[professionalskeptic]

Public co’s are required to present an auditor’s report on internal control over financial reporting by PCAOB. AND to satisfy SOX 404 they are required to present an ‘attestation report on managements assessment of internal control’ as well?

My Becker book, in A5, made it seem like the attest report is a non-issuer only thing. But later in A6, it says that the attest report is also required by SOX. So which one is it?

AUD - 95
BEC - 79
FAR - 86
REG - NINJA in Training

The woods are lovely, dark and deep, but I have promises to keep and miles to go before I sleep, miles to go before I sleep.

FAR - 11/18/15 - 74, 04/29 - 70 overworked myself to the last day and was burnt out at the exam.
AUD - 01/18/16 - 74 AGAIN FML, retake - only going to schedule when I feel happy with my prep.

[HoosierCPA]

Audit of financial statements for issuers require an integrated audit which essentially is an Opinion on the financial statements complimented with a paragraph or separate report (they can do either) stating the auditors assessment of the effectiveness of the internal controls.

For non-issuers reporting on the effectiveness of the IC is not required, however they can still do so if they feel the need.

I believe the attest engagement you are talking about is a separate issue. SSAE engagements are issuer/non-issuer engagements on specific misc items (agreed upon procedures, forecasts, projections, internal controls over financial reporting). SSAE has separate rules on how to report (AICPA).

AUD - 80
BEC - 82
FAR - 78
REG - 89

...

FAR - 78
REG - 72,74,71...please just go away REG nobody likes you!
BEC - 82
AUD - Aug 16

[professionalskeptic]

Audit of financial statements for issuers require an integrated audit which essentially is an Opinion on the financial statements complimented with a paragraph or separate report (they can do either) stating the auditors assessment of the effectiveness of the internal controls.

For non-issuers reporting on the effectiveness of the IC is not required, however they can still do so if they feel the need.

Agreed.

I believe the attest engagement you are talking about is a separate issue. SSAE engagements are issuer/non-issuer engagements on specific misc items (agreed upon procedures, forecasts, projections, internal controls over financial reporting). SSAE has separate rules on how to report (AICPA).

It definitely is a separate issue. If you look up SOX 404, it talks about an ‘attestation report on managements assessment of internal control’ for issuers which is governed by SSAE. And is required for issuers.

A direct excerpt from the Sarbanes-Oxley Act of 2002 report for section 404:

(a) Rules Required. The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 to contain an internal control report, which shall–
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

(b) Internal Control Evaluation and Reporting. With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

Maybe the book is only taking about PCAOB in A5 and about SOX in A6, with no reference to the relation. Just wanted to confirm if my understanding is correct.

Thanks.

AUD - 95
BEC - 79
FAR - 86
REG - NINJA in Training

The woods are lovely, dark and deep, but I have promises to keep and miles to go before I sleep, miles to go before I sleep.

FAR - 11/18/15 - 74, 04/29 - 70 overworked myself to the last day and was burnt out at the exam.
AUD - 01/18/16 - 74 AGAIN FML, retake - only going to schedule when I feel happy with my prep.

[professionalskeptic]

Wow I did not know quotes will come out so bold lol. Sorry about that.

AUD - 95
BEC - 79
FAR - 86
REG - NINJA in Training

The woods are lovely, dark and deep, but I have promises to keep and miles to go before I sleep, miles to go before I sleep.

FAR - 11/18/15 - 74, 04/29 - 70 overworked myself to the last day and was burnt out at the exam.
AUD - 01/18/16 - 74 AGAIN FML, retake - only going to schedule when I feel happy with my prep.

[HoosierCPA]

Honestly I would probably need to dive into the material more to give you a great answer.

However, what I want to say is the word “attest” might be tripping us up. Just because it says attest doesn't mean it falls under SSAE. Based on the excerpt you provided it makes me believe that the additional disclosure for PCAOB on the effectiveness of controls is required BECAUSE of SOX 404 and SOX 404 is not related to SSAE at all.

I wouldn't mind someone jumping in on this thread and confirming that though lol.

AUD - 80
BEC - 82
FAR - 78
REG - 89

...

FAR - 78
REG - 72,74,71...please just go away REG nobody likes you!
BEC - 82
AUD - Aug 16

[professionalskeptic]

I'm pretty sure that PCAOB talks about an integrated audit and an auditor's report on internal control whereas SOX talks about an attestation on managements assessment. I'm not aware of any other attestation standards other than SSAE.

From what I can gather, both are required, which seems kind of counter intuitive.

Maybe someone who's working in Public accounting can give us an answer, I have no real experience at all..

AUD - 95
BEC - 79
FAR - 86
REG - NINJA in Training

The woods are lovely, dark and deep, but I have promises to keep and miles to go before I sleep, miles to go before I sleep.

FAR - 11/18/15 - 74, 04/29 - 70 overworked myself to the last day and was burnt out at the exam.
AUD - 01/18/16 - 74 AGAIN FML, retake - only going to schedule when I feel happy with my prep.

[Anonymous]

Just throwing this in there – could they be talking about the Management Report that is a required part of the audit? The Management Report includes management's assertions as to what is presented in the FS and other items they are taking responsibility for (design & maintenance of IC, they aren't aware of any fraud, compliance with laws blah blah blah). The auditor has to corroborate/back up those assertions made by management.

My understanding of SOX is that they needed to develop rules and guidelines for companies so that their CEO/CFO couldn't claim they didn't know something was happening so they shouldn't be held responsible.

[professionalskeptic]

Yes, SOX is talking about the management report on IC, More specifically, An attestation on that management report.

I don't think this report includes any assertions, but it includes an assessment of IC by management. The assertions are made in the rep letter.

AUD - 95
BEC - 79
FAR - 86
REG - NINJA in Training

The woods are lovely, dark and deep, but I have promises to keep and miles to go before I sleep, miles to go before I sleep.

FAR - 11/18/15 - 74, 04/29 - 70 overworked myself to the last day and was burnt out at the exam.
AUD - 01/18/16 - 74 AGAIN FML, retake - only going to schedule when I feel happy with my prep.

[HoosierCPA]

So here's what I am trying to explain. I looked at this link awhile back and it made me rethink how “attest” is used. Attest can be used in more ways then to just explain SSAE. This link comes straight from AICPA.

https://www.aicpa.org/advocacy/state/downloadabledocuments/attest-services-chart-color-nonfillable.pdf

SOX is not required by non-issuers so because of that I believe the SOX 404 only applies to a Standard audit on the FS not SSAE since SSAE applies to both issuers and non-issuers.

Please someone steer me in the right direction if I'm completely wrong!! haha

AUD - 80
BEC - 82
FAR - 78
REG - 89

...

FAR - 78
REG - 72,74,71...please just go away REG nobody likes you!
BEC - 82
AUD - Aug 16

[professionalskeptic]

I see what you're saying. I might be wrong in saying that the particular SOX engagement we are talking about is to be governed by SSAE.
But I just want to know if an Issuer is required to present both, an auditor’s report on internal control over financial reporting AND an ‘attestation report on managements assessment of internal control’, or not?

AUD - 95
BEC - 79
FAR - 86
REG - NINJA in Training

The woods are lovely, dark and deep, but I have promises to keep and miles to go before I sleep, miles to go before I sleep.

FAR - 11/18/15 - 74, 04/29 - 70 overworked myself to the last day and was burnt out at the exam.
AUD - 01/18/16 - 74 AGAIN FML, retake - only going to schedule when I feel happy with my prep.

[HoosierCPA]

My short answer is no. Attestation report on managements internal control is a separate engagement.

I'm surprised more people haven't jumped in to help us! We are drowning here people!!!

AUD - 80
BEC - 82
FAR - 78
REG - 89

...

FAR - 78
REG - 72,74,71...please just go away REG nobody likes you!
BEC - 82
AUD - Aug 16

[monikernc]

PCAOB 5 is the standard for issuers and covers reporting on internal control integrated with financial stmt audits.

The SSAE AT-501,is the AICPA attest standard for internal controls for nonissuers. read the footnotes on page 1.

always know what type of entity you are dealing with. and when in doubt, read the standards.

AICPA Standards only apply to nonissuers. PCAOB only apply to issuers.

I had a post on the old forum. i will try to find it and include a link.

AUD - 93
BEC - 82
FAR - 76
REG - 88

How have you been?
Ninja book and MCQs and the forum, all first try! 2016
Licensed State of Montana April Fool’s Day 2020
State of Colorado June 2020 - AICPA Ethics 93
Experience was the worst part of the journey for me. You?
If you want things to change you have to do something different.

FAR 7/25/15 76!
AUD 10/30/15 93
BEC 2/27/16 82
REG 5/23/16 88!
Ninja Book and MCQ and the forum - all the way!!!
and a little thing i like to call, time and effort!
if you want things to change, you have to do something different

[monikernc]

there was a shorter one but we no longer have favorites so it is lost…
my post is about half way down. good luck.

Suggestion for AUD tester.

AUD - 93
BEC - 82
FAR - 76
REG - 88

How have you been?
Ninja book and MCQs and the forum, all first try! 2016
Licensed State of Montana April Fool’s Day 2020
State of Colorado June 2020 - AICPA Ethics 93
Experience was the worst part of the journey for me. You?
If you want things to change you have to do something different.

FAR 7/25/15 76!
AUD 10/30/15 93
BEC 2/27/16 82
REG 5/23/16 88!
Ninja Book and MCQ and the forum - all the way!!!
and a little thing i like to call, time and effort!
if you want things to change, you have to do something different

[professionalskeptic]

Thanks for your input everyone. So I think if we have established that the attest engagement will not be covered under SSAE, then the next question is, what attestation standards is the excerpt I posted referring to?

Also here is a question I just ran into, which seems to suggest that the attest report on managements assessment of IC is REQUIRED. It also says in the book that this report must accompany all 10Q and 10k filings.

To ensure that the audit report for an issuer is prepared in accordance with Section 404 of the Sarbanes-Oxley Act of 2002, the report must:
a.
Attest to and report on the internal control assessment made by the management of the issuer.
b.
Be prepared within 60 days of the end of the issuer's fiscal year-end unless extenuating circumstances, as outlined in the act, are publicly disclosed.
c.
Be prepared within 60 days of the issuer's fiscal year-end, be certified by the Public Company Accounting Oversight Board, and be publicly disclosed.
d.
Attest to, and report on, the efficiency and effectiveness of the issuer's system of internal control.
Explanation
Choice “a” is correct. Section 404 of the Sarbanes-Oxley Act of 2002 requires the company's external auditors to attest to, and report on, the internal control assessment made by management of the issuer.
Choice “b” is incorrect. Section 404 of the Sarbanes-Oxley Act of 2002 does not require the audit report to be prepared within 60 days of the end of the issuer's fiscal year.
Choice “c” is incorrect. The audit report on the effectiveness of the issuer's systems of internal control is not certified by the Public Company Accounting Oversight Board.
Choice “d” is incorrect. Section 404 of the Sarbanes-Oxley Act of 2002 requires the company's external auditors to attest to, and report on, management's assessment of the effectiveness, not efficiency, of the issuer's system of internal control.

AUD - 95
BEC - 79
FAR - 86
REG - NINJA in Training

The woods are lovely, dark and deep, but I have promises to keep and miles to go before I sleep, miles to go before I sleep.

FAR - 11/18/15 - 74, 04/29 - 70 overworked myself to the last day and was burnt out at the exam.
AUD - 01/18/16 - 74 AGAIN FML, retake - only going to schedule when I feel happy with my prep.

[Anonymous]

@professionalskeptic An audit is a type of attestation engagement, which I think is what @dtatham10 was getting at by posting this: https://www.aicpa.org/advocacy/state/downloadabledocuments/attest-services-chart-color-nonfillable.pdf So, an attest report regarding IC is required, but it's also an audit report (I think), because an audit is a specialized type of attest, even though not all attests are audits.

Like rectangles and squares. All squares are rectangles, but not all rectangles are squares. So, rectangles are attest engagements, and that MCQ is saying there's got to be a rectangle involved. Audits are squares. The issuer always has a square on hand, so in practicality, the issuer is going to use a square to fulfill the rectangle requirement, but that's OK, cause a square is a type of rectangle (an audit is a type of attest function). Not sure if that helped or made it worse haha. 🙂

[professionalskeptic]

I think the word you're looking for is assurance.
Basically, what you said is, all attestation engagements are assurance engagements but not every assurance engagement is attestation engagement.
Which I totally agree with, but it still does not answer my question.

Also I don't think the analogy is correct here, the issuer is not using a square to fullfil the rectangle requirement (The issuer is not using an attest report on managements assertion to fulfil the requirements of PCAOB 5, this is a completely different requirement itself) And the only reason I ask is because the book is giving me conflicting statements. I think I will settle for the explanation that both are required. One by PCAOB 5 and one by SOX 404.

Thanks a lot for your replies! I'm sorry, I know it's dumb to post a question and come to a conclusion myself lol

AUD - 95
BEC - 79
FAR - 86
REG - NINJA in Training

The woods are lovely, dark and deep, but I have promises to keep and miles to go before I sleep, miles to go before I sleep.

FAR - 11/18/15 - 74, 04/29 - 70 overworked myself to the last day and was burnt out at the exam.
AUD - 01/18/16 - 74 AGAIN FML, retake - only going to schedule when I feel happy with my prep.

[Author]

Replies