The PCAOB recently finalized its auditing standard implementing Section 404 of the Sarbanes-Oxley Act of 2002, which requires outside auditors to attest to and report on their assessment of internal controls over financial reporting by a company's management. Not surprisingly, but at substantial costs, it requires the outside auditor to reach its own conclusion about a company's internal controls over financial reporting and not just rely on the process by which management assessed the internal controls.
On March 9, 2004, the Public Company Accounting Oversight Board (PCAOB) (1) adopted its second auditing standard. (2) The PCAOB was established as a private-sector regulatory body a little over a year ago in accordance with the Sarbanes-Oxley Act of 2002 (Sarbanes-Oxley). It is required to establish auditing and related professional practice standards to be used by public accounting firms registered with the PCAOB in connection with the preparation and issuance of audit reports on financial statements of public companies.
Auditing Standard No. 2, "An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements," (3) may be one of the most difficult auditing standards that the PCAOB will have to consider. The standard implements the requirement in Section 404(b) of Sarbanes-Oxley that outside auditors attest to and report on their assessment of internal control over financial reporting by a company's management in accordance with Section 404(a) of Sarbanes-Oxley. (4) In addition, Auditing Standard No. 2 is consistent with the requirement in Section 103(a)(2)(A)(iii) of Sarbanes-Oxley that the PCAOB adopt auditing standards that, among other things, require the outside auditor to report on its evaluation of internal control. (5)
No Honeymoon for the PCAOB
The need for the PCAOB to quickly adopt an auditing standard relating to internal control eliminated any possibility of a honeymoon period for the young PCAOB and required it to tackle a topic that has generated significant comment and controversy since 1977, when Congress amended the Securities Exchange Act of 1934 (Exchange Act) to require in Section 13(b)(2)(B) that companies have a system of internal controls that provides reasonable assurances that transactions are executed, and access to assets is permitted, only in accordance with management's authorization and that transactions and assets are accounted for properly. (6)
The Securities and Exchange Commission (SEC) proposed to require management reports on internal control in both 1979 (7) and 1988. (8) Even though those rule proposals would only have required management, and not the outside auditors, to report on internal control, the proposals generated significant comment and controversy. (9) Ultimately, the SEC did not act on the proposals, (10) in part, with respect to the 1979 proposal, because of the private sector initiative that funded the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. (11) In 1992, COSO issued its "Internal Control--Integrated Framework," which defines internal control, identifies the components of internal control and provides a broad framework of criteria against which companies can evaluate the effectiveness of their internal control. (12) While large financial institutions have been required to obtain attestation reports on internal control since 1993, (13) that did not eliminate the controversy and concerns that public companies had about the Section 404 audit requirement.
Not only did the PCAOB confront controversy in addressing its first major auditing standard setting project, but it also had a short period of time in which to develop the standard. On June 5, 2003, (14) the SEC adopted rules that, among other things, implement the requirement in Section 404(a) of Sarbanes-Oxley that management report on internal control. (15) The SEC's adoption release announced that the new rules would require companies that are "accelerated filers" as defined in Exchange Act Rule 12b-2 (16) to include a management report on internal control over financial reporting (17) and an outside auditor opinion on such report in their first annual report for the fiscal year ending on or after June 15, 2004, and would require all other public companies to include such report and opinion in their first annual report for the fiscal year ending on or after April 15, 2005. This effective date imposed on the PCAOB an unrealistically short time period in which to adopt an auditing standard that would enable companies to comply with the SEC's rules, given the complexity of many of the issues that the PCAOB would need to address in the auditing standard. While the existence of a standard for the attestation of internal control, (18) which has been used primarily by outside auditors to report on the internal control of large financial institutions in accordance with the Federal Deposit Insurance Corporation Improvement Act of 1991, may have facilitated the PCAOB's work, the need to satisfy Congress, the public and others that the PCAOB was independent and up to the considerable task bestowed on it by Sarbanes-Oxley required the PCAOB to take a fresh look at the old attestation standard. (19)
Finally, the PCAOB's task was particularly difficult because of the considerable concerns of public companies that the Section 404 requirements would result in both internal costs and costs resulting from the audit requirement that would offset the benefits to the investing public and that could not have been contemplated by Congress in imposing the Section 404 requirements. (20) This concern required the PCAOB to address whether Congress contemplated a simple attestation of management's process for assessing internal control or an audit of internal control over financial reporting. Given the language in Section 103(a)(2)(A)(iii) of Sarbanes-Oxley, the PCAOB concluded, correctly in my judgment, that it had no alternative but to require the outside auditor to reach a conclusion on internal control over financial reporting itself, and not just rely on the process by which management assessed the effectiveness of internal control. (21)
Summary of Auditing Standard No. 2
Auditing Standard No. 2, which is even longer than the over 110-page proposal issued by the PCAOB in October 2003 (22) and far longer and more comprehensive than any audit or attestation standard adopted by the Auditing Standards Board, sets forth procedures and provides directions that apply to an audit of a company's internal control over financial reporting. (23) The objective of such an audit is for the outside auditor to obtain reasonable assurance that no material weaknesses exist in the company's internal control over financial reporting as of the end of the company's fiscal year. This goal requires the outside auditor to evaluate management's assessment of the effectiveness of internal control over financial reporting, evidence the outside auditor obtains from the work performed by others, and evidence obtained by performing auditing procedures himself or herself about whether the internal control over financial reporting was designed and operated effectively.
To perform the audit, the outside auditor must: (24)
a. Plan the engagement;
b. Evaluate management's assessment process;
c. Obtain an understanding of the company's internal control over financial reporting by evaluating the design of controls relating to the five components of internal control, that is, the control environment, risk assessment, control activities, information and communication, and monitoring; identifying company-level controls, which include the tone at the top; evaluating the effectiveness of the audit committee's oversight; identifying significant accounts and disclosures; identifying relevant financial statement assertions; identifying significant processes and major classes of transactions; identifying the period-end reporting process; performing walkthroughs; and identifying controls to test;
d. Test and evaluate the design effectiveness of the company's internal control over financial reporting;
e. Test and evaluate the operating effectiveness of the company's internal control over financial reporting by relying on the work of others under certain circumstances but performing enough of his or her own tests so that the auditor's own work provides the principal evidence for his or her opinion; and
f. Form an opinion on the effectiveness of the company's internal control over financial reporting.
New Effective Date of Internal Control over Financial Reporting Requirements
The SEC announced in Release No. 33-8392 (February 24, 2004), a delay in the effective date of the rules …