PCAOB Auditing Standards 5
Introduction
1. This standard establishes requirements and provides direction that applies when an auditor is engaged to perform an audit of management's assessment 1/ of the effectiveness of internal control over financial reporting (“the audit of internal control over financial reporting”) that is integrated with an audit of the financial statements. 2/
2. Effective internal control over financial reporting provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes. 3/ If one or more material weaknesses exist, the company's internal control over financial reporting cannot be considered effective. 4/
[The following paragraph is effective for audits of fiscal years beginning on or after December 15, 2010. See PCAOB Release No. 2010-004. For audits of fiscal years beginning before December 15, 2010, click here.]
3. The auditor's objective in an audit of internal control over financial reporting is to express an opinion on the effectiveness of the company's internal control over financial reporting. Because a company's internal control cannot be considered effective if one or more material weaknesses exist, to form a basis for expressing an opinion, the auditor must plan and perform the audit to obtain appropriate evidence that is sufficient to obtain reasonable assurance 5/ about whether material weaknesses exist as of the date specified in management's assessment. A material weakness in internal control over financial reporting may exist even when financial statements are not materially misstated.
4. The general standards 6/ are applicable to an audit of internal control over financial reporting. Those standards require technical training and proficiency as an auditor, independence, and the exercise of due professional care, including professional skepticism. This standard establishes the fieldwork and reporting standards applicable to an audit of internal control over financial reporting.
5. The auditor should use the same suitable, recognized control framework to perform his or her audit of internal control over financial reporting as management uses for its annual evaluation of the effectiveness of the company's internal control over financial reporting. 7/
Integrating the Audits
6. The audit of internal control over financial reporting should be integrated with the audit of the financial statements. The objectives of the audits are not identical, however, and the auditor must plan and perform the work to achieve the objectives of both audits.
7. In an integrated audit of internal control over financial reporting and the financial statements, the auditor should design his or her testing of controls to accomplish the objectives of both audits simultaneously –
To obtain sufficient evidence to support the auditor's opinion on internal control over financial reporting as of year-end, and
To obtain sufficient evidence to support the auditor's control risk assessments for purposes of the audit of financial statements.
8. Obtaining sufficient evidence to support control risk assessments of low for purposes of the financial statement audit ordinarily allows the auditor to reduce the amount of audit work that otherwise would have been necessary to opine on the financial statements. (See Appendix B for additional direction on integration.)
Note: In some circumstances, particularly in some audits of smaller and less complex companies, the auditor might choose not to assess control risk as low for purposes of the audit of the financial statements. In such circumstances, the auditor's tests of the operating effectiveness of controls would be performed principally for the purpose of supporting his or her opinion on whether the company's internal control over financial reporting is effective as of year-end. The results of the auditor's financial statement auditing procedures also should inform his or her risk assessments in determining the testing necessary to conclude on the effectiveness of a control.