The Sarbanes-Oxley Act of 2002 requires public accounting firms that audit public companies to register with the Public Company Accounting Oversight Board (PCAOB) and to adhere to professional standards established by the board for audits of public companies. The PCAOB's pronouncement, Auditing Standard 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, requires auditors to issue an opinion on the effectiveness of their public company clients' internal control.
On June 5, 2003, the SEC issued Release 33-8238 to implement section 404(a) of the Sarbanes-Oxley Act (SOA), which requires management to include in the annual report to shareholders its assessment of the effectiveness of internal control. The company's external auditors must attest to and report on management's assessment for fiscal years beginning on or after January 15, 2006, for accelerated filers, and on or after July 15, 2006, for nonaccelerated filers. Standard 2 imposes many new responsibilities on public companies' auditors and, by extension, on the public companies themselves. In its over 200 pages, Standard 2 delineates the PCAOB's expectations for an internal control audit.
Overview of an Internal Control Audit
Although Standard 2 defines an "audit" as an integrated audit of both the financial statements and internal control, separate examination of the internal control audit facilitates understanding. Standard 2 identifies the following important steps in an audit of internal control:
* Plan the audit.
* Evaluate management's assessment process.
* Obtain an understanding of internal control.
* Test and evaluate design effectiveness.
* Test and evaluate operating effectiveness.
* Evaluate the sufficiency of testing.
* Formulate an opinion on the effectiveness of internal control over financial reporting.
* Issue a report on internal control.
* Communicate findings to the audit committee and management.
Although auditors routinely carry out some of the foregoing steps in a financial statement audit, the audit of internal control requires more extensive procedures, coupled with some requirements that break new ground. Key implementation issues include the following:
* Differentiating between management and auditor responsibilities;
* Identifying entities to include in the consolidated group;
* Selecting testing locations;
* Distinguishing design effectiveness from operating effectiveness;
* Considering issues related to the "as of" date;
* Deciding on the extent of control testing;
* Using the work of others;
* Distinguishing between a material weakness and a significant deficiency; and
* Reporting results to management and financial statement users.
Differentiating Between Management and Auditor Responsibilities
Management's responsibilities. Standard 2 requires management to do the following:
* Accept responsibility for the effectiveness of the company's internal control over financial reporting.
* Evaluate the effectiveness of internal control over financial reporting, using suitable control criteria such as the COSO framework or an alternative recognized framework developed by a body of experts following due process.
* Support the evaluation with sufficient documented evidence.
* Present a written assessment about the effectiveness of the company's internal control as of the end of the most recent fiscal year.
Management must perform procedures sufficient to support its evaluation of control effectiveness, and is prohibited by Standard 2 from using the auditor's testing as part of the basis for its assessment of control effectiveness. Management's failure to fulfill the foregoing responsibilities requires the auditor to disclaim an opinion on internal control due to a scope limitation. …