Since SSAE 9, an auditor has been able to report directly on a specified subject matter, such as internal control. Engagements to examine the effectiveness of an entity’s internal control are now in growing demand. So, what auditing standard should the auditor follow in reporting on an entity’s internal control?

This post discusses the conditions required for accepting an engagement to examine an entity’s internal control, management representations and responsibilities under such an engagement, and the usage of criteria.

It also covers the procedures the auditor should perform to gather sufficient competent evidential matter to be able to express an opinion, the required documents, and reporting and expressing an opinion.

Separately, I am going to provide a full set of independent auditor’s reports (auditor’s opinion directly on the effectiveness of an entity’s internal control, auditor’s opinion on management’s assertion, material weakness in internal control qualified opinion, material weakness in internal control—adverse opinion, scope limitation—qualified opinion, scope limitation—disclaimer of opinion, opinion based in part on the report of another auditor, reporting on a segment of the entity’s internal control, reporting on the suitability of design, criteria specified by a regulatory agency, and management representations letter). Update: “11 Examples of Auditor Opinion on Entity Internal Control” is available now!

Read on…

One provision of SSAE 10 (Attestation Standards: Revision and Recodification) clarifies that:

“The responsible party’s refusal to provide a written assertion as part of an examination engagement should cause the auditor to withdraw from the engagement. (An exception exists if an examination of internal control is required by law or regulation. In this case, the auditor should disclaim an opinion unless he or she obtains evidential matter that warrants expressing an adverse opinion.)”

 

It establishes conditions that should be met for an auditor to examine the effectiveness of an entity’s internal control over financial reporting and the engagement performance and reporting requirements for four types of such engagements. These types are engagements to examine:

1. The effectiveness of an entity’s internal control.

2. The design and operating effectiveness of a segment of an entity’s internal control.

3. Only the suitability of design of an entity’s internal control when no assertion is made about the operating effectiveness.

4. The design and operating effectiveness of an entity’s internal control based on criteria established by a regulatory agency.

 

Required Conditions For Engagement Acceptance

According to AU 501.04, the following conditions should be present for the auditor to accept the engagement to examine the effectiveness of an entity’s internal control. These are:

1. Management accepts responsibility for the effectiveness of the entity’s internal control.

2. The responsible party evaluates the effectiveness of the entity’s internal control using suitable criteria.

3. Sufficient evidential matter exists or could be developed to support the responsible party’s evaluation.

The auditor should obtain a written assertion about the effectiveness of the entity’s internal control from the responsible party. The written assertion may be provided in a representation letter to the auditor or in a separate report accompanying the auditor’s report.

Regardless of whether the client is the responsible party, the responsible party’s refusal to provide an assertion requires that the auditor withdraw from an examination engagement.

Withdrawal is not required if the engagement is required by law or regulation. In that case, the auditor should disclaim an opinion on internal control unless an adverse opinion is warranted. If the auditor expresses an adverse opinion and the responsible party does not provide an assertion, the auditor’s report should be restricted.

The responsible party’s written assertion may take various forms but should be specific enough that individuals having competence in and using the same or similar measurement and disclosure criteria ordinarily would be able to arrive at similar conclusions.

 

Management Representations and Responsibilities

The statement requires the auditor to obtain in writing certain specific representations from the responsible party. If the responsible party refuses to furnish all of the required written representations, a scope limitation exists which ordinarily is sufficient to require that the auditor disclaim an opinion or withdraw from the engagement.

However, depending on the nature of the representations not obtained or the circumstances of the refusal, the auditor may decide that a qualified opinion is appropriate. The required representations are:

1. Acknowledgment of the responsible party’s responsibility for the establishment and maintenance of internal control.

2. A statement that the responsible party has performed an evaluation of the effectiveness of the entity’s internal control, specifying the control criteria used.

3. A statement of the responsible party’s assertion about the effectiveness of the entity’s internal control based on the control criteria as of a specified date.

4. A statement that the responsible party has disclosed to the auditor all significant deficiencies in the design or operation of internal control which could adversely affect the entity’s ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements and has identified those that it believes to be material weaknesses in internal control.

5. A description of any material fraud and any other fraud that, although not material, involves management or other employees who have a significant role in the entity’s internal control.

6. A statement whether there were, subsequent to the date being reported on, any changes in internal control or other factors that might significantly affect internal control, including any corrective actions taken by the responsible party with regard to significant deficiencies and material weaknesses.

 

Usage of Criteria

Criteria issued by bodies composed of experts that follow a formal process of developing and exposing drafts of pronouncements to the public before issuance are generally reasonable criteria. Such bodies include the AICPA, some regulatory agencies, and the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Criteria established by groups that do not follow due process or “do not as clearly represent the public interest” should be evaluated by the auditor to determine that the criteria are reasonable for general-use reporting.

In some cases, criteria may be suitable only for reports that are limited to the parties, generally a regulatory agency, who developed the criteria. For example, a regulatory agency may include specific criteria in its audit guide that are suitable to its specific needs.

When such criteria are used, the auditor’s report should be modified to limit its use to the regulatory agency. If the criteria have been subject to due process procedures and the criteria are available to users, the auditor may use the report in this [example].

 

Gathering Sufficient Competent Evidential Matter

To be able to express an opinion, the auditor performs procedures to gather sufficient competent evidential matter:

  • In considering the effectiveness of the design of a specific control, the auditor evaluates whether the policy or procedure is suitably designed to prevent or detect material misstatements in specific financial statement assertions.
  • In considering operating effectiveness of a control, the auditor evaluates whether the control was applied consistently, whether the control is effectively achieving its purpose, and considers who applied it.

 

Here is what the auditor should be aware of:

1. Tests performed by the responsible party – The responsible party may have performed tests and may provide their results to the auditor. The auditor may consider such results, but it is the auditor’s responsibility to obtain sufficient evidence to support the opinion. The auditor’s tests may corroborate the results of the responsible party’s tests. In considering whether the evidence obtained is sufficient, the auditor should recognize that evidence obtained directly by the auditor is more persuasive than that obtained indirectly, such as from the responsible party.

2. Time period covered – The time period to be covered by tests of controls is a matter of judgment. The auditor should perform tests of controls over a period of time that is adequate to determine whether, as of the date selected, the controls necessary for achieving the objectives of the control criteria are operating effectively.
NOTE: In considering the time period to be covered by the tests of controls, the auditor recognizes that some controls operate continuously while others (e.g., controls over physical inventory counts) operate only at certain times.

3. Changes in controls – Management may change controls to make them more effective or efficient. If the change occurs before the date as of which management’s assertion about internal control over financial reporting is made, and they have been in effect for a sufficient period to be able to assess them, the auditor should consider the design and operating effectiveness of the new controls and not be concerned with superseded controls. If the change is a subsequent event (after the date as of which the internal control over financial reporting is being examined but before the date of the auditor’s report), the treatment is analogous to a subsequent event in an audit. The auditor considers:

  • Does the subsequent event significantly affect the effectiveness of the entity’s internal control as of the date specified in the assertion?
  • Does management adequately describe the subsequent event and its effects in the assertion?

4. Subsequent events – If the auditor becomes aware of subsequent events that he or she believes significantly affect the effectiveness of the entity’s internal control as of the date specified in the assertion, the auditor should report directly on the effectiveness of the entity’s internal control and issue a qualified or adverse opinion. The auditor should disclaim an opinion if he or she cannot determine the effect of the subsequent event on the effectiveness of the entity’s internal control. The auditor may become aware of subsequent events related to conditions that did not exist at the date specified in the assertion but arose after that date. Occasionally, the impact of this kind of subsequent event is so significant that the auditor may want to add an explanatory paragraph to his or her report that either describes the event and its effects or directs the reader’s attention to the event and its effects. The auditor needs to determine:

  • Is the new information reliable?
  • Did the conditions/facts exist at the date of the report?
  • Would the auditor have changed the report if the conditions/facts were known at that time?
  • Is anyone likely to be relying on the auditor’s report on the effectiveness of the entity’s internal control?

 

Required Documents (Should or Should Not Provide Assistance?)

The controls and control objectives that they were designed to achieve should be documented to support the responsible party’s assertion, and to support the auditor’s report.

The responsible party generally prepares the documentation of controls, but the auditor, at the responsible party’s request, may assist in preparing or gathering documentation. No particular form of documentation (narratives, policy manuals, flowcharts, etc.) is specifically required.

 

Entity Internal Control Reporting Requirements

The auditor may examine and report on:

  • The effectiveness of an entity’s internal control over financial reporting.
  • The responsible party’s written assertion.

The auditor’s examination report on the effectiveness of an entity’s internal control over financial reporting should include the following:

1. A title that includes the word independent.

2. An introductory paragraph with statements that (a) Identify the subject matter (internal control over financial reporting) and the responsible party; (b) The responsible party (management) is responsible for maintaining effective internal control over financial reporting; and (c) The auditor’s responsibility is to express an opinion on the effectiveness of an entity’s internal control based on his or her examination.

3. A scope paragraph with statements that (a) The examination was conducted in accordance with attestation standards established by the AICPA and, accordingly, included obtaining an understanding of internal control over financial reporting, testing and evaluating the design and operating effectiveness of internal control, and performing such other procedures as the auditor considered necessary in the circumstances; (b) The auditor believes the examination provides a reasonable basis for his or her opinion.

4. An inherent limitations paragraph that states that, because of inherent limitations of any internal control, misstatements due to errors or fraud may occur and not be detected. (In addition, the paragraph should state that projections of any evaluation of internal control over financial reporting to future periods are subject to the risk that internal control may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.)

5. An opinion paragraph that presents the auditor’s opinion on whether the entity has maintained, in all material respects, effective internal control over financial reporting as of the specified date, based on the control criteria.

6. A statement restricting the use of the report to the specified parties when the criteria used to evaluate internal control over financial reporting are: (a) Determined by the auditor to be appropriate only for a limited number of parties who either participated in their establishment or can be presumed to have an adequate understanding of the criteria; (b) Available only to specified parties.

7. The manual or printed signature of the auditor’s firm.

8. The date of the examination report.

The auditor’s examination report on a written assertion about the effectiveness of an entity’s internal control over financial reporting should include the following:

1. A title that includes the word independent.

2. An introductory paragraph with statements that (a) Identify the written assertion about the effectiveness of the entity’s internal control over financial reporting as of a specified date and the responsible party (when the written assertion does not accompany the auditor’s report, the first paragraph of the report should also contain a statement of the assertion); (b) The assertion is the responsibility of the responsible party; (c) The auditor’s responsibility is to express an opinion on the written assertion based on his or her examination.

3. A scope paragraph with statements that (a) The examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included obtaining an understanding of internal control over financial reporting, testing and evaluating the design and operating effectiveness of internal control, and performing such other procedures as the auditor considered necessary in the circumstances; (b) The auditor believes the examination provides a reasonable basis for his or her opinion.

4. An inherent limitations paragraph that states that, because of inherent limitations of any internal control, misstatements due to error or fraud may occur and not be detected. (In addition, the paragraph should state that projections of any evaluation of internal control over financial reporting to future periods are subject to the risk that internal control may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.)

5. An opinion paragraph that presents the auditor’s opinion on whether the assertion about the effectiveness of the entity’s internal control over financial reporting as of the specified date is fairly stated, in all material respects, based on the control criteria.

6. A statement restricting the use of the report to specified parties when the criteria used to evaluate the effectiveness of internal control over financial reporting are: (a) Determined by the auditor to be appropriate only for a limited number of parties who either participated in their establishment or can be presumed to have an adequate understanding of the criteria; (b) Available only to specified parties.

7. The manual or printed signature of the auditor’s firm.

8. The date of the examination report.

 

Note: If an auditor is requested by one party to examine the effectiveness of another entity’s internal control, he or she may want to restrict the report to the party making the request.

 

Reporting Material Weakness On Entity’s Internal Control

During the course of the engagement, the auditor may become aware of reportable conditions, some of which may be material weaknesses. The auditor has a responsibility to communicate reportable conditions to the audit committee and to identify those reportable conditions that are material weaknesses. Such communication should be in writing.

Note: The auditor should not issue a written report representing that no reportable conditions were noted because of the potential for misinterpretation of the limited degree of assurance.

If, in a multiple-party arrangement, the client is not the responsible party, the auditor has no responsibility to communicate reportable conditions to the responsible party.

The auditor should also modify his or her report:

  • If a reportable condition is of such magnitude that it is a material weakness, or
  • If the combined effect of several reportable conditions that would not individually be material weaknesses results in a material weakness existing.

To most effectively communicate with the reader of the modified report, the auditor should express his or her opinion directly on the effectiveness of internal control, not on the assertion.

If a written assertion accompanying the auditor’s report contains a statement that the responsible party believes that the cost of correcting the weakness would be greater than the benefits of the new controls, the auditor should disclaim an opinion on the responsible party’s cost-benefit statement. Other reasons that the auditor may decide to modify the report include:

1. Scope limitation.

2. Reference to the report of another auditor.

3. Significant subsequent event.

4. Reporting on only a segment of internal control.

5. Reporting on only the suitability of the design (and not the operating effectiveness).

6. Criteria are not suitable for general use.

 

Other Information in Client-Prepared Documents

Other information may be contained in the document that contains the auditor’s attest report on internal control (or an assertion related thereto). When the information is contained in annual reports to owners, annual reports of not-for-profit entities distributed to the public, annual reports filed with the SEC, or other documents to which the auditor devotes attention at the client’s request, then the auditor should:

  • Read such information not covered by the auditor’s report, and
  • Consider whether it or its manner of presentation is materially inconsistent with the auditor’s report or whether it contains a material misstatement of fact.