Reporting on Internal Control Over Financial Reporting

By Abdel M. Agami

E-mail Story
Print Story
NOVEMBER 2006 - In the wake of the business failures and corporate scandals that began with Enron in 2001, the U.S. Congress passed the Sarbanes-Oxley Act of 2002 (SOX). The objective of SOX was to introduce corporate governance reforms aimed at restoring investors’ confidence in the capital markets. SOX created the Public Company Accounting Oversight Board (PCAOB) and gave it the power to establish auditing, quality-control, ethics, and independence standards; enforce compliance with these standards; inspect the extent to which each registered public accounting firm adheres to SOX; and submit an annual report to the SEC as to SOX compliance.

Section 404 of SOX requires management to assess the effectiveness of its internal control over financial reporting (ICOFR) as of the company’s fiscal year-end, and requires the independent auditor to report on management’s assessment and on the effectiveness of the company’s ICOFR. Even though internal control system review has always been an important component of an external audit, the requirement of formal reports by both management and the auditor is new.

Many companies, especially small companies and foreign private issuers, have complained that, in addition to the huge implementation costs of SOX, guidance for management to apply when discharging its responsibilities is lacking. They have stressed that they need additional guidance about identifying an internal control deficiency, deciding on the significance of a deficiency, and defining what comprises a material weakness in the internal control system. They have also had questions about how the existence of material weakness in the internal control system affects the auditor’s report on ICOFR, the company’s financial statements, and the capital markets’ reaction to the existence of material weakness in ICOFR.

Evaluation of ICOFR

In its Auditing Standard 2 (AS 2), the PCAOB defined ICOFR as a process designed by management to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP. ICOFR is a subset of internal control specific to financial reporting objectives. It does not encompass the elements that relate to the effectiveness and efficiency of a company’s operations or a company’s compliance with applicable laws and regulations, with the exception of compliance with the applicable laws and regulations directly related to the preparation of financial statements.

The PCAOB’s definition requires ICOFR to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements. Reasonable assurance represents a high level of assurance, but it is not absolute. It recognizes that, even when ICOFR is effective, misstatements may occur, being neither prevented nor detected on a timely basis.

In deciding whether the ICOFR is effective, AS 2 requires that a company’s management and its independent auditor consider the likelihood and magnitude of a potential misstatement. As Exhibit 1 shows, when an internal control deficiency is identified, management and the auditor should decide whether this deficiency is a significant deficiency or whether it is a material weakness in ICOFR. If the likelihood of a misstatement is more than remote and its magnitude is more than inconsequential but less than material, the control deficiency is deemed to be significant. If the control deficiency’s likelihood of causing a material misstatement is more than remote, it is considered a material weakness in the ICOFR.

The PCAOB requires that management and auditors base their assessment of the effectiveness of the company’s ICOFR on a suitable, recognized control framework. AS 2’s performance and reporting directions are based on the 1992 framework published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, “Internal Control—Integrated Framework.” Most companies have adopted the COSO internal control framework as a basis for their assessment of ICOFR; however, many companies are using the Control Objectives for Information and Related Technology (COBIT) framework as the basis for assessing control for their information system management.

Reports on ICOFR

If a material weakness in ICOFR exists, management and the auditor must conclude that ICOFR is not effective. All identified material weaknesses that exist at year-end must be disclosed in the reports on ICOFR. Deficiencies that are less than material weaknesses are required to be disclosed to the audit committee or the board of directors, and management may disclose them in its report on ICOFR.

The SEC requires management to disclose the following information in its report on ICOFR:

  • A statement of management’s responsibility for establishing and maintaining adequate ICOFR;
  • A statement identifying the framework used by management to evaluate the effectiveness of ICOFR;
  • Management’s assessment of the effectiveness of the company’s ICOFR as of the end of its most recent fiscal year, including an explicit statement as to whether that control is effective, and disclosure of any material weakness identified;
  • A statement that the registered public accounting firm that audited the financial statements has also issued an attestation report on management’s internal control assessment.

Exhibit 2 illustrates the different types of ICOFR reports, the circumstances under which each type is required, and the information to be included in the report.

The auditor’s report on ICOFR includes two opinions:

  • Management’s assessment of the effectiveness of ICOFR; and
  • The auditor’s independent assessment of the effectiveness of the company’s ICOFR.

As Exhibit 3 illustrates, the auditor will issue an unqualified opinion on management’s assessment of the effectiveness of ICOFR under two circumstances:

  • If the auditor did not find material weakness in ICOFR; or
  • If the auditor and management have both identified material weakness in ICOFR.

On the other hand, if the auditor found material weakness in ICOFR and management did not, the auditor must issue an adverse opinion on management’s assessment of the effectiveness of ICOFR.

The auditor must also report on its independent assessment of the effectiveness on ICOFR. The auditor may issue one of three opinions, depending on this assessment:

  • An unqualified opinion on the assessment of the effectiveness of ICOFR if there were no material weaknesses in ICOFR, or ICOFR was effective;
  • An adverse opinion on the assessment of the effectiveness of ICOFR if there are one or more material weaknesses in ICOFR; or
  • A disclaimer if management has in any way restricted the auditor’s scope of work needed to assess the effectiveness of ICOFR.

Impact on the Auditor’s Report

A company can receive an unqualified (clean) opinion on its financial statements from an independent auditor even if management or the auditor identifies a material weakness in ICOFR. If a material weakness in ICOFR is found, management and the auditor should take the necessary steps to compensate for the material weakness in the financial statement preparation process by expanding the scope of testing account balances or altering the audit approach and procedures in the area of weakness. If, after expanding the scope of the audit, the auditor can conclude that the financial statements are fairly stated, the auditor may issue an unqualified opinion on the financial statements.

Impact on Capital Markets

In many corporations management is concerned with how the capital markets would react to the report, by management, the independent auditor, or both, of material weakness in ICOFR. An article in the Wall Street Journal on November 3, 2004, discussed management concerns about a reaction to the reporting of material weakness in ICOFR on the stock market. According to this article, the stock prices of companies that disclosed material weakness in ICOFR experienced declines of 5% to 10%. A study by the Stanford Law School, sponsored by Financial Executives International (www.fei.org), which looked at 141 companies that disclosed material weakness in ICOFR between November 2003 and October 2004, found that companies which gave detailed disclosures regarding the material weakness in their ICOFR experienced less of a decrease in stock price than those that did not.

In October 2004, Moody’s published Section 404 Reports on Internal Control on Ratings. In this report, Moody’s distinguished between material weaknesses in control over specific account balances, which it calls Category A weakness, and material weaknesses in company-level control such as weaknesses in the control environment or the financial reporting process, which it calls Category B weakness. Moody’s indicated that it would give companies that disclose Category A material weaknesses the benefit of the doubt and not take any rating action, assuming management takes corrective action to remedy the material weakness in a timely manner. On the other hand, Category B material weaknesses may result in a referral of the case to a rating committee for the purpose of determining whether a rating action is needed.


Abdel M. Agami, PhD, CPA, is a professor of accounting at the American University in Cairo, Cairo, Egypt.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs. Legal Notices