PCAOB Proposes Auditing Standards For Internal Control Over Financial Reporting
On Tuesday, October 7, the Public Company Accounting Oversight Board unanimously voted to propose and issue for public comment a standard on an audit of internal control over financial reporting. The Board also unanimously voted to propose and issue for public comment a rule which clearly defines terms used in auditing to assist firms in complying with the standards.
The auditing standard, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, addresses both the work that is required to audit internal control over financial reporting and the relationship of that audit to the audit of the financial statements. The integrated audit results in two audit opinions: one on internal control over financial reporting and one on the financial statements.
Section 404(a) of the Sarbanes-Oxley Act of 2002, and the Securities and Exchange Commission's related implementing rules, require the management of a public company to assess the effectiveness of the company's internal control over financial reporting, as of the end of the company's most recent fiscal year. Section 404 of the Act also requires management to include in the company's annual report to shareholders, management's conclusion as a result of that assessment about whether the company's internal control is effective. Section 404 of the Act, as well as Section 103, directs the PCAOB to establish professional standards governing the independent auditor's attestation, and reporting on, management's assessment of the effectiveness of internal control.
Companies considered accelerated filers (seasoned U.S. companies with public float exceeding $75 million) are required to comply with the internal control reporting and disclosure requirements of Section 404 of the Act for fiscal years ending on or after June 15, 2004. Accordingly, auditors engaged to audit the financial statements of such companies for fiscal years ending on or after June 15, 2004, also are required to audit and report on the company's internal control over financial reporting as of the end of such fiscal year. Other companies (including smaller companies, foreign private issuers and companies with only registered debt securities) have until fiscal years ending on or after April 15, 2005, to comply with these internal control reporting and disclosure requirements, and the requirement for audit reporting on internal control is similarly delayed.
The Board considered the possible effects of the proposed standard on small and medium-sized companies, noting that internal control is not "one-size-fits-all."
The proposed standard requires the auditor to communicate in writing to the company's audit committee all significant deficiencies and material weaknesses of which the auditor is aware. The auditor also is required to communicate in writing to the company's management all internal control deficiencies of which he or she is aware and to notify the audit committee that such communication has been made.
The proposed auditing standard identifies a number of circumstances that would be, by definition, significant deficiencies and that also would be a strong indicator that a material weakness exists:
- Ineffective oversight of the company's external financial reporting and internal control over financial reporting by the company's audit committee. The proposed auditing standard requires the auditor to evaluate factors related to whether the audit committee is effective, including whether audit committee members act independently from management. Effective oversight by the company's board of directors, including its audit committee, is essential to the company's achievement of its objectives and is an integral part of a company's monitoring of internal control. In addition to requiring the audit committee to oversee the company's external financial reporting and internal control over financial reporting, the Act makes the audit committee directly responsible for the appointment, compensation, and oversight of the work of the auditor. Thus, an ineffective audit committee can have serious detrimental effects on the company and its internal control over financial reporting as well as on the independent audit.
- Material misstatement in the financial statements not initially identified by the company's internal controls. The audit of internal control over financial reporting and the audit of the company's financial statements are an integrated activity and are required by the Act to be a single engagement. The results of the work performed in a financial statement audit provide evidence to support the auditor's conclusions on the effectiveness of internal control, and vice-versa. Therefore, if the auditor discovers a material misstatement in the financial statements as a part of his or her audit of the financial statements, the auditor should consider whether internal control over financial reporting is effective. That the company's internal controls did not first detect the misstatement is a strong indicator that the company's internal control over financial reporting is not effective.
- Significant deficiencies that have been communicated to management and the audit committee but that remain uncorrected after a reasonable period of time. Significant deficiencies in internal control that are not also determined to be material weaknesses, as defined in the proposed auditing standard, are not so severe as to require the auditor to conclude that internal control is ineffective. However, these deficiencies are significant, and the company should correct them. If management does not correct significant deficiencies within a reasonable period of time, that reflects poorly on tone-at-the-top and the control environment. Additionally, the significance of the deficiency can change over time (for example, increases in sales volume or added complexity in sales transaction structures would increase the severity of a significant deficiency affecting sales).
The public comment period on this proposal is 45 days. The rule must be approved by the Securities and Exchange Commission to be effective.
The Board also voted today to propose Rule 3101, which describes the use of certain terms in the auditing and related professional practice standards to communicate the level of obligation imposed on registered public accounting firms and their associated persons in complying with the standards.
PCAOB Rule 3100 requires all registered public accounting firms and their associated persons to comply with the Board's Auditing and Related Professional Practice Standards in connection with the preparation or issuance of any audit report for an issuer, as defined in the Sarbanes-Oxley Act of 2002. Proposed Rule 3101 explains how the Board will refer to, and distinguish among, differing levels of professional obligations in the future standards it issues and in the Board's interim standards (in Rules 3200T, 3300T, 3400T, 3500T, and 3600T).
Public comments must be received by November 6, 2003. The rule must be approved by the Securities and Exchange Commission. If the Board issues the proposed standard, it will seek comment on the proposed standard for a 45-day period. Interested persons are encouraged to submit their views to the Board. Written comments should be sent to Office of the Secretary, PCAOB, 1666 K Street, N.W., Washington, D.C. 20006-2803. Comments may also be submitted by e-mail to mailto:firstname.lastname@example.org or through the Board's Web site at http://www.pcaobus.org.
All comments should refer to PCAOB Rulemaking Docket Matter No. 008 in the subject or reference line and should be received by the Board no later than 5:00 p.m. (EST) on November 21, 2003.