SARBANES-OXLEY SECTION 404: AN OVERVIEW OF THE PCAOB'S REQUIREMENTS, APRIL 2004
© 2004 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in the U.S.A. 040167
PREFACE
The Public Company Accounting Oversight Board (PCAOB) has approved its Auditing Standard No. 2, "An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements," and submitted the Standard to the Securities and Exchange Commission (SEC) for its approval. KPMG LLP presents this document to assist management of public companies in better understanding the provisions of the PCAOB's Standard and the provisions of section 404 of the Sarbanes-Oxley Act of 2002. This document provides details relating to management's overall responsibilities, including its required assessment and documentation of a public company's internal control over financial reporting. Further, it describes the responsibilities of a public company's independent auditor in performing an audit of internal control over financial reporting in conjunction with an audit of financial statements. Readers should understand that Auditing Standard No. 2 is presently with the SEC for approval and is therefore subject to change before becoming final. Management is responsible for complying with the provisions of the Sarbanes-Oxley Act, and specifically with section 404, and should consult with legal counsel, external auditors, and other professionals in meeting these obligations.
CONTENTS
Executive Summary ... 1
Background ... 8
Management's Responsibilities ... 9
Management's Evaluation ... 10
  Assessment of the Effectiveness of Internal Control Over Financial Reporting ... 10
  Framework Used by Management to Conduct Its Assessment ... 10
  Reasonable versus Absolute Assurance and Inherent Limitations ... 11
  Example Management Assessment Process ... 12
  Plan and Scope the Evaluation ... 12
  Evaluation of IT Controls ... 14
  Multi-Location Considerations ... 14
  Consideration of Outside Service Organizations ... 14
  Document Controls ... 15
  Evaluate Design and Operating Effectiveness ... 16
  Identify, Assess, and Correct Deficiencies ... 17
  Report on Internal Control ... 18
  Coordination with Section 302 of the Sarbanes-Oxley Act of 2002 ... 19
The Audit of Internal Control Over Financial Reporting ... 20
  Auditor's Responsibilities in the Audit of Internal Control Over Financial Reporting ... 21
  Planning ... 21
  Materiality and Fraud Considerations ... 21
  Multi-Location Considerations ... 22
  Evaluating Management's Assessment Process ... 24
  Obtaining an Understanding of Internal Control ... 24
  Evaluating the Effectiveness of the Audit Committee ... 25
  Identifying Significant Account Balances and Disclosures ... 25
  Identifying Relevant Financial Statement Assertions ... 26
  Identifying Significant Processes and Major Classes of Transactions ... 26
  Understanding the Period-End Financial Reporting Process ... 26
  Performing Walkthroughs ... 26
  Identifying Controls to Test ... 27
  Testing and Evaluating Design and Operating Effectiveness ... 27
  Timing of Tests of Controls ... 27
  Using the Work of Others ... 28
  Forming an Opinion ... 29
  Required Communications of Deficiencies ... 29
  Relationship of the Audit of ICOFR to an Audit of Financial Statements ... 29
Beyond Compliance ... 30
Appendixes
  Appendix A: Sample Auditor's Report ... 33
  Appendix B: Management's Report ... 35
  Appendix C: Reference Sources ... 37
EXECUTIVE SUMMARY
The Public Company Accounting Oversight Board (PCAOB or the Board) has recently approved Auditing Standard No. 2. The time for compliance is drawing near, and the Securities and Exchange Commission is expected to move rapidly in approving a final Standard. All parties responsible for implementation should now be well along in their preparation and feeling a keen sense of urgency. Implementation will be effective only if all responsible parties view the requirements through a similar lens. KPMG presents this summary to emphasize the importance of a common understanding between companies and their external auditors and to highlight what we see as the most likely areas where questions may remain.
The credibility of public company financial reporting has been sharply questioned by a string of corporate reporting scandals that began with the collapse of a number of major corporations in late 2001. The results shook the financial markets and severely eroded investor confidence in the information being reported by companies with publicly traded securities. These historic events led to a number of proposals to improve the financial reporting process and restore investor confidence in the U.S. financial markets. Congress responded with the passage of the Sarbanes-Oxley Act of 2002 (the Act). When President George W. Bush signed the Act into law, he characterized it as "the most far reaching reforms of American business practices since the time of Franklin Delano Roosevelt." The Act clearly represents the most significant change in reporting for U.S. publicly traded companies since the Securities Acts of 1933 and 1934. In addition, the Act has unprecedented reach both within the United States and internationally for foreign SEC registrants. It is aimed at restoring public confidence and protecting the public interest, as well as improving the integrity of financial reporting, the foundation on which the U.S. capital markets system is built and thrives.
The passage of this Act represents a significant change in both management's reporting responsibilities and the scope and nature of the responsibilities of the independent auditor. Management is now required to both assess and report on the effectiveness of internal control over financial reporting, and the auditor is required to audit and report on the effectiveness of internal control over financial reporting, including management's assessment process. As a result, auditors will be evaluating and testing a company's internal control in a different light and in greater depth. The overall goal of these new requirements is to strengthen internal control over financial reporting, provide more reliable information to investors, and renew investor confidence in the U.S. capital markets. This document contains a general discussion only of the matters included and should not be relied on as advice for any particular company, since no consideration is given to individual facts and circumstances, which vary greatly from company to company.
A MANAGEMENT PERSPECTIVE ON THE IMPACT OF THE SARBANES-OXLEY ACT
In late 2003, KPMG set out to understand how senior executives from a cross-section of industries perceived the impact of the legislation. During a two-month period beginning in October, we conducted 175 interviews with CEOs and CFOs across a variety of industries, asking them for their opinions on various aspects of the Act. Nearly seven in 10 (68 percent) of the respondents said they believe the Act has boosted investor confidence in corporate America. Most (58 percent) said they believe the Act represents important regulatory legislation, with an additional 29 percent perceiving it as landmark.
[Chart: "Do you believe that the Sarbanes-Oxley Act has helped boost investor confidence in corporate America?" Yes 68%, No 7%, Not sure 25%. Source: KPMG LLP, 2004]
Interestingly, these executives, representing the financial services, consumer and industrial products, healthcare and public services, and information, communication, and entertainment industries, also said significant challenges relating to the Act still lay ahead. Although nearly all respondents (97 percent) reported being on or ahead of schedule with Sarbanes-Oxley readiness, less than a third of them (31 percent) said they have completed more than half of the section 404 preparation. The group identified two areas where they had the most challenges: documentation and testing of internal controls.
[Chart: "Which of the following best describes your enterprise's current state of Sarbanes-Oxley 404 readiness?" Significantly ahead of schedule 7%, Ahead of schedule 24% (31% ahead of schedule in total), On schedule 66%, Behind schedule or significantly behind schedule 3% in total. Source: KPMG LLP, 2004]
[Chart: "Which of the following best describes your perspective on Sarbanes-Oxley?" Landmark legislation 29%, Important regulatory legislation 58%, Interim solution 10%, Undecided 3%. Source: KPMG LLP, 2004]
MANAGEMENT'S RESPONSIBILITIES
Compliance obligations for publicly traded companies have significantly increased as a result of the Act. Management has a responsibility to report reliable information to public investors and should discuss fulfilling its responsibility under the Act with its attorneys and other advisers. For the auditor to satisfactorily complete an audit of internal control over financial reporting, management must fulfill a number of important responsibilities, including:
- Accepting responsibility for the effectiveness of the company's internal control over financial reporting
- Evaluating the effectiveness of the company's internal control over financial reporting using suitable control criteria (e.g., the COSO (Committee of Sponsoring Organizations of the Treadway Commission) criteria)
- Supporting its evaluation with sufficient evidence, including documentation
- Presenting a written assessment about the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year
If the auditor concludes that management has not fulfilled these responsibilities, the auditor should communicate, in writing, to management and the audit committee that the audit of internal control over financial reporting cannot be satisfactorily completed and must disclaim an opinion.
MANAGEMENT'S ASSESSMENT PROCESS
The process that management undertakes in its assessment should include determining which controls should be tested, evaluating the likelihood that failure of a control could result in a material misstatement, and determining the locations or business units to include in the evaluation, if the company has multiple locations or business units. Management also should evaluate the design and operating effectiveness of internal control over financial reporting and document the results of the evaluation.
This process ordinarily would be considered incomplete unless it extended to controls over all relevant assertions (for example, existence and valuation of accounts receivable) related to all significant accounts and disclosures. As part of its assessment, management determines whether identified deficiencies in design or operating effectiveness, individually or in combination, constitute significant deficiencies or material weaknesses. Management then communicates these findings to the auditor and others, if applicable, and evaluates whether those findings are reasonable and support its assessment.
ASSESSMENT ENHANCES INTERNAL CONTROL
As companies develop processes to assist management in its annual internal control assessment under section 404 of the Act and its annual and quarterly certifications under section 302, the process should result in a continuous strengthening of internal controls. Effective internal control over financial reporting is essential for a company to effectively manage its affairs and to fulfill its obligation to its investors. A company's management and its owners, public investors and others, must be able to rely on the financial information reported by companies to make decisions.
DOCUMENTATION SUPPORTING MANAGEMENT'S ASSESSMENT
Documentation that provides reasonable support for management's assessment of the effectiveness of internal control over financial reporting includes, but is not limited to:
- The design of controls over relevant assertions related to all significant accounts and disclosures in the financial statements
- Information about how significant transactions are initiated, authorized, recorded, processed, and reported
- Enough information about the flow of transactions to identify where material misstatements due to error or fraud could occur
- Controls designed to prevent or detect fraud, including who performs the controls and the related segregation of duties
- Controls over the period-end financial reporting process
- Controls over safeguarding of assets
- The results of management's testing and evaluation
INTERNAL CONTROL AUDIT AND FINANCIAL STATEMENT AUDIT: THE IMPORTANCE OF INTEGRATED ACTIVITIES
At its core, section 404 of the Act emphasizes the need of investors to have confidence not only in the financial reports issued by a company but also in the underlying processes and controls that are an integral part of producing those reports. The Board recognizes the relationship between the audit of internal control over financial reporting and the audit of the financial statements, and that the two should be viewed by auditors as integrated activities. The PCAOB concluded that the existing Standard governing an auditor's attestation on internal control was insufficient in addressing the requirements of section 404 of the Act. These integrated activities address both the work that is required to audit internal control over financial reporting and the relationship of that audit to the audit of the financial statements. An understanding of the concept of integrated activities requires a common definition of the terms "internal control" and "internal control over financial reporting" as used in the context of the Standard.
Internal control is a process designed to provide reasonable assurance regarding the achievement of a company's objectives in the areas of financial reporting reliability, operating efficiency and effectiveness, and compliance with applicable laws and regulations. Internal control over financial reporting consists of a company's policies and procedures that are designed and operated to provide reasonable assurance (that is, a high but not absolute level of assurance) about both the reliability of a company's financial reporting and its process for preparing and fairly presenting financial statements. Internal control over financial reporting includes policies and procedures that pertain to the maintenance of accounting records, the authorization of receipts and disbursements, and the safeguarding of assets.
DIRECT EVIDENCE
For auditors to form an opinion on the effectiveness of a company's internal control over financial reporting, the auditor must obtain direct evidence relating to the effectiveness of internal control over financial reporting. That means an auditor may not form an opinion on effectiveness solely by evaluating management's process for concluding on control effectiveness. Additionally, in concluding on operating effectiveness, the auditor needs to personally perform enough of the testing so that their work provides the principal evidence for their opinion. The PCAOB reasons that without direct evidence of control effectiveness, the auditor would not have a sufficiently high level of assurance that management's conclusion is correct. Further, the auditor also must evaluate the adequacy of management's documentation of the design of internal controls and of its assessment of internal control effectiveness. The Standard provides the auditor with criteria to use in evaluating the adequacy of management's documentation. Inadequate documentation is considered an internal control deficiency.
LIMITATIONS
Regardless of how well any system of internal control over financial reporting is designed and operating, it cannot provide absolute assurance of achieving financial reporting objectives because of inherent limitations. These inherent limitations exist because internal control over financial reporting is a process that involves human diligence and compliance and is subject to lapses in judgment and breakdowns resulting from human failures. Consequently, controls can be intentionally or unintentionally circumvented.
MAJOR ISSUES COMPANIES ARE FACING REGARDING MANAGEMENT'S ASSESSMENT FOR SECTION 404 COMPLIANCE
As part of the fall 2003 survey conducted by KPMG, 175 executives were asked the following question: "What are the major issues you are facing regarding the work for management's assessment in connection with Sarbanes-Oxley 404 compliance?" Here is a sampling of their responses:
- "A lot of extra paperwork and clarification while trying to balance the workload."
- "Additional disclosure requirements, review of document retention policies."
- "[The need for] Clarity for what is required to do for SOX."
- "Ensuring that any gaps are covered."
- "Definition of [what constitutes] significant controls."
- "Going through system implementation; on top of changes of control structure."
PCAOB Chief Auditor and Director of Professional Standards Douglas R. Carmichael, on the issue of concerns being expressed by public companies that the costs of compliance with Sarbanes-Oxley outweigh its benefits:
The greatest cost should be incurred the first time through for many reasons. Because it is the first time, and companies and auditors will be doing things they have never done before, the wise people will be erring on the side of doing too much rather than doing too little. All that will result in the first-year costs probably being the most significant, and it should be reduced in subsequent years. However, companies still need to do enough [to satisfy] the standard.
Each year needs to stand on its own. You can't say it was good last year, so it must be good this year. However, having done the work the year before, the focus is on updating your understanding and on the changes.
(BNA, Securities Regulation & Law Report, February 9, 2004)
WHAT'S DIFFERENT IN THE FINAL PCAOB STANDARD AS COMPARED WITH THE PROPOSED STANDARD?
Highlights of the most significant changes to the final Standard are outlined below and discussed in more detail throughout the document. Appendix E of Standard No. 2 discusses the rationale for the changes and the conclusions reached by the Board.
USING THE WORK OF OTHERS
The Board decided to change the provisions in the Proposed Standard regarding using the work of others. The Proposed Standard presented a three-bucket approach to using the work of others: areas where audit evidence was required to be derived solely from the independent auditor's own work, areas where use of others' work was limited, and areas without specific limitation. Standard No. 2 revises the categories of controls by focusing on the nature of the controls being tested and evaluating the competence and objectivity of the individuals performing the work. This change generally should result in the auditor exercising their judgment to a greater degree than under the provisions of the Proposed Standard.
EVALUATION OF THE AUDIT COMMITTEE'S EFFECTIVENESS
The Proposed Standard required the auditor to evaluate the effectiveness of the audit committee's oversight of the external financial reporting process and the internal control over financial reporting. Although this concept was retained in Standard No. 2, it was clarified to emphasize that the auditor's evaluation of the audit committee is not required to be a separate evaluation. Instead, it should be made as part of the evaluation of the control environment and monitoring components of internal control over financial reporting. Standard No. 2 explicitly acknowledges that the board of directors is responsible for evaluating the effectiveness of the audit committee. In addition, the Board concluded that, if the auditor determines that the audit committee's oversight is ineffective, the auditor should communicate the findings to the full board of directors. The Board also deleted certain factors that addressed compliance with listing standards and sections of the Act.
WALKTHROUGHS
The Proposed Standard included a requirement that the auditor perform walkthroughs for all of the company's significant processes. The Board decided in Standard No. 2 that the scope of transactions subjected to walkthroughs should be more narrowly defined. As a result, the scope of transactions for which auditors are required to perform walkthroughs pursuant to Standard No. 2 was narrowed by replacing the words "all types of transactions" with "major classes of transactions."
AUDITOR'S REPORT
The Proposed Standard required that the auditor's opinion state whether management's assessment of the effectiveness of the company's internal control over financial reporting, as of the specified date, is fairly stated, in all material respects, based on control criteria. The Board concluded that the expression of two opinions, one on management's assessment and one on the effectiveness of internal control over financial reporting, is a superior approach to the concept of one opinion on these elements.
DEFINITIONS OF SIGNIFICANT DEFICIENCY AND MATERIAL WEAKNESS
The definitions of what constitutes a significant deficiency and a material weakness have not changed. However, the Board clarified the term "inconsequential" with the following definition: A misstatement is inconsequential if a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when aggregated with other misstatements, would clearly be immaterial to the financial statements.
If a reasonable person could not reach such a conclusion regarding a particular misstatement, that misstatement is more than inconsequential. The list of significant deficiencies and strong indicators of material weaknesses was retained and now also includes an ineffective control environment.
SMALL AND MEDIUM-SIZED COMPANY CONSIDERATIONS
The Proposed Standard discussed small and medium-sized company considerations in its Appendix E. That discussion was removed in the final Standard and replaced with a reference to the existing COSO guidance already tailored to small and medium-sized company considerations. Standard No. 2 clearly emphasizes that, while cost-benefit concerns were considered, the Board recognizes that this exercise will be burdensome in many instances, particularly for some small and medium-sized companies. However, the expected benefits to investors of improved internal control over financial reporting are warranted. The Board recognized that this Standard must appropriately balance the cost to implement the Standard's directions with the benefits of achieving these important goals. As a result, all the Board's decisions about this Standard were guided by the additional objective of creating a rational relationship between costs and benefits. Investors further recognized that this kind of assurance would come at a price and expressed their belief that the cost of the anticipated benefits was reasonable.
NEXT STEPS
Management should take time to study Standard No. 2 to facilitate a better understanding of their company's state of readiness and to better prepare for their respective reporting deadline. The remaining sections of this document present additional details to the discussion above. Executives would be well served to assign resources in their organization to become familiar with the details of the PCAOB's Auditing Standard No. 2 and with our additional thoughts presented below. Relying solely on the Executive Summary could result in an incomplete understanding of the PCAOB's positions expressed in Standard No. 2. It should be understood that management is responsible for complying with the provisions of the Sarbanes-Oxley Act of 2002, and specifically with section 404.
KPMG LLP
BACKGROUND
In July 2002 the president signed the Sarbanes-Oxley Act of 2002 into law. The Act came in response to a string of corporate scandals, including the collapse of a number of businesses, that negatively affected the confidence of investors in the capital markets of the United States. The Act created the Public Company Accounting Oversight Board, a quasi-governmental agency that oversees the audits of public companies, intending to protect the interests of investors and other users of an issuer's financial statements. The Board, which is subject to SEC oversight, is empowered to establish auditing standards for public company audits, inspect accounting firms that audit public companies, investigate possible rule violations, and sanction violators.
Section 404 of the Act has two parts:
- Section 404(a) describes management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting. It also outlines management's responsibility for assessing the effectiveness of internal control over financial reporting.
- Section 404(b) describes the independent auditor's responsibility for attesting to and reporting on management's internal control assessment.
In passing the Act, Congress reasoned that the restoration of investors' trust in public companies would depend on demanding that public companies possess strong internal controls over financial reporting. Section 404 of the Act requires that management first assess the effectiveness of the company's internal control over financial reporting (ICOFR) and then report on that assessment at the close of its fiscal year. The Act also requires a company's external auditor to attest to and report on the assessment made by management.
MANAGEMENT'S RESPONSIBILITIES
Section 404 of the Act describes management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting. It also outlines management's responsibility for assessing the effectiveness of the company's ICOFR, and requires that the company's external auditors attest to management's assessment. Under Standard No. 2, management must:
- Accept responsibility for the effectiveness of the company's ICOFR
- Evaluate the effectiveness of the company's ICOFR using suitable control criteria (e.g., the COSO criteria, defined below)
- Support the evaluation with sufficient evidence, including documentation of the design of controls related to all relevant assertions for its significant financial statement accounts and disclosures
- Present a written assessment of the effectiveness of the company's ICOFR as of the end of the company's most recent fiscal year
If management has not fulfilled its responsibilities as noted above, the auditor is required to issue a disclaimer of opinion. Management should fulfill its responsibilities by undertaking a comprehensive approach that includes thorough planning and evaluation of its system of internal controls. Once management has identified significant controls, it can document those controls and proceed with testing their effectiveness. Companies should allow sufficient time to complete this process in the event deficiencies are identified. Early identification of deficiencies may give management sufficient time to correct them and to determine the operating effectiveness of the new control.
DEFINITION OF INTERNAL CONTROL OVER FINANCIAL REPORTING
Internal control is defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as "a process effected by an entity's board of directors, management, and other personnel designed to provide reasonable assurance of the achievement of objectives in the following categories: effectiveness and efficiency of operations, compliance with applicable laws and regulations, and reliability of financial reporting." The SEC rules implementing section 404(a) of the Act focus on those objectives related to the reliability of a company's external financial reporting. This subset of internal control is commonly referred to as internal control over financial reporting.
Internal control over financial reporting is defined in Standard No. 2 as a process designed by or under the supervision of the company's principal executive and financial officers, or persons performing similar functions, and effected by the company's board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles (GAAP). It also includes policies and procedures that pertain to maintenance of accounting records, authorization of receipts and disbursements, and safeguarding of assets. For purposes of an audit of internal control over financial reporting, internal control over financial reporting includes controls over the safeguarding of assets and controls related to the prevention or timely detection of unauthorized acquisition, use, or disposition of an entity's assets that could have a material effect on the financial statements. These safeguarding controls are a subset of the broader segment of internal control.
MANAGEMENT'S EVALUATION
ASSESSMENT OF THE EFFECTIVENESS OF INTERNAL CONTROL OVER FINANCIAL REPORTING
Management must maintain sufficient evidence of its assessment of the effectiveness of ICOFR, including documentation. The development and maintenance of such documentation is an important element of effective internal control. The assessment of a company's ICOFR must be based on procedures sufficient to both evaluate design and test operating effectiveness. Controls subject to such assessment include, but are not limited to:
- Controls over initiating, authorizing, recording, processing, and reporting significant account balances and disclosures and related assertions included in the financial statements
- Controls related to the selection and application of accounting policies in accordance with GAAP
- Controls related to the prevention, identification, and detection of fraud
- Controls related to the initiation and processing of nonroutine and non-systematic transactions
The nature of a company's testing activities will depend largely on the circumstances of the company and the significance of the particular control. However, inquiry only generally will not provide an adequate basis for management's determination of operating effectiveness.
UNIQUE SYSTEMS OF INTERNAL CONTROL
COSO recognizes that no two companies will, or should, have the same internal control system. Companies and their internal control needs differ dramatically by industry and size, and by culture and management philosophy. Consequently, each company may take a different approach to implementing internal control. Nevertheless, the internal control principles discussed in this document apply to all companies.
FRAMEWORK USED BY MANAGEMENT TO CONDUCT ITS ASSESSMENT
Management is required to base its assessment on a suitable, recognized control framework established by a body of experts that followed public due-process procedures to develop the framework.
In the United States, the Committee of Sponsoring Organizations of the Treadway Commission has published Internal Control - Integrated Framework, which is commonly used for purposes of management's assessment. Because COSO is expected to be the most frequently used control framework in the United States, the guidance in Standard No. 2 is based on COSO concepts.
A CONCISE DESCRIPTION OF THE FIVE COSO COMPONENTS OF INTERNAL CONTROL OVER FINANCIAL REPORTING
[Figure: the COSO cube, with the objectives Operations, Financial Reporting, and Compliance on one axis and the entity's activities (Activity 1, Activity 2) and units (Unit A, Unit B) on the others. Source: KPMG LLP, 2004]
Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
Risk Assessment: Every entity faces a variety of financial reporting risks from external and internal sources that must be assessed at both the entity and the activity levels. These risks include external and internal events and circumstances that may occur and adversely affect an entity's ability to initiate, record, process, and report financial data consistent with the assertions of management embodied in the financial statements.
Control Activities: Control activities are the policies and procedures that help ensure management directives are carried out. These controls help ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed.
Information and Communication: Pertinent information must be identified, captured, and communicated in a form and time frame that supports all other control components. The quality of system-generated information, including the accounting system and other information technology applications, affects management's ability to make appropriate decisions in controlling the entity's activities and to prepare reliable financial reports.
Monitoring: Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time.
Internal control as defined by COSO consists of a number of interrelated components that are inherent in the way a company is managed. These components include the control environment, risk assessment, control activities, information and communication, and monitoring. COSO provides criteria for evaluating whether internal control is effective based on these components.

Although the five internal control components are applicable to all entities, small and mid-sized organizations may implement them differently than large entities. Controls in a small entity may be less formal and less structured, yet a small company can maintain effective ICOFR. We believe that the underlying concepts regarding ICOFR apply to entities of all sizes. The application of auditing standards in general is subject to auditor judgment and is dependent on a number of factors, including the size and complexity of the particular entity. We believe that Standard No. 2 provides a framework for the audit of ICOFR for all entities, regardless of size.

REASONABLE VERSUS ABSOLUTE ASSURANCE AND INHERENT LIMITATIONS

ICOFR consists of company policies and procedures that are designed and operated to provide reasonable assurance, but not an absolute level of assurance, about the reliability of a company's financial reporting. Management's assessment of the effectiveness of ICOFR is expressed at the level of reasonable assurance. Reasonable assurance includes an understanding that there is a relatively low risk that material misstatements will not be prevented or detected on a timely basis. Although reasonable assurance is not absolute assurance, it provides a high level of assurance.

WHY REASONABLE ASSURANCE AND NOT ABSOLUTE ASSURANCE?

Regardless of how well any system of ICOFR is designed and operating, it cannot provide absolute assurance of achieving financial reporting objectives because of inherent limitations. These inherent limitations exist because ICOFR is a process that involves human diligence and compliance and is subject to lapses in judgment and breakdowns resulting from human failures. Consequently, ICOFR can be circumvented intentionally by collusion or improper management override.

"To ensure financial stability, a company must support the execution of its objectives with rigorous internal controls and effective risk management. An effective internal control apparatus is critical to provide reasonable assurance that the information produced by the organization is timely and reliable and that errors and irregularities are discovered and corrected promptly. Effective risk management is based on a foundation of good corporate governance and rigorous internal controls. Taking calculated risks is part of any business enterprise. That is well understood. At the same time, each company needs to have in place the technical systems and management processes necessary not only to identify the risks associated with its activities but also to effectively measure, monitor, and control them. An effective risk management and control structure is not sufficient, however, if it is not accompanied by an institutional culture that ensures that written policies and procedures are actually translated into practice. Ultimately, a company's culture is determined by the board of directors and the senior management it installs. In particular, the actions of senior management and the consistency of their decisions and behavior with the values and principles they articulate are critical to shaping company culture."

William J. McDonough, Chairman, PCAOB, at the January 14, 2004, meeting of Women in Housing and Finance
EXAMPLE MANAGEMENT ASSESSMENT PROCESS

There are a number of methods a company may choose in developing an approach to fulfill its responsibilities relating to its assessment of ICOFR. The following is an example of one way a company may approach its assessment process:

1. Plan & Scope the Evaluation: Establish internal control evaluation process. Determine significant controls and locations/business units to be included. Define project approach, milestones, timeline, and resources. Launch project.
2. Document Controls: Document design of controls over relevant assertions related to all significant accounts and disclosures.
3. Evaluate Design & Operating Effectiveness: Evaluate design and operating effectiveness of internal control over financial reporting and document results of evaluation.
4. Identify, Assess & Correct Deficiencies: Identify, accumulate, and evaluate design and operating control deficiencies. Communicate findings and correct deficiencies.
5. Report on Internal Control: Prepare written assertion of the effectiveness of internal control over financial reporting.

1 PLAN & SCOPE THE EVALUATION

The process of evaluating the effectiveness of ICOFR may require careful planning due to the complexity and breadth of the control structure within an entity. This evaluation plan may include a process to examine the overall approach to documentation, identification of controls and evaluation procedures, significant milestones, and anticipated time lines. The plan also may include the institution of policies and procedures that will be used in the evaluation process as well as appropriate internal communication processes.

[Chart: As part of the KPMG fall '03 Survey, CEOs and CFOs were asked: Which functions are involved in your Sarbanes-Oxley 404 planning activities? Functions charted: Internal audit, External audit, Legal, IT, Tax operations. Percentages shown, as extracted: 53%, 57%, 60%, 74%, 86%. Source: KPMG LLP, 2004]
Management may identify the team responsible for performing the evaluation. The project may have an executive sponsor, a project manager, and personnel from operations, finance and accounting, human resources, information systems, tax, legal, and internal audit, all of whom should have appropriate skills, knowledge of COSO, and an understanding of controls evaluation. Where necessary, management may consider training programs to supplement existing knowledge.

Among the most important activities in the planning process is one that identifies the controls to be included in the scope of the evaluation. According to the PCAOB, the evaluation should include controls related to all significant accounts and disclosures in the financial statements. Under Standard No. 2, an account is considered significant if there is more than a remote likelihood that it could contain misstatements that individually or when aggregated with others could have a material effect on the financial statements. In practice, we believe this will result in a relatively low threshold over the selection and determination of accounts that are deemed to be significant. A financial statement caption may consist of a number of account balances, the components of which are subject to differing risks or different controls that should be considered separately as potential significant accounts. For example, a financial institution may have several significant account balances within its loan portfolio (e.g., commercial and residential loans). These significant accounts are subject to different financial reporting risks and different controls.

Controls over significant account balances and disclosures for purposes of evaluating the effectiveness of ICOFR include controls over:

- Initiating, authorizing, recording, processing, and reporting significant accounts and disclosures and related assertions embodied in the financial statements. These may include accounts involving significant judgments and estimates. Choosing which controls to evaluate may, for example, involve consideration of the complexity of the estimating process and any bias on the part of the estimator.
- The selection and application of accounting policies in conformity with GAAP. Management may consider establishing controls to review the appropriate application of new accounting pronouncements, interpretations, or emerging issues in a timely manner.
- Antifraud programs and controls. It is management's responsibility to design and carry out programs and controls to prevent, deter, and detect fraud. Management, along with those who have responsibility for oversight of the financial reporting process, should set the proper tone by creating and maintaining a culture of honesty and high ethical standards.
- Information technology general controls or other controls on which other significant controls are dependent (i.e., pervasive controls). General computer controls support the effective functioning of many application controls by helping to ensure the continued proper operation of computer information systems. General computer controls commonly include controls over program development and changes, computer operations, and access to programs and data.
- Significant non-routine and non-systematic transactions. Significance in this context may be determined by the value, volume, or financial reporting risk associated with transactions processed.
- Period-end financial reporting, including preparing financial statements and disclosures. Specific controls include those over procedures used to enter transaction totals into the general ledger, to initiate, authorize, record, and process journal entries in the general ledger, and to record recurring and nonrecurring adjustments to the financial statements.

ROLE OF INTERNAL AUDIT

Management may consider the role that the internal audit function will play during its assessment process and, in particular, during the planning and scoping phase. Internal audit can be used to identify controls and test and evaluate design and operating effectiveness, among other things. Internal auditors normally have greater competence and objectivity with regard to ICOFR than other company personnel.

INCOME TAXES

Taxes are often one of the largest expenses in a company's financial statements. This is why companies cannot ignore tax processes as part of their evaluation of internal controls. To comply with section 404, management will need to identify and evaluate all significant controls, including those related to taxation. The impact of tax operations is not associated only with corporate income taxes and provisions. In reality, tax-related activities range from sales or value-added taxes to accounting for inter-company, customs, and cross-border transactions. The complex and ever-changing rules of taxing jurisdictions and the estimated liabilities often will require that controls over these activities be included in management's evaluation process. In KPMG's survey of 175 CEOs and CFOs, only 24 percent reported increased spending in the last 12 months to address tax function financial control deficiencies; 37 percent anticipate increased spending in the next 12 months.
EVALUATION OF IT CONTROLS

Information technology controls represent an integral part of ICOFR. Management may determine which applications or systems are within the scope of ICOFR and which IT controls need to be evaluated (i.e., user-level and infrastructure). An evaluation of a company's IT controls also may determine whether existing systems have been changed or a new system has been put in place. Controls within the system are important, but so are the controls dealing with access to IT systems. Management would be well served by evaluating details of the following broad categories of the IT function:

- IT governance
- Change management
- Interface and application controls
- Security and access controls
- Systems development life cycle
- Data center operations

The specific risks that IT poses to an entity's internal control may include reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both. IT also may involve the risk of unauthorized access to systems, including unauthorized changes to existing applications as well as unauthorized changes to data, and the potential for loss of data.

MULTI-LOCATION CONSIDERATIONS

Companies with multiple business units, geographic locations, or reporting units may need to determine which locations are relevant and should be included in their assessment. Management may consider which locations are financially significant in terms of the potential for a material misstatement. It is likely that a relatively small number of locations or business units may encompass a large portion of the company's operations and financial position. Management also may consider whether there are locations that have specific significant risks or whether individual locations or business units that are not significant by themselves may be financially significant when aggregated with others.
CONSIDERATION OF OUTSIDE SERVICE ORGANIZATIONS

Many companies use outside service organizations to process a variety of transactions. Management may need to consider the controls at the service organization in its assessment of ICOFR. Management may take an inventory of all outside service organizations used to process data and determine which controls at each service organization are relevant for management's evaluation, document those controls, and obtain evidence of the design and operating effectiveness of the controls.

Service organizations often obtain a report from a service auditor regarding the effectiveness of their internal control. Management would be well served by initiating discussions with outside service organizations about the scope of the service auditor's report, period covered, and timing for receiving the report. If a report is available, management may consider if the service auditor's report provides sufficient evidence to support an assessment of the operating effectiveness of the related controls. In particular, management may determine whether the report considers the operating effectiveness of controls (referred to in U.S. auditing standards as a Type II SAS 70 report) and the time period covered by the report. Management may need to ensure that the service organization provides Type II reports on a timely basis, preferably at or close to the company's fiscal year-end.
2 DOCUMENT CONTROLS

Documentation of a company's ICOFR is an essential part of management's evaluation process. It provides evidence that controls related to management's assertion, including changes to those controls, have been identified, can be communicated to those responsible for their performance, and can be monitored. Under Standard No. 2, management should provide documentation that provides reasonable support for its assessment of the effectiveness of ICOFR covering:

- The design of controls over relevant assertions related to all significant accounts and disclosures in the financial statements, including documentation of the five components of ICOFR discussed in the COSO framework
- Information about how significant transactions are initiated, authorized, recorded, processed, and reported
- Enough information about the flow of transactions to identify where material misstatements due to error or fraud could occur
- Controls designed to prevent or detect fraud, including who performs the controls and the related segregation of duties
- Controls over the period-end financial reporting process
- Controls over safeguarding of assets
- The results of management's testing and evaluation

Documentation of controls may take many forms and can include a variety of information, including policy manuals, process models, flowcharts, job descriptions, documents, and forms. No one kind of documentation is required, and the extent of documentation will vary depending on the size, nature, and complexity of the company. Management should consider establishing companywide documentation standards for capturing and reporting information. Documentation of processes and controls will be an important element in the test of internal control design effectiveness.

Although the extent to which management documents its evaluation is a matter of judgment, such documentation should go beyond a simple conclusion that the control is designed and operating effectively. To provide a sufficient basis for its conclusion, management should document the procedures performed, the results, and other evidence obtained regarding operating effectiveness. Internal control deficiencies noted also should be documented along with appropriate remediation proposals. Inadequate documentation of the design of controls and the absence of sufficient documented evidence to support management's assessment of the operating effectiveness of ICOFR are control deficiencies under Standard No. 2.

COSO provides example documentation that could be useful for management in documenting the results of its evaluation. The examples in COSO include numerous evaluation programs and worksheets. To collate and evaluate the documentation of the results of the evaluation, management may consider a manual approach, an automated approach, or a combination of the two.

PERFORMANCE OF WALKTHROUGHS FOR EACH MAJOR CLASS OF TRANSACTIONS

Standard No. 2 states that the auditor should perform at least one walkthrough for each major class of transactions, which means the auditor must trace the life of the transaction from its initiation through its publication in the financial statements. In a February 2004 interview with BNA's Securities Regulation & Law Report, PCAOB Chief Auditor and Director of Professional Standards Douglas R. Carmichael described the Board's thinking behind instituting walkthroughs: "The goal there is to make sure that the auditor understands how the systems work and what the controls are."

During the walkthrough, the questions auditors may ask company personnel include:

- What do they do when they find an error?
- What are they looking for to determine if there is an error?
- What kinds of errors have been found?
- What happened as a result of finding the errors?
- How were the errors resolved?
- Have personnel ever been asked to override the process or controls?
Whatever the choice, management may consider establishing enterprise-wide documentation standards for capturing the results. An automated tool may assist in ensuring that the documentation output of the evaluation process meets management's requirements. With the use of an automated tool, the information could be summarized and reported in a format tailored by management. An added benefit of using an automated tool may be to assist with project management; for example, to monitor the progress of the documentation and evaluation process and identify areas that need attention. An automated tool also will help companies gather information to make required section 409 disclosures, which obligates public companies to disclose on a rapid and current basis information concerning material changes in the financial condition or operations of the issuer.

[Chart: As part of the KPMG fall '03 Survey, CEOs and CFOs were asked for each of the following: How difficult are you finding it to comply with Sarbanes-Oxley 404? Areas charted: Documentation, Testing of internal controls, Planning, Gap analysis, Remediation, each rated "Extremely difficult" and "Somewhat difficult". Percentages shown, as extracted: 10%, 21%, 29%, 50%, 10%, 19%, 29%, 34%, 44%, 7%, 21%, 28%, 7%, 16%, 23%. Source: KPMG LLP, 2004]

3 EVALUATE DESIGN & OPERATING EFFECTIVENESS

Management will need to evaluate the design and operating effectiveness of ICOFR as well as document the results of the evaluation.

DESIGN AND OPERATING EFFECTIVENESS

Design effectiveness refers to whether a control is suitably designed to prevent or detect material misstatements in specific financial statement assertions. It involves consideration of the financial reporting objectives that the control is meant to achieve. Operating effectiveness refers to whether the control is functioning as designed.

DESIGN

Effectively designed controls are expected to prevent or detect errors or fraud that could result in material misstatements in the financial statements. All controls necessary to provide reasonable assurance regarding the fairness of a company's financial statements should be in place and performed and monitored by qualified personnel. Management must evaluate the design of relevant controls. Procedures to evaluate design effectiveness could include inquiry, observation, walkthroughs, and a specific evaluation of whether the controls are likely to prevent or detect misstatements if they are operated as prescribed by appropriately qualified persons.

OPERATING EFFECTIVENESS

During evaluation of operating effectiveness, management gathers evidence regarding how the control was applied, the consistency with which it was applied, and who applied it. In evaluating whether a control is operating effectively, the company may consider whether the control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively. Management must perform procedures sufficient to assess the operating effectiveness of controls. These procedures could include testing of the controls by internal audit, testing of controls by others under the direction of management, using a service organization's reports, or testing by means of a self-assessment process. Inquiry alone will not be adequate to complete this evaluation by management.

HOW MUCH IS ENOUGH?

The extent of test work by management and the independent auditor will vary from company to company. However, the PCAOB and the SEC expect the extent and effort to be significant. Following are a few indicators of those expectations:

- SEC staff communicated that companies should expect to test and evaluate more controls than the independent auditor.
- Based on a number of publicly reported surveys of chief executives, many believe that preparation for an audit of internal control will involve an extensive labor effort, even exceeding original expectations.
4 IDENTIFY, ASSESS & CORRECT DEFICIENCIES

Management may establish a process by which deficiencies are identified and accumulated across the entire company, including all locations and business units evaluated. To conclude on the assessment of effectiveness of ICOFR, management is likely to evaluate the severity of all identified deficiencies.

An internal control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. An internal control deficiency may be either a design or operating deficiency. A design deficiency exists when either a necessary control is missing or an existing control is not properly designed so that even when the control is operating as designed, the control objective is not always met. An operating deficiency exists when a properly designed control either is not operating as designed or the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

A deficiency is significant if it results in more than a remote likelihood that a misstatement that is more than inconsequential in amount will not be prevented or detected. This definition establishes a relatively low threshold in making the significance determination.

Internal control deficiencies range from inconsequential internal control deficiencies to material weaknesses in internal control. Management should determine whether the internal control deficiency is inconsequential, significant, or represents a material weakness. Personnel throughout the company should share a common understanding of these definitions and how they are applied. As defined under Standard No. 2:

- A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the company's ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the company's annual or interim financial statements that is more than inconsequential will not be prevented or detected.
- A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.

If there are significant deficiencies that, individually or in combination, result in one or more material weaknesses, management is precluded from concluding that ICOFR is effective.

As defined in Standard No. 2, a misstatement is inconsequential if a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when aggregated with other misstatements, would clearly be immaterial to the financial statements. If a reasonable person could not reach such a conclusion regarding a particular misstatement, that misstatement is considered more than inconsequential.

Standard No. 2 also identifies certain areas that, if deficiencies exist, are deemed to be at least significant deficiencies. These areas include:

- Controls over the selection and application of accounting policies in accordance with GAAP
- Antifraud programs and controls
- Controls over non-routine and non-systematic transactions
- Controls over the period-end financial reporting process

Standard No. 2 identifies a number of circumstances that, because of their likely significant negative effect on ICOFR, are significant deficiencies and strong indicators that a material weakness exists.
These circumstances include:

- Restatement of previously issued financial statements to reflect the correction of a misstatement, whether due to error or fraud
- Identification by the auditor of a material misstatement in financial statements in the current period that was not initially identified by the company (even if management subsequently corrects the misstatement)
- Ineffective oversight of the company's external financial reporting and ICOFR by the company's audit committee
- For larger, more complex entities, ineffective internal audit or risk assessment functions
- For complex entities in highly regulated industries, an ineffective regulatory compliance function
- Identification of fraud of any magnitude on the part of senior management
- Significant deficiencies that have been communicated to management and the audit committee that remain uncorrected after some reasonable period of time
- An ineffective control environment

Management should allow sufficient time to evaluate and test controls. In the event deficiencies are discovered, management will have the opportunity to correct and remediate these deficiencies prior to the reporting date. However, management will need to allow enough time for new controls to be in place to validate their operating effectiveness.

5 REPORT ON INTERNAL CONTROL

In accordance with Standard No. 2, management is required to include in its annual report its assessment of the effectiveness of the company's ICOFR. Management's report on ICOFR is required to include the following:

- A statement of management's responsibility for establishing and maintaining adequate ICOFR for the company
- A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the company's ICOFR
- An assessment of the effectiveness of the company's ICOFR as of the end of the company's most recent fiscal year, including an explicit statement as to whether that ICOFR is effective
- A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's assessment of the company's ICOFR

Management is precluded from concluding that the company's ICOFR is effective if there are one or more material weaknesses. Management is required to disclose all material weaknesses that exist as of the end of the most recent fiscal year.

Standard No. 2 does not provide an example of management's report. We recommend that companies discuss the form and content of their report with their outside counsel and independent auditor.

In accordance with Standard No. 2, management might be able to accurately represent that ICOFR as of the end of the company's most recent fiscal year is effective even if one or more material weaknesses existed during that year. To make this representation, management must correct the control deficiencies to eliminate all material weaknesses sufficiently in advance of the "as of" date and satisfactorily test the effectiveness over a period of time sufficient for management to determine whether, as of the end of the fiscal year, the design and operation of ICOFR is effective.

Under Standard No. 2, management is required to provide a written conclusion about the effectiveness of the company's ICOFR. This conclusion can take many forms; however, management is required to state a direct conclusion about its effectiveness. For example, the phrase "management's assessment that W Company maintained effective ICOFR as of [date]" is an appropriate conclusion. Other phrases, such as "management's assessment that W Company's ICOFR as of [date] is sufficient to meet the stated objectives," also might be used. However, the conclusion should not be so subjective (for example, "very effective internal control") that people having competence in and using the same or similar criteria would not ordinarily be able to arrive at similar conclusions.
COORDINATION WITH SECTION 302 OF THE SARBANES-OXLEY ACT OF 2002

In any discussion of section 404, it also is useful to consider its relationship with section 302 of the Act dealing with certifications in annual and quarterly reports. Section 302 requires a company's CEO and CFO to issue a statement certifying periodic reports. The section 302 certification statement centers on control evaluation and addresses the issuer's disclosure controls and procedures. Disclosure controls and procedures refer to controls and procedures intended to provide reasonable assurance of fulfilling the issuer's annual, quarterly, and Form 8-K reporting obligations, including requirements to report nonfinancial information. Disclosure controls and procedures are broader than ICOFR. Management's requirements for the certifications under section 302 apply to both definitions of controls: ICOFR and disclosure controls and procedures.
THE AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING

The auditor's objective in an audit of ICOFR is to express opinions on management's assessment of the effectiveness of the company's ICOFR and on whether the company maintained effective ICOFR. To form a basis for expressing such an opinion, the auditor must plan and perform the audit to obtain reasonable assurance about whether the company maintained, in all material respects, effective ICOFR as of the date specified in management's assessment. The auditor also must audit the company's financial statements as of the specified date because the information obtained during the financial statement audit is relevant to the auditor's conclusion about the effectiveness of the company's ICOFR.

To obtain reasonable assurance, the auditor will evaluate the assessment performed by management and obtain evidence about whether the ICOFR is designed and operating effectively for all relevant financial statement assertions related to all significant accounts and disclosures in the financial statements. The auditor is required to obtain evidence of operating effectiveness of controls over relevant assertions for significant accounts and disclosures each year; that is, the audit evidence obtained each year must stand alone. However, the nature, timing, and extent of test work directed toward relevant assertions can and should vary from year to year based on prior years' findings, changes in a company's internal control, or changes in management.

There are inherent limitations on the degree of assurance the auditor can obtain as a result of performing an audit of ICOFR. ICOFR is a process that involves human diligence and compliance that can be intentionally circumvented. Therefore, the auditor's opinion does not provide absolute assurance that ICOFR is effective, but rather it provides reasonable assurance.
AUDITOR'S RESPONSIBILITIES IN THE AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING

The graphic below depicts auditor requirements ordinarily applicable to an audit of internal control over financial reporting, and is followed by a discussion of each of the steps:
1 Planning
2 Evaluating Management's Assessment Process
3 Obtaining an Understanding of Internal Control
4 Testing & Evaluating Design & Operating Effectiveness
5 Forming an Opinion

1 Planning

Planning is an integral step in any audit. It allows the auditor to develop an overall strategy and consider the numerous factors that play a role in performing the audit. For an audit of ICOFR, the auditor has many factors to consider, including internal (e.g., the number of significant business units or locations) and external (e.g., industry trends) considerations. The audit of ICOFR should be planned and performed in accordance with applicable existing general, fieldwork, and reporting auditing standards.

MATERIALITY AND FRAUD CONSIDERATIONS

The concept of materiality is applicable in an audit of ICOFR at both the financial statement level and the individual account balance level, considering quantitative and qualitative factors. The auditor uses materiality at the financial statement level in deciding whether a deficiency or combination of deficiencies in controls is a significant deficiency or a material weakness. Materiality at the account balance level is necessarily lower than materiality at the financial statement level.
The auditor should evaluate controls specifically intended to address the risks of fraud that are at least reasonably likely to have a material effect on the company's financial statements. The auditor will likely place special emphasis on the evaluation of such controls in the control environment. If an auditor identifies deficiencies in controls related to prevention, identification, and detection of fraud during the audit of ICOFR, the auditor may alter the nature, timing, and extent of procedures to be performed in completing the related financial statement audit to be responsive to such deficiencies.

MULTI-LOCATION CONSIDERATIONS

To determine the locations or business units for performing audit procedures, the auditor should evaluate their relative financial significance and related risk of material misstatement. In making this evaluation, the auditor should consider locations or business units in terms of these categories:
- Locations or business units that are individually important
- Locations or business units that contain specific risks that, by themselves, could create a material misstatement
- Locations or business units that, when aggregated, represent a group with a level of financial significance that could create a material misstatement in the financial statements
- Locations or business units that are not important, even when aggregated with others

MULTI-LOCATION TESTING CONSIDERATIONS (decision flow; Source: KPMG LLP, 2004)
1. Is the location or business unit individually important? If yes, evaluate documentation and test controls over relevant assertions for significant accounts at each such location or business unit. If no, go to step 2.
2. Are there specific significant risks? If yes, evaluate documentation and test controls over those specific risks. If no, go to step 3.
3. Is the location or business unit not important even when aggregated with others? If yes, no further action is required for such units. If no (that is, the unit is important when aggregated), go to step 4.
4. Are there documented company-level controls over this group? If yes, evaluate documentation and test the company-level controls over the group. If no, some testing of controls at individual locations or business units is required.
A relatively small number of locations or business units may encompass a large portion of the company's operations or financial position. These locations or business units are considered financially significant. The auditor should consider both the relative financial significance and the risk of material misstatement when making this assessment. In these instances, the auditor should evaluate management's documentation of, and perform tests of, controls over all relevant assertions for significant accounts and disclosures at each of these locations or business units. Financially significant locations should be selected to cover a large portion of the company's operations or financial position. A large portion is not specifically defined in Standard No. 2, but currently, we believe, it should include no less than 65 percent to 70 percent of the company's operations and financial position.

Although a location or business unit might not be individually financially significant, it might present specific risks that, by themselves, could create a material misstatement in the company's financial statements. For example, a business unit could be responsible for foreign exchange trading and thus expose the company to a risk of material misstatement even though its relative financial significance is not great. In this instance, the auditor should test the controls over the specific risks identified that could result in a material misstatement in the financial statements.

Although individual locations may not be considered financially significant, they may, when aggregated with other locations or business units, represent a group that has a level of financial significance that could result in a material misstatement of the financial statements. For example, a coffee manufacturer may have a chain of coffee houses that, while not individually significant, when considered together make a significant contribution to the business and could result in a material misstatement.

In determining the nature, timing, and extent of testing for "important when aggregated" locations or business units, the auditor should determine whether management has documented and placed in operation company-level controls. Company-level controls are those controls that management has in place to monitor the operations and to oversee the control environment and risk assessment process at the locations or business units. If relevant company-level controls are present, the auditor should determine whether such controls are operating effectively. If company-level controls do not exist or are not effective, the auditor will need to design an approach to evaluate relevant controls at the locations or business units that will provide sufficient evidence that adequate controls are in place at these locations or business units to provide reasonable assurance that ICOFR is effective.

Finally, locations or business units may exist that are not financially significant individually or when aggregated and do not present specific risks, and, as such, could not result in a material misstatement to the financial statements. Further action by the auditor may not be required for such locations or business units.

As a further consideration, situations may arise in which a company acquires a business at or near year-end. Since management's assertion relates to the effectiveness of the company's ICOFR as of a point in time subsequent to the date of acquisition, the auditor may consider the need to document and evaluate the internal control of the acquired business in accordance with the considerations discussed above. It is possible that the SEC may permit management to exclude an entity acquired late in the year from a company's assessment of ICOFR, in which case the auditor could do the same without referring to a scope limitation in the auditor's report.
2 Evaluating Management's Assessment Process

In conjunction with planning the audit of internal control, the auditor will evaluate management's process for assessing the effectiveness of the entity's ICOFR. This evaluation provides the auditor with evidence that management has a basis to support its assertion on the effectiveness of ICOFR, and provides information that will help the auditor understand the entity's ICOFR. It also assists the auditor in planning the necessary work to complete the audit and provides some evidence the auditor will use to support the opinion.

The auditor must obtain an understanding of management's process and evaluate whether management has determined the appropriate controls to be tested, including controls over relevant assertions related to all significant accounts and disclosures. Generally, such controls include:
- Controls over initiating, authorizing, recording, processing, and reporting significant accounts and disclosures and related assertions embodied in the financial statements
- Controls over the selection and application of accounting policies that are in conformity with GAAP
- Antifraud programs and controls
- Controls, including IT general controls, on which other controls are dependent
- Controls over significant non-routine and non-systematic transactions, such as accounts involving judgments and estimates
- Company-level controls, including the control environment
- Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; to initiate, authorize, record, and process journal entries in the general ledger; and to record recurring and nonrecurring adjustments to the financial statements

In addition to determining which controls should be tested, the auditor evaluates the likelihood that control failures could result in a misstatement and the degree to which other controls, if operating effectively, could achieve the same control objectives. The auditor's evaluation also considers management's process for determining the locations to include in its evaluation and, once determined, evaluating the design and operating effectiveness of controls at such locations.

The auditor also must understand and evaluate management's process for evaluating and communicating deficiencies that are of such a magnitude that they might constitute significant deficiencies or material weaknesses. The auditor also should obtain an understanding of the results of procedures performed by others, including company personnel (in addition to internal audit) and third parties working under the direction of management. The auditor evaluates management's documentation to determine whether such documentation supports its assessment. Inadequate documentation is considered a deficiency in the company's ICOFR, the severity of which is subject to the auditor's judgment.

3 Obtaining an Understanding of Internal Control

The auditor obtains an understanding of ICOFR by applying procedures that include making inquiries of appropriate entity personnel, inspecting documents, observing the application of specific controls, and tracing transactions through the information systems (i.e., walkthroughs). The auditor's understanding of ICOFR should encompass the design of controls related to each component of internal control. These components include the company's control environment, the company's risk assessment process, the control activities management has implemented to prevent or detect material misstatements, information and communication processes, and management's monitoring of controls. The auditor should focus on combinations of controls, in addition to specific controls in isolation, in assessing whether the objectives of the control criteria are being achieved. Further, when one or more controls achieve the same objective, it may not be necessary for the auditor to evaluate other controls that achieve the same objectives.

Testing company-level controls alone is not sufficient for the purpose of expressing an opinion on the effectiveness of a company's ICOFR.
Controls that exist at the company level often have a pervasive effect on controls at the process, transaction, or application levels. Therefore, it may be appropriate for the auditor to test and evaluate the design of company-level controls first, as the results of that work could affect the manner in which the auditor evaluates other aspects of ICOFR.

EVALUATING THE EFFECTIVENESS OF THE AUDIT COMMITTEE

"Today's audit committee must proactively identify issues that might impact the financial reporting process. Committees must be more aggressive in how they probe for information. They must possess a deeper understanding of a company's business. Their communications with management must be more frequent and detailed. Sarbanes-Oxley made clear that audit committees have direct responsibility for the external auditor. This includes hiring, firing, pre-approving services and fees, resolving disputes with management, and monitoring quality. Audit committee members must demonstrate independence from management, as well as their own financial literacy. Public agencies and shareholders now expect that committee members are suitably able to understand complex business and financial issues. Committees are expected to devote substantially more time to understanding the company's financial statements, which means they're expected to vigorously question and probe management, internal audit, and the external auditor and engage outside advisers as necessary. As they respond to these challenges, audit committees are also exercising more direct oversight of the internal audit department. And they're focusing on their legal duty to hear and resolve whistleblower complaints. That's quite a list of responsibilities. In fact, I would add one more. The public expects audit committees to bring a moral dimension to their tasks. This means subjecting managerial decisions to analysis that is ethical as well as financial. With this expanded workload it's no surprise that audit committees are meeting more frequently and for longer sessions."
Eugene O'Kelly, Chairman and CEO, KPMG LLP. Excerpted from remarks delivered at a program sponsored by Stanford University and Humboldt Institute of Management, Berlin, Germany, July 2003.

The company's audit committee plays an important role within the control environment and in monitoring components of ICOFR. Within the control environment, the existence of an effective audit committee is essential to setting a positive tone at the top. However, it should be understood that management is responsible for maintaining effective ICOFR. Further, the company's board of directors is responsible for evaluating the performance and effectiveness of the audit committee. As clarified under Standard No. 2, the auditor is not responsible for performing a separate and distinct evaluation of the audit committee. The auditor should assess the effectiveness of the audit committee as part of the evaluation of the control environment and monitoring components of ICOFR.

Factors to consider in evaluating the effectiveness of the audit committee may vary considerably based on specific circumstances. In accordance with Standard No. 2, the auditor's focus should be on factors related to the committee's oversight of the company's external financial reporting and ICOFR, such as:
- Independence of the audit committee members from management
- Clarity with which the audit committee's responsibilities are articulated, and how well the audit committee and management understand those responsibilities
- Level of involvement and interaction with the independent auditor and internal auditors, as well as interaction with key members of financial management, including the CFO and CEO
- Consideration as to whether relevant questions are raised by the audit committee, including questions that indicate an understanding of critical accounting policies and significant accounting estimates, and whether or not such questions are pursued with management and the independent auditor
- Responsiveness to issues raised by the independent auditor

Ineffective oversight by the audit committee is considered at least a significant deficiency in ICOFR and is a strong indicator that a material weakness in ICOFR exists.

IDENTIFYING SIGNIFICANT ACCOUNT BALANCES AND DISCLOSURES

To determine what specific controls to test, the auditor begins by identifying significant account balances and disclosures within the financial statements, based on both quantitative and qualitative factors. An account is considered significant if there is more than a remote likelihood that the account could contain misstatements that individually, or when aggregated with others, could have a material effect on the financial statements, considering the risks of both overstatement and understatement. Other accounts may be significant on a qualitative basis based on the expectation of a reasonable user (e.g., investors might be interested in a particular financial statement account even though it is not quantitatively significant because it represents an important performance measure in a specialized industry). An account also may be considered significant because of the exposure to unrecognized obligations represented by the account (e.g., loss reserves related to a self-insurance program).

IDENTIFYING RELEVANT FINANCIAL STATEMENT ASSERTIONS

For each significant account, the auditor determines the relevance of each of the following financial statement assertions:
- Existence or occurrence
- Completeness
- Valuation or allocation
- Rights and obligations
- Presentation and disclosure

IDENTIFYING SIGNIFICANT PROCESSES AND MAJOR CLASSES OF TRANSACTIONS

The auditor identifies each significant process over each major class of transactions affecting significant accounts or groups of accounts. Major classes of transactions are those that are significant to the company's financial statements. Different types of major classes of transactions have different levels of risk associated with them and require different levels of management supervision and involvement. For this reason, the auditor might further categorize major classes of transactions by whether they represent routine, nonroutine, or estimation activities.
For each significant process, the auditor should:
- Understand the flow of transactions, including how transactions are initiated, authorized, recorded, processed, and reported
- Identify the points within the process where a misstatement related to each relevant financial statement assertion could arise, including a misstatement due to fraud
- Identify the controls that management has implemented to address these potential misstatements
- Identify the controls that management has put in place for the prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets

An understanding of the controls described above is usually obtained in performing walkthroughs.

UNDERSTANDING THE PERIOD-END FINANCIAL REPORTING PROCESS

The period-end financial reporting process is always considered a significant process because of its importance to financial reporting in general and to the auditor's opinions on ICOFR and the financial statements. The auditor obtains an understanding of and evaluates this process by evaluating:
- The inputs, procedures performed, and outputs of the processes the company uses to produce its financial statements
- The extent of information technology involvement in each period-end financial reporting process element
- Who participates from management
- The number of locations involved
- The types of adjusting entries
- The nature and extent of the oversight of the process by appropriate parties, including management, the board of directors, and the audit committee

PERFORMING WALKTHROUGHS

Standard No. 2 indicates that the auditor should perform at least one walkthrough for each major class of transactions. In performing a walkthrough, the auditor traces a transaction from origination through the company's information systems (manual and electronic) until it is reflected in the company's financial reports. Walkthroughs provide the auditor with evidence that confirms the understanding of the process flow of transactions; the design of controls identified for all five components of ICOFR, including those related to the prevention or detection of fraud; and the completeness of the process, among other things.
Walkthroughs should encompass the entire process for initiating, authorizing, recording, processing, and reporting individual transactions and controls for each of the significant processes identified, including fraud controls.

IDENTIFYING CONTROLS TO TEST

The auditor obtains evidence about the effectiveness of controls by performing tests for all relevant assertions related to all significant accounts and disclosures in the financial statements. The auditor determines the controls to test by evaluating the following factors:
- Points at which errors or fraud could occur
- The nature of the controls implemented by management
- The significance of each control in achieving the objectives of the control criteria, and whether more than one control achieves a particular objective or whether more than one control is necessary to achieve a particular objective
- The risk that the controls might not be operating effectively

The auditor identifies the controls over the prevention or timely detection of unauthorized acquisition, use, or disposition of the entity's assets and evaluates the operating effectiveness of those controls. The appropriateness of either preventive or detective controls depends on the nature, materiality, and sensitivity to loss of the asset. The lack of such controls, or the ineffective operation of the controls, may result in an internal control deficiency that the auditor would need to evaluate when considering the overall effectiveness of ICOFR.

4 Testing & Evaluating Design & Operating Effectiveness

After obtaining an understanding of ICOFR, the auditor evaluates the design and operating effectiveness of those controls. ICOFR is effectively designed when the controls, if they operate as prescribed, would be expected to prevent or detect material misstatements in the financial statements. The auditor determines whether the company has controls to meet the objectives of the control criteria by understanding the company's control objectives in each area, identifying the controls that satisfy each objective, and determining whether the controls, if operating effectively, will prevent or detect material misstatements in the financial statements.

The auditor performs procedures to test and evaluate the design effectiveness of controls by using inquiry, observation, walkthroughs, and inspection of relevant documentation. In addition, the auditor evaluates whether the controls are likely to prevent or detect misstatements due to errors or fraud if they operate as prescribed by appropriately qualified persons. The procedures the auditor performs in evaluating management's assessment process and obtaining an understanding of ICOFR also provide the auditor with evidence about the design effectiveness of ICOFR. The procedures the auditor performs to test and evaluate design effectiveness also might provide evidence about operating effectiveness.

In evaluating operating effectiveness, the auditor considers whether the control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively. Procedures may include a mix of inquiry, inspection, observation, and re-performance. Inquiry alone is not sufficient to conclude on operating effectiveness.

TIMING OF TESTS OF CONTROLS

The auditor performs tests of controls over a period of time that is adequate to determine whether, as of the date specified in management's report, the controls necessary for achieving the objectives of the control criteria are operating effectively. The period of time varies with the nature of the controls being tested and the frequency with which specific controls operate. The auditor often performs tests of operating effectiveness prior to the "as of" date specified in management's report. When tests are performed prior to the "as of" date, the auditor performs rollforward procedures to obtain evidence regarding the operation of the control for the remaining period to ensure operating effectiveness at the "as of" date. For certain controls relating to significant nonroutine transactions, controls over accounts or processes with a high degree of subjectivity or judgment, or controls over the recording of period-end adjustments, the auditor normally performs tests closer to the "as of" date rather than, or in addition to, an interim date.

Prior to the date specified in management's report, management might implement changes to the company's controls to make them more effective or efficient, or to address control deficiencies. In those instances, the auditor might not need to evaluate controls that have been superseded. For example, if the auditor determines that the new controls achieve the related objectives and have been operating for a period of time sufficient to permit the auditor to assess their design and operating effectiveness by performing tests of controls, the auditor will not need to evaluate the superseded controls for purposes of expressing an opinion on ICOFR.

USING THE WORK OF OTHERS

In making the determination of operating effectiveness of ICOFR, the auditor must perform enough of the testing so that the auditor's own work provides the principal evidence supporting the audit opinion. However, the auditor may use the work of others to alter the nature, timing, and extent of procedures performed independently by the auditor. The auditor's judgment about whether principal evidence has been obtained to support the opinion includes qualitative as well as quantitative considerations. For these purposes, the work of others includes work performed by internal auditors, other company personnel, and third parties working under the direction of management or of the audit committee.
In determining the extent to which the auditor will use the work of others, the auditor should:
- Evaluate the nature of the controls subjected to the work of others
- Evaluate the competence and objectivity of the individuals who performed the work
- Test some of the work performed by others to evaluate the quality and effectiveness of their work

The auditor may apply the relevant concepts in the existing auditing standards when considering whether to use the work of others in the audit of ICOFR. Standard No. 2 gives the auditor significant flexibility to use judgment to determine the work necessary to obtain the principal evidence and to determine when the auditor can use the work of others rather than perform the work personally.

As outlined in Standard No. 2, there are a number of areas in which the auditor should not use the results of testing performed by management and others, including:
- Controls that are part of the control environment, including controls specifically established to prevent and detect fraud
- Walkthroughs

The auditor should limit the use of the results of procedures performed by management and others in the following areas:
- Controls for which a high degree of judgment is required to evaluate the operating effectiveness
- Controls that have a pervasive impact on the system of internal control, including controls on which other controls are dependent
- Controls involving a high level of judgment or estimation
- Controls that have a high potential for management override of the control

The auditor might decide to use the results of tests performed by management and others within the company in other areas, such as controls over routine processing of significant accounts and disclosures, without specific limitation. However, the auditor must perform enough of the testing so that the auditor's own work provides the principal evidence for the opinion. The auditor should re-perform some of the tests of controls originally performed by others; however, re-performance does not contribute to the assessment of principal evidence.
5 Forming an Opinion

The auditor forms an opinion on the effectiveness of ICOFR by evaluating all evidence obtained from all sources during the audit. This includes the adequacy of the assessment performed by management, the results of the auditor's tests of controls, the results of substantive procedures performed during the financial statement audit, and the impact of any identified internal control deficiencies. As part of this evaluation, the auditor considers all reports issued during the year by internal audit that address controls related to ICOFR and evaluates any control deficiencies identified in those reports.

The auditor issues an opinion on whether management's assessment of the effectiveness of the company's ICOFR is fairly stated in all material respects, and on whether the company maintained, in all material respects, effective ICOFR, both as of the specified date. The auditor may choose to issue a combined report that includes both an opinion on the financial statements and the opinions on ICOFR, or separate reports. If the auditor issues separate reports, the report dates of both opinions must be the same. The auditor's requirement to evaluate the operating effectiveness of controls relative to a company's period-end financial reporting process may result in reports being dated later than in the past.

The auditor may issue an unqualified opinion only when there are no identified material weaknesses and when there have been no restrictions on the scope of the auditor's work. The existence of a material weakness results in an adverse opinion (i.e., ICOFR is not operating effectively). A scope limitation will result in a qualified opinion or a disclaimer of opinion.

The existence of a material weakness in ICOFR precludes the auditor from issuing an unqualified opinion and will result in an adverse opinion on the effectiveness of ICOFR.

REQUIRED COMMUNICATIONS OF DEFICIENCIES

The auditor must communicate, in writing, to management and the audit committee all significant deficiencies and material weaknesses identified during the audit of ICOFR. The written communication is made prior to issuance of the auditor's report on ICOFR. The written communication distinguishes between those matters considered significant deficiencies and those considered material weaknesses. If a significant deficiency or material weakness exists because the oversight of the company's external financial reporting and ICOFR by the company's audit committee is ineffective, the auditor must communicate that specific significant deficiency or material weakness in writing to the entire board of directors. In addition, the auditor should communicate to management, in writing, all deficiencies in ICOFR of a lesser magnitude identified during the audit and inform the audit committee that such a communication has been made.

RELATIONSHIP OF THE AUDIT OF ICOFR TO AN AUDIT OF FINANCIAL STATEMENTS

The audit of ICOFR is integrated with the audit of the financial statements. The objectives of the procedures for the two audits are not identical; however, the auditor simultaneously plans and performs the work to achieve the objectives of both audits. The information the auditor obtains during the audit of ICOFR and the procedures performed are interrelated with those performed during the financial statement audit. Therefore, performance synergies are derived from coordinating and executing these procedures simultaneously.
BEYOND COMPLIANCE Using the compliance requirements of the landmark Sarbanes-Oxley legislation as a springboard, executives are moving beyond compliance. While section 404 of the Act mandates that each annual report of a public company be accompanied by management s assessment of the effectiveness of internal controls, the work that is performed by a company has provided a valuable opportunity to invigorate a business. Moving beyond compliance toward greater operational efficiency requires that corporate chiefs not look at the legislation as an onerous, congressional-driven exercise that will waste their time, money, and resources. Organizations that institute processes to increase an enterprise-wide understanding of the company s reporting, operational, and regulatory risks and controls can reap valuable rewards. They will strengthen and streamline internal controls across the business, get a better grasp of consistent risk tolerances, and gain assurance about the business s financialreporting integrity. In our judgment, organizations that view the requirements of the Act as a starting point for future process improvement take the appropriate long-term view. They may then consider creating cross-functional teams to review key systems and processes. In doing so, these forward-thinking organizations may increase the possibility of uncovering organizational inconsistencies, inefficiencies, and redundancies that are costly. Such reviews, with an unblinking eye, make good businesses become better businesses, and can improve investor perceptions. There is much to be gained by moving beyond a focus on the ICOFR compliance efforts. By focusing their attention to the quality of overall operations, and not just design of controls, executives can help maximize the value of the data that was mined during the Sarbanes-Oxley compliance effort. It is important to view the work associated with complying with the Act as only the beginning of a sustainable improvement process. 
Up to now, the focus has been on initial compliance, and companies have been able to operate as though this were a single-event project. Along with building the discipline needed for a constant and rigorous review program, a business with a process-driven rather than a project-driven mentality also may be better positioned to handle any future legislative changes while maintaining compliance with the Act. William H. Donaldson, Chairman of the U.S. Securities and Exchange Commission, underscored that thought in a speech last summer when he said, "Successful corporate leaders must strive to do the right thing, in disclosure, in governance, and otherwise in their businesses. And they must instill in their corporations this attitude of doing the right thing. Simply complying with the rules is not enough. They should make this approach part of their companies' DNA. For companies that take this approach, most of the major concerns about compliance disappear. Moreover, if companies view the new laws as opportunities, opportunities to improve internal controls, improve the performance of the board, and improve their public reporting, they will ultimately be better run, more transparent, and therefore more attractive to investors."

[Figure: Moving Toward Continuous Compliance. Sarbanes-Oxley life cycle: Initial Compliance (Readiness Assessment), Ongoing Monitoring and Testing, Ongoing Documentation Updates and Remediation, Process Improvement. Continuous improvement runs from Achieving Compliance to Realizing Value. Source: KPMG LLP, 2004]

Complying with section 404 is simply the beginning of an ongoing process that can move an organization toward the realization of value. The organizations that take the long-term view, rather than a short-term project view, will be able to leverage the information gained during the initial phase for enduring process improvement.

The coauthors of the Act, Senator Paul Sarbanes and Representative Michael Oxley, recently said in an interview published in Wall Street Journal Online (Dow Jones News Wires, March 1, 2004) that the reforms they initiated are starting to pay off. Senator Sarbanes said corporate boards are becoming more diligent in achieving good corporate governance, and Representative Oxley added that the legislation is working to help boost investor confidence. In addition, Oxley said the costs to comply with the Act are reasonable compared with the amount of value that was destroyed by the financial scandals.

COMPANIES DRIVE VALUE FROM SARBANES-OXLEY PROCESS
Executives at several businesses that had completed their initiatives to comply with section 404 of the Act shared their views with KPMG. Before the section 404 compliance effort, for example, a multibillion-dollar utility needed nearly 200 people and 22 days to complete its closing process. The manual nature of the process typically resulted in unexpected results, as well as significant entries after the company released earnings. The section 404 compliance effort prompted the company to examine the extent of its manual processes for the first time. The company is now re-engineering the closing process so that it will require half as many people and just 10 days to complete.
In another case, a financial-services organization discovered that many of its derivatives traders used vastly different methods to value hard-to-price financial instruments. Concern about the possibility of inconsistencies led to a standardization of pricing methods that has reassured the CFO about the accuracy of asset values on the company's balance sheet. In both cases, the focus of the section 404 compliance effort prompted executives to evaluate overall operations, not just the design of controls, and thereby derive new business value from the data captured during the compliance process.
APPENDIX A: SAMPLE AUDITOR'S REPORT
The following is an illustrative combined report expressing an unqualified opinion on the financial statements, an unqualified opinion on management's assessment of the effectiveness of internal control over financial reporting, and an unqualified opinion on the effectiveness of internal control over financial reporting.

REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM
We have audited the accompanying balance sheets of W Company as of December 31, 20X4, and 20X3, and the related statements of income, stockholders' equity and comprehensive income, and cash flows for each of the years in the three-year period ended December 31, 20X4. We also have audited management's assessment, included in the accompanying [title of management's report], that W Company maintained effective internal control over financial reporting as of December 31, 20X4, based on [identify control criteria, for example, criteria established in Internal Control-Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)]. W Company's management is responsible for these financial statements, for maintaining effective internal control over financial reporting, and for its assessment of the effectiveness of internal control over financial reporting. Our responsibility is to express an opinion on these financial statements, an opinion on management's assessment, and an opinion on the effectiveness of the company's internal control over financial reporting based on our audits.

We conducted our audits in accordance with the standards of the Public Company Accounting Oversight Board (United States). Those standards require that we plan and perform the audits to obtain reasonable assurance about whether the financial statements are free of material misstatement and whether effective internal control over financial reporting was maintained in all material respects. Our audit of financial statements included examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements, assessing the accounting principles used and significant estimates made by management, and evaluating the overall financial statement presentation. Our audit of internal control over financial reporting included obtaining an understanding of internal control over financial reporting, evaluating management's assessment, testing and evaluating the design and operating effectiveness of internal control, and performing such other procedures as we considered necessary in the circumstances. We believe that our audits provide a reasonable basis for our opinions.

A company's internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company's internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements.

Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

In our opinion, the financial statements referred to above present fairly, in all material respects, the financial position of W Company as of December 31, 20X4, and 20X3, and the results of its operations and its cash flows for each of the years in the three-year period ended December 31, 20X4, in conformity with accounting principles generally accepted in the United States of America. Also in our opinion, management's assessment that W Company maintained effective internal control over financial reporting as of December 31, 20X4, is fairly stated, in all material respects, based on [identify control criteria, for example, criteria established in Internal Control-Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)]. Furthermore, in our opinion, W Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 20X4, based on [identify control criteria, for example, criteria established in Internal Control-Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)].

[Signature]
[City and State or Country]
[Date]
APPENDIX B: MANAGEMENT'S REPORT
In accordance with Standard No. 2, management is required to include in its annual report, in addition to its audited financial statements, its assessment of the effectiveness of the company's internal control over financial reporting as of the end of the most recent fiscal year. Management's report on internal control over financial reporting is required to include the following:

- A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company
- A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the company's internal control over financial reporting
- An assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year, including an explicit statement as to whether that internal control over financial reporting is effective
- A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting

Management should provide, both in its report on internal control over financial reporting and in its representation letter to the auditor, a written conclusion about the effectiveness of the company's internal control over financial reporting. The conclusion about the effectiveness of a company's internal control over financial reporting can take many forms. However, management is required to state directly a conclusion about whether the company's internal control over financial reporting is effective. The Standard, for example, includes the phrase "management's assessment that W Company maintained effective internal control over financial reporting as of [date]" to illustrate such a conclusion. Other phrases, such as "management's assessment that W Company's internal control over financial reporting as of [date] is sufficient to meet the stated objectives," also might be used. However, the conclusion should not be so subjective (for example, "very effective internal control") that people having competence in and using the same or similar criteria would not ordinarily be able to arrive at similar conclusions.
APPENDIX C: REFERENCE SOURCES
The following resources are provided for additional reference to assist management.

- Internal Control-Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, http://www.coso.org
- Auditing Practice Release, Sampling, American Institute of Certified Public Accountants
- Financial Reporting Alerts, Internal Control Reporting, Implementing Sarbanes-Oxley Act Section 404, American Institute of Certified Public Accountants
- An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, PCAOB Release No. 2004-001, March 9, 2004, http://www.pcaobus.org/rules/release-20040308-1.pdf
- Securities and Exchange Commission Web site: http://www.sec.gov
- KPMG's 404 Institute Web site: http://www.404institute.com
- KPMG's Audit Committee Institute Web site: http://www.kpmg.com/aci
KPMG LLP is the audit, tax, and advisory firm that has maintained a continuous commitment throughout its history to providing leadership, integrity, and quality. The Big Four firm with the strongest growth record over the past decade, KPMG turns knowledge into value for the benefit of its clients, people, communities, and the capital markets. Its professionals work together to provide clients access to global support, industry insights, and a multidisciplinary range of services. KPMG LLP (www.us.kpmg.com) is the U.S. member firm of KPMG International. KPMG International's member firms have nearly 100,000 professionals, including 6,800 partners, in 148 countries.