BA 427 – Assurance and Attestation Services Lecture 7 Reporting on Internal Controls
1978: The Cohen Commission recommended that auditors expand their consideration of internal controls in connection with a financial statement audit.
The Treadway Report, 1987 Formally: The Report of the National Commission on Fraudulent Financial Reporting. Recommended a management report that includes management’s opinion on the effectiveness of the company’s internal controls. Reporting on Internal Controls
The Treadway Report, 1987 Recommended that the auditor’s standard report should describe the extent to which the auditors have reviewed and evaluated the system of internal accounting control. Recommended that the ASB should provide explicit guidance to address the situation where the auditors disagree with management’s assessment of internal control. Reporting on Internal Controls
The Treadway Report, 1987 Did not recommend increasing the extent to which the auditors must review and evaluate internal accounting controls. Reporting on Internal Controls
1988: The Auditing Standards Board issued SAS No. 55, which required auditors to obtain, on every audit, a sufficient understanding of a company’s internal control structure to assist in planning the audit. Reporting on Internal Controls
1988: The SEC issued proposed rules that would have required management to report annually on its responsibilities for internal controls. These rules would not have required the auditors to attest to management’s report. Reporting on Internal Controls
Section 36(b)(2) Annual reporting requirements (b) Management report. Each … institution shall prepare … a report signed by the chief executive officer and the chief accounting or financial officer … which contains: (A) A statement of the management’s responsibilities for … establishing and maintaining an adequate internal control structure and procedures for financial reporting … F.D.I.C.I.A. (1991)
Section 36(b)(2) Annual reporting requirements (b) Management report. Each … institution shall prepare … a report signed by the chief executive officer and the chief accounting or financial officer … which contains: (B) An assessment, as of the end of the institution’s most recent fiscal year, of … the effectiveness of such internal control structure and procedures …. F.D.I.C.I.A. (1991)
Section 36(c) Annual reporting requirements In general: with respect to any internal control report required by subsection (b)(2) of any institution, the institution’s independent public accountant shall attest to, and report separately on, the assertions of the institution’s management contained in such report. F.D.I.C.I.A. (1991)
1992: Due to negative feedback on its proposal, the SEC withdrew its proposed rules on management’s report on internal controls. Reporting on Internal Controls
1992: The Committee of Sponsoring Organizations (COSO) issues its report Internal Controls – Integrated Framework. The report provides guidance on, among other internal control topics, management’s assessment of, and reporting on, internal controls. Recent survey data suggests that prior to Sarbanes-Oxley, about one-third of companies did not use the 1992 COSO framework. Reporting on Internal Controls
1993: The Auditing Standards Board issued Statement on Standards for Attestation Engagements (SSAE) No. 2, Reporting on an Entity’s Internal Control over Financial Reporting. SSAE No. 2 provided guidance for performing and reporting on engagements to attest to management’s report on internal control. SSAE No. 2 was amended in 1995 by SSAE No. 6. Reporting on Internal Controls
1995: The Auditing Standards Board issued SAS 78, which recognized COSO’s definition and description of internal control, including the five components: Control environment Risk assessment Control activities Information and communication Monitoring Reporting on Internal Controls
1995: Baring Investment Bank fails due to trading losses incurred on its behalf by Nick Leeson. Internal control weaknesses allowed Leeson to hide trading losses for a critical period of time, allowing Leeson to incur additional losses that bankrupt the firm. Reporting on Internal Controls
GAO: The Accounting Profession – Major Issues: Progress and Concerns (1996) “the actions of the accounting profession have not been totally effective in resolving several major issues. Issues remain about auditor independence, auditor responsibility for detecting fraud and reporting on internal controls, public participation in standard setting, the timeliness and relevancy of accounting standards, and maintaining the independence of FASB. Reporting on Internal Controls
1987: The Treadway Report indicated that 45% of cases brought by the SEC against public companies between 1981 and 1986 alleged fraud because of breakdown in internal controls. 1998: KPMG survey finds that internal control weaknesses are a contributing cause in 60% of frauds perpetuated against companies. Reporting on Internal Controls
Sarbanes-Oxley Act of 2002 Title IV – Enhanced Financial Disclosures Section 404: Management Assessment of Internal Controls Reporting on Internal Controls
(a) The [SEC] shall prescribe rules requiring each annual report … to contain an internal control report, which shall: (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting Sarbanes-Oxley, Section 404
(a) The [SEC] shall prescribe rules requiring each annual report … to contain an internal control report, which shall: (2) contain an assessment as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. Sarbanes-Oxley, Section 404
(b) With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement. Sarbanes-Oxley, Section 404
SEC and PCAOB Rules The SEC oversees the PCAOB. The SEC issues rules directly. The PCAOB issues rules, including auditing standards. Hence, the rules that auditors and public companies must follow with respect to internal controls reporting come from both the SEC and the PCAOB. Reporting on Internal Controls
SEC and PCAOB Rules The most important standard issued by the PCAOB so far is Auditing Standard #2: An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements. Reporting on Internal Controls
SEC and PCAOB Rules These rules became effective for large public companies (called “accelerated filers”; with market value more than $75 million) for years ending on or after Nov. 15, The effective date for non-accelerated filers continues to be postponed. Reporting on Internal Controls
PCAOB Auditing Standard #2 Three levels of evaluating the absence of internal controls for any given audit objective: Control deficiency Significant deficiency Material Weakness Reporting on Internal Controls
PCAOB Auditing Standard #2 Control Deficiency Exists if the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. Reporting on Internal Controls
PCAOB Auditing Standard #2 Significant Deficiency A control deficiency, or combination of control deficiencies, that adversely affects the company’s ability to initiate, author- ize, record, process, or report external financial data reliably in accordance with GAAP, such that there is more than a remote likelihood that a misstatement that is more than inconsequential will not be prevented or detected. Reporting on Internal Controls
PCAOB Auditing Standard #2 Significant Deficiency The term remote likelihood is defined as in SFAS No. 5: Remote: The chance of the future event occurring is slight. Reporting on Internal Controls
PCAOB Auditing Standard #2 A misstatement is inconsequential if a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when aggregated with other misstatements, would clearly be immaterial to the financial statements. Reporting on Internal Controls
PCAOB Auditing Standard #2 Material Weakness: A significant deficiency, by itself, or in combination with other significant deficiencies, results in a more than remote likelihood that a material misstatement of the financial statements will not be prevented or detected. Reporting on Internal Controls
PCAOB Auditing Standard #2 Examples of “strong indicators” that a material weakness exists: Restatement of previously issued financial statements to correct a misstatement. Identification by the auditor of a material misstatement in the current period F/S that was not detected by the company. Identification of fraud of any magnitude on the part of senior management. Reporting on Internal Controls
SEC and PCAOB Rules Management’s report must Identify the framework used to evaluate the effectiveness of internal controls. Report management’s assessment of the design of internal controls over financial reporting. Report management’s assessment of the operating effectiveness of those controls, as of the fiscal year-end, based on the results of tests. Reporting on Internal Controls
SEC and PCAOB Rules The Design of Internal Control Management evaluates whether controls are designed to prevent and detect material misstatements in the financial statements. The focus is on controls over all relevant assertions related to all significant accounts and disclosures in the financial statements. Reporting on Internal Controls
SEC and PCAOB Rules The Design of Internal Control Management evaluates information about how significant transactions are initiated, authorized, recorded, processed, and reported, to identify how errors and fraud could occur. Management must determine whether existing controls will be effective if they operate as designed, and whether all necessary controls are in place. Reporting on Internal Controls
SEC and PCAOB Rules Operating Effectiveness of Controls Management must test the operating effectiveness of controls, to determine whether controls operate as designed. These tests must be documented, and form the basis for management’s assertions. Management must disclose any material weaknesses in internal control. Reporting on Internal Controls
SEC and PCAOB Rules Operating Effectiveness of Controls A material weakness at fiscal year-end precludes the conclusion that controls are effective. In other words, material weaknesses cannot be corrected after the fact, to generate a clean opinion. Reporting on Internal Controls
SEC and PCAOB Rules Operating Effectiveness of Controls Management’s tests include Inquiries of personnel Inspection of documentation Observation of company operations Re-performance of the application of controls Tests must be performed over a period of time, not only at year-end. Reporting on Internal Controls
Sample Management Report on Internal Controls The management of Dutch Brothers Corporation is responsible for establishing and maintaining adequate internal control over financial reporting. The Company’s internal control system was designed to provide reasonable assurance to the Company’s management and board of directors regarding the preparation and fair presentation of published financial statements.
Sample Management Report on Internal Controls, cont. Dutch Brothers management assessed the effectiveness of the company’s internal control over financial reporting as of December 31, In making this assessment, it used the criteria set forth by COSO in its report Internal Control – Integrated Framework. Based on our assessment, we believe that, as of December 31, 2006, the company’s internal control over financial reporting is effective based on those criteria.
Sample Management Report on Internal Controls, cont. Dutch Brothers’ independent auditors have issued an audit report on our assessment of the company’s internal control over financial reporting. This report appears on the following page. January 31, 2007 Jim Reed, CEO Kristina Frankenburger, CFO
PCAOB Auditing Standard #2 An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements. The auditor’s objective is to express an opinion on management’s assessment of the effectiveness of the company’s internal control over financial reporting. Reporting on Internal Controls
PCAOB Auditing Standard #2 The auditor’s report on internal controls includes two opinions: an opinion on whether management’s assessment of the effectiveness of internal controls over financial reporting as of the end of the fiscal period is fairly stated, in all material respects; whether the company maintained, in all material respects, effective internal control over financial reporting as of the specified date. Reporting on Internal Controls
PCAOB Auditing Standard #2 To issue a clean opinion on internal controls, two conditions must be met: No material weaknesses were identified A material weakness results in an adverse opinion. There were no restrictions on the auditor’s scope A scope restriction results in a qualified opinion or a disclaimer of opinion. Reporting on Internal Controls
PCAOB Auditing Standard #2 Significant deficiencies and material weaknesses must be communicated to the company’s Audit Committee. Lesser internal control weaknesses are communicated in a separate letter, called a Management Letter, or a Letter of Recommendations. Management Letters were generally issued prior to SOX, and are still used for nonpublic companies. Reporting on Internal Controls