(The news
featured below is a selection from the news covered in the Federal Securities
Report Letter, which is distributed to subscribers of the Federal
Securities Law Reports.)
PCAOB Proposes Internal
Control Audit Standards
The Public Company Accounting
Oversight Board has proposed standards for audits of internal control over
financial reporting. The proposed standards address both the work that is
required to audit internal control over financial reporting and the relationship
of that audit to the audit of the financial statements. The integrated audit
results in two audit opinions, one on internal control over financial reporting
and one on the financial statements. The rule must be approved by the SEC to be
effective.
The proposals flow from Section
404 of the Sarbanes-Oxley Act and SEC implementing rules that require management
to assess the effectiveness of the company's internal control over financial
reporting and include in the annual report to shareholders management's
conclusion as a result of that assessment about whether the company's internal
control is effective. Section 404 also requires the company's auditor to report
on and attest to management's assessment of the internal controls.
Sarbanes-Oxley directs the PCAOB to establish professional standards governing
the independent auditor's attestation, and reporting on, management's assessment
of the effectiveness of internal control.
In the view of board member Daniel
L. Goelzer, from the perspective of investor protection and promoting accurate
financial reporting, this is one of the most important standards the board will
ever consider. Mr. Goelzer believes that the Sarbanes-Oxley requirement of a
management report and an auditor attestation on internal controls revolutionizes
the nature of both management's and the auditor's focus on internal control.
According to board member Kayla J. Gillan, the proposals require a top down
approach to the audit, starting with company-level controls, which may include
the tone at the top, down through significant accounts, significant processes,
and finally to the individual control level.
The proposed standard requires
auditors to communicate in writing to the company's audit committee all
significant deficiencies and material weaknesses of which the auditor is aware.
Auditors are also required to communicate in writing to the company's management
all internal control deficiencies of which they are aware and to notify the
audit committee that such communication has been made. The proposed auditing
standard identifies a number of circumstances that would be, by definition,
significant deficiencies and that also would be a strong indicator that a
material weakness exists.
One such circumstance would be
ineffective oversight of the company's external financial reporting and internal
control over financial reporting by the company's audit committee. In this
context, the proposed standard requires the auditor to evaluate factors related
to whether the audit committee is effective, including whether committee members
act independently from management.
Another strong indicator that the
company's internal control over financial reporting is not effective would be a
material misstatement in the financial statements not initially identified by
the company's internal controls. Still another circumstance would be when
significant deficiencies that have been communicated to management and the audit
committee have remained uncorrected after a reasonable period of time.
PCAOB Chief Auditor Douglas
Carmichael clarified why the proposal refers to an audit of internal control
when Sarbanes-Oxley talks about an attestation. An attestation, he explained, is
generally an expert's communication of a conclusion about the reliability of
someone else's assertion. For example, a financial statement audit is a form of
attestation.
Management makes assertions about
the accuracy and completeness of the financial statements, and the auditor
evaluates management's assertions. Internal control is similar, Mr. Carmichael
said, adding that management makes an assertion about the effectiveness of
internal control and the auditor evaluates management's assertion. In either
case, the auditor ultimately renders an opinion about whether management's
assertion is correct, either that the financial statements are fairly stated or
that internal control is effective.
To do that the auditor evaluates
the process management used to make its assertion and obtains evidence about
whether that assertion is correct. In the chief auditor's view, the objectives
and work performed both in an attestation of management's assessment of internal
control and an audit of the financial statements are closely interrelated.
Therefore, the proposed standard
states that these activities should be integrated, and that the auditor cannot
report on management's assessment of the effectiveness of internal control
without also performing an audit of the company's financial statement.
Consistent with that idea, the board proposes an integrated standard that refers
to both the financial statement audit and the internal control attestation.
Throughout the proposed standard, concluded the official, the auditor's
attestation of management's assessment of the effectiveness of internal control
over financial reporting is referred to as the audit of internal control over
financial reporting.
|