SOX ICFR Audit: The External Auditor's Opinion (PCAOB AS 2201)

The short version

For most public companies above a size threshold, an external auditor audits internal control over financial reporting and issues an opinion on it. The governing standard is PCAOB AS 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements. The audit is integrated: the same auditor opines on both the financial statements and ICFR, using a top-down, risk-based approach to focus testing on the controls over the accounts and assertions that matter most. Management's own assessment under Section 404(a) is separate from, and tested by, the auditor's 404(b) opinion.

SOX created two assessments of internal control, not one. Management assesses ICFR and, for companies above a size threshold, the external auditor audits it. The auditor's work is governed by a single standard and a particular method. This guide covers PCAOB AS 2201, the integrated audit, the top-down approach, how management's assessment and the auditor's opinion differ, and how a material weakness is reported.

404(a) versus 404(b)

Section 404(a) requires management to assess and report on the effectiveness of ICFR. Section 404(b) requires the external auditor to attest to and report on ICFR, and it applies to accelerated and large accelerated filers, not to smaller reporting companies. The two are distinct: management forms its own conclusion, and the auditor forms an independent one. The auditor does not simply accept management's assessment; it tests the controls itself.

The standard: PCAOB AS 2201

The auditor's audit of ICFR is governed by PCAOB AS 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements. Integrated means the ICFR audit and the financial-statement audit are performed together by the same auditor, with the evidence from each informing the other. The objective is an opinion on whether the company maintained, in all material respects, effective internal control over financial reporting as of the reporting date.

The top-down, risk-based approach

AS 2201 directs the auditor to start at the financial statements and work down, rather than testing every control. The sequence concentrates effort where misstatement risk is highest.

How a deficiency is reported

The audit classifies control deficiencies by severity, the same scale management uses. A deficiency is a shortcoming in a control. A significant deficiency is important enough to merit the attention of those responsible for oversight. A material weakness is a deficiency, or combination of deficiencies, such that there is a reasonable possibility a material misstatement will not be prevented or detected on a timely basis. A material weakness that exists at the reporting date results in an adverse opinion on ICFR.

How the auditor works through it

Step 1: Start at the financial statements and entity-level controls

Begin with the risks to the financial statements as a whole and the controls that operate broadly across the company.

Step 2: Identify significant accounts and relevant assertions

Focus on the accounts and disclosures where a material misstatement could occur, and the assertions that matter for each.

Step 3: Follow the risk to the controls

Select for testing the controls that address the assessed risks of material misstatement, with walkthroughs of the significant processes.

Step 4: Test design and operating effectiveness

Evaluate whether the selected controls are designed to prevent or detect misstatement and whether they operated over the period.

Step 5: Form an opinion on ICFR

Conclude whether the company maintained, in all material respects, effective internal control over financial reporting as of the reporting date.

Where it goes wrong

The ICFR audit is the external, independent test of the control environment management is responsible for. For the wider regime, see the SOX compliance guide and the SOX glossary; for the scoping that precedes it, see the SOX ICFR risk assessment guide.

Common questions

What standard governs the SOX ICFR audit?

PCAOB AS 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements. It requires the same auditor to opine on both the financial statements and ICFR, using a top-down, risk-based approach to concentrate testing where misstatement risk is highest.

What is the difference between Section 404(a) and 404(b)?

Section 404(a) requires management to assess and report on the effectiveness of internal control over financial reporting. Section 404(b) requires the external auditor to independently attest to and report on ICFR, and it applies to accelerated and large accelerated filers, not smaller reporting companies. The auditor tests the controls itself rather than accepting management's assessment.

What is a material weakness?

A deficiency, or combination of deficiencies, in internal control over financial reporting such that there is a reasonable possibility a material misstatement of the financial statements will not be prevented or detected on a timely basis. A material weakness that exists at the reporting date results in an adverse opinion on ICFR.

What does a top-down, risk-based approach mean?

Under AS 2201 the auditor starts at the financial statements and entity-level controls, identifies the significant accounts and relevant assertions where a material misstatement could occur, and then tests the controls that address those risks, rather than testing every control in the company.

From the team behind this guide

An ICFR control environment that survives the audit

Compliance Command Center maps the controls to the significant accounts and assertions the auditor will follow under AS 2201, tests design and operating effectiveness, and documents the evidence the integrated audit relies on. Practitioners build it, with a human reviewing every deliverable.