|
|
 |
|
Sarbanes Oxley Act -
Auditing Standards |
|
Public
Company Accounting Oversight
Board
Bylaws
and Rules – Standards – AS2
Auditing
Standard No. 2: An Audit of Internal Control
Over Financial Reporting Performed in
Conjunction With an Audit of Financial
Statements
Reporting on Internal
Control Over Financial
Reporting
Management's
Report
162. Management is
required to include in its annual report its
assessment of the
effectiveness of
the company's internal control over financial
reporting in addition to
its
audited financial
statements as of the end of the most recent
fiscal year. Management's
report on internal
control over financial reporting is required to
include the following:19/
• A statement of
management's responsibility for establishing
and
maintaining
adequate internal control over financial
reporting for the
company;
• A statement
identifying the framework used by management to
conduct
the required
assessment of the effectiveness of the company's
internal
control over
financial reporting;
• An assessment of
the effectiveness of the company's internal
control over
financial
reporting as of the end of the company's most
recent fiscal year,
including an
explicit statement as to whether that internal
control over
financial
reporting is effective; and
• A statement that
the registered public accounting firm that
audited the
financial
statements included in the annual report has
issued an
attestation report
on management's assessment of the company's
internal
control over
financial reporting.
19/ See Item
308(a) of Regulation S-B and S-K, 17 C.F.R.
228.308(a) and 17
C.F.R. 229.308(a),
respectively.
163. Management
should provide, both in its report on internal
control over financial
reporting and in
its representation letter to the auditor, a
written conclusion about
the
effectiveness of
the company's internal control over financial
reporting. The conclusion
about the
effectiveness of a company's internal control
over financial reporting can
take
many forms;
however, management is required to state a
direct conclusion about
whether the
company's internal control over financial
reporting is effective.
This
standard, for
example, includes the phrase "management's
assessment that W
Company maintained
effective internal control over financial
reporting as of [date]" to
illustrate such a
conclusion.
Other phrases,
such as "management's assessment
that
W Company's internal
control over financial reporting as of [date] is
sufficient to meet
the stated
objectives," also might be used. However, the
conclusion should not be so
subjective (for
example, "very effective internal control") that
people having competence
in and using the
same or similar criteria would not ordinarily be
able to arrive at similar
conclusions.
164. Management is
precluded from concluding that the company's
internal control
over financial
reporting is effective if there are one or more
material weaknesses.20/ In
addition,
management is required to disclose all material
weaknesses that exist as of
the end of the
most recent fiscal year.
20 See Item
308(a)(3) of Regulation S-B and S-K, 17 C.F.R.
228.308(a) and
17 C.F.R.
229.308(a),
respectively.
165. Management
might be able to accurately represent that
internal control over
financial
reporting, as of the end of the company's most
recent fiscal year, is
effective
even if one or
more material weaknesses existed during the
period. To make this
representation,
management must have changed the internal
control over financial
reporting to
eliminate the material weaknesses sufficiently
in advance of the "as of"
date
and have
satisfactorily tested the effectiveness over a
period of time that is adequate
for
it to determine
whether, as of the end of the fiscal year, the
design and operation of
internal control
over financial reporting is
effective.21/
21 However, when
the reason for a change in internal control over
financial
reporting is the
correction of a material weakness, management
and the auditor should
evaluate whether
the reason for the change and the circumstances
surrounding the
change are
material information necessary to make the
disclosure about the change
not
misleading in a
filing subject to certification under Securities
Exchange Act Rule 13a-
14(a) or
15d-14(a), 17 C.F.R. 240.13a-14(a) or 17 C.F.R.
240.15d-14(a). See
discussion
beginning at paragraph 200 for further
direction.
Auditor's Evaluation
of Management's Report
166. With respect
to management's report on its assessment, the
auditor should
evaluate the
following matters:
a. Whether
management has properly stated its
responsibility for
establishing and
maintaining adequate internal control over
financial
reporting.
b. Whether the
framework used by management to conduct the
evaluation is
suitable. (As
discussed in paragraph 14, the framework
described in
COSO constitutes a
suitable and available
framework.)
c. Whether
management's assessment of the effectiveness of
internal
control over
financial reporting, as of the end of the
company's most
recent fiscal
year, is free of material
misstatement.
d. Whether
management has expressed its assessment in an
acceptable
form.
– Management is
required to state whether the company's
internal
control over
financial reporting is
effective.
– A negative
assurance statement indicating that, "Nothing
has come
to management's
attention to suggest that the company's
internal
control over
financial reporting is not effective," is not
acceptable.
– Management is
not permitted to conclude that the
company's
internal control
over financial reporting is effective if there
are one
or more material
weaknesses in the company's internal control
over
financial
reporting.
e. Whether
material weaknesses identified in the company's
internal control
over financial
reporting, if any, have been properly disclosed,
including
material
weaknesses corrected during the
period.22/
|
|
.
| | |
