1666 K Street, N.W.

Washington, DC 20006
Telephone: (202) 207-9100
Facsimile: (202) 862-8430
www.pcaobus.org

STAFF QUESTIONS AND ANSWERS

AUDITING INTERNAL CONTROL OVER FINANCIAL REPORTING

JUNE 23, 2004 (Revised July 27, 2004)1/

Summary: Staff questions and answers set forth the staff's opinions on issues related
to the implementation of the standards of the Public Company Accounting
Oversight Board ("PCAOB" or "Board"). The staff publishes questions and
answers to help auditors implement, and the Board's staff administer, the
Board's standards. The statements contained in the staff questions and
answers are not rules of the Board, nor have they been approved by the
Board.

The following staff questions and answers related to PCAOB Auditing Standard No. 2,
An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an
Audit of Financial Statements ("Auditing Standard No. 2"), were prepared by the Office
of the Chief Auditor. Questions should be directed to Laura Phillips, Associate Chief
Auditor (202/207-9111; [email protected]) or Greg Fletcher, Assistant Chief Auditor
(202/207-9203; [email protected]).

* * *

General

Q1. What is the authoritative status of the Background and Basis for Conclusions
appendix in a Board's standard?

1/
Paragraph A16 was revised on July 27, 2004 to more closely align the
answer with the directions in paragraph B6 of Auditing Standard No. 2 upon which the
answer was based.
 Auditing Standard No. 2 – Internal Control
June 23, 2004
(Revised July 27, 2004)
Page 2

STAFF QUESTIONS & ANSWERS

A1. All appendices of auditing standards issued by the Board, including the
Background and Basis for Conclusions, are an integral part of the standard and
carry the same authoritative weight as the body of the standard.

Q2. What is the authoritative status of the Notes included within the body of a Board's
standard?

A2. Both the Notes and footnotes to a Board standard are an integral part of
the standard and carry the same authoritative weight as any other information in
the body of, or appendices to, the standard.

Independence

Q3. Paragraph 33 of Auditing Standard No. 2 states: "The auditor must not accept an
engagement to provide internal control-related services to an issuer for which the
auditor also audits the financial statements unless that engagement has been
specifically pre-approved by the audit committee." Although the word "non-audit" does
not appear in that requirement, do only non-audit internal control-related services need
to be specifically pre-approved?

A3. The pre-approval requirement in Auditing Standard No. 2 applies to any

internal control-related services, regardless of whether they are classified as
audit or non-audit services for proxy disclosure purposes or otherwise. Every
proposed engagement by the issuer's auditor to provide internal control-related
services merits specific attention by the audit committee so that the audit
committee can determine whether the performance of the services would impair
the auditor's independence and whether management's involvement in the
services is substantive and extensive.

Q4. Under Auditing Standard No. 2, an auditor cannot accept an engagement to

provide internal control-related services unless the audit committee has evaluated the
actual, individual control-related service before the auditor was engaged. An auditor
might have been engaged by an issuer to perform internal control-related services prior
to the effective date of Auditing Standard No. 2, at which time those services were pre-
approved in a manner that would not satisfy the requirement in Auditing Standard No. 2.
Further, those services might be ongoing such that the auditor continues to provide
internal control-related services after the effective date of Auditing Standard No. 2 that
were pre-approved prior to the effective date of Auditing Standard No. 2 in a manner
 Auditing Standard No. 2 – Internal Control
June 23, 2004
(Revised July 27, 2004)
Page 3

STAFF QUESTIONS & ANSWERS

that does not satisfy the auditor's requirement in Auditing Standard No. 2. Is there any
grandfathering for these types of engagements in which their original pre-approval
would be considered sufficient under Auditing Standard No. 2?

A4. No, there is no grandfathering for internal control-related engagements

that were pre-approved prior to the effective date of Auditing Standard No. 2 in a
manner that would not satisfy the requirement in Auditing Standard No. 2 if the
provision of services is ongoing after the effective date of the standard. If the
auditor has been engaged to perform internal control-related services that were
pre-approved prior to the effective date of Auditing Standard No. 2 in a manner
that does not satisfy the requirements of Auditing Standard No. 2 and if those
services are ongoing after the effective date of Auditing Standard No. 2, the
auditor should request the audit committee to specifically evaluate the
independence implications of the continuation of those services as soon as
practicable. This type of remedial involvement of the audit committee is
consistent with the emphasis and vigilance that is appropriate for the audit
committee to have regarding approval of internal control-related services.

Scope and Extent of Testing

Q5. Several passages in Auditing Standard No. 2 refer to "financial statements and
related disclosures." Do these references to "related disclosures" extend the auditor's
evaluation and testing of controls to controls over the preparation of management's
discussion and analysis ("MD&A")?

A5. No. References in Auditing Standard No. 2 to "financial statements and

related disclosures" refer to a company's financial statements and notes as
presented in accordance with generally accepted accounting principles
("GAAP"). These references do not extend to the preparation of MD&A or other
similar financial information presented outside a company's GAAP-basis financial
statements and notes.

Q6. If management implements, late in the year, a new accounting system that
significantly affects the processing of transactions for significant accounts, and if the
majority of the year's transactions were processed on the old system, does the auditor
need to test controls over the new system? Given the same scenario, does the auditor
need to test controls over the old system?
 Auditing Standard No. 2 – Internal Control
June 23, 2004
(Revised July 27, 2004)
Page 4

STAFF QUESTIONS & ANSWERS

A6. To audit internal control over financial reporting, the auditor will need to
test controls over the new system. Paragraphs 147-149 of Auditing Standard No.
2 provide relevant directions to the auditor in this situation. Those paragraphs
state that the auditor's opinion on whether management's assessment of the
effectiveness of internal control over financial reporting is fairly stated relates to
the effectiveness of the company's internal control over financial reporting as of a
point in time. Furthermore, Section 404(a) of the Act requires that this
assessment be as of the end of the issuer's most recent fiscal year. Because
controls over the new system, which significantly affect the processing of
transactions for significant accounts, are the controls that are operating as of the
date of management's assessment, the auditor should test controls over the new
system.

Although the auditor would not be required to test controls over the old system to
have sufficient evidence to support his or her opinion on management's
assessment of the effectiveness of internal control over financial reporting as of
the end of the issuer's fiscal year, the old system is relevant to the audit of the
financial statements. In the audit of the financial statements, the auditor should
have an understanding of the internal control over financial reporting, which
includes the old system. Additionally, to assess control risk for specific financial
statement assertions at less than the maximum, the auditor is required to obtain
evidence that the relevant controls operated effectively during the entire period
upon which the auditor plans to place reliance on those controls. Paragraphs
150 and 151 of Auditing Standard No. 2 provide relevant directions to the auditor
in this situation.

Q7. Paragraph 140 of Auditing Standard No. 2 includes the following circumstance as
a significant deficiency and a strong indicator of a material weakness:

Identification by the auditor of a material misstatement in financial

statements in the current period that was not initially identified by the
company's internal control over financial reporting. (This is a strong
indicator of a material weakness even if management subsequently
corrects the misstatement.)
 Auditing Standard No. 2 – Internal Control
June 23, 2004
(Revised July 27, 2004)
Page 5

STAFF QUESTIONS & ANSWERS

Historically, many auditors have worked with companies closely at year-end, performing
auditing procedures on preliminary drafts of the financial statements and providing
feedback over a period of time on each successive draft. If the auditor identifies a
misstatement in a preliminary draft of financial statements, does this represent a
significant deficiency and a strong indicator of a material weakness? Do discussions
between management and the auditor regarding the adoption of a new accounting
principle or an emerging issue that have, in the past, been seen as a normal part of a
high quality audit, need to be postponed until after the company has completed its
related accounting?

A7. The inclusion of this circumstance in Auditing Standard No. 2 as a

significant deficiency and a strong indicator of a material weakness emphasizes
that a company must have effective internal control over financial reporting on its
own. More specifically, the results of auditing procedures cannot be considered
when evaluating whether the company's internal control provides reasonable
assurance that the company's financial statements will be presented fairly in
accordance with generally accepted accounting principles. There are a variety of
ways that a company can emphasize that it, rather than the auditor, is
responsible for the financial statements and that the company has effective
controls surrounding the preparation of financial statements.

Modifying the traditional audit process such that the company provides the
auditor with only a single draft of the financial statements to audit when the
company believes that all its controls over the preparation of the financial
statements have fully operated is one way to demonstrate management's
responsibility and to be clear that all the company's controls have operated.
However, this process is not necessarily what was expected to result from the
implementation of Auditing Standard No. 2. Such a process might make it
difficult for some companies to meet the accelerated filing deadlines for their
annual reports. More importantly, such a process, combined with the
accelerated filing deadlines, might put the auditor under significant pressure to
complete the audit of the financial statements in too short a time period thereby
impairing, rather than improving, audit quality. Therefore, some type of
information-sharing on a timely basis between management and the auditor is
necessary.
 Auditing Standard No. 2 – Internal Control
June 23, 2004
(Revised July 27, 2004)
Page 6

STAFF QUESTIONS & ANSWERS

A company may share interim drafts of the financial statements with the auditor.
The company can minimize the risk that the auditor would determine that his or
her involvement in this process might represent a significant deficiency or
material weakness through clear communications (either written or oral) with the
auditor about the following:

• state of completion of the financial statements;

• extent of controls that had operated or not operated at the time; and

• purpose for which the company was giving the draft financial
statements to the auditor.

For example, a company might give the auditor draft financial statements to audit
that lack two notes required by generally accepted accounting principles. Absent
any communication from the company to clearly indicate that the company
recognizes that two specific required notes are lacking, the auditor might
determine that the lack of those notes constitutes a material misstatement of the
financial statements that represents a significant deficiency and is a strong
indicator of a material weakness. On the other hand, if the company makes it
clear when it provides the draft financial statements to the auditor that two
specific required notes are lacking and that those completed notes will be
provided at a later time, the auditor would not consider their omission at that time
a material misstatement of the financial statements.

As another example, a company might release a partially completed note to the

auditor and make clear that the company's process for preparing the numerical
information included in a related table is complete and, therefore, that the
company considers the numerical information to be fairly stated even though the
company has not yet completed the text of the note. At the same time, the
company might indicate that the auditor should not yet subject the entire note to
audit, but only the table. In this case, the auditor would evaluate only the
numerical information in the table and the company's process to complete the
table. However, if the auditor identifies a misstatement of the information in the
table, he or she should consider that circumstance a misstatement of the
financial statements. If the auditor determines that the misstatement is material,
 Auditing Standard No. 2 – Internal Control
June 23, 2004
(Revised July 27, 2004)
Page 7

STAFF QUESTIONS & ANSWERS

a significant deficiency as well as a strong indicator of a material weakness
would exist.

This type of analysis, focusing on the company's responsibility for internal

control, may be extended to other types of auditor involvement. For example,
many audit firms prepare accounting disclosure checklists to assist both
companies and auditors in evaluating whether financial statements include all the
required disclosures under GAAP. Obtaining a blank accounting disclosure
checklist from the company's auditor and independently completing the checklist
as part of the procedures to prepare the financial statements is not, by itself, an
indication of a weakness in the company's controls over the period-end financial
reporting process. As another example, if the company obtains the blank
accounting disclosure checklist from its auditor, requests the auditor to complete
the checklist, and the auditor determines that a material required disclosure is
missing, that situation would represent a significant deficiency and a strong
indicator of a material weakness.

These evaluations, focusing on the company's responsibility for internal control

over financial reporting, will necessarily involve judgment on the part of the
auditor. A discussion with management about an emerging accounting issue that
the auditor has recently become aware of, or the application of a complex and
highly technical accounting pronouncement in the company's particular
circumstances, are all types of timely auditor involvement that should not
necessarily be indications of weaknesses in a company's internal control over
financial reporting. However, as described above, clear communication between
management and the auditor about the purpose for which the auditor is being
involved is important. Although the auditor should not determine that the
implications of Auditing Standard No. 2 force the auditor to become so far
removed from the financial reporting process on a timely basis that audit quality
is impaired, some aspects of the traditional audit process may need to be
carefully structured as a result of this increased focus on the effectiveness of the
company's internal control over financial reporting.

Q8. If an issuer decides to forego the required testing or documentation that would
form a sufficient basis for management's assessment of the effectiveness of internal
control over financial reporting, may the auditor simply render an adverse opinion on
internal control over financial reporting? In this circumstance, could the auditor render
 Auditing Standard No. 2 – Internal Control
June 23, 2004
(Revised July 27, 2004)
Page 8

STAFF QUESTIONS & ANSWERS

an adverse opinion on management's assessment but render an unqualified opinion on
the effectiveness of internal control over financial reporting?

A8. No. Paragraph 20 of Auditing Standard No. 2 describes the

responsibilities that management is required to fulfill for the auditor to
satisfactorily complete an audit of internal control over financial reporting. These
responsibilities include management evaluating the effectiveness of the
company's internal control over financial reporting and supporting its evaluation
with sufficient evidence, including documentation. If the auditor concludes that
management has not fulfilled these responsibilities, Auditing Standard No. 2
states that the auditor should communicate, in writing, to management and the
audit committee that the audit of internal control over financial reporting cannot
be satisfactorily completed and that he or she is required to disclaim an opinion.
Therefore, an auditor could not render either an adverse opinion on
management's assessment or an unqualified opinion on internal control over
financial reporting because, in this situation, the auditor would be precluded from
expressing any opinion.

Additionally, management is required to fulfill these responsibilities under Items

308(a) and (c) of Regulation S-B and S-K, 17 C.F.R. 228.308 (a) and (c) and
229.308 (a) and (c), respectively. To the extent that management has willfully
decided not to fulfill these responsibilities, the auditor also may have
responsibilities under AU sec. 317, Illegal Acts by Clients,2/ and Section 10A of
the Securities Exchange Act of 1934.

Q9. Is it necessary for the auditor to test controls directly if management asserts that
internal control over financial reporting is ineffective? If the auditor identifies a material
weakness, does the auditor need to complete his or her testing of controls?

2/
The Board adopted the generally accepted auditing standards, as
described in the AICPA Auditing Standards Board's ("ASB") Statement on Auditing
Standards No. 95, Generally Accepted Auditing Standards, as in existence on April 16,
2003, on an initial, transitional basis. The Statements on Auditing Standards
promulgated by the ASB have been codified into the AICPA Professional Standards,
Volume 1, as AU sections 100 through 900. References in Auditing Standard No. 2 and
this Staff Questions and Answers document refer to those generally accepted auditing
standards, as adopted on an interim basis in PCAOB Rule 3200T.
 Auditing Standard No. 2 – Internal Control
June 23, 2004
(Revised July 27, 2004)
Page 9

STAFF QUESTIONS & ANSWERS

A9. Yes. Paragraph 27 of Auditing Standard No. 2 requires the auditor to

obtain sufficient competent evidence about the design and operating
effectiveness of controls over all relevant financial statement assertions related to
all significant accounts and disclosures in the financial statements. That
paragraph also requires the auditor to plan and perform the audit to obtain
reasonable assurance that all material weaknesses are identified. Therefore, to
complete an audit of internal control over financial reporting and render an
opinion, it is necessary for the auditor to test controls directly, regardless of the
company's assessment or the auditor's earlier identification of a material
weakness.

Q10. Auditing Standard No. 2 describes five financial statement assertions and
describes the auditor's responsibilities in terms of relevant assertions. Some
professional standards, such as the International Standards on Auditing, include more
than five financial statement assertions. Some companies are using fewer than five
assertions when making their assessments. For the auditor to perform an audit of
internal control over financial reporting in accordance with Auditing Standard No. 2,
must management and the auditor use the five assertions described therein?

A10. No. For the auditor to perform an audit of internal control over financial
reporting in accordance with Auditing Standard No. 2, management and the
auditor may base their evaluations on assertions that are different from those
specified in Auditing Standard No. 2. Paragraphs 69 and 70 of Auditing Standard
No. 2 describe the identification of relevant assertions. Relevant assertions are
those that have a meaningful bearing on whether the account is fairly stated. To
identify relevant assertions, the auditor should determine the sources of likely
potential misstatements in each significant account. Ultimately, management
and the auditor should identify and test controls over all relevant assertions for all
significant accounts. To the extent that management or the auditor bases his or
her work on assertions different from those in Auditing Standard No. 2, the
auditor would be required to determine that he or she had identified and tested
controls over all sources of likely potential misstatements in each significant
account and over all representations by management that have a meaningful
bearing on whether the account is fairly stated.
 Auditing Standard No. 2 – Internal Control
June 23, 2004
(Revised July 27, 2004)
Page 10

STAFF QUESTIONS & ANSWERS

Evaluating Deficiencies

Q11. The definition of a significant deficiency is based, in part, on a magnitude of

financial statement misstatement that is "more than inconsequential." Paragraphs E87-
E91 of Auditing Standard No. 2 describe the development of the Board's definition of the
term inconsequential. The definition is based on paragraph .41 of AU sec. 312, Audit
Risk and Materiality in Conducting an Audit, which states:

In aggregating likely misstatements that the entity has not corrected, pursuant to
paragraphs .34 and .35 [of AU sec. 312], the auditor may designate an amount
below which misstatements need not be accumulated. This amount should be
set so that any such misstatements, either individually or when aggregated with
other such misstatements, would not be material to the financial statements, after
the possibility of further undetected misstatements is considered.

In the audit of the financial statements, different auditors designate the amount
described in paragraph .41 of AU sec. 312 in various ways. Some auditors quantify,
during the planning phase of the audit, a specific dollar amount above which likely
misstatements will be accumulated. Others take a more judgmental approach to
determining which likely misstatements to accumulate. Of the auditors who quantify a
specific dollar amount above which likely misstatements will be accumulated, different
auditors use different methodologies to arrive at different thresholds or specific dollar
amounts.

Given the relationship of paragraph .41 of AU sec. 312 to the definition of

inconsequential, is a known or likely misstatement aggregated by the auditor during the
audit of the financial statements in response to the directions in paragraph .41 of AU
sec. 312 by definition "more than inconsequential"? Furthermore, by virtue of having
been aggregated by the auditor, such a misstatement would have a "more than remote
likelihood" of occurring; therefore, by extension, does the aggregation of a difference by
the auditor, by definition, mean that there is a significant deficiency in the company's
internal control over financial reporting?

A11. No. A known or likely misstatement aggregated by the auditor as part of

the audit of the financial statements is not, by definition, either "more than
inconsequential" or determinative of there being a significant deficiency. There
are several reasons and circumstances why such a likely misstatement
 Auditing Standard No. 2 – Internal Control
June 23, 2004
(Revised July 27, 2004)
Page 11

STAFF QUESTIONS & ANSWERS

aggregated by the auditor might or might not indicate the existence of a
significant deficiency.

The threshold for "more than inconsequential" when evaluating whether a

significant deficiency exists is not necessarily the same as the amount the auditor
establishes pursuant to paragraph .41 of AU section 312 for aggregating
misstatements. The definition of inconsequential includes a combination of
concepts from both Staff Accounting Bulletin ("SAB") No. 99, Materiality, and AU
sec. 312. The definition of inconsequential is largely based on the discussion of
magnitude in SAB No. 99 and on AU sec. 312 for its directions regarding both the
consideration of misstatements individually and in the aggregate as well as the
possibility of undetected misstatements.

Also, as the Board indicated in paragraph E75 of the Background and Basis for
Conclusions of Auditing Standard No. 2, one reason that a significant deficiency
is defined differently from the previously used term "reportable condition" is
because the definition of reportable condition was solely a matter of the auditor's
judgment. A definition dependent solely on the auditor's judgment was
insufficient for purposes of the Sarbanes-Oxley Act because management also
needs a definition to determine whether a deficiency is significant, and that
definition should be the same as the definition used by the auditor. Accordingly,
Auditing Standard No. 2's definition of significant deficiency is not, by definition,
the same as the auditor's threshold for aggregating likely misstatements in the
audit of the financial statements.

As indicated in the question, different auditors exercise their professional

judgment in different ways in different circumstances when accumulating likely
misstatements as part of the audit of the financial statements. Furthermore, some
auditors, as a matter of policy, tend to set their posting threshold for
accumulating likely misstatements lower than "inconsequential." For example,
some auditors set their posting threshold for accumulating likely misstatements at
.25 percent of the company's pre-tax income which would, in most cases, be
clearly inconsequential on a quantitative basis.

Because a likely misstatement aggregated by the auditor as part of the audit of

the financial statements is not, by definition, "more than inconsequential" or
determinative of the existence of a significant deficiency, the auditor need not
 Auditing Standard No. 2 – Internal Control
June 23, 2004
(Revised July 27, 2004)
Page 12

STAFF QUESTIONS & ANSWERS

align the amount above which he or she aggregates misstatements with the
amount above which he or she believes a misstatement to be "more than
inconsequential" or determinative of the existence of a significant deficiency.
Furthermore, the auditor should not, for example, change the types of
deficiencies that he or she determines to be significant deficiencies simply by
raising the auditor's threshold for accumulating likely misstatements. These
determinations also need to take into consideration qualitative, as well as
quantitative, factors. The auditor might still determine that there is a more than
remote likelihood that a misstatement larger than the difference on his or her
summary of audit differences might occur and not be prevented or detected. For
these reasons, it is possible that a control deficiency associated with a likely
misstatement accumulated by the auditor on his or her summary of audit
differences might indicate the existence of a deficiency, a significant deficiency,
or a material weakness.

Q12. When determining whether a control deficiency exists, should the auditor
consider compensating controls?

A12. No. The Note to paragraph 10 of Auditing Standard No. 2 states that "…
in determining whether a control deficiency or combination of deficiencies is a
significant deficiency or a material weakness, the auditor should evaluate the
effect of compensating controls and whether such compensating controls are
effective." An important part of the evaluation of whether a significant deficiency
or material weakness exists includes aggregating deficiencies and considering
their effect in combination. The logical extension of this aggregation is to also
consider compensating controls. However, control deficiencies should be
considered individually and in isolation; therefore, the existence of compensating
controls does not affect whether a control deficiency exists.

Q13. Are all control testing exceptions, by definition, control deficiencies?

A13. No. Paragraph 107 of Auditing Standard No. 2 states: "A conclusion that
an identified exception does not represent a control deficiency is appropriate only
if evidence beyond what the auditor had initially planned and beyond inquiry
supports that conclusion." Paragraph 133 also includes the example that "a
control with an observed non-negligible deviation rate is a deficiency." Both
these passages in the standard recognize the inherent limitations in internal
 Auditing Standard No. 2 – Internal Control
June 23, 2004
(Revised July 27, 2004)
Page 13

STAFF QUESTIONS & ANSWERS

control. Effective internal control over financial reporting is a process designed to
provide reasonable assurance regarding the reliability of financial reporting.
Because effective internal control over financial reporting cannot, and does not,
provide absolute assurance of achieving financial reporting objectives, any
individual control does not necessarily have to operate perfectly, all the time, to
be considered effective. Therefore, Auditing Standard No. 2 provides the auditor
with directions that allow the use of judgment in the circumstances in which he or
she is evaluating whether a control testing exception is a control deficiency.

Q14. When a control deficiency exists, what degree of precision is required for a
compensating control to effectively mitigate a significant deficiency or material
weakness?

A14. As discussed in A13, Auditing Standard No. 2 provides that auditors

should evaluate the effect of compensating controls when determining whether a
control deficiency or combination of deficiencies is a significant deficiency or a
material weakness. However, to have a mitigating effect, the compensating
control should operate at a level of precision that would prevent or detect a
misstatement that was more than inconsequential or material, respectively.

Q15. Paragraph 9 of Auditing Standard No. 2 defines a significant deficiency as "a

control deficiency, or combination of control deficiencies ..." Paragraph 10 defines a
material weakness as "a significant deficiency, or combination of significant
deficiencies..." The definition of a material weakness, therefore, relies on the definition
of significant deficiency. Does this mean that a control deficiency, once determined to
be only a control deficiency and not also a significant deficiency, could be excluded from
the evaluation of whether a significant deficiency or combination of significant
deficiencies constitutes a material weakness?

A15. No. The definitions of significant deficiency and material weakness

delineate increasingly severe types of control deficiencies. All significant
deficiencies are also deficiencies; all material weaknesses are also significant
deficiencies and deficiencies. If the auditor correctly aggregates control
deficiencies when evaluating whether a significant deficiency exists, then all
related and salient control deficiencies will also be included in the auditor's
evaluation of whether a combination of significant deficiencies represents a
material weakness. Therefore, whether the definition of a material weakness is
 Auditing Standard No. 2 – Internal Control
June 23, 2004
(Revised July 27, 2004)
Page 14

STAFF QUESTIONS & ANSWERS

expressed as "a significant deficiency, or combination of significant
deficiencies…" or as "a control deficiency, or combination of control
deficiencies…" is unimportant. Both the meaning and the evaluation are the
same.

Multi-Location Issues

Q16. Paragraph 87 of Auditing Standard No. 2 states:

Appendix B, paragraphs B1 through B17, provide additional direction to

the auditor in determining which controls to test when a company has
multiple locations or business units. In these circumstances, the auditor
should determine significant accounts and their relevant assertions,
significant processes, and major classes of transactions based on those
that are relevant and significant to the consolidated financial statements.
Having made those determinations in relation to the consolidated financial
statements, the auditor should then apply the directions in Appendix B.

Paragraph B4 states:

Because of the importance of financially significant locations or business

units, the auditor should evaluate management's documentation of and
perform tests of controls over all relevant assertions related to significant
accounts and disclosures at each financially significant location or
business unit, as discussed in paragraphs 83 through 105 [of the
standard].

Does the combination of these directions mean that, for example, if the auditor
determines that accounts receivable is a significant account to the consolidated financial
statements, the auditor should test controls over all relevant assertions over accounts
receivable at every financially significant location or business unit, even if accounts
receivable at a particular financially significant location is immaterial?

A16. No. The combination of these directions means that the auditor should
determine significant accounts and their relevant assertions based on the
consolidated financial statements and perform tests of controls over all relevant
assertions related to those significant accounts at each financially significant
 Auditing Standard No. 2 – Internal Control
June 23, 2004
(Revised July 27, 2004)
Page 15

STAFF QUESTIONS & ANSWERS

location or business unit for which the selected accounts are material at the
account level. Therefore, the auditor need not test controls over all relevant
assertions for a significant account at a financially significant location where the
significant account is immaterial. However, if accounts receivable at a location or
business unit that is not otherwise considered financially significant represents a
risk of material misstatement to the consolidated financial statements, the auditor
should test controls over all relevant assertions for accounts receivable at that
location. This direction is consistent with the directions in paragraph B6
addressing locations or business units that involve specific risks.

Q17. The multi-location guidance in Appendix B of Auditing Standard No. 2 states that
the auditor should test controls over a "large portion" of the company's operations and
financial position. Many auditors are referring to specific percentages that represent
coverage over a "large portion" of the company's operations and financial position, such
as 60 percent or 75 percent. Are these percentages set in Auditing Standard No. 2?

A17. No. Auditing Standard No. 2 does not establish specific percentages that
would achieve this level of testing. During the comment period on the proposed
standard for the audit of internal control over financial reporting, several
commenters suggested that the standard should provide more specific directions
regarding the evaluation of whether controls over a "large portion" of the
company's operations and financial position had been tested, including
establishing specific percentages. The Board decided that balancing auditor
judgment with the consistency that would be enforced by increased specificity
would be best served by this direction remaining "principles-based." Therefore,
Auditing Standard No. 2 leaves to the auditor's judgment the determination of
what exactly constitutes a "large portion."

Additionally, the Note to paragraph B11 states that, "the evaluation of whether
controls over a large portion of the company's operations or financial position
have been tested should be made at the overall level, not at the individual
significant account level." For example, if an auditor believes that he or she
should test controls over x percent of some measure, that auditor should
evaluate whether he or she had tested controls over x percent of the company's
consolidated operations or financial position (e.g., x percent of total assets or x
percent of revenues) and not x percent of each individual significant account.
 Auditing Standard No. 2 – Internal Control
June 23, 2004
(Revised July 27, 2004)
Page 16

STAFF QUESTIONS & ANSWERS

Q18. Is any type of sampling strategy accommodated by the direction to test controls
over "a large portion" of financial position or operations?

A18. Yes. The directions in paragraph B11 of Auditing Standard No. 2 that the
auditor should test controls over a large portion of the company's operations or
financial position are intended as a fail-safe to ensure that every audit of internal
control over financial reporting is supported by sufficient evidence. In no case
should the auditor find that, in following the directions in paragraphs B1-B10, the
auditor could merely test company-level controls without also testing controls
over all relevant assertions related to significant accounts and disclosures.

The direction to test controls over a large portion of financial position or

operations is easily satisfied at companies in which the auditor's testing of
individual financially significant locations or business units clearly covers a large
portion. At these types of entities and others, the type of judgment discussed in
Q17 in which an auditor determines that he or she should test controls over 60
percent or 75 percent of the company's financial position or operations are
readily satisfied. However, in circumstances in which a company has a very
large number of individually insignificant locations or business units, testing
controls over 60 percent or 75 percent of the company's financial position or
operations may result in an extensive amount of work, in which the auditor would
test controls over hundreds and even thousands of individual locations to reach
that type of percentage target. In circumstances in which a company has a very
large number of individually insignificant locations or business units and
management asserts to the auditor that controls have been documented and are
effective at all locations or business units, the auditor may satisfy the directions in
paragraph B11 by testing a representative sample of the company's locations or
business units.

The auditor may select the representative sample either statistically or non-
statistically. However, the locations or business units should be selected in such
a way that the sample is expected to be representative of the entire population.
Also, particularly in the case of a non-statistical sample, the auditor's sampling
will be based on the expectation of no, or very few, control testing exceptions. In
such circumstances, because of the nature of the sample and the control testing
involved, the auditor will not have an accurate basis upon which to extrapolate an
error or exception rate that is more than negligible. Furthermore, the existence of
 Auditing Standard No. 2 – Internal Control
June 23, 2004
(Revised July 27, 2004)
Page 17

STAFF QUESTIONS & ANSWERS

testing exceptions would not support management's assertion that controls had
been documented and were effective at all locations or business units.
Therefore, if the auditor elects to use a representative sample in these
circumstances and encounters testing exceptions within the sample that exceed
a negligible rate, the auditor might decide that testing controls over a very large
number of individual locations or business units is necessary to adequately
support his or her opinion.

Q19. Paragraphs B16 and B17 of Auditing Standard No. 2 provide direction to the
auditor in situations in which the SEC allows management to limit its assessment of
internal control over financial reporting by excluding certain entities. The SEC staff's
guidance, Office of the Chief Accountant and Division of Corporation Finance:
Management's Report on Internal Control Over Financial Reporting and Disclosure in
Exchange Act Periodic Reports, Frequently Asked Questions, dated June 23, 2004,
discusses such situations in Questions 1 and 3. However, that document also instructs
management to refer in its report on internal control over financial reporting to
disclosure in its Form 10-K or Form 10-KSB regarding the scope of management's
assessment and any entity excluded from the scope. How does this disclosure by
management in its report affect the directions in Auditing Standard No. 2 that instruct
the auditor, in these situations, to report without reference to the limitation in scope?

A19. In these situations, the auditor's opinion would not be affected by a scope
limitation. However, the auditor should include, either in an additional
explanatory paragraph or as part of the scope paragraph in his or her report, a
disclosure similar to management's regarding the exclusion of an entity from the
scope of both management's assessment and the auditor's audit of internal
control over financial reporting.

Using the Work of Others

Q20. Auditing Standard No. 2 allows the auditor to use the work of others to alter the
nature, timing, or extent of the work the auditor would otherwise have performed. If the
auditor plans to use the work of others, he or she should, among other things, test some
of the work performed by others to evaluate the quality and effectiveness of the work.
In performing this testing, does the auditor need to test the work of others in every
significant account in which the auditor plans to use their work?
 Auditing Standard No. 2 – Internal Control
June 23, 2004
(Revised July 27, 2004)
Page 18

STAFF QUESTIONS & ANSWERS

A20. No. Auditing Standard No. 2 establishes a framework for using the work
of others based on evaluating the nature of the controls, evaluating the
competence and objectivity of the individuals who performed the work, and
testing some of the work performed by others to evaluate the quality and
effectiveness of their work. Within this framework, the amount of testing of the
work of others should be sufficient to enable the auditor to evaluate the overall
quality and effectiveness of their work. Auditing Standard No. 2 provides
flexibility in this regard; testing the work of others in every significant account in
which the auditor plans to use their work is not required. Furthermore, if the
auditor believes that extensive testing of the work of others is necessary in every
area in which the auditor plans to use their work, the auditor should keep in mind
the directions in paragraph 124 of Auditing Standard No. 2. Those directions
state that the auditor should also assess whether the evaluation of the quality
and effectiveness of the work of others has an effect on the auditor's conclusions
about the competence and objectivity of the individuals performing the work. If
the auditor determines the need to test the work of others to a high degree, the
auditor should consider whether his or her original assessment of their
competence and objectivity is correct.

Q21. Paragraph 108 of Auditing Standard No. 2 requires the auditor to perform enough
of the testing himself or herself so that the auditor's own work provides the principal
evidence for the auditor's opinion. Does the auditor's testing of the work of others
"count" toward the auditor obtaining the principal evidence supporting his or her
opinion?

A21. No. As described in paragraph 109 of Auditing Standard No. 2, to

determine the extent to which the auditor may use the work of others to alter the
nature, timing, or extent of the work the auditor would have otherwise performed,
in addition to obtaining the principal evidence for his or her opinion, the auditor
should, among other things, test some of the work performed by others to
evaluate the quality and effectiveness of their work. Therefore, the auditor's
testing of the work of others is not considered to be part of the principal evidence
obtained by the auditor. As described in A20, if the auditor determines the need
to test the work of others to a high degree, the auditor should consider whether
his or her original assessment of their competence and objectivity is correct.
 Auditing Standard No. 2 – Internal Control
June 23, 2004
(Revised July 27, 2004)
Page 19

STAFF QUESTIONS & ANSWERS

Q22. Paragraph 123 of Auditing Standard No. 2 states that the auditor's tests of the
work of others may be accomplished by either (a) testing some of the controls that
others tested or (b) testing similar controls not actually tested by others. Based on the
response in A21, regardless of whether the auditor tested some of the controls tested
by others or tested similar controls not actually tested by others ("independent testing"),
if the objective of that testing is to evaluate the quality and effectiveness of the work of
others, that testing should not be considered as part of the principal evidence obtained
by the auditor. However, does the auditor's independent testing in areas in which the
auditor is using the work of others count as principal evidence if the independent tests
are not for the purpose of assessing the quality and effectiveness of the work of others?

A22. Yes. The auditor's independent testing in these circumstances may be

considered as work performed by the auditor when evaluating whether the
auditor obtained the principal evidence supporting his or her opinion, but only if
these independent tests are not for the purpose of assessing the quality and
effectiveness of the work of others. If the independent tests are for the purpose
of assessing the quality and effectiveness of the work of others, then the
independent tests should not be considered as work performed by the auditor
when evaluating whether the auditor obtained the principal evidence supporting
his or her opinion.

Q23. Paragraphs 113 through 115 of Auditing Standard No. 2 describe the auditor's
evaluation of the nature of the controls subjected to the work of others when
determining how to use the work of others to alter the nature, timing, or extent of the
work the auditor would otherwise have performed. Those paragraphs state that the
auditor should not use the work of others to reduce the amount of work he or she
performs on controls in the control environment. Further, those directions state that
controls that are part of the control environment include, but are not limited to, controls
specifically established to prevent and detect fraud that is at least reasonably possible
to result in a material misstatement of the financial statements. How do these directions
regarding the auditor's testing of controls specifically established to prevent and detect
fraud relate to the auditor's responsibilities in AU sec. 316, Consideration of Fraud in a
Financial Statement Audit?

A23. Paragraph 26 of Auditing Standard No. 2 generally describes how the

auditor's evaluation of controls in an audit of internal control over financial
reporting is interrelated with the auditor's evaluation of fraud risks in a financial
 Auditing Standard No. 2 – Internal Control
June 23, 2004
(Revised July 27, 2004)
Page 20

STAFF QUESTIONS & ANSWERS

statement audit as required by AU sec. 316. AU sec. 316 requires, among other
things, that the auditor identify risks that may result in a material misstatement of
the financial statements due to fraud and that the auditor should respond to those
identified risks. AU sec. 316 emphasizes that the auditor's response to the risks
of material misstatement due to fraud involves the application of professional
skepticism when gathering and evaluating evidence. The auditor also is required
to respond to the results of the fraud risk assessment in three ways:

a. A response that has an overall effect on how the audit of the

financial statements is conducted, that is, a response involving
more general considerations apart from the specific procedures
otherwise planned.

b. A response to identified risks that involves the nature, timing, and

extent of auditing procedures to be performed.

c. A response involving the performance of certain procedures to

further address the risk of material misstatement due to fraud
involving management override of controls.

The relationship of these requirements with the directions in Auditing Standard

No. 2 regarding the auditor's use of the work of others may be illustrated by
several examples.

First, AU sec. 316 establishes a presumption that there is a risk of material

misstatement due to fraud relating to revenue recognition. If the auditor does not
overcome this presumption, as would frequently be the case with, for example,
software revenue recognition, the auditor should test the controls specifically
established to prevent and detect fraud related to a material misstatement of the
company's revenue recognition himself or herself.

Because material misstatement due to fraud often involves manipulation of the

financial reporting process by management, AU sec. 316 also requires the
auditor to review journal entries and other adjustments for evidence of material
misstatement due to fraud. Paragraph 112 of Auditing Standard No. 2 includes
as one of the factors that the auditor should evaluate when evaluating the nature
of the controls subjected to the work of others "the potential for management
 Auditing Standard No. 2 – Internal Control
June 23, 2004
(Revised July 27, 2004)
Page 21

STAFF QUESTIONS & ANSWERS

override of the control." Taken together, these directions mean that obtaining the
understanding of the design of controls over journal entries and other
adjustments and determining whether they are suitably designed and have been
placed in operation, as required by AU sec. 316, and performing any associated
testing of those controls that the auditor determines is necessary when auditing
internal control over financial reporting under Auditing Standard No. 2, should be
performed by the auditor himself or herself. However, Auditing Standard No. 2
emphasizes that, although the auditor should not use the work of others in this
situation, the auditor should consider the results of work performed in the area by
others because it might indicate the need for the auditor to increase his or her
work.

Service Organizations

Q24. What types of outsourcing activities result in a service organization arrangement

addressed by Statement on Auditing Standards ("SAS") No. 70, Service Organizations
(AU sec. 324)? What types of outsourcing activities are part of a company's internal
control over financial reporting?

A24. As described in paragraph .03 of AU sec. 324, a service organization's

services are part of a company's information system if they affect any of the
following:

• The classes of transactions in the company's operations that are

significant to the company's financial statements.

• The procedures, both automated and manual, by which the

company's transactions are initiated, authorized, recorded,
processed, and reported from their incurrence to their inclusion in
the financial statements.

• The related accounting records, whether electronic or manual,

supporting information and specific accounts in the company's
financial statements involved in initiating, authorizing, recording,
processing and reporting the company's transactions.
 Auditing Standard No. 2 – Internal Control
June 23, 2004
(Revised July 27, 2004)
Page 22

STAFF QUESTIONS & ANSWERS

• How the company's information system captures other events and

conditions that are significant to the financial statements.

• The financial reporting process used to prepare the company's

financial statements, including significant accounting estimates and
disclosures.

Paragraph .03 of AU sec. 324 also provides examples of situations in which a

service organization's services affect a company's information system. For
instance, the trust departments of banks and insurance companies often serve
as the custodian of an employee benefit plan's assets, including making
investment decisions, maintaining records of each participants account,
allocating income amongst participants, and preparing other types of
recordkeeping; this type of servicing is a common example of a service
organization's services that affect a company's information system. In contrast,
AU sec. 324 does not apply to situations in which the services being provided are
limited to executing client organization transactions that the client specifically
authorizes. For example, the processing of checking account transactions or
wire transfer instructions by a bank would not constitute a service organization
arrangement. Paragraph .03 of AU sec. 324 also excludes other types of
transactions, such as transactions arising from joint ventures, from the scope of a
service organization arrangement addressed by AU sec. 324.

All of the examples of outsourcing activities in paragraph .03 of AU sec. 324

(which are not an exhaustive listing of all types of possible outsourcing activities)
are part of the company's information system. However, not all outsourcing
activities are a part of the company's information system. In addition to the
arrangements described in paragraph .03 of AU sec. 324 to which AU sec. 324
does not apply, the use of a specialist is not part of a company's information
system. For example, a company might outsource actuarial services; however,
the nature of the services represents the use of a specialist, and the actuary is
not a part of the company's information system.

If the service organization's services are part of a company's information system,

then they are part of the information and communication component of the
company's internal control over financial reporting. In those circumstances,
management should consider the activities of the service organization in making
 Auditing Standard No. 2 – Internal Control
June 23, 2004
(Revised July 27, 2004)
Page 23

STAFF QUESTIONS & ANSWERS

its assessment of internal control over financial reporting, and the auditor should
consider the activities of the service organization in determining the evidence
required to support his or her opinion. Appendix B of Auditing Standard No. 2
provides additional directions regarding the procedures management and the
auditor should perform with respect to activities performed by the service
organization.

Q25. Auditing Standard No. 2 indicates that evidence about the operating
effectiveness of controls at a service organization can be obtained from a Type 2 SAS
No. 70 report. Is a Type 2 SAS No. 70 report issued more than six months prior to the
date of management's assessment current enough to provide any such evidence?

A25. Paragraphs B25 through B27 provide directions when a significant period
of time has elapsed between the time period covered by the tests of controls in
the service auditor's report and the date of management's assessment. These
directions do not establish any "bright lines." In other words, application of the
directions does not result in a precise answer as to whether a service auditor's
report issued more than six months prior to the date of management's
assessment is not current enough to provide any evidence. Rather, these
directions state that, when a significant period of time has elapsed between the
time period covered by the tests of controls in the service auditor's report and the
date of management's assessment, additional procedures should be performed.

Paragraph B26 provides directions to the auditor in determining whether to obtain

additional evidence about the operating effectiveness of controls at the service
organization. The auditor's procedures to obtain additional evidence will typically
be more extensive the longer the period of time that has elapsed between the
time period covered by the service auditor's report and the date of management's
assessment. Also, those auditor's procedures will vary depending on the
importance of the controls at the service organization to management's
assessment and on the level of interaction between the company's controls and
the controls at the service organization.

The auditor's procedures will be focused on, among other things, identifying
changes in the service organization's controls subsequent to the period covered
by the service auditor's report. The auditor should be alert for situations in which
management has not made changes to its procedures and controls to respond to
 Auditing Standard No. 2 – Internal Control
June 23, 2004
(Revised July 27, 2004)
Page 24

STAFF QUESTIONS & ANSWERS

changes in procedures and controls at the service organization. These situations
might result in errors not being prevented or detected in a timely manner.

Q26. Can a registered public accounting firm in the integrated audit of an issuer obtain
evidence from a service auditor's report issued by a non-registered public accounting
firm?

A26. Yes. Paragraph B24 of Auditing Standard No. 2 directs the auditor to
make inquiries concerning the service auditor's reputation, competence, and
independence in determining whether the service auditor's report provides
sufficient evidence to support management's assessment and the auditor's
opinion on internal control over financial reporting. Auditing Standard No. 2 does
not require that the service auditor be a registered public accounting firm.

The auditor should be aware of how evidence obtained from a service auditor's
report issued by a non-registered firm interacts with the Board's registration rules.
Any public accounting firm that "plays a substantial role in the preparation or
furnishing of an audit report" with respect to any issuer must register with the
Board. Because of the nature of the service auditor's report (the user auditor
could have performed tests of controls at the service organization himself or
herself but, instead, may have chosen to obtain evidence from a service auditor's
report), when a registered public accounting firm obtains evidence from a service
auditor's report in the audit of an issuer, the service auditor has participated in
the audit of the issuer. If the service auditor's work, measured in terms of either
services or procedures, meets the "substantial role" threshold (as defined in Rule
1001(p)(ii)) for the audit of the user organization, the service auditor is required to
be registered with the Board.