Skip Stein

Technology Consultant

Information Technology Systems,  Intelligent Home Design & Automation

Honesty ~ Integrity ~ Loyalty ~ Respect


Updated: 09/19/2008
Copyright
© 1996-2008 Skip Stein

On June 18, 2004, the Public Company Accounting Oversight Board announced that its Auditing Standard No. 2, “An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements,” had been approved by the Securities and Exchange Commission. This standard is the standard on attestation engagements referred to in Section 404(b) as well as Section 103(a)(2)(A) of the Sarbanes-Oxley Act of 2002. It addresses both the work that is required to audit internal control over financial reporting and the relationship of that audit to the audit of the financial statements.

Objective of an Audit of Internal Control (Paragraphs 4-6). The Standard continues to require the independent auditor to evaluate management’s assessment process to determine whether management has an appropriate basis for reaching its conclusion concerning Internal Control over Financial Reporting (ICFR). The Standard also continues to require the independent auditor to test the effectiveness of ICFR to determine whether management’s assessment is fairly stated.

The Standard requires the independent auditor to express two separate opinions, one on whether management’s assessment is fairly stated and the second on whether the company maintained effective ICFR. The Standard also retains the requirement that the auditor issue an adverse opinion when one or more material weaknesses are identified.

Evaluating Control Deficiencies under PCAOB Auditing Standard No 2.

Under the requirements of Section 404 of the Sarbanes–Oxley Act (SOX), management is required to provide an assessment of both the internal control design and the operating effectiveness. As part of documenting the control design and testing its effectiveness, it is anticipated that deficiencies will arise.

One of the challenges in the process is evaluating the deficiencies and classifying them. Control deficiencies are classified in the PCAOB Auditing Standard No 2 from internal control deficiencies to significant deficiencies to material weaknesses in internal control. The definitions of the differences among these categories are difficult to interpret and are noted at the end of the article for reference.

Specific guidance on interpreting the standard with respect to deficiencies is limited and, since this is the first year of SOX compliance, best practices are still evolving. Because of the subjectivity involved, it is advisable for management to seek guidance from the external audit firm that will be attesting to the internal controls. Some of the external auditing firms recommend that both quantitative and qualitative measures be applied when evaluating the potential significance of a deficiency. By quantitative, they mean attributing some monetary amount to the deficiency noted. As a guide to analyzing deficiencies, the following approach to identifying, evaluating, and classifying internal control deficiencies is recommended.

Identification.

The first task of management is to make sure that all deficiencies are identified.  Internal control deficiencies may relate to the design or operating effectiveness of a control.  All areas of the control environment should be accounted for, including key business units, overall company-level controls, anti-fraud programs, and audit committee effectiveness.  Deficiencies may be identified through many sources, including: 

  • management’s assessment of internal control over financial reporting
  • management’s testing or a self-assessment process
  • internal audit in the scope of its work
  • the external auditors in the scope of their work
  • service organization SAS 70 reports
  • regulatory examination reports.

Information Technology Controls.

In the past, the assessment of internal controls has been accomplished by ‘testing’ selected transactions ‘around’ information technology systems. In other words, the auditor never examines the technical system and computer operations, but ‘tests’ the transaction on the front end to see if the same results come out at the ‘other’ end, bypassing any examination of the data manipulation that occurs in any automated information processing system. While this was deemed sufficient in the past, SOX is now placing additional scrutiny on the IT systems that process financial-related transactions. Since any operational transaction (inventory movement, sales, distribution, personnel acquisition, etc.) impacts the company revenue or expense, all transactions are thus covered by any internal control structure.

Any internal controls or audit documentation project requires a background in accounting, systems and technology to understand the intricacies of the data manipulation that occurs within any IT processing system. Typically this mix of skills is not found in the traditional financial auditor, who receives only passing training on the operation and functioning of a complex data processing and information technology department.

Evaluation.

The deficiencies should be listed and analyzed in a logical manner. For example, deficiencies that could potentially impact the accuracy of financial reporting or result in a possible error are more important than deficiencies that if corrected would enhance the efficiency of operations. Therefore, management should ensure that it has an accurate understanding of the nature and implications of the deficiency, as well as its potential impact on the financial statements.

It is possible that a consideration of the financial statement assertion(s) that are not supported as a result of the deficiency will assist in this understanding. However, it is also possible that other controls may address the assertion which would help mitigate the weakness. As a result, part of the assessment of deficiencies includes a determination as to the likelihood that a misstatement would not be prevented or detected because of the deficiency. Deficiencies for which there is only a remote likelihood of occurrence cannot rise to the level of a significant deficiency or material weakness, and therefore in the case of these less critical deficiencies, determining the magnitude of a potential misstatement is not required.

The PCAOB Standard identifies the following as factors that may impact conclusions on the likelihood of occurrence being more than remote or not: 

  • The nature of the financial statement accounts, disclosures, and assertions involved

  • The susceptibility of the related assets or liability to loss or fraud

  • The subjectivity, complexity, or extent of judgment required to determine the amount involved. For example, the more subjectivity, complexity, or judgment, the greater the risk.

  • The cause and frequency of known or detected exceptions for the operating effectiveness of a control

  • The interaction or relationship of the deficiencies with the other controls

  • The possible future consequences of the deficiency

In attempting to quantify the impact of a deficiency, management should consider the total account balance or transaction flow, and the assertion that is exposed to risk as a result of the deficiency. The focus should be on the size of the potential error that could occur in a more-than-remote likelihood situation. The Standard indicates the following factors may impact the magnitude: 

  • The financial statement amounts or total of transactions exposed to the deficiency;

  • The volume of activity in the account balance or class of transactions exposed to the deficiency.

Compensating Controls.

Control deficiencies should first be evaluated separately, since the existence of a compensating control does not affect whether a control deficiency exists. However, compensating controls should be taken into account when assessing the likelihood of a misstatement occurring and not being prevented or detected. A compensating control may also limit the potential dollar impact of a deficiency, such as certain processes that are triggered at certain dollar and/or volume levels. High-level analytical procedures alone, however, are not sufficient to compensate for deficiencies. For a compensating control to be effective, the control should operate at a level of precision that would prevent or detect a misstatement that was more than inconsequential or material.

Classification.

Once controls are identified and evaluated from a likelihood of occurrence standpoint, management needs to determine if the deficiency represents a significant deficiency or a material weakness.  The Standard indicates that if the deficiency would prevent a prudent person from concluding that reasonable assurance exists that the financial statements are in conformity with GAAP, the deficiency should be considered at least to be a significant deficiency. 

The Standard indicates weaknesses in the following areas would ordinarily be considered at least significant deficiencies: 

  • Controls over the selection and application of accounting policies that are in conformity with GAAP

  • Anti-fraud programs and controls

  • Controls over non-routine or non-systematic transactions

  • Controls over the period-end financial reporting process

The Standard indicates each of the following circumstances should be regarded as at least a significant deficiency, and as a strong indicator that a material weakness exists: 

  • Restatement of previously issued financial statements to reflect the correction of a misstatement due to error or fraud.

  • Identification by the auditor of a material misstatement in the financial statements in the current period that was not initially identified by the company’s internal control over financial reporting.

  • Ineffective oversight of the company’s external financial reporting and internal control over financial reporting by the company’s audit committee.

  • The internal audit function or the risk assessment function is ineffective at a company for which such a function needs to be effective for the company to have an effective monitoring or risk assessment component, such as for very large or highly complex companies.

  • For complex entities in highly regulated industries, an ineffective regulatory compliance function. This relates solely to those aspects of the ineffective regulatory compliance function in which associated violations of laws and regulations could have a material effect on the reliability of financial reporting.

  • Identification of fraud of any magnitude on the part of senior management.

  • Significant deficiencies that have been communicated to management and the audit committee remain uncorrected after some reasonable period of time.

Aggregation of Deficiencies.

The Standard indicates that a significant deficiency can be a combination of internal control deficiencies, and a material weakness can be a combination of significant deficiencies. Thus, management must accumulate all internal control deficiencies for evaluation in the aggregate, considering whether there is a concentration of deficiencies over a particular business process, account, or assertion. Individually, deficiencies may not be a significant deficiency; however, that could change when they are aggregated. In addition, the assessment of the interaction of deficiencies with each other is important, since it may highlight patterns of deficiencies that could impact the same group of accounts, therefore rising to the level of a significant deficiency or possibly even a material weakness.

Definitions of the Control Deficiencies in PCAOB Standard No. 2 

  • Internal Control Deficiency. An internal control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
  • Significant Deficiency. A significant deficiency is an internal control deficiency or combination of control deficiencies that adversely affects the company’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with GAAP. In such an occurrence, there will be a more-than-remote likelihood that a misstatement of the company’s annual or interim financial statements that is more than inconsequential would not be prevented or detected.
  • Material Weakness. A material weakness is a significant deficiency or combination of significant deficiencies that results in a more-than-remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.

 
