(The news featured below is a selection from the news covered in the Federal Securities Report Letter, which is distributed to subscribers of the Federal Securities Law Reports.)

PCAOB Proposes Internal Control Audit Standards

The Public Company Accounting Oversight Board has proposed standards for audits of internal control over financial reporting. The proposed standards address both the work that is required to audit internal control over financial reporting and the relationship of that audit to the audit of the financial statements. The integrated audit results in two audit opinions, one on internal control over financial reporting and one on the financial statements. The rule must be approved by the SEC to be effective.

The proposals flow from Section 404 of the Sarbanes-Oxley Act and SEC implementing rules that require management to assess the effectiveness of the company's internal control over financial reporting and include in the annual report to shareholders management's conclusion as a result of that assessment about whether the company's internal control is effective. Section 404 also requires the company's auditor to report on and attest to management's assessment of the internal controls. Sarbanes-Oxley directs the PCAOB to establish professional standards governing the independent auditor's attestation, and reporting on, management's assessment of the effectiveness of internal control.

In the view of board member Daniel L. Goelzer, from the perspective of investor protection and promoting accurate financial reporting, this is one of the most important standards the board will ever consider. Mr. Goelzer believes that the Sarbanes-Oxley requirement of a management report and an auditor attestation on internal controls revolutionizes the nature of both management's and the auditor's focus on internal control. According to board member Kayla J. Gillan, the proposals require a top down approach to the audit, starting with company-level controls, which may include the tone at the top, down through significant accounts, significant processes, and finally to the individual control level.

The proposed standard requires auditors to communicate in writing to the company's audit committee all significant deficiencies and material weaknesses of which the auditor is aware. Auditors are also required to communicate in writing to the company's management all internal control deficiencies of which they are aware and to notify the audit committee that such communication has been made. The proposed auditing standard identifies a number of circumstances that would be, by definition, significant deficiencies and that also would be a strong indicator that a material weakness exists.

One such circumstance would be ineffective oversight of the company's external financial reporting and internal control over financial reporting by the company's audit committee. In this context, the proposed standard requires the auditor to evaluate factors related to whether the audit committee is effective, including whether committee members act independently from management.

Another strong indicator that the company's internal control over financial reporting is not effective would be a material misstatement in the financial statements not initially identified by the company's internal controls. Still another circumstance would be when significant deficiencies that have been communicated to management and the audit committee have remained uncorrected after a reasonable period of time.

PCAOB Chief Auditor Douglas Carmichael clarified why the proposal refers to an audit of internal control when Sarbanes-Oxley talks about an attestation. An attestation, he explained, is generally an expert's communication of a conclusion about the reliability of someone else's assertion. For example, a financial statement audit is a form of attestation.

Management makes assertions about the accuracy and completeness of the financial statements, and the auditor evaluates management's assertions. Internal control is similar, Mr. Carmichael said, adding that management makes an assertion about the effectiveness of internal control and the auditor evaluates management's assertion. In either case, the auditor ultimately renders an opinion about whether management's assertion is correct, either that the financial statements are fairly stated or that internal control is effective.

To do that the auditor evaluates the process management used to make its assertion and obtains evidence about whether that assertion is correct. In the chief auditor's view, the objectives and work performed both in an attestation of management's assessment of internal control and an audit of the financial statements are closely interrelated.

Therefore, the proposed standard states that these activities should be integrated, and that the auditor cannot report on management's assessment of the effectiveness of internal control without also performing an audit of the company's financial statement. Consistent with that idea, the board proposes an integrated standard that refers to both the financial statement audit and the internal control attestation. Throughout the proposed standard, concluded the official, the auditor's attestation of management's assessment of the effectiveness of internal control over financial reporting is referred to as the audit of internal control over financial reporting.