Skip to main content
Find a Lawyer

Proposed PCAOB Accounting Standard No. 2: An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements

This article was edited and reviewed by FindLaw Attorney Writers | Last reviewed March 26, 2008

This article has been written and reviewed for legal accuracy, clarity, and style by FindLaw’s team of legal writers and attorneys and in accordance with our editorial standards.

The last updated date refers to the last time this article was reviewed by FindLaw or one of our contributing authors. We make every effort to keep our articles updated. For information regarding a specific legal issue affecting you, please contact an attorney in your area.

What every business lawyer should know about the internal control audit rules

The SEC recently published for comment a proposed rule prepared by the Public Company Accounting Oversight Board ("PCAOB") relating to the standards that apply when an auditor is engaged to audit both a financial statement and management's assessment of the effectiveness of internal control over financial reporting (Release 34-49544). We do not expect the SEC to make many substantive changes to the proposal, since this proposal represents the PCAOB's second attempt after the first rule proposal received substantial criticism. If adopted by the SEC, the rule will become effective for accelerated filers for fiscal years ending on or after November 15, 2004. The effective date for non-accelerated filers and foreign private issuers is for fiscal years ending on or after July 15, 2005. The following is a list of points which may be of general interest to business lawyers with respect to the proposed rule.

  • An internal control audit may only be performed in conjunction with an audit of the financial statements. No internal control audit intended to satisfy Section 404(b) of the Sarbanes-Oxley Act of 2002 can be conducted without a concurrent audit of the financial statements.

  • Finding a "material weakness" precludes the auditor from rendering an unqualified favorable opinion. A "material weakness" is a "significant deficiency," or combination of significant deficiencies, that results in more than a "remote" likelihood that a "material" misstatement of the annual or interim financial statements will not be prevented or detected. The definitions are critical and not intuitive nor identical to historical usage.

  • Management cannot certify the effectiveness of internal controls if the auditors do not. Auditors may opine favorably on management's assessment process while simultaneously issuing an adverse or qualified opinion on the internal controls. Other combinations of opinions are also possible.

  • The proposed rules specify representations to be made by management to the auditors regarding management's conclusions about the effectiveness of internal control, disclosure to the auditors of all deficiencies in the design or operation of internal controls identified by management, and disclosure of any material fraud and any fraud involving senior management, among others. Failure to provide these representations is a limit on the scope of the audit, which may preclude an unqualified favorable opinion.

  • "Walkthroughs" by the auditor should be conducted for each major class of transactions. Walkthroughs trace a transaction from its origin through the information systems to the financial statement; from initiating, authorizing, recording, processing, and reporting individual transactions and the controls for each of the significant processes identified. The auditor may not rely on the work of others. Although not "required procedures," the PCAOB deems walkthroughs as the most efficient and effective mechanism for achieving the stated objectives.

  • The outside auditor's "independence" for purposes of the internal controls audit may be compromised if the auditor has provided advice regarding internal controls. Specific Audit Committee pre-approval is required for internal control–related services. The traditional rules apply – the auditor may not audit its own work, the auditor must not act as management, the auditor must not serve as an advocate for the client, and the auditor must not have mutual or conflicting interests with the client. Management must have active, substantive, and extensive involvement in any internal control services.

  • Management may not rely on the audit as part of its internal controls. One of the enumerated significant deficiencies that may be a strong indicator of a material weakness is identification by the auditor of a material misstatement that was not initially identified by the internal controls – even though management may be finalizing the financial statements at the same time the auditors are auditing.

  • The auditor's evaluation of the effectiveness of the Audit Committee of the Board of Directors has been narrowed from the prior proposal and is now clearly only made as a part of the overall evaluation of the control environment and the oversight of the external financial reporting and the internal control over financial reporting. The factors include the extent of direct and independent interaction between the Audit Committee and the key members of financial management; the degree to which difficult questions are raised; and pursued with management and the auditor, and the level of responsiveness of the Audit Committee to issues raised by the auditor.

  • Small business issues, including both the extent of internal controls required and the extent of testing and inquiry into management override of controls, are dealt with by reference to the Committee of Sponsoring Organizations ("COSO") report, rather than in a specific appendix of exceptions.

  • The "independence" of internal auditors should be preserved to allow outside auditors to rely on some of their work to save time and money. However, the auditor must use independent judgment and obtain the principal evidence himself, including performing walkthroughs and not relying on the work of others for judgments about factors affecting the auditor's opinion, such as the significance of identified control deficiencies. The auditor may not rely on the work of others to reduce the amount of work the auditor does with respect to the control environment; integrity and ethical values; commitment to competence; Board of Directors or Audit Committee participation; management's philosophy and operating style; organizational structure; assignment of authority and responsibility, and human resource policies and procedures.

___________________________

If you have any questions or require further information regarding these or other matters, please call your regular Nixon Peabody contact or feel free to contact one of the attorneys listed below:

  • in our Boston office, Al Jordan (617-345-1103)
  • in our New York City office, Richard Langan (212-940-3140)
  • in our Rochester office, Deborah Quinn (585-263-1307)
  • in our San Francisco office, Steven Plevin (415-984-8462)
  • in our Washington, D.C. office, John Partigan (202-585-8535)

    For a complete list of the securities law practice group members, please refer to the final page of this Securities Law Alert.

    The foregoing summary is provided by Nixon Peabody for education and informational purposes only. It is not a full analysis of the matter summarized and is not intended and should not be construed as legal advice. This publication may be considered advertising under applicable laws.

    If you are not currently on our mailing list and would like to receive future publications of Securities Law Alert or if you would like to unsubscribe from this mailing list, please send your contact information, including your name and e-mail address, to lblaney@nixonpeabody.com with the words "Securities Law Alert" in the subject line. Prior publications of Securities Law Alert are available on our Web site (www.nixonpeabody.com).

Was this helpful?

Copied to clipboard