sufficient for some low-risk controls in subsequent years.
    As discussed above, the Board received a significant number of 
comments on this topic. While several commenters expressed support 
for the importance of the walkthrough to audit quality, many 
commenters suggested that the proposed provisions in this area were 
more prescriptive than necessary, and suggested risk concepts as a 
way to add flexibility. While these commenters acknowledged the 
value of a walkthrough and its importance to the evaluation of 
design effectiveness, many stated that the requirement to perform a 
walkthrough in an area that is either low-risk, not complex, or 
unchanged appears inconsistent with the other areas in the proposed 
standard that rely upon auditor judgment to a much greater extent.

Use of Others in Achieving the Objectives of a Walkthrough

    Commenters supported allowing the auditor to use others to 
provide the auditor with direct assistance, particularly in low-risk 
areas, with only a few commenters believing that this change could 
jeopardize the quality of the audit. In addition, many commenters 
believed that the standard should allow full use of the work of 
others in performing walkthroughs, although some commenters strongly 
disagreed with this point.
    As discussed above, the final standard focuses the auditor on 
achieving four objectives related to the identification of

[[Page 32365]]

where within the company's processes misstatements could arise, 
rather than specifically on performing walkthroughs. Due to the 
importance of achieving these objectives to the auditor's conclusion 
about internal control, the Board believes that allowing the use of 
the work of others to a greater extent than what was proposed would 
not provide the auditor with an adequate understanding of the 
relevant risks and the related controls. Therefore, similar to the 
proposed standard, Auditing Standard No. 5 allows the auditor to use 
the work of others in achieving the objectives of a walkthrough, but 
only as direct assistance. That is, the auditor will be required to 
supervise, review, evaluate, and test the work performed by 
others.\20\
---------------------------------------------------------------------------

    \20\ See paragraph 27 of AU sec. 322, The Auditor's 
Consideration of the Internal Audit Function in an Audit of 
Financial Statements.
---------------------------------------------------------------------------

Using Walkthroughs To Test Operating Effectiveness

    On the subject of using walkthroughs to test operating 
effectiveness, commenters suggested that walkthroughs can provide 
sufficient evidence of operating effectiveness, but held different 
views about situations in which this would be the case. Some 
commenters supported the use of walkthroughs in low-risk areas, 
while others focused on whether the control itself should be 
low-risk. Several commenters suggested that a walkthrough could provide 
sufficient evidence of operating effectiveness for lower-risk 
controls but only when entity-level controls are strong. Almost all 
commenters agreed that the proposed standard focused on the 
appropriate conditions for using such an approach--specifically, 
when risk is low, when past audits indicate effective design and 
operation of the control, and when no changes have been made to the 
control or process in which the control resides.
    After considering these comments, the Board has decided that the 
risk-based approach that is described in the final standard is the 
appropriate framework for determining the evidence necessary to 
support the auditor's opinion. Therefore, Auditing Standard No. 5 
articulates the principle that performance of a walkthrough might 
provide sufficient evidence of operating effectiveness, depending on 
the risk associated with the control being tested, the specific 
procedures performed as part of the walkthroughs and the results of 
the procedures performed.\21\ The Board believes that establishing 
more detailed requirements in this area is not necessary, because 
application of the general principle in the standard will depend on 
the particular facts and circumstances presented.
---------------------------------------------------------------------------

    \21\ See paragraph 49.
---------------------------------------------------------------------------

Assessing Risk

    The Board's May 16, 2005 guidance emphasized the importance of 
risk assessment in the audit of internal control, and that element 
of the guidance was incorporated and enhanced in the proposed 
standard. The proposed standard required risk assessment at each of 
the decision points in a top-down approach, including the auditor's 
identification of significant accounts and disclosures and their 
relevant assertions. The proposed standard also required an 
assessment of risk at the individual control level, and required 
that the auditor determine the evidence necessary for a given 
control based on this risk assessment.
    The Board received many comments on the risk assessment 
provisions in the proposed standard. Comments on the proposed risk 
assessment approach were generally supportive, with some commenters 
suggesting ways for improving the risk assessment emphasis in the 
standard. Many commenters discussed the requirement in the proposed 
standard for the auditor to assess the risk that the control might 
not be effective and, if not effective, the risk that a material 
weakness would result for each control the auditor selected for 
testing. Commenters suggested that this requirement conflicted with 
both current practice and the requirements within the interim 
standards for the financial statement audit, which involve risk 
assessment at the financial statement assertion level. These 
commenters believed that this requirement would result in risk 
assessments at both the assertion level and the individual control 
level and suggested that assessing (and documenting) risk at the 
relevant assertion level is sufficiently precise to drive 
appropriate audits. Furthermore, they believed that a specific 
requirement to assess risk at the individual control level and its 
associated documentation requirement would be unnecessary.
    After considering these comments, the Board continues to believe 
that the auditor may vary the nature, timing, and extent of testing 
based on the assessed risk related to a control. Making this 
assessment a presumptively mandatory requirement, as it was in the 
proposed standard, however, does not appear necessary to achieve the 
intended benefits of varied testing based on the risk associated 
with a control. Auditing Standard No. 5, therefore, requires the 
auditor to assess the risk related to the relevant assertion, but 
not the risk at the individual control level. The standard permits 
the auditor to consider the risk at the control level, however, and 
alter the nature, timing, and extent of testing accordingly.
    Several commenters expressed concern about the advisability of 
taking a risk-based approach and the adequacy of the Board's interim 
standards regarding risk assessment. These commenters suggested that 
auditors have frequently been unsuccessful at applying a risk-based 
approach to the financial statement audit in the past.
    The Board has found the arguments for a more principles-based 
approach to internal control auditing convincing, and the principle 
that the auditor should vary the testing to respond to the risk is 
one of the most important in the standard. Early implementation of 
Auditing Standard No. 2 demonstrated that, when internal control is 
audited without adequate consideration of risk, the areas that pose 
the greatest danger of material misstatement may be obscured or 
lost. The emphasis on risk, therefore, drives an audit that is more 
effective and focused. While the Board believes that auditors can 
appropriately assess risk based on the interim auditing standards, 
it has committed to examining the existing standards in this area to 
see where improvements can be made. This is currently one of the 
Board's standard setting priorities.

Evaluation of Deficiencies

    The Board received a substantial number of comments on the topic 
of evaluating deficiencies, including comments on the proposed 
definitions of material weakness and significant deficiency, the 
``strong indicators'' of a material weakness, and the requirement to 
evaluate all identified deficiencies. While a number of commenters 
stated that auditors do identify material weaknesses in the absence 
of an actual material misstatement, some noted that, in many cases, 
material weaknesses are identified only when material misstatements 
are discovered. Several commenters suggested that the proposed 
standard, with its focus on using a top-down approach and scoping to 
identify material weaknesses, would allow auditors to do a more 
thorough review of the most important controls with less effort 
expended on reviewing lower risk controls. These commenters often 
stated that this approach should increase the likelihood of the 
auditor detecting material weaknesses before a material misstatement 
occurs.

Definition of a Material Weakness

    The proposed standard retained the basic framework in Auditing 
Standard No. 2 that described material weaknesses by reference to 
the likelihood and magnitude of a potential misstatement. While the 
Board believed that framework to be sound, it made an effort to 
clarify the definition in the proposed standard by replacing the 
reference to ``more than remote likelihood'' with ``reasonable 
possibility.'' Financial Accounting Standards Board (``FASB'') 
Statement No. 5 describes the likelihood of a future event occurring 
as ``probable,'' ``reasonably possible,'' or ``remote.'' The 
definition in Auditing Standard No. 2 referred to a ``more than 
remote'' likelihood of a misstatement occurring. In accordance with 
FASB Statement No. 5, the likelihood of an event is ``more than 
remote'' when it is either ``reasonably possible'' or ``probable.''
    As the Board noted in the proposing release, however, some 
auditors and issuers have misunderstood the term ``more than 
remote'' to mean something significantly less likely than a 
reasonable possibility. This, in turn, could have caused these 
issuers and auditors to evaluate the likelihood of a misstatement at 
a much lower threshold than the Board intended. Because the term 
``more than remote'' could have resulted in auditors and issuers 
evaluating likelihood at a more stringent level than originally 
intended, the Board proposed changing the definition to refer to a 
``reasonable possibility.''
    Commenters on this change were split between those that felt the 
change would reduce unnecessary effort spent on identifying and 
analyzing deficiencies, and those who believed it would not. Several 
commenters noted that the replacement of the term ``more than remote 
likelihood'' with the term ``reasonable possibility'' does not raise 
the auditor's threshold for classifying

[[Page 32366]]

deficiencies. According to those commenters, the change simply 
attempts to align the description of the threshold for identifying 
deficiencies with previous guidance issued by the PCAOB. The Board 
continues to believe that the proposed definition--as well as 
Auditing Standard No. 2--established an appropriate threshold for 
the likelihood part of the definition of material weakness. While 
the Board agrees that, as a definitional matter, ``reasonable 
possibility'' and ``more than remote'' describe the same threshold, 
it believes that ``reasonable possibility'' describes that threshold 
more appropriately and clearly, and will therefore avoid the 
misunderstanding of the threshold created by the way it was 
described in Auditing Standard No. 2. As a result, it retained that 
term in the final definition in the standard.
    In addition, some commenters noted that the definitions of 
material weakness and significant deficiency in the proposed 
standard, like the definitions in Auditing Standard No. 2, referred 
to the likelihood of a material misstatement in both the interim and 
annual financial statements. Most of these commenters suggested that 
the Board remove the term ``interim'' from the definitions of 
material weakness and significant deficiency because, according to 
the commenters, it causes confusion when scoping the audit of 
internal control and unnecessarily complicates the evaluation of 
deficiencies, particularly in the absence of guidance from the SEC 
and FASB regarding interim materiality. Some commenters, however, 
said that the Board should not remove the term ``interim'' from the 
definitions because the evaluation of deficiencies should be 
performed to consider the effectiveness of internal control for both 
the interim and annual financial statements. After carefully 
considering these comments, and in order to use the same definition 
that the SEC uses in its guidance to management, the Board 
determined to retain the reference to interim financial statements 
in the final definition of material weakness.\22\
---------------------------------------------------------------------------

    \22\ The provisions in the final standard relating to 
significant deficiencies are discussed above. As discussed above, 
the Board also made minor wording changes to the definition of 
material weakness in order to use the same definition as the SEC in 
its guidance to management and related rules.
---------------------------------------------------------------------------

Indicators of a Material Weakness

    The proposed standard described circumstances that should be 
regarded as strong indicators of a material weakness in internal 
control. The proposing release noted that the identification of one 
of these strong indicators should bias the auditor toward a 
conclusion that a material weakness exists but does not require the 
auditor to reach that conclusion. Under the proposal, the auditor 
could determine that these circumstances do not rise to the level of 
a material weakness, and in some cases, are not deficiencies at all.
    Many commenters supported the proposed changes from Auditing 
Standard No. 2 relating to strong indicators, agreeing that, by 
allowing greater use of professional judgment in this area, practice 
will improve. A few commenters stated that these changes may lead to 
some inconsistency in practice, but consistent with other 
commenters, they still supported the use of greater professional 
judgment in the evaluation of deficiencies. At least one commenter 
suggested that several of the strong indicators were not indicators 
of a material weakness but should be, under all circumstances, a 
material weakness. A few commenters also suggested that the list of 
strong indicators in Auditing Standard No. 2 actually stifles the 
auditor's judgment to the point that auditors fail to identify 
material weaknesses that exist because the deficiency is not on the 
list of strong indicators. These commenters suggested that removing 
the list of strong indicators entirely would be best.
    The Board believes that auditor judgment is imperative in 
determining whether a deficiency is a material weakness and that the 
standard should encourage auditors to use that judgment. At the same 
time, the Board continues to believe that highlighting certain 
circumstances that are indicative of a material weakness provides 
practical information about the application of the standard. As a 
result, the Board has included this information in the final 
standard but has taken a more principles-based approach. 
Additionally, the Board has coordinated with the SEC so that the 
indicators in the auditing standard parallel those in the SEC's 
management guidance.
    Rather than referring to ``strong indicators,'' the final 
standard refers simply to ``indicators'' of material weakness.\23\ 
The standard also makes clear that the list of indicators is not 
exhaustive and should not be used as a checklist. Specifically, 
under the final standard, the presence of one of the indicators does 
not mandate a conclusion that a material weakness exists. At the 
same time, a deficiency that is not a listed indicator may be a 
material weakness.
---------------------------------------------------------------------------

    \23\ The Board included as an indicator the proposed standard's 
requirement to determine the level of assurance that would satisfy 
prudent officials in the conduct of their own affairs that they have 
reasonable assurance that transactions are recorded as necessary to 
permit the preparation of financial statements in conformity with 
generally accepted accounting principles. In the proposal, if the 
auditor determined that a deficiency would prevent prudent officials 
from concluding that they have such reasonable assurance, the 
auditor was required to deem the deficiency to be at least a 
significant deficiency. Under the final standard, if the auditor 
determines that a deficiency might prevent prudent officials from 
concluding that they have such reasonable assurance, this 
circumstance is an indicator of material weakness.
---------------------------------------------------------------------------

    The Board did not adopt as indicators in the final standard 
certain proposed strong indicators. The Board believes, as at least 
one commenter suggested, that some of these proposed strong 
indicators are better characterized as material weaknesses rather 
than as indicators of a material weakness.\24\ Including them in the 
list of indicators, as adopted, would therefore be inconsistent with 
the degree of judgment required to evaluate whether an indicator of 
a material weakness is, under particular facts and circumstances, a 
material weakness.
---------------------------------------------------------------------------

    \24\ One such proposed strong indicator was an ineffective 
control environment. Under the proposal, indicators of an 
ineffective control environment included identification of fraud on 
the part of senior management and significant deficiencies that have 
been communicated to management and the audit committee and remain 
uncorrected after some reasonable period of time. The final standard 
includes the identification of fraud on the part of senior 
management as an indicator of a material weakness. In order to 
simplify the list and make it more principles-based, as well as to 
align it with the SEC management guidance, however, the Board did 
not include significant deficiencies that remain uncorrected as an 
indicator in the final standard.
---------------------------------------------------------------------------

Requirement To Evaluate All Identified Deficiencies

    The proposed standard required the auditor to evaluate the 
severity of each control deficiency that comes to his or her 
attention. The same provision in the proposed standard made clear, 
however, that the auditor need not scope the audit to find control 
deficiencies that are less severe than material weaknesses. A few 
commenters believed that this requirement is not necessary and 
suggested that an acceptable alternative would be for the auditor to 
verify that management has evaluated all deficiencies.
    The Board continues to believe that the auditor needs to 
evaluate all deficiencies that come to his or her attention. Without 
such an evaluation, there would not be a sufficient basis for the 
auditor's opinion.

Additional Scoping and Materiality Issues

    The proposed standard clarified that the auditor should plan and 
perform the audit of internal control using the same materiality 
measures used to plan and perform the audit of the annual financial 
statements. This direction was intended to address concerns that 
auditors have interpreted Auditing Standard No. 2 as directing them 
to search for potential defects in internal control at a lower 
materiality level than that used in the audit of the annual 
financial statements.
    The Board received many comments on materiality and scoping, and 
a large portion of the commenters expressed support for the proposed 
standard's approach. Some commenters, however, recommended providing 
clear quantitative guidelines for calculating materiality. Other 
commenters expressed concern about such an approach, fearing that 
material areas would be inappropriately excluded from the audit 
scope. Finally, some commenters suggested that the Board should 
provide additional guidance on scoping and extent of control testing 
decisions, such as guidance on sample sizes related to testing of 
high-risk controls versus low-risk controls or more specific 
guidance on the scope of the internal control audit for entities 
with multiple locations.\25\
---------------------------------------------------------------------------

    \25\ The proposed standard focused on the auditor's assessment 
of risk of material misstatement and how the auditor could carry 
that assessment process into the scoping of a multi-location audit. 
Commenters were very supportive of the Board's approach in this area 
and, consequently, the Board has determined to adopt these 
provisions as proposed.
---------------------------------------------------------------------------

    After considering these comments, the Board has determined to 
adopt its discussion of materiality in the internal control audit as 
proposed. The Board believes that the auditing standard on internal 
control is an inappropriate place to redefine or refine the

[[Page 32367]]

meaning of materiality, which is a long-established concept in the 
federal securities laws. With respect to requests for more specific 
guidance on scoping or extent of testing issues, the Board has, as 
discussed above, endeavored to adopt a standard that relies more on 
general principles than detailed requirements. Accordingly, the 
Board believes that auditors should make specific determinations of 
how to comply with the general scoping and testing requirements in 
the standard using professional judgment in the particular 
circumstances presented.

Scaling the Audit for Smaller Companies

    As discussed above, the Board received many comments on the 
proposed section on scaling the audit from commenters with a variety 
of perspectives. The comments covered a wide range of issues. In 
addition to the matters discussed above, commenters suggested:
     That the proposed section on scalability should be 
focused more closely on how complexity relates to a risk-based 
audit;
     That the proposed standard did not provide sufficient 
flexibility for smaller companies and that the standard should 
provide for more ``credit'' for control testing based on work done 
as part of the financial statement audit;
     That the resulting costs of these proposed changes 
would need to be studied for several years to determine if they are 
appropriate;
     That the attributes of smaller, less complex companies 
that were included in the proposed standard were appropriate and 
that the tailoring directions for auditors were adequate;
     That some of the attributes of smaller, less complex 
companies that might allow the auditor to tailor the audit might be, 
instead, risk factors that require more testing;
     That the emphasis on entity-level controls might not be 
appropriate; and
     That the Board's project to develop guidance on 
auditing internal control in smaller public companies is necessary.
    As discussed above, the Board made several changes in response 
to comments in the final standard. The new standard provides 
direction on how to tailor internal control audits to fit the size 
and complexity of the company being audited. It does so by including 
notes throughout the standard on how to apply the principles in the 
standard to smaller, less complex companies, and by including a 
discussion of the relevant attributes of smaller, less complex 
companies as well as less complex units of larger companies. The 
Board believes that the final standard appropriately considers the 
circumstances of smaller and less complex public companies (and 
other companies with less complex business units) while requiring a 
high-quality audit regardless of company size or complexity. The 
planned guidance on this topic will provide additional practical 
information for auditors of smaller companies.

Information Technology Principles

    In gaining an understanding of the effect of information 
technology (``IT'') on internal control over financial reporting and 
the risks the auditor should assess, the proposed standard directed 
the auditor to apply guidance in AU sec. 319, Consideration of 
Internal Control in a Financial Statement Audit. Additionally, the 
proposed standard included a discussion of IT operations at smaller 
and less complex companies. A number of commenters discussed the 
importance of IT risks to determining the scope of the audit and 
recommended that the final standard include additional guidance on 
how the risk assessment related to IT is incorporated in the audit 
of internal control.
    In response to these comments, the Board included in Auditing 
Standard No. 5 a note to paragraph 36 that clarifies that the 
identification of risks and controls within IT should not be a 
separate evaluation but, rather, an integral part of the auditor's 
top-down risk assessment, including identification of significant 
accounts and disclosures and their relevant assertions, as well as 
the controls to test.

Roll-forward Procedures

    The proposed standard discussed the procedures the auditor 
should perform to obtain additional evidence concerning the 
operation of the control when the auditor reports on the 
effectiveness of the control ``as of'' a specific date, but has 
tested the effectiveness of the control at an interim date. The 
Board received a few comments on this topic, mainly from auditors. 
The comments were consistent in their view that the proposed 
standard improperly implies, by using the expression ``if any'' in 
relation to additional evidence the auditor is required to obtain, 
that the auditor may not need to do any roll-forward work. 
Commenters suggested that such an approach would be inconsistent 
with paragraph .99 of AU sec. 319 and suggested that the words ``if 
any'' be removed from the final standard. The Board believes that 
its standard should be consistent with AU sec. 319.99 in that the 
auditor should perform some level of roll-forward procedures. 
Consequently, the Board removed the words ``if any'' from the 
relevant paragraphs of Auditing Standard No. 5 to correct the 
inconsistency. The Board also noted that, in some circumstances, 
inquiry alone might be a sufficient roll-forward procedure.

Cumulative Knowledge and Rotation

    The proposed standard on auditing internal control allowed the 
auditor to incorporate knowledge from previous years' audits into 
his or her decision making process for determining the nature, 
timing, and extent of testing necessary. The section in the proposed 
standard on special considerations for subsequent years' audits 
built upon the risk-based framework in the proposed standard for 
determining the nature, timing, and extent of testing by describing 
certain additional factors for the auditor to evaluate in subsequent 
years. These factors included the results of prior years' testing 
and any change that may have taken place in the controls or the 
business since that testing was performed. This section retained the 
requirement in Auditing Standard No. 2 that each control deemed 
important to the auditor's conclusion be tested every year, but 
allowed for a reduction in testing when the additional risk factors 
indicated that the risk was lower than in the past.
    Many commenters strongly supported these provisions as proposed. 
Many investors, in particular, stated that while they supported the 
proposed approach, they would not be supportive of rotation of 
control testing over a multiple-year period. These commenters were 
generally concerned that rotation of control testing would 
negatively affect audit quality. Among supporters of the approach in 
the proposed standard, several requested further clarification in 
the standard or additional guidance on how this approach should 
affect the level of testing.
    Many issuers suggested that the standard should allow for full 
rotation--which exempts some important controls from testing each 
year--of at least controls in low-risk areas. Other commenters 
recommended that all controls should be tested on a multi-year 
rotating basis. These comments often focused on the fact that while 
the proposed standard required the auditor to evaluate whether there 
had been any relevant changes since the control was tested, it still 
required testing at some level even when there had been no change. 
These commenters considered this requirement to be unnecessary.
    The Board shares the concern that multi-year rotation of control 
testing would not provide sufficient evidence for the auditor's 
opinion on internal control effectiveness, which is required by the 
Act to be issued each year. In the financial statement audit, 
control testing plays a supporting role--to the extent that controls 
have been tested and are effective, the auditor can reduce the level 
of (but not eliminate) the necessary substantive testing. In 
contrast, in the internal control audit, control testing does not 
play a supporting role but is the sole basis for the auditor's 
opinion. Additionally, even if the design of the control and its 
related process does not change from the prior year, it is not 
possible to assess the control's operating effectiveness without 
performing some level of testing. For these reasons, rotation is not 
a viable option in the audit of internal control. Instead, the 
approach described in the proposed standard has been clarified in 
the final standard and continues to focus the auditor on relevant 
changes since a particular control was last tested, as many 
commenters suggested. Under this approach, the auditor would 
consider, in addition to the risk factors described in the standard 
that are always relevant to determining the nature, timing, and 
extent of testing, whether there has been a change in the controls 
or in the business that might necessitate a change in controls; the 
nature, timing, and extent of procedures performed in previous 
audits; and the results of the previous years' testing of the 
control.\26\ After taking into account these additional factors, the 
additional information in subsequent years' audits might permit the 
auditor to assess risk as lower than in the

[[Page 32368]]

initial year and, thus, might permit the auditor to reduce testing.
---------------------------------------------------------------------------

    \26\ See paragraph 55.
---------------------------------------------------------------------------

    This treatment of cumulative knowledge is analogous to the 
roll-forward provisions in the final standard. In the case of subsequent 
years, the auditor, in essence, rolls forward the prior years' 
testing when the control was found to be effective in the past and 
no change has occurred (or would have been expected to occur due to 
changes in the environment or process that contains the control). 
Because the auditor might be able to assess the risk lower in the 
subsequent years, a walkthrough, or equivalent procedures, might be 
sufficient for low-risk controls. This approach appropriately 
factors in the effect of cumulative knowledge, while maintaining 
audit quality and providing a sufficient basis for the auditor's 
opinion.

Reporting the Results of the Audit

    In the proposed standard, the Board attempted to address 
concerns that the separate opinion on management's assessment 
required by Auditing Standard No. 2 contributed to the complexity of 
the standard and caused confusion regarding the scope of the 
auditor's work.\27\ Accordingly, to emphasize the proper scope of 
the audit and to simplify the reporting, the proposed standard 
required that the auditor express only one opinion on internal 
control--a statement of the auditor's opinion on the effectiveness 
of the company's internal control over financial reporting. The 
proposal eliminated the separate opinion on management's assessment 
because it was redundant of the opinion on internal control itself 
and because the opinion on the effectiveness of controls more 
clearly conveys the same information--specifically, whether the 
company's internal control is effective.
---------------------------------------------------------------------------

    \27\ Although Auditing Standard No. 2 requires the auditor to 
evaluate management's process, the auditor's opinion on management's 
assessment is not an opinion on management's internal control 
evaluation process. Rather, it is the auditor's opinion on whether 
management's statements about the effectiveness of the company's 
internal controls are fairly stated.
---------------------------------------------------------------------------

    Many commenters agreed with the Board that eliminating the 
separate opinion on management's assessment would reduce confusion 
and clarify the reporting. Some commenters, however, suggested that 
the Board should instead require only an opinion on management's 
assessment. These commenters expressed their belief that the Act 
requires only that the auditor review management's assessment 
process and not the company's internal control. Additionally, a few 
commenters expressed confusion about why the proposed standard 
continued to reference an audit of management's assessment in 
paragraph 1 of the proposed standard and the auditor's report.
    The Board has determined, after considering these comments, to 
adopt the provision requiring only an opinion on internal 
control.\28\ The Board continues to believe that the overall scope 
of the audit that was described by Auditing Standard No. 2 and the 
proposed standard is correct; that is, to attest to and report on 
management's assessment, as required by Section 404(b) of the Act, 
the auditor must test controls directly to determine whether they 
are effective.\29\ Accordingly, paragraphs 1 and 2 of the proposed 
standard provided that the auditor audits management's assessment--
the statement in management's annual report about whether internal 
control is effective--by auditing whether that statement is 
correct--that is, whether internal control is, in fact, effective. 
The final standard similarly makes this clear. In response to 
commenters, however, the Board has clarified the auditor's report so 
that it will consistently refer to the required audit as the audit 
of internal control.
---------------------------------------------------------------------------

    \28\ The SEC has adopted changes to its rules that require the 
auditor to express an opinion directly on internal control.
    \29\ In addition, Section 103 of the Act requires the Board's 
standard on auditing internal control to include ``testing of the 
internal control structure and procedures of the issuer * * *.'' 
Under Section 103, the Board's standard also must require the 
auditor to present in the audit report, among other things, ``an 
evaluation of whether such internal control structure and procedures 
* * * provide reasonable assurance that transactions are recorded as 
necessary to permit preparation of financial statements in 
accordance with generally accepted accounting principles * * *.''
---------------------------------------------------------------------------

Implementation

    Some commenters urged the Board to focus on implementation 
issues after it adopts a final standard, and noted that effective 
implementation by the Board is crucial to the internal control 
reporting process. Some of these commenters focused on the 
inspections process, which they suggested is key to promoting audit 
efficiency. Some stated that auditors would be unlikely to change 
their audit approach until they are confident that the inspections 
will be similarly focused. The Board is committed to effective 
monitoring of firms' compliance with the new standard and will 
continue to promote proper implementation through other means, 
including the Board's Forums on Auditing in the Small Business 
Environment and guidance for auditors of smaller companies.

III. Date of Effectiveness of the Proposed Rules and Timing for 
Commission Action

    Within 35 days of the date of publication of this notice in the 
Federal Register or within such longer period (i) as the Commission 
may designate up to 90 days of such date if it finds such longer 
period to be appropriate and publishes its reasons for so finding or 
(ii) as to which the Board consents, the Commission will:
    (a) By order approve such proposed rule; or
    (b) Institute proceedings to determine whether the proposed rule 
should be disapproved.

IV. Solicitation of Comments

    Interested persons are invited to submit written data, views and 
arguments concerning the foregoing, including whether the proposed 
rules are consistent with the Act. Comments may be submitted by any 
of the following methods:

Electronic Comments

     Use the Commission's Internet comment form (http://www.sec.gov); or
     Send an e-mail to [email protected]. Please include 
File Number PCAOB-2007-02 on the subject line.

Paper Comments

     Send paper comments in triplicate to Nancy M. Morris, 
Secretary, Securities and Exchange Commission, 100 F Street, NE., 
Washington, DC 20549-1090.

All submissions should refer to File No. PCAOB-2007-02. This file 
number should be included on the subject line if e-mail is used. To 
help process and review your comments more efficiently, please use 
only one method. The Commission will post all comments on the 
Commission's Internet Web site (http://www.sec.gov). Copies of the 
submission, all subsequent amendments, all written statements with 
respect to the proposed rule that are filed with the Commission, and 
all written communications relating to the proposed rule change 
between the Commission and any person, other than those that may be 
withheld from the public in accordance with the provisions of 5 
U.S.C. 552, will be available for inspection and copying in the 
Commission's Public Reference Section, 100 F Street, NE., 
Washington, DC 20549. All comments received will be posted without 
change; we do not edit personal identifying information from 
submissions. You should submit only information that you wish to 
make available publicly. All submissions should refer to File Number 
PCAOB-2007-02. In light of the significant public interest in the 
implementation of section 404 of the Sarbanes-Oxley Act, the 
Commission is providing a 30-day comment period. Comments should be 
submitted on or before July 12, 2007. The Commission intends to act 
on the proposed rule no later than 45 days after publication in the 
Federal Register.

    By the Commission.
Florence E. Harmon,
Deputy Secretary.

[FR Doc. E7-11311 Filed 6-11-07; 8:45 am]
BILLING CODE 8010-01-P