November 21, 2008
 
About the AICPA
Member Service Center
Membership Information
AICPA Mission
Corporate Governance
Understanding the Organization
Frequently Asked Questions
Media Center
People and Places
Jobs at the AICPA
Vision Project
Legal Briefs
Professional Resources
Accounting and Auditing
Accounting and Auditing Technical Help
Accounting Standards
Audit and Attest Standards
Audit Committee Effectiveness Center
Authoritative Standards
Business Reporting Assurance & Advisory Services
Enhanced Business Reporting
GAAP Codification
IFRS
Private Company Financial Reporting
Sarbanes-Oxley Resources
SEC Regulations Committee
XBRL
Tax
Business, Industry, and Government
Financial Management Center
Audit Committee Effectiveness Center
Audit Committee Matching System
Public Accounting Firm Resources
Center for Audit Quality
Employee Benefit Plan Audit Quality Center
Governmental Audit Quality Center
PCPS Firm Practice Center
Small Firm Corner
Peer Review
AICPA Peer Review Program
Peer Review Public File
Center Peer Review Program
Peer Review Transparency
Professional Ethics/Code of Conduct
Code of Conduct
Disciplinary Actions
Professional Ethics
Personal Financial Planning
Forensic and Valuation Services
Information Technology
Antifraud Resource Center
Financial Literacy
Exposure Drafts
CPA Marketing Toolkit
Public Meeting Notices
Conferences, Publications, CPE & the AICPA Library
AICPA Conferences
CPE
Publications
AICPA Library
Magazines and Newsletters
The CPA Letter
Journal of Accountancy
Journal of Accountancy Classified Ads
Newsletters
The Tax Adviser
Weekly News Updates
Copyright Information
Becoming a CPA/Academic Resources
Accounting Education Center
CPA Candidates and Students
Minority Initiatives
Start Here. Go Places.
Career Development and Workplace Issues
What's New
Career Advice
Job Search Tools
Mentoring Guidelines
Women in the Profession
Work-Life Balance
Young CPA Network
Consumer Information
360 Degrees of Financial Literacy
Antifraud Resource Center
Audit Committee Effectiveness Center
Audit Committee Matching System
Disciplinary Actions
Find a CPA
Peer Review Public File
Web Trust
Media Center and Video Library
Media Center
Video Library
Legislative Activities and State Licensing Issues
Congressional and Federal Affairs
Mobility and State Licensing Issues
State News and Info

Home > Professional Resources > Accounting and Auditing > Audit and Attest Standards > Exposure Drafts of Proposed Statements > Proposed Statement on Auditing Standards, Communicating Internal Control Related Matters Identified in an Audit


Proposed Statement on Auditing Standards, Communicating Internal Control Related Matters Identified in an Audit



EXPOSURE DRAFT

Proposed Statement on Auditing Standards, Communicating Internal Control Related Matters Identified in an Audit

Executive Summary

Why Issued and What the Proposed Statement on Auditing Standards Does

This proposed Statement on Auditing Standards (SAS) is being issued to conform the definitions in AU section 325, Communicating Internal Control Related Matters Identified in an Audit (AICPA, Professional Standards, vol. 1), of the various kinds of deficiencies in internal control and the related guidance for evaluating such deficiencies with the definitions and guidance in the proposed Statement on Standards for Attestation Engagements (SSAE), An Examination of an Entity’s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements.That proposed SSAE is being exposed for comment concurrently with this exposure draft. In addition to eliminating differences within the AICPA’s Audit and Attest Standards, the amendment also would align these definitions with those used by the Public Company Accounting Oversight Board and the definitions in an exposure draft of a proposed International Standard on Auditing 265, Communicating Deficiencies in Internal Control, currently being exposed for comment by the International Auditing and Assurance Standards Board.

Requests for Comments on Specific Topics

Although the exposure process is intended to solicit comments or suggestions on any aspect of this proposed SAS, the ASB would appreciate comments on the following matters.

Definition of Significant Deficiency

The definition of the term significant deficiency in extant AU section 325 includes “the likelihood and magnitude of the misstatement that could occur” as criteria for evaluating the severity of a control deficiency. The definition of that term in paragraph 7 of the proposed SAS no longer includes these criteria. The ASB believes that removing these criteria from the definition of significant deficiency will encourage auditors to consider qualitative factors and exercise greater professional judgment in determining what is and is not a significant deficiency, thus enabling auditors to inform management and those charged with governance about matters that better approximate their concerns about internal control. It is not the ASB’s intention to “lower the bar” in terms of what is a significant deficiency, as paragraph 8 makes it clear that the auditor still needs to evaluate magnitude and likelihood when evaluating the severity of any identified deficiency in internal control.

Question 1. Are these changes helpful in evaluating significant deficiencies? If not, how should the definition be amended?

Compensating Controls

Paragraph .54 of AU section 314, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (AICPA, Professional Standards, vol. 1), states that obtaining an understanding of internal control involves evaluating the design of a control and determining whether it has been implemented. Extant AU section 325, however, allows the auditor to consider the effectiveness of a compensating control as a basis for determining whether it mitigates the severity of a control deficiency only if the auditor has tested the operating effectiveness of the compensating control, even if the deficiency was identified while evaluating the design of the entity’s controls and determining whether they were implemented.

The ASB has concluded that the requirement to test the operating effectiveness of compensating controls in order to categorize a control deficiency for the purpose of communicating to management and those charged with governance goes beyond the auditor’s obligation to obtain an understanding of the entity and its environment, including its internal control. Paragraph 14 of the proposed SAS reflects this view and indicates that (1) the auditor is not required to consider the effects of compensating controls for the purpose of communicating significant deficiencies or material weaknesses, and (2) if the auditor decides to consider the effects of compensating controls for this purpose he or she should

  • evaluate the design of the compensating controls to determine whether such controls are capable of preventing the deficiency from rising to the level of a significant deficiency or a material weakness, and
  • determine whether the compensating controls were implemented.

The ASB concluded that the proposed SAS need not provide guidance to the auditor whose strategy entails testing the operating effectiveness of controls because AU section 318, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained (AICPA, Professional Standards, vol. 1), is very clear that an auditor may not rely on a control nor reduce control risk without testing controls.

Question 2. If the auditor identifies an improperly designed control, and is not testing the operating effectiveness of controls as part of the financial statement audit, is it sufficient for the auditor to evaluate the design of a compensating control, determine whether it has been implemented, and use that information as a basis for (1) considering the mitigating effects of the compensating control on the deficiency and (2) categorizing the deficiency for the purpose of communicating to management and those charged with governance?

How the Proposed SAS Affects Existing Standards

This proposed SAS would amend AU section 325.

The document is available below to download as a PDF file. The Adobe Acrobat Reader is needed to view a file in PDF format. The Reader is available as a free download from the Adobe Web site at www.adobe.com/prodindex/acrobat/readstep.html.

To begin downloading, click on the item below with the right-hand mouse button. Choose the "Save Target As" option if using a Microsoft browser. (If using a Netscape browser, choose "Save Link As.") Then, save the file to the appropriate location.

Download the Exposure Draft





















 
To ensure that you can receive email messages from the AICPA, remember to update your member profile. Also, add the AICPA's email domains ("aicpa.org" and "email.aicpa.org") to your Sender Safe List, or contact your IT administrator to update your firm's email software.

©2006-2008 The American Institute of Certified Public Accountants, ISO 9001 Certified
AICPA Privacy Policy and Copyright Information | Jobs at the AICPA | Contact Us
AICPA, 1211 Avenue of the Americas, New York, NY 10036
Trusted Commerce