Public Company Accounting Oversight Board; Notice of Filing of Proposed Rule on Auditing Standard No. 5, an Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements, and Related Independence Rule and Conforming Amendments, 32340-32368 [E7-11311]

Agencies

• SECURITIES AND EXCHANGE COMMISSION

[Federal Register Volume 72, Number 112 (Tuesday, June 12, 2007)]
[Notices]
[Pages 32340-32368]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E7-11311]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-55876; File No. PCAOB-2007-02]


Public Company Accounting Oversight Board; Notice of Filing of 
Proposed Rule on Auditing Standard No. 5, an Audit of Internal Control 
Over Financial Reporting That Is Integrated With an Audit of Financial 
Statements, and Related Independence Rule and Conforming Amendments

June 7, 2007.
    Pursuant to Section 107(b) of the Sarbanes-Oxley Act of 2002 (the 
``Act''), notice is hereby given that on May 25, 2007, the Public 
Company Accounting Oversight Board (the ``Board'' or the ``PCAOB'') 
filed with the Securities and Exchange Commission (the ``Commission'' 
or ``SEC'') the proposed rules described in Items I and II below, which 
items have been prepared by the Board. The Commission is publishing 
this notice to solicit comments on the proposed rules from interested 
persons. The text of the proposed rules consists of proposed Auditing 
Standard No. 5, An Audit of Internal Control Over Financial Reporting 
That is Integrated with an Audit of Financial Statements, and Related 
Independence Rule and conforming amendments to its auditing standards.

I. Board's Statement of the Terms of Substance of the Proposed Rules

    On May 24, 2007, the Board adopted Auditing Standard No. 5, An 
Audit of Internal Control Over Financial Reporting That is Integrated 
with an Audit of Financial Statements (``Auditing Standard No. 5''); 
Rule 3525, Audit Committee Pre-Approval of Non-Audit Services Related 
to Internal Control Over Financial Reporting, and conforming amendments 
to its auditing standards. The proposed rule text is set out below.

Auditing Standard No. 5--An Audit of Internal Control Over Financial 
Reporting That Is Integrated With an Audit of Financial Statements

Table of Contents

 
                                                               Paragraph
 
Introduction................................................         1-8
    Integrating the Audits..................................         6-8
Planning the Audit..........................................        9-20
    Role of Risk Assessment.................................       10-12
    Scaling the Audit.......................................          13
    Addressing the Risk of Fraud............................       14-15
    Using the Work of Others................................       16-19
    Materiality.............................................          20
Using a Top-Down Approach...................................       21-41
    Identifying Entity-Level Controls.......................       22-27
        Control Environment.................................          25
        Period-end Financial Reporting Process..............       26-27
    Identifying Significant Accounts and Disclosures and           28-33
     Their Relevant Assertions..............................
    Understanding Likely Sources of Misstatement............       34-38
        Performing Walkthroughs.............................       37-38
    Selecting Controls to Test..............................       39-41
Testing Controls............................................       42-61
    Testing Design Effectiveness............................       42-43
    Testing Operating Effectiveness.........................       44-45
    Relationship of Risk to the Evidence to be Obtained.....       46-56
        Nature of Tests of Controls.........................       50-51
        Timing of Tests of Controls.........................       52-53
        Extent of Tests of Controls.........................          54
        Roll-Forward Procedures.............................       55-56
    Special Considerations for Subsequent Years' Audits.....       57-61
Evaluating Identified Deficiencies..........................       62-70
    Indicators of Material Weaknesses.......................       69-70
Wrapping-Up.................................................       71-84
    Forming an Opinion......................................       71-74
    Obtaining Written Representations.......................       75-77
    Communicating Certain Matters...........................       78-84
Reporting on Internal Control...............................       85-98
    Separate or Combined Reports............................       86-88
    Report Date.............................................          89
    Material Weaknesses.....................................       90-92
    Subsequent Events.......................................       93-98
 

Appendices

 
 
 
Appendix A--Definitions.....................................      A1-A11
Appendix B--Special Topics..................................      B1-B33
    Integration of Audits...................................       B1-B9
    Multiple Locations Scoping Decisions....................     B10-B16
    Use of Service Organizations............................     B17-B27
    Benchmarking of Automated Controls......................     B28-B33
Appendix C--Special Reporting Situations....................      C1-C17

[[Page 32341]]

 
    Report Modifications....................................      C1-C15
    Filings Under Federal Securities Statutes...............     C16-C17
 

Introduction

    1. This standard establishes requirements and provides direction 
that applies when an auditor is engaged to perform an audit of 
management's assessment \1\ of the effectiveness of internal control 
over financial reporting (``the audit of internal control over 
financial reporting'') that is integrated with an audit of the 
financial statements.\2\
---------------------------------------------------------------------------

    \1\ Terms defined in Appendix A, Definitions, are set in 
boldface type (italics in the Federal Register printing) the first 
time they appear.
    \2\ This auditing standard supersedes Auditing Standard No. 2, 
An Audit of Internal Control Over Financial Reporting Performed in 
Conjunction with An Audit of Financial Statements, and is the 
standard on attestation engagements referred to in Section 404(b) of 
the Act. It also is the standard referred to in Section 
103(a)(2)(A)(iii) of the Act.
---------------------------------------------------------------------------

    2. Effective internal control over financial reporting provides 
reasonable assurance regarding the reliability of financial reporting 
and the preparation of financial statements for external purposes.\3\ 
If one or more material weaknesses exist, the company's internal 
control over financial reporting cannot be considered effective.\4\
---------------------------------------------------------------------------

    \3\ See Securities Exchange Act Rules 13a-15(f) and 15d-15(f), 
17 CFR Sec. Sec.  240.13a-15(f) and 240.15d-15(f); Paragraph A5.
    \4\ See Item 308 of Regulation S-K, 17 CFR 229.308.
---------------------------------------------------------------------------

    3. The auditor's objective in an audit of internal control over 
financial reporting is to express an opinion on the effectiveness of 
the company's internal control over financial reporting. Because a 
company's internal control cannot be considered effective if one or 
more material weaknesses exist, to form a basis for expressing an 
opinion, the auditor must plan and perform the audit to obtain 
competent evidence that is sufficient to obtain reasonable assurance 
\5\ about whether material weaknesses exist as of the date specified in 
management's assessment. A material weakness in internal control over 
financial reporting may exist even when financial statements are not 
materially misstated.
---------------------------------------------------------------------------

    \5\ See AU sec. 230, Due Professional Care in the Performance of 
Work, for further discussion of the concept of reasonable assurance 
in an audit.
---------------------------------------------------------------------------

    4. The general standards \6\ are applicable to an audit of internal 
control over financial reporting. Those standards require technical 
training and proficiency as an auditor, independence, and the exercise 
of due professional care, including professional skepticism. This 
standard establishes the fieldwork and reporting standards applicable 
to an audit of internal control over financial reporting.
---------------------------------------------------------------------------

    \6\ See AU sec. 150, Generally Accepted Auditing Standards.
---------------------------------------------------------------------------

    5. The auditor should use the same suitable, recognized control 
framework to perform his or her audit of internal control over 
financial reporting as management uses for its annual evaluation of the 
effectiveness of the company's internal control over financial 
reporting.\7\
---------------------------------------------------------------------------

    \7\ See Securities Exchange Act Rules 13a-15(c) and 15d-15(c), 
17 CFR 240.13a-15(c) and 240.15d-15(c). SEC rules require management 
to base its evaluation of the effectiveness of the company's 
internal control over financial reporting on a suitable, recognized 
control framework (also known as control criteria) established by a 
body or group that followed due-process procedures, including the 
broad distribution of the framework for public comment. For example, 
the report of the Committee of Sponsoring Organizations of the 
Treadway Commission (known as the COSO report) provides such a 
framework, as does the report published by the Financial Reporting 
Council, Internal Control Revised Guidance for Directors on the 
Combined Code, October 2005 (known as the Turnbull Report).
---------------------------------------------------------------------------

Integrating the Audits

    6. The audit of internal control over financial reporting should be 
integrated with the audit of the financial statements. The objectives 
of the audits are not identical, however, and the auditor must plan and 
perform the work to achieve the objectives of both audits.
    7. In an integrated audit of internal control over financial 
reporting and the financial statements, the auditor should design his 
or her testing of controls to accomplish the objectives of both audits 
simultaneously--
     To obtain sufficient evidence to support the auditor's 
opinion on internal control over financial reporting as of year-end, 
and
     To obtain sufficient evidence to support the auditor's 
control risk assessments for purposes of the audit of financial 
statements.
    8. Obtaining sufficient evidence to support control risk 
assessments as low for purposes of the financial statement audit 
ordinarily allows the auditor to reduce the amount of audit work that 
otherwise would have been necessary to opine on the financial 
statements. (See Appendix B for additional direction on integration.)

    Note: In some circumstances, particularly in some audits of 
smaller and less complex companies, the auditor might choose not to 
assess control risk as low for purposes of the audit of the 
financial statements. In such circumstances, the auditor's tests of 
the operating effectiveness of controls would be performed 
principally for the purpose of supporting his or her opinion on 
whether the company's internal control over financial reporting is 
effective as of year-end. The results of the auditor's financial 
statement auditing procedures also should inform his or her risk 
assessments in determining the testing necessary to conclude on the 
effectiveness of a control.

Planning the Audit

    9. The auditor should properly plan the audit of internal control 
over financial reporting and properly supervise any assistants. When 
planning an integrated audit, the auditor should evaluate whether the 
following matters are important to the company's financial statements 
and internal control over financial reporting and, if so, how they will 
affect the auditor's procedures--
     Knowledge of the company's internal control over financial 
reporting obtained during other engagements performed by the auditor;
     Matters affecting the industry in which the company 
operates, such as financial reporting practices, economic conditions, 
laws and regulations, and technological changes;
     Matters relating to the company's business, including its 
organization, operating characteristics, and capital structure;
     The extent of recent changes, if any, in the company, its 
operations, or its internal control over financial reporting;
     The auditor's preliminary judgments about materiality, 
risk, and other factors relating to the determination of material 
weaknesses;
     Control deficiencies previously communicated to the audit 
committee \8\ or management;
---------------------------------------------------------------------------

    \8\ If no audit committee exists, all references to the audit 
committee in this standard apply to the entire board of directors of 
the company. See 15 U.S.C. 78c(a)58 and 7201(a)(3).
---------------------------------------------------------------------------

     Legal or regulatory matters of which the company is aware;
     The type and extent of available evidence related to the 
effectiveness of the company's internal control over financial 
reporting;
     Preliminary judgments about the effectiveness of internal 
control over financial reporting;
     Public information about the company relevant to the 
evaluation of the likelihood of material financial statement 
misstatements and the effectiveness of the company's internal control 
over financial reporting;
     Knowledge about risks related to the company evaluated as 
part of the auditor's client acceptance and retention evaluation; and

[[Page 32342]]

     The relative complexity of the company's operations.

    Note: Many smaller companies have less complex operations. 
Additionally, some larger, complex companies may have less complex 
units or processes. Factors that might indicate less complex 
operations include: fewer business lines; less complex business 
processes and financial reporting systems; more centralized 
accounting functions; extensive involvement by senior management in 
the day-to-day activities of the business; and fewer levels of 
management, each with a wide span of control.

Role of Risk Assessment

    10. Risk assessment underlies the entire audit process described by 
this standard, including the determination of significant accounts and 
disclosures and relevant assertions, the selection of controls to test, 
and the determination of the evidence necessary for a given control.
    11. A direct relationship exists between the degree of risk that a 
material weakness could exist in a particular area of the company's 
internal control over financial reporting and the amount of audit 
attention that should be devoted to that area. In addition, the risk 
that a company's internal control over financial reporting will fail to 
prevent or detect misstatement caused by fraud usually is higher than 
the risk of failure to prevent or detect error. The auditor should 
focus more of his or her attention on the areas of highest risk. On the 
other hand, it is not necessary to test controls that, even if 
deficient, would not present a reasonable possibility of material 
misstatement to the financial statements.
    12. The complexity of the organization, business unit, or process, 
will play an important role in the auditor's risk assessment and the 
determination of the necessary procedures.

Scaling the Audit

    13. The size and complexity of the company, its business processes, 
and business units, may affect the way in which the company achieves 
many of its control objectives. The size and complexity of the company 
also might affect the risks of misstatement and the controls necessary 
to address those risks. Scaling is most effective as a natural 
extension of the risk-based approach and applicable to the audits of 
all companies. Accordingly, a smaller, less complex company, or even a 
larger, less complex company might achieve its control objectives 
differently than a more complex company.\9\
---------------------------------------------------------------------------

    \9\ The SEC Advisory Committee on Smaller Public Companies 
considered a company's size with respect to compliance with the 
internal control reporting provisions of the Act. See Advisory 
Committee on Smaller Public Companies to the United States 
Securities and Exchange Commission, Final Report, at p. 5 (April 23, 
2006).
---------------------------------------------------------------------------

Addressing the Risk of Fraud

    14. When planning and performing the audit of internal control over 
financial reporting, the auditor should take into account the results 
of his or her fraud risk assessment.\10\ As part of identifying and 
testing entity-level controls, as discussed beginning at paragraph 22, 
and selecting other controls to test, as discussed beginning at 
paragraph 39, the auditor should evaluate whether the company's 
controls sufficiently address identified risks of material misstatement 
due to fraud and controls intended to address the risk of management 
override of other controls. Controls that might address these risks 
include--
---------------------------------------------------------------------------

    \10\ See paragraphs .19 through .42 of AU sec. 316, 
Consideration of Fraud in a Financial Statement Audit, regarding 
identifying risks that may result in material misstatement due to 
fraud.
---------------------------------------------------------------------------

     Controls over significant, unusual transactions, 
particularly those that result in late or unusual journal entries;
     Controls over journal entries and adjustments made in the 
period-end financial reporting process;
     Controls over related party transactions;
     Controls related to significant management estimates; and
     Controls that mitigate incentives for, and pressures on, 
management to falsify or inappropriately manage financial results.
    15. If the auditor identifies deficiencies in controls designed to 
prevent or detect fraud during the audit of internal control over 
financial reporting, the auditor should take into account those 
deficiencies when developing his or her response to risks of material 
misstatement during the financial statement audit, as provided in AU 
sec. 316.44 and .45.

Using the Work of Others

    16. The auditor should evaluate the extent to which he or she will 
use the work of others to reduce the work the auditor might otherwise 
perform himself or herself. AU sec. 322, The Auditor's Consideration of 
the Internal Audit Function in an Audit of Financial Statements, 
applies in an integrated audit of the financial statements and internal 
control over financial reporting.
    17. For purposes of the audit of internal control, however, the 
auditor may use the work performed by, or receive direct assistance 
from, internal auditors, company personnel (in addition to internal 
auditors), and third parties working under the direction of management 
or the audit committee that provides evidence about the effectiveness 
of internal control over financial reporting. In an integrated audit of 
internal control over financial reporting and the financial statements, 
the auditor also may use this work to obtain evidence supporting the 
auditor's assessment of control risk for purposes of the audit of the 
financial statements.
    18. The auditor should assess the competence and objectivity of the 
persons whose work the auditor plans to use to determine the extent to 
which the auditor may use their work. The higher the degree of 
competence and objectivity, the greater use the auditor may make of the 
work. The auditor should apply paragraphs .09 through .11 of AU sec. 
322 to assess the competence and objectivity of internal auditors. The 
auditor should apply the principles underlying those paragraphs to 
assess the competence and objectivity of persons other than internal 
auditors whose work the auditor plans to use.

    Note: For purposes of using the work of others, competence means 
the attainment and maintenance of a level of understanding and 
knowledge that enables that person to perform ably the tasks 
assigned to them, and objectivity means the ability to perform those 
tasks impartially and with intellectual honesty. To assess 
competence, the auditor should evaluate factors about the person's 
qualifications and ability to perform the work the auditor plans to 
use. To assess objectivity, the auditor should evaluate whether 
factors are present that either inhibit or promote a person's 
ability to perform with the necessary degree of objectivity the work 
the auditor plans to use.


    Note: The auditor should not use the work of persons who have a 
low degree of objectivity, regardless of their level of competence. 
Likewise, the auditor should not use the work of persons who have a 
low level of competence regardless of their degree of objectivity. 
Personnel whose core function is to serve as a testing or compliance 
authority at the company, such as internal auditors, normally are 
expected to have greater competence and objectivity in performing 
the type of work that will be useful to the auditor.

    19. The extent to which the auditor may use the work of others in 
an audit of internal control also depends on the risk associated with 
the control being tested. As the risk associated with a control 
increases, the need for the auditor to perform his or her own work on 
the control increases.

[[Page 32343]]

Materiality

    20. In planning the audit of internal control over financial 
reporting, the auditor should use the same materiality considerations 
he or she would use in planning the audit of the company's annual 
financial statements.\11\
---------------------------------------------------------------------------

    \11\ See AU sec. 312, Audit Risk and Materiality in Conducting 
an Audit, which provides additional explanation of materiality.
---------------------------------------------------------------------------

Using a Top-Down Approach

    21. The auditor should use a top-down approach to the audit of 
internal control over financial reporting to select the controls to 
test. A top-down approach begins at the financial statement level and 
with the auditor's understanding of the overall risks to internal 
control over financial reporting. The auditor then focuses on entity-
level controls and works down to significant accounts and disclosures 
and their relevant assertions. This approach directs the auditor's 
attention to accounts, disclosures, and assertions that present a 
reasonable possibility of material misstatement to the financial 
statements and related disclosures. The auditor then verifies his or 
her understanding of the risks in the company's processes and selects 
for testing those controls that sufficiently address the assessed risk 
of misstatement to each relevant assertion.

    Note: The top-down approach describes the auditor's sequential 
thought process in identifying risks and the controls to test, not 
necessarily the order in which the auditor will perform the auditing 
procedures.

Identifying Entity-Level Controls

    22. The auditor must test those entity-level controls that are 
important to the auditor's conclusion about whether the company has 
effective internal control over financial reporting. The auditor's 
evaluation of entity-level controls can result in increasing or 
decreasing the testing that the auditor otherwise would have performed 
on other controls.
    23. Entity-level controls vary in nature and precision--
     Some entity-level controls, such as certain control 
environment controls, have an important, but indirect, effect on the 
likelihood that a misstatement will be detected or prevented on a 
timely basis. These controls might affect the other controls the 
auditor selects for testing and the nature, timing, and extent of 
procedures the auditor performs on other controls.
     Some entity-level controls monitor the effectiveness of 
other controls. Such controls might be designed to identify possible 
breakdowns in lower-level controls, but not at a level of precision 
that would, by themselves, sufficiently address the assessed risk that 
misstatements to a relevant assertion will be prevented or detected on 
a timely basis. These controls, when operating effectively, might allow 
the auditor to reduce the testing of other controls.
     Some entity-level controls might be designed to operate at 
a level of precision that would adequately prevent or detect on a 
timely basis misstatements to one or more relevant assertions. If an 
entity-level control sufficiently addresses the assessed risk of 
misstatement, the auditor need not test additional controls relating to 
that risk.
    24. Entity-level controls include--
     Controls related to the control environment;
     Controls over management override;

    Note: Controls over management override are important to 
effective internal control over financial reporting for all 
companies, and may be particularly important at smaller companies 
because of the increased involvement of senior management in 
performing controls and in the period-end financial reporting 
process. For smaller companies, the controls that address the risk 
of management override might be different from those at a larger 
company. For example, a smaller company might rely on more detailed 
oversight by the audit committee that focuses on the risk of 
management override.

     The company's risk assessment process;
     Centralized processing and controls, including shared 
service environments;
     Controls to monitor results of operations;
     Controls to monitor other controls, including activities 
of the internal audit function, the audit committee, and self-
assessment programs;
     Controls over the period-end financial reporting process; 
and
     Policies that address significant business control and 
risk management practices.
    25. Control Environment. Because of its importance to effective 
internal control over financial reporting, the auditor must evaluate 
the control environment at the company. As part of evaluating the 
control environment, the auditor should assess--
     Whether management's philosophy and operating style 
promote effective internal control over financial reporting;
     Whether sound integrity and ethical values, particularly 
of top management, are developed and understood; and
     Whether the Board or audit committee understands and 
exercises oversight responsibility over financial reporting and 
internal control.
    26. Period-end Financial Reporting Process. Because of its 
importance to financial reporting and to the auditor's opinions on 
internal control over financial reporting and the financial statements, 
the auditor must evaluate the period-end financial reporting process. 
The period-end financial reporting process includes the following--
     Procedures used to enter transaction totals into the 
general ledger;
     Procedures related to the selection and application of 
accounting policies;
     Procedures used to initiate, authorize, record, and 
process journal entries in the general ledger;
     Procedures used to record recurring and nonrecurring 
adjustments to the annual and quarterly financial statements; and
     Procedures for preparing annual and quarterly financial 
statements and related disclosures.

    Note: Because the annual period-end financial reporting process 
normally occurs after the ``as-of'' date of management's assessment, 
those controls usually cannot be tested until after the as-of date.

    27. As part of evaluating the period-end financial reporting 
process, the auditor should assess--
     Inputs, procedures performed, and outputs of the processes 
the company uses to produce its annual and quarterly financial 
statements;
     The extent of information technology (``IT'') involvement 
in the period-end financial reporting process;
     Who participates from management;
     The locations involved in the period-end financial 
reporting process;
     The types of adjusting and consolidating entries; and
     The nature and extent of the oversight of the process by 
management, the board of directors, and the audit committee.

    Note: The auditor should obtain sufficient evidence of the 
effectiveness of those quarterly controls that are important to 
determining whether the company's controls sufficiently address the 
assessed risk of misstatement to each relevant assertion as of the 
date of management's assessment. However, the auditor is not 
required to obtain sufficient evidence for each quarter 
individually.

Identifying Significant Accounts and Disclosures and Their Relevant 
Assertions

    28. The auditor should identify significant accounts and 
disclosures and their relevant assertions. Relevant assertions are 
those financial statement assertions that have a reasonable possibility 
of containing a misstatement

[[Page 32344]]

that would cause the financial statements to be materially misstated. 
The financial statement assertions include \12\--
---------------------------------------------------------------------------

    \12\ See AU sec. 326, Evidential Matter, which provides 
additional information on financial statement assertions.
---------------------------------------------------------------------------

     Existence or occurrence
     Completeness
     Valuation or allocation
     Rights and obligations
     Presentation and disclosure

    Note: The auditor may base his or her work on assertions that 
differ from those in this standard if the auditor has selected and 
tested controls over the pertinent risks in each significant account 
and disclosure that have a reasonable possibility of containing 
misstatements that would cause the financial statements to be 
materially misstated.

    29. To identify significant accounts and disclosures and their 
relevant assertions, the auditor should evaluate the qualitative and 
quantitative risk factors related to the financial statement line items 
and disclosures. Risk factors relevant to the identification of 
significant accounts and disclosures and their relevant assertions 
include--
     Size and composition of the account;
     Susceptibility to misstatement due to errors or fraud;
     Volume of activity, complexity, and homogeneity of the 
individual transactions processed through the account or reflected in 
the disclosure;
     Nature of the account or disclosure;
     Accounting and reporting complexities associated with the 
account or disclosure;
     Exposure to losses in the account;
     Possibility of significant contingent liabilities arising 
from the activities reflected in the account or disclosure;
     Existence of related party transactions in the account; 
and
     Changes from the prior period in account or disclosure 
characteristics.
    30. As part of identifying significant accounts and disclosures and 
their relevant assertions, the auditor also should determine the likely 
sources of potential misstatements that would cause the financial 
statements to be materially misstated. The auditor might determine the 
likely sources of potential misstatements by asking himself or herself 
``what could go wrong?'' within a given significant account or 
disclosure.
    31. The risk factors that the auditor should evaluate in the 
identification of significant accounts and disclosures and their 
relevant assertions are the same in the audit of internal control over 
financial reporting as in the audit of the financial statements; 
accordingly, significant accounts and disclosures and their relevant 
assertions are the same for both audits.

    Note: In the financial statement audit, the auditor might 
perform substantive auditing procedures on financial statement 
accounts, disclosures and assertions that are not determined to be 
significant accounts and disclosures and relevant assertions.\13\

    \13\ This is because his or her assessment of the risk that 
undetected misstatement would cause the financial statements to be 
materially misstated is unacceptably high (see AU sec. 312.39 for 
further discussion about undetected misstatement) or as a means of 
introducing unpredictability in the procedures performed (see 
paragraph 61 and AU sec. 316.50 for further discussion about 
predictability of auditing procedures).

    32. The components of a potential significant account or disclosure 
might be subject to significantly differing risks. If so, different 
controls might be necessary to adequately address those risks.
    33. When a company has multiple locations or business units, the 
auditor should identify significant accounts and disclosures and their 
relevant assertions based on the consolidated financial statements. 
Having made those determinations, the auditor should then apply the 
direction in Appendix B for multiple locations scoping decisions.

Understanding Likely Sources of Misstatement

    34. To further understand the likely sources of potential 
misstatements, and as a part of selecting the controls to test, the 
auditor should achieve the following objectives--
     Understand the flow of transactions related to the 
relevant assertions, including how these transactions are initiated, 
authorized, processed, and recorded;
     Verify that the auditor has identified the points within 
the company's processes at which a misstatement--including a 
misstatement due to fraud--could arise that, individually or in 
combination with other misstatements, would be material;
     Identify the controls that management has implemented to 
address these potential misstatements; and
     Identify the controls that management has implemented over 
the prevention or timely detection of unauthorized acquisition, use, or 
disposition of the company's assets that could result in a material 
misstatement of the financial statements.
    35. Because of the degree of judgment required, the auditor should 
either perform the procedures that achieve the objectives in paragraph 
34 himself or herself or supervise the work of others who provide 
direct assistance to the auditor, as described in AU sec. 322.
    36. The auditor also should understand how IT affects the company's 
flow of transactions. The auditor should apply paragraphs .16 through 
.20, .30 through .32, and .77 through .79, of AU sec. 319, 
Consideration of Internal Control in a Financial Statement Audit, which 
discuss the effect of information technology on internal control over 
financial reporting and the risks to assess.

    Note: The identification of risks and controls within IT is not 
a separate evaluation. Instead, it is an integral part of the top-
down approach used to identify significant accounts and disclosures 
and their relevant assertions, and the controls to test, as well as 
to assess risk and allocate audit effort as described by this 
standard.

    37. Performing Walkthroughs. Performing walkthroughs will 
frequently be the most effective way of achieving the objectives in 
paragraph 34. In performing a walkthrough, the auditor follows a 
transaction from origination through the company's processes, including 
information systems, until it is reflected in the company's financial 
records, using the same documents and information technology that 
company personnel use. Walkthrough procedures usually include a 
combination of inquiry, observation, inspection of relevant 
documentation, and re-performance of controls.
    38. In performing a walkthrough, at the points at which important 
processing procedures occur, the auditor questions the company's 
personnel about their understanding of what is required by the 
company's prescribed procedures and controls. These probing questions, 
combined with the other walkthrough procedures, allow the auditor to 
gain a sufficient understanding of the process and to be able to 
identify important points at which a necessary control is missing or 
not designed effectively. Additionally, probing questions that go 
beyond a narrow focus on the single transaction used as the basis for 
the walkthrough allow the auditor to gain an understanding of the 
different types of significant transactions handled by the process.

Selecting Controls To Test

    39. The auditor should test those controls that are important to 
the auditor's conclusion about whether the company's controls 
sufficiently address the assessed risk of misstatement to each relevant 
assertion.

[[Page 32345]]

    40. There might be more than one control that addresses the 
assessed risk of misstatement to a particular relevant assertion; 
conversely, one control might address the assessed risk of misstatement 
to more than one relevant assertion. It is neither necessary to test 
all controls related to a relevant assertion nor necessary to test 
redundant controls, unless redundancy is itself a control objective.
    41. The decision as to whether a control should be selected for 
testing depends on which controls, individually or in combination, 
sufficiently address the assessed risk of misstatement to a given 
relevant assertion rather than on how the control is labeled (e.g., 
entity-level control, transaction-level control, control activity, 
monitoring control, preventive control, detective control).

Testing Controls

Testing Design Effectiveness

    42. The auditor should test the design effectiveness of controls by 
determining whether the company's controls, if they are operated as 
prescribed by persons possessing the necessary authority and competence 
to perform the control effectively, satisfy the company's control 
objectives and can effectively prevent or detect errors or fraud that 
could result in material misstatements in the financial statements.

    Note: A smaller, less complex company might achieve its control 
objectives in a different manner from a larger, more complex 
organization. For example, a smaller, less complex company might 
have fewer employees in the accounting function, limiting 
opportunities to segregate duties and leading the company to 
implement alternative controls to achieve its control objectives. In 
such circumstances, the auditor should evaluate whether those 
alternative controls are effective.

    43. Procedures the auditor performs to test design effectiveness 
include a mix of inquiry of appropriate personnel, observation of the 
company's operations, and inspection of relevant documentation. 
Walkthroughs that include these procedures ordinarily are sufficient to 
evaluate design effectiveness.

Testing Operating Effectiveness

    44. The auditor should test the operating effectiveness of a 
control by determining whether the control is operating as designed and 
whether the person performing the control possesses the necessary 
authority and competence to perform the control effectively.

    Note: In some situations, particularly in smaller companies, a 
company might use a third party to provide assistance with certain 
financial reporting functions. When assessing the competence of 
personnel responsible for a company's financial reporting and 
associated controls, the auditor may take into account the combined 
competence of company personnel and other parties that assist with 
functions related to financial reporting.

    45. Procedures the auditor performs to test operating effectiveness 
include a mix of inquiry of appropriate personnel, observation of the 
company's operations, inspection of relevant documentation, and re-
performance of the control.

Relationship of Risk to the Evidence To Be Obtained

    46. For each control selected for testing, the evidence necessary 
to persuade the auditor that the control is effective depends upon the 
risk associated with the control. The risk associated with a control 
consists of the risk that the control might not be effective and, if 
not effective, the risk that a material weakness would result. As the 
risk associated with the control being tested increases, the evidence 
that the auditor should obtain also increases.

    Note: Although the auditor must obtain evidence about the 
effectiveness of controls for each relevant assertion, the auditor 
is not responsible for obtaining sufficient evidence to support an 
opinion about the effectiveness of each individual control. Rather, 
the auditor's objective is to express an opinion on the company's 
internal control over financial reporting overall. This allows the 
auditor to vary the evidence obtained regarding the effectiveness of 
individual controls selected for testing based on the risk 
associated with the individual control.

    47. Factors that affect the risk associated with a control 
include--
     The nature and materiality of misstatements that the 
control is intended to prevent or detect;
     The inherent risk associated with the related account(s) 
and assertion(s);
     Whether there have been changes in the volume or nature of 
transactions that might adversely affect control design or operating 
effectiveness;
     Whether the account has a history of errors;
     The effectiveness of entity-level controls, especially 
controls that monitor other controls;
     The nature of the control and the frequency with which it 
operates;
     The degree to which the control relies on the 
effectiveness of other controls (e.g., the control environment or 
information technology general controls);
     The competence of the personnel who perform the control or 
monitor its performance and whether there have been changes in key 
personnel who perform the control or monitor its performance;
     Whether the control relies on performance by an individual 
or is automated (i.e., an automated control would generally be expected 
to be lower risk if relevant information technology general controls 
are effective); and

    Note: A less complex company or business unit with simple 
business processes and centralized accounting operations might have 
relatively simple information systems that make greater use of off-
the-shelf packaged software without modification. In the areas in 
which off-the-shelf software is used, the auditor's testing of 
information technology controls might focus on the application 
controls built into the pre-packaged software that management relies 
on to achieve its control objectives and the IT general controls 
that are important to the effective operation of those application 
controls.

     The complexity of the control and the significance of the 
judgments that must be made in connection with its operation.

    Note: Generally, a conclusion that a control is not operating 
effectively can be supported by less evidence than is necessary to 
support a conclusion that a control is operating effectively.

    48. When the auditor identifies deviations from the company's 
controls, he or she should determine the effect of the deviations on 
his or her assessment of the risk associated with the control being 
tested and the evidence to be obtained, as well as on the operating 
effectiveness of the control.

    Note: Because effective internal control over financial 
reporting cannot, and does not, provide absolute assurance of 
achieving the company's control objectives, an individual control 
does not necessarily have to operate without any deviation to be 
considered effective.

    49. The evidence provided by the auditor's tests of the 
effectiveness of controls depends upon the mix of the nature, timing, 
and extent of the auditor's procedures. Further, for an individual 
control, different combinations of the nature, timing, and extent of 
testing may provide sufficient evidence in relation to the risk 
associated with the control.

    Note: Walkthroughs usually consist of a combination of inquiry 
of appropriate personnel, observation of the company's operations, 
inspection of relevant documentation, and re-performance of the 
control and might provide sufficient evidence of operating 
effectiveness, depending on the risk associated with the control 
being tested, the specific procedures performed as part of the 
walkthrough and the results of those procedures.

    50. Nature of Tests of Controls. Some types of tests, by their 
nature, produce

[[Page 32346]]

greater evidence of the effectiveness of controls than other tests. The 
following tests that the auditor might perform are presented in order 
of the evidence that they ordinarily would produce, from least to most: 
inquiry, observation, inspection of relevant documentation, and re-
performance of a control.

    Note: Inquiry alone does not provide sufficient evidence to 
support a conclusion about the effectiveness of a control.

    51. The nature of the tests of effectiveness that will provide 
competent evidence depends, to a large degree, on the nature of the 
control to be tested, including whether the operation of the control 
results in documentary evidence of its operation. Documentary evidence 
of the operation of some controls, such as management's philosophy and 
operating style, might not exist.

    Note: A smaller, less complex company or unit might have less 
formal documentation regarding the operation of its controls. In 
those situations, testing controls through inquiry combined with 
other procedures, such as observation of activities, inspection of 
less formal documentation, or re-performance of certain controls, 
might provide sufficient evidence about whether the control is 
effective.

    52. Timing of Tests of Controls. Testing controls over a greater 
period of time provides more evidence of the effectiveness of controls 
than testing over a shorter period of time. Further, testing performed 
closer to the date of management's assessment provides more evidence 
than testing performed earlier in the year. The auditor should balance 
performing the tests of controls closer to the as-of date with the need 
to test controls over a sufficient period of time to obtain sufficient 
evidence of operating effectiveness.
    53. Prior to the date specified in management's assessment, 
management might implement changes to the company's controls to make 
them more effective or efficient or to address control deficiencies. If 
the auditor determines that the new controls achieve the related 
objectives of the control criteria and have been in effect for a 
sufficient period to permit the auditor to assess their design and 
operating effectiveness by performing tests of controls, he or she will 
not need to test the design and operating effectiveness of the 
superseded controls for purposes of expressing an opinion on internal 
control over financial reporting. If the operating effectiveness of the 
superseded controls is important to the auditor's control risk 
assessment, the auditor should test the design and operating 
effectiveness of those superseded controls, as appropriate. (See 
additional direction on integration beginning at paragraph B1.)
    54. Extent of Tests of Controls. The more extensively a control is 
tested, the greater the evidence obtained from that test.
    55. Roll-Forward Procedures. When the auditor reports on the 
effectiveness of controls as of a specific date and obtains evidence 
about the operating effectiveness of controls at an interim date, he or 
she should determine what additional evidence concerning the operation 
of the controls for the remaining period is necessary.
    56. The additional evidence that is necessary to update the results 
of testing from an interim date to the company's year-end depends on 
the following factors--
     The specific control tested prior to the as-of date, 
including the risks associated with the control and the nature of the 
control, and the results of those tests;
     The sufficiency of the evidence of effectiveness obtained 
at an interim date;
     The length of the remaining period; and
     The possibility that there have been any significant 
changes in internal control over financial reporting subsequent to the 
interim date.

    Note: In some circumstances, such as when evaluation of the 
foregoing factors indicates a low risk that the controls are no 
longer effective during the roll-forward period, inquiry alone might 
be sufficient as a roll-forward procedure.

Special Considerations for Subsequent Years' Audits

    57. In subsequent years' audits, the auditor should incorporate 
knowledge obtained during past audits he or she performed of the 
company's internal control over financial reporting into the decision-
making process for determining the nature, timing, and extent of 
testing necessary. This decision-making process is described in 
paragraphs 46 through 56.
    58. Factors that affect the risk associated with a control in 
subsequent years' audits include those in paragraph 47 and the 
following --
     The nature, timing, and extent of procedures performed in 
previous audits,
     The results of the previous years' testing of the control, 
and
     Whether there have been changes in the control or the 
process in which it operates since the previous audit.
    59. After taking into account the risk factors identified in 
paragraphs 47 and 58, the additional information available in 
subsequent years' audits might permit the auditor to assess the risk as 
lower than in the initial year. This, in turn, might permit the auditor 
to reduce testing in subsequent years.
    60. The auditor may also use a benchmarking strategy for automated 
application controls in subsequent years' audits. Benchmarking is 
described further beginning at paragraph B28.
    61. In addition, the auditor should vary the nature, timing, and 
extent of testing of controls from year to year to introduce 
unpredictability into the testing and respond to changes in 
circumstances. For this reason, each year the auditor might test 
controls at a different interim period, increase or reduce the number 
and types of tests performed, or change the combination of procedures 
used.

Evaluating Identified Deficiencies

    62. The auditor must evaluate the severity of each control 
deficiency that comes to his or her attention to determine whether the 
deficiencies, individually or in combination, are material weaknesses 
as of the date of management's assessment. In planning and performing 
the audit, however, the auditor is not required to search for 
deficiencies that, individually or in combination, are less severe than 
a material weakness.
    63. The severity of a deficiency depends on--
     Whether there is a reasonable possibility that the 
company's controls will fail to prevent or detect a misstatement of an 
account balance or disclosure; and
     The magnitude of the potential misstatement resulting from 
the deficiency or deficiencies.
    64. The severity of a deficiency does not depend on whether a 
misstatement actually has occurred but rather on whether there is a 
reasonable possibility that the company's controls will fail to prevent 
or detect a misstatement.
    65. Risk factors affect whether there is a reasonable possibility 
that a deficiency, or a combination of deficiencies, will result in a 
misstatement of an account balance or disclosure. The factors include, 
but are not limited to, the following--
     The nature of the financial statement accounts, 
disclosures, and assertions involved;
     The susceptibility of the related asset or liability to 
loss or fraud;
     The subjectivity, complexity, or extent of judgment 
required to determine the amount involved;
     The interaction or relationship of the control with other 
controls,

[[Page 32347]]

including whether they are interdependent or redundant;
     The interaction of the deficiencies; and
     The possible future consequences of the deficiency.

    Note: The evaluation of whether a control deficiency presents a 
reasonable possibility of misstatement can be made without 
quantifying the probability of occurrence as a specific percentage 
or range.


    Note: Multiple control deficiencies that affect the same 
financial statement account balance or disclosure increase the 
likelihood of misstatement and may, in combination, constitute a 
material weakness, even though such deficiencies may individually be 
less severe. Therefore, the auditor should determine whether 
individual control deficiencies that affect the same significant 
account or disclosure, relevant assertion, or component of internal 
control collectively result in a material weakness.

    66. Factors that affect the magnitude of the misstatement that 
might result from a deficiency or deficiencies in controls include, but 
are not limited to, the following--
     The financial statement amounts or total of transactions 
exposed to the deficiency; and
     The volume of activity in the account balance or class of 
transactions exposed to the deficiency that has occurred in the current 
period or that is expected in future periods.
    67. In evaluating the magnitude of the potential misstatement, the 
maximum amount that an account balance or total of transactions can be 
overstated is generally the recorded amount, while understatements 
could be larger. Also, in many cases, the probability of a small 
misstatement will be greater than the probability of a large 
misstatement.
    68. The auditor should evaluate the effect of compensating controls 
when determining whether a control deficiency or combination of 
deficiencies is a material weakness. To have a mitigating effect, the 
compensating control should operate at a level of precision that would 
prevent or detect a misstatement that could be material.

Indicators of Material Weaknesses

    69. Indicators of material weaknesses in internal control over 
financial reporting include--
     Identification of fraud, whether or not material, on the 
part of senior management; \14\
---------------------------------------------------------------------------

    \14\ For the purpose of this indicator, the term ``senior 
management'' includes the principal executive and financial officers 
signing the company's certifications as required under Section 302 
of the Act as well as any other members of senior management who 
play a significant role in the company's financial reporting 
process.
---------------------------------------------------------------------------

     Restatement of previously issued financial statements to 
reflect the correction of a material misstatement; \15\
---------------------------------------------------------------------------

    \15\ See Financial Accounting Standards Board Statement No. 154, 
Accounting Changes and Error Corrections, regarding the correction 
of a misstatement.
---------------------------------------------------------------------------

     Identification by the auditor of a material misstatement 
of financial statements in the current period in circumstances that 
indicate that the misstatement would not have been detected by the 
company's internal control over financial reporting; and
     Ineffective oversight of the company's external financial 
reporting and internal control over financial reporting by the 
company's audit committee.
    70. When evaluating the severity of a deficiency, or combination of 
deficiencies, the auditor also should determine the level of detail and 
degree of assurance that would satisfy prudent officials in the conduct 
of their own affairs that they have reasonable assurance that 
transactions are recorded as necessary to permit the preparation of 
financial statements in conformity with generally accepted accounting 
principles. If the auditor determines that a deficiency, or combination 
of deficiencies, might prevent prudent officials in the conduct of 
their own affairs from concluding that they have reasonable assurance 
that transactions are recorded as necessary to permit the preparation 
of financial statements in conformity with generally accepted 
accounting principles, then the auditor should treat the deficiency, or 
combination of deficiencies, as an indicator of a material weakness.

Wrapping-Up

Forming an Opinion

    71. The auditor should form an opinion on the effectiveness of 
internal control over financial reporting by evaluating evidence 
obtained from all sources, including the auditor's testing of controls, 
misstatements detected during the financial statement audit, and any 
identified control deficiencies.

    Note: As part of this evaluation, the auditor should review 
reports issued during the year by internal audit (or similar 
functions) that address controls related to internal control over 
financial reporting and evaluate control deficiencies identified in 
those reports.

    72. After forming an opinion on the effectiveness of the company's 
internal control over financial reporting, the auditor should evaluate 
the presentation of the elements that management is required, under the 
SEC's rules, to present in its annual report on internal control over 
financial reporting.\16\
---------------------------------------------------------------------------

    \16\ See Item 308(a) of Regulations S-B and S-K, 17 CFR 
228.308(a) and 229.308(a).
---------------------------------------------------------------------------

    73. If the auditor determines that any required elements of 
management's annual report on internal control over financial reporting 
are incomplete or improperly presented, the auditor should follow the 
direction in paragraph C2.
    74. The auditor may form an opinion on the effectiveness of 
internal control over financial reporting only when there have been no 
restrictions on the scope of the auditor's work. A scope limitation 
requires the auditor to disclaim an opinion or withdraw from the 
engagement (see paragraphs C3 through C7).

Obtaining Written Representations

    75. In an audit of internal control over financial reporting, the 
auditor should obtain written representations from management--
    a. Acknowledging management's responsibility for establishing and 
maintaining effective internal control over financial reporting;
    b. Stating that management has performed an evaluation and made an 
assessment of the effectiveness of the company's internal control over 
financial reporting and specifying the control criteria;
    c. Stating that management did not use the auditor's procedures 
performed during the audits of internal control over financial 
reporting or the financial statements as part of the basis for 
management's assessment of the effectiveness of internal control over 
financial reporting;
    d. Stating management's conclusion, as set forth in its assessment, 
about the effectiveness of the company's internal control over 
financial reporting based on the control criteria as of a specified 
date;
    e. Stating that management has disclosed to the auditor all 
deficiencies in the design or operation of internal control over 
financial reporting identified as part of management's evaluation, 
including separately disclosing to the auditor all such deficiencies 
that it believes to be significant deficiencies or material weaknesses 
in internal control over financial reporting;
    f. Describing any fraud resulting in a material misstatement to the 
company's financial statements and any other fraud that does not result 
in a material misstatement to the company's financial statements but 
involves senior management or management or other

[[Page 32348]]

employees who have a significant role in the company's internal control 
over financial reporting;
    g. Stating whether control deficiencies identified and communicated 
to the audit committee during previous engagements pursuant to 
paragraphs 77 and 79 have been resolved,\*\ and specifically 
identifying any that have not; and
---------------------------------------------------------------------------

    \*\ PCAOB staff have told the Commission staff that the 
references to paragraphs 77 and 79 in paragraph 75.g. of the 
proposed rule should instead refer to paragraphs 78 and 80, and that 
this typographical error will be corrected. Telephone conversation 
between Sharon Virag, Associate Chief Auditor, PCAOB, and Brian 
Croteau, Associate Chief Accountant, SEC, on June 4, 2007.
---------------------------------------------------------------------------

    h. Stating whether there were, subsequent to the date being 
reported on, any changes in internal control over financial reporting 
or other factors that might significantly affect internal control over 
financial reporting, including any corrective actions taken by 
management with regard to significant deficiencies and material 
weaknesses.
    76. The failure to obtain written representations from management, 
including management's refusal to furnish them, constitutes a 
limitation on the scope of the audit. As discussed further in paragraph 
C3, when the scope of the audit is limited, the auditor should either 
withdraw from the engagement or disclaim an opinion. Further, the 
auditor should evaluate the effects of management's refusal on his or 
her ability to rely on other representations, including those obtained 
in the audit of the company's financial statements.
    77. AU sec. 333, Management Representations, explains matters such 
as who should sign the letter, the period to be covered by the letter, 
and when to obtain an updated letter.

Communicating Certain Matters

    78. The auditor must communicate, in writing, to management and the 
audit committee all material weaknesses identified during the audit. 
The written communication should be made prior to the issuance of the 
auditor's report on internal control over financial reporting.
    79. If the auditor concludes that the oversight of the company's 
external financial reporting and internal control over financial 
reporting by the company's audit committee is ineffective, the auditor 
must communicate that conclusion in writing to the board of directors.
    80. The auditor also should consider whether there are any 
deficiencies, or combinations of deficiencies, that have been 
identified during the audit that are significant deficiencies and must 
communicate such deficiencies, in writing, to the audit committee.
    81. The auditor also should communicate to management, in writing, 
all deficiencies in internal control over financial reporting (i.e., 
those deficiencies in internal control over financial reporting that 
are of a lesser magnitude than material weaknesses) identified during 
the audit and inform the audit committee when such a communication has 
been made. When making this communication, it is not necessary for the 
auditor to repeat information about such deficiencies that has been 
included in previously issued written communications, whether those 
communications were made by the auditor, internal auditors, or others 
within the organization.
    82. The auditor is not required to perform procedures that are 
sufficient to identify all control deficiencies; rather, the auditor 
communicates deficiencies in internal control over financial reporting 
of which he or she is aware.
    83. Because the audit of internal control over financial reporting 
does not provide the auditor with assurance that he or she has 
identified all deficiencies less severe than a material weakness, the 
auditor should not issue a report stating that no such deficiencies 
were noted during the audit.
    84. When auditing internal control over financial reporting, the 
auditor may become aware of fraud or possible illegal acts. In such 
circumstances, the auditor must determine his or her r