For most public companies above a size threshold, an external auditor audits internal control over financial reporting and issues an opinion on it. The governing standard is PCAOB AS 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements. The audit is integrated: the same auditor opines on both the financial statements and ICFR, using a top-down, risk-based approach to focus testing on the controls over the accounts and assertions that matter most. Management's own assessment under Section 404(a) is separate from, and tested by, the auditor's 404(b) opinion.
SOX created two assessments of internal control, not one. Management assesses ICFR and the external auditor, for companies above a size threshold, audits it. The auditor's work is governed by a single standard and a particular method. This guide covers PCAOB AS 2201, the integrated audit, the top-down approach, how management's assessment and the auditor's opinion differ, and how a material weakness is reported.
404(a) versus 404(b)
Section 404(a) requires management to assess and report on the effectiveness of ICFR. Section 404(b) requires the external auditor to attest to and report on ICFR, and it applies to accelerated and large accelerated filers, not to smaller reporting companies. The two are distinct: management forms its own conclusion, and the auditor forms an independent one. The auditor does not simply accept management's assessment; it tests the controls itself.
The standard: PCAOB AS 2201
The auditor's audit of ICFR is governed by PCAOB AS 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements. Integrated means the ICFR audit and the financial-statement audit are performed together by the same auditor, with the evidence from each informing the other. The objective is an opinion on whether the company maintained, in all material respects, effective internal control over financial reporting as of the reporting date.
The top-down, risk-based approach
AS 2201 directs the auditor to start at the financial statements and work down, rather than testing every control. The sequence concentrates effort where misstatement risk is highest.
- Start at the financial statements and entity-level controls. Begin with the risks to the financial statements as a whole and the controls that operate broadly.
- Identify significant accounts and disclosures and their relevant assertions. Focus on the accounts where a material misstatement could occur.
- Follow the risk to the controls that address it. Select for testing the controls that address the assessed risks of material misstatement, including a walkthrough of the significant processes.
- Test design and operating effectiveness. Evaluate whether the selected controls are designed to prevent or detect misstatement and whether they operated over the period.
How a deficiency is reported
The auditor classifies control deficiencies by severity, on the same scale management uses. A deficiency is a shortcoming in the design or operation of a control. A significant deficiency is a deficiency, or combination of deficiencies, that is less severe than a material weakness but important enough to merit the attention of those responsible for oversight of financial reporting. A material weakness is a deficiency, or combination of deficiencies, such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis. A material weakness that exists at the reporting date results in an adverse opinion on ICFR.
How the auditor works through it
Step 1: Start at the financial statements and entity-level controls
Begin with the risks to the financial statements as a whole and the controls that operate broadly across the company.
Step 2: Identify significant accounts and relevant assertions
Focus on the accounts and disclosures where a material misstatement could occur, and the assertions that matter for each.
Step 3: Follow the risk to the controls
Select for testing the controls that address the assessed risks of material misstatement, with walkthroughs of the significant processes.
Step 4: Test design and operating effectiveness
Evaluate whether the selected controls are designed to prevent or detect misstatement and whether they operated over the period.
Step 5: Form an opinion on ICFR
Conclude whether the company maintained, in all material respects, effective internal control over financial reporting as of the reporting date.
Where it goes wrong
- Management relies on the auditor. Management treats the auditor's testing as its 404(a) assessment, rather than forming and supporting its own conclusion.
- Scope not tied to risk. Testing spreads evenly instead of following the top-down approach to the accounts and assertions that matter.
- Deficiencies misclassified. A material weakness is reported as a significant deficiency, understating the severity and the required disclosure.
The ICFR audit is the external, independent test of the control environment management is responsible for. For the wider regime, see the SOX compliance guide and the SOX glossary; for the scoping that precedes it, see the SOX ICFR risk assessment guide.
Primary sources
- PCAOB AS 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements: the auditing standard governing the external auditor's audit of ICFR integrated with the financial-statement audit.
- Sarbanes-Oxley Act Section 404(b): the external auditor's attestation on management's assessment of internal control over financial reporting, required of accelerated and large accelerated filers.
- COSO Internal Control - Integrated Framework: the internal-control framework most issuers use to evaluate the design and operating effectiveness of ICFR.