May 17, 2008
 
 
  SOX Section 404: Responding to an Adverse Report-A Checklist for the Audit Committee
 

By AICPA Staff. Copyright © 2005 by American Institute of Certified Public Accountants, Inc., New York, NY 10036-8775

PURPOSE OF THIS TOOL: This tool is designed to educate the audit committee of a company that has received an adverse report on the effectiveness of its internal control over financial reporting. The first half educates the audit committee about the internal control evaluation requirements; the second half includes steps the audit committee should take if faced with this situation. See also the tool Internal Control: A Tool for the Audit Committee in the toolkit.


Special Year 1 Information: On November 30, 2004, the Securities and Exchange Commission (SEC) granted temporary relief to companies with (1) a public equity float of less than $700 million at the end of its second quarter of 2004, and (2) a fiscal year ending between November 15, 2004, and February 28, 2005, in the form of an additional 45 days to complete and file their Section 404 internal control report with the SEC. The companies that have been granted this temporary relief are still required to file their audited financial statements within 75 days of their fiscal year ends.

On March 2, 2005, the SEC further extended the compliance dates for nonaccelerated filers and foreign private issuers. Under this extension, nonaccelerated filers and foreign private issuers must begin to comply with the internal control over financial reporting requirements for their first fiscal year ending on or after July 15, 2006. This is a one-year extension from the previously established July 15, 2005, compliance date for nonaccelerated filers and foreign private issuers. See Final Rule Release No. 33-8545.

Background

The Sarbanes-Oxley Act of 2002 (SOX) introduced a requirement for management to (1) state its responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting and (2) make an assessment, as of the end of the most recent fiscal year, of the effectiveness of the internal control structure and procedures for financial reporting. Further, the independent auditor that prepares or issues the audit report on financial statements must attest to, and report on, management’s assessment. SOX instructed the SEC to issue final rules to implement Section 404.

As required, the SEC issued final rules for management and the independent auditor to comply with this SOX requirement, which is often referred to by its location within SOX as “Section 404.” The final rules are available on the SEC Web site at http://www.sec.gov/rules/final/33-8238.htm.

It is important to know that the rules surrounding Section 404 come from different sources depending on the perspective of the involved party (management or the independent auditor). The nature and form of management’s assessment is specified by the SEC, through its final rule noted above. The role of the independent auditor in its review of management’s assessment of internal controls and its own assessment of the effectiveness of management’s assessment is specified by Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 2 (AS 2). The PCAOB Standard can be found at http://www.pcaobus.org/Rules_of_the_Board/Documents/Rules_of_the_Board/Auditing_Standard_2.pdf.

Based on management’s assessment of the effectiveness of its internal control over financial reporting, the final outcome of the independent auditor’s report on this process should come as no surprise to the audit committee. The audit committee needs to be advised and regularly updated on management’s review of internal controls, and should have a clear understanding of the expected outcome. In the event the auditor issues an adverse report, management should already have a plan in place to correct the weakness(es), and the audit committee should already be engaged in review and approval of that plan. Before getting that far, however, the audit committee should have an understanding of the requirements of SOX Section 404, the implementing rules from the SEC, and the related auditing standards from the PCAOB. Following are some key concepts that will contribute to that understanding:

  1. Management must base its assessment of internal control using a comprehensive framework such as the COSO Integrated Framework on Internal Control, which includes five components: (1) control environment; (2) risk assessment; (3) control activities; (4) information and communication; and (5) monitoring. (See Internal Control: A Tool for the Audit Committee in this Toolkit.)
  2. If a material weakness is found by management, its report cannot conclude that internal control is effective.
  3. The auditor must include two opinions: (1) an opinion on the effectiveness of internal control over financial reporting and (2) an opinion on management's assessment of internal control.
  4. The more extensive and reliable management's assessment, the less extensive and costly the auditor's work needs to be. The auditor's review of management's documentation of the system is a major component in evaluating the internal control assessment performed by management.
  5. An auditor can only audit internal control in conjunction with the audit of financial statements. However, PCAOB issued an exposure draft on March 31, 2005, that could permit an auditor to report on the company's elimination of a material weakness. Such reporting would be a separate engagement between the company and the independent auditor. (See box titled "PCAOB Exposure Draft" at the end of this section.)
  6. Both audits must be performed by the same auditor.
  7. The auditor must form an opinion on the effectiveness of the internal control structure and whether deficiencies exist.
  8. The auditor is permitted to express an unqualified opinion on effectiveness only if enough testing was done and no material weaknesses were found. If there was not enough testing done, the auditor can either qualify or disclaim an opinion, but must explain why.
  9. All deficiencies must be reported in writing to management.
  10. All significant deficiencies and/or all material weaknesses must be reported in writing to the audit committee.
  11. Existence of a material weakness requires an adverse report.
  12. The existence of a material weakness requires the issuance of an adverse report, or a report agreeing with management, if management had also identified the material weakness.
  13. If a material weakness is found by management, the auditor's report could be unqualified with regard to management's assessment - meaning that the auditor is concluding that management's assessment was good because it found the material weakness. At the same time, the auditor's report on internal control would be qualified due to the existence of the material weakness.
  14. If a material weakness is found by the independent auditor and not by management, management might disagree with the finding or the conclusion about it being a material weakness. Implications here could be significant, because the weakness could lead the auditors to conclude that management's process was not effective if management did not discover it. The audit committee needs to be involved if there is a material weakness that management did not discover, and/or if management and the auditor disagree on whether an observation is a material weakness.
  15. If management and the auditor disagree on whether there is a material weakness, the auditor could render an adverse opinion on management's assessment - meaning that the auditor concludes that management's process was not effective because management did not identify the material weakness. In such cases, management and the auditor should address the problem.
  16. In some cases, management might not be able to complete the Section 404 assessment in time for the auditor to meet SEC filing deadlines. SEC rules prohibit management from issuing a report with a scope limitation, so if management cannot complete its testing, its only option is to conclude that internal control over financial reporting is not effective. In these circumstances, the auditors would likely disclaim an opinion both on management's assessment and on the effectiveness of internal control based on a scope limitation. (NOTE: See Additional Resources section of this tool. The document titled "Perspectives on Internal Control Reporting - A Resource for Financial Market Participants" includes as its Table 2: "Most Likely Reporting Scenarios - Internal Control over Financial Reporting" on page 13, which illustrates the point presented here.)

Key Terms:

Control Deficiency: The design or operation of a control that does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

Example: A member of the accounting department has been assigned responsibility to perform reconciliations on all bank accounts on a monthly basis. This person also has responsibility for opening the mail and preparing the daily deposit to the bank. The person’s manager is required to review each reconciliation when completed, but the manager does not consistently sign off on the reconciliation indicating review. Two internal control deficiencies exist here: (1) the lack of segregation of duties because one individual is preparing the cash deposit and reconciling the cash accounts and (2) the lack of documentation of a control because the manager does not evidence review so it is not clear that the review has been performed.

Significant Deficiency: A control deficiency that adversely affects the company’s ability to initiate, record, process, or report external financial data reliably in accordance with generally accepted accounting principles (GAAP).

Alone or with other deficiencies, this type of control deficiency results in more than a remote likelihood that a misstatement of the financials, that is more than inconsequential in amount, will not be prevented or detected.

Example: The company uses a standard sales contract making it necessary for the accounting department to review completed sales contracts for changes to standard shipping terms to assure the proper timing for recognizing revenue from sales. Because the terms are not always reviewed, revenue has been overstated on occasion. It is unlikely that any single sales contract could result in a material overstatement of revenue, and there are controls in place to ensure that material misstatements do not occur. However, a misstatement that is more than inconsequential yet less than material could result, creating a significant deficiency in internal control.

Material Weakness: A significant deficiency that, alone or with others, results in more than a remote likelihood that a material misstatement of the financials will not be prevented or detected.

Examples of weaknesses that would likely be considered material depending on the circumstances include:
  • Ineffective oversight by the audit committee over the external financial reporting process, and the internal controls over financial reporting
  • Material misstatements in the financial statements not initially identified by the company’s internal controls
  • Significant deficiencies that have been communicated to management and the audit committee but that remain uncorrected after a reasonable period of time
  • Restatement of previously issued financial statements to correct a material misstatement
  • For larger, more complex entities, ineffective internal audit functions
  • For complex entities in highly regulated industries, ineffective regulatory compliance function
  • Fraud of any magnitude on the part of senior management
  • An ineffective control environment

Remote Likelihood: Has the same meaning as the term remote used in Financial Accounting Standards Board (FASB) Statement of Financial Accounting Standards No. 5:

  • Probable – The chance of the future event is likely.
  • Reasonably possible – The chance of the future event is more than remote but less than likely.
  • Remote – The chance of the future event is slight.

The likelihood that an event is “more than remote” occurs when it is either reasonably possible or probable that the event will happen.

Additional Resources

A variety of resources have been created to assist the investing community, financial statement preparers, and auditors to understand and consistently apply the implementing rules of SOX Section 404. Following are additional resources you may wish to refer to:

  • The Big 4 public accounting firms (Deloitte & Touche LLP, Ernst & Young LLP, KPMG LLP, and PricewaterhouseCoopers LLP) cooperatively created a document "Perspectives on Internal Control Reporting - A Resource for Financial Market Participants." This document and more is available on the Web at: http://www.s-oxinternalcontrolinfo.com.
  • Another group of firms, including the Big 4 and five others, along with a professor from Georgia State University, created "A Framework for Evaluating Control Exceptions and Deficiencies." The purpose of this framework is to promote consistency in evaluating deficiencies across companies subject to the internal control requirements in SOX Section 404. It is available through the AICPA Center for Public Company Audit Firms at http://cpcaf.aicpa.org.


PCAOB Exposure Draft
On March 31, 2005, the PCAOB unanimously voted to expose for public comment a draft auditing standard that would apply when auditors report on the elimination of a material weakness in a company’s internal control over financial reporting. The proposed standard would establish a voluntary engagement that would be performed at the election of the company.

The draft standard is released for public comment until May 16, 2005, at which time the PCAOB will vote to determine whether to adopt a final standard with or without amendments. Any final standard adopted by the PCAOB will be submitted to the SEC for final approval.

 

Steps the Audit Committee Should Take
If Faced With an Adverse Report on Internal Controls

Instructions for Using This Tool: It is anticipated that some number of publicly traded companies will receive an adverse or disclaimed report from the independent auditors on the results of the review of their internal control structure over financial reporting. In such cases the audit committee and the board of directors will need to take steps to ensure that (1) any weakness(es) in internal control are swiftly corrected and (2) the market is assured that corrective action has been taken. This checklist is intended to help guide the audit committee through such steps.

NOTE: This tool has purposefully been prepared for broad application. No single tool of a practical length could be developed to address all different situations that could cause an adverse report on an organization's internal controls over financial reporting. Audit committees faced with an adverse report should use this tool in the context of deficiencies noted. As with all tools of this type, users must apply their own insight and judgment to the situation to maximize benefits.

Not all material weaknesses are equal, so make sure you understand the weakness(es) giving rise to the adverse report. Meet with the management team, internal auditors, and independent auditors, and understand the issue from each perspective to make fully informed recommendations and decisions.

  1. Management team:
  2. Interview members of the management team about the weakness(es) including the chief financial officer (CFO), controller, and management closer to the situation. You should consider conducting these interviews in an executive session.
    • Who identified the weakness?
      1. Management - As part of its assessment of internal control over financial reporting or otherwise?
      2. Internal audit - As part of a routine audit, or in connection with the review of internal control?
      3. Independent auditors - As part of its review of internal control over financial reporting?
    • What is the nature of the weakness?
    • How long has the weakness been there?
    • What are the implications of the weakness? Could fraud have resulted from this weakness?
    • What other controls are operating in the area that could have provided some coverage of the weakness area?
    • What is management's plan to correct the weakness?
    • Discuss steps to correct the deficiency.

    Explore with the management team how much was known about the weakness(es) when the CEO and CFO made their Section 302 certifications when filing quarterly and annual financial information with the SEC.
    • Consider any implications of these statements in light of the material weaknesses noted.
    • Does any action need to be taken with respect to the previously issued CEO and CFO certifications? (Consider consulting with securities counsel or others with respect to the previously issued certification.)
  3. Chief audit executive:
  4. Discuss the findings with the chief audit executive:
    • Determine whether the internal audit team conducted any recent testing in the area and understand the results of this testing.
    • Was the weakness observed in the past by the internal audit team?
    • Was management responsive to findings and recommendations in the past?
  5. Independent auditor:
  6. Discuss the findings, implications, and recommendations of the weakness with the independent auditor:
    • Consider the need to meet with the independent auditor in executive session.
    • Determine whether the independent auditor's result is consistent with the result of management's assessment of internal controls.

    Collect information from the independent auditor based on his or her knowledge of internal controls and experiences with other clients:
    • Has the weakness been discussed with the company in the past?
    • Is this weakness a result of some unique situation at the company?
    • Is this weakness a result of some unique situation in the industry?
  7. After meeting with the management team, chief audit executive, and independent auditor:
  8. Address whether the weakness(es) could have resulted in an illegal act. Consider the need to conduct a formal investigation in the area to determine if the weakness(es) resulted in an illegal act:
    • Consider the need to engage a forensic accountant/auditor to review the situation if any fraud or illegal activity is suspected.
    • If an illegal act is suspected, refer to the box titled "Special Requirements of Section 10A of the Securities and Exchange Act of 1934" found in the "Restating Financial Statement - Audit Committee Perspective" available in the AICPA Audit Committee Effectiveness Center Web site at www.aicpa.org/audcommctr. (Note: This document is under construction and will be posted to the Web site soon.)

    Consult experts from outside the organization about the weakness(es) and the steps necessary to be taken to correct them.

    Work with management to develop a plan to correct the weakness(es):
    • Identify metrics that can be reported to internal and external parties on the progress being made in correcting the weakness(es).

    Depending on the outcome of the proposed PCAOB Standard (see box titled "PCAOB Exposure Draft" in the preceding section), and, provided the company has successfully corrected its internal control weakness, consider whether to engage the independent auditor to issue a separate report on the elimination of the weakness in internal control over financial reporting.

  9. Additional considerations:
  10. Consider the impact of the adverse report on employees:
    • Educate employees on what the adverse report means, and equally important, what it does not mean.
    • Inform them about the nature of the report and its implications.
    • Keep them informed (to the extent appropriate) about the changes that will be made to correct the weakness(es).

    Consider the need to reassure investors about the findings and corrective actions that have been and need to be taken.

    Consider the need to have a communications program for the business press who might be interested in the company's plans to correct the weakness(es) noted.

    Consider other potential implications of the adverse report, for example, consider whether the adverse report could have an impact on:
    • Compliance with debt covenants.
    • Partnership/alliance agreements.
    • Contracts with suppliers and/or customers.
    • Other parties that could have an interest in the company.

    Prepare management to have discussions with these parties.
