Internal control over financial reporting is essential information an auditor supposed to be able to draw during an audit session. Why? A client’s internal control state (be it is strong, somewhat strong or weak) implies 3 conditions about the company:
(1) Whether the company’s financial reporting is reliable or unreliable;
(2) Whether the company operates in effectively or ineffectively manner; and
(3) Whether the company is laws regulation compliant or incompliant.
These are super-important information to all stakeholders. Therefore, the PCAOB requires all public companies, in the United States, to file annual report with its management’s assessment of the effectiveness of the company’s internal control over financial reporting.
Specifically, what is a client responsibility, in term with internal control over financial reporting? And, what is an auditor’s responsibility for that matter?” You may ask.
This post provides the most frequently asked questions around internal control over financial reporting. If you have a question or two in the particular area, read on…

Question#1. What is a client’s reporting responsibility in connection with internal control over financial reporting?
Answer: A client’s annual report must include a management report that contains management’s assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year, including a statement as to whether the internal control is effective.
Question#2. What is an auditor’s reporting responsibility in connection with internal control over financial reporting?
Answer: An auditor is required to attest to (audit) and report on management’s assessment of internal control over financial reporting if the auditor audits the company’s financial statements included in the company’s annual report. The auditor’s attestation report must then be included in the annual report.
Note: The auditor may make an independent estimate of fair value to corroborate the entity’s fair value measurement.
Question#3. What is the objective of the audit of internal control over financial reporting?
Answer: The objective of the audit of internal control over financial reporting is to obtain reasonable, but not absolute, assurance that no material weaknesses exist as of the date specified in management’s assessment. To achieve this objective, an auditor must evaluate management’s assessment and obtain and evaluate evidence regarding the design and operating effectiveness of internal control.
Question#4. What is the definition of a “material weakness?”
Answer: The definition of a material weakness is slightly different from the definition included in SAS 60. Under AS2, a material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.
Question#5. What established criteria should management use in assessing the effectiveness of its internal control?
Answer: Management is required to base its assessment on a suitable recognized framework. Generally, in the United States, the framework to be utilized is the framework contained in Internal Control—Integrated Framework (the COSO Report), published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.
Note: The criteria contained in the COSO Report served as the basis for developing the SASs relevant to internal control issued by the Auditing Standards Board of the AICPA.
Question#6. What are management’s responsibilities in an audit of internal control over financial reporting?
Answer: Management’s responsibilities in an audit of internal control are essentially the same as those specified in the Statements on Standards for Attestation Engagements issued by the AICPA.
Question#7. How should an auditor evaluate management’s assessment process?
Answer: An auditor is required to obtain an understanding of, and evaluate, management’s process for assessing the effectiveness of internal control over financial reporting. Accordingly, an auditor needs to determine whether management has considered the following elements:
  • Determining which controls should be tested, including controls over all relevant assertions related to all significant accounts and disclosures.
  • Evaluating the likelihood that failure of the control could result in a misstatement, the magnitude of such a misstatement, and the degree to which other controls, if effective, achieve the same control objectives.
  • Determining the locations or business units to include in the evaluation for a company with multiple locations or business units.
  • Evaluating the design effectiveness of controls.
  • Evaluating the operating effectiveness of controls based on procedures sufficient to assess their operating effectiveness. To evaluate the effectiveness of the company’s internal control over financial reporting, management must have evaluated controls over all relevant assertions related to all significant accounts and disclosures.
  • Determining the deficiencies in internal control over financial reporting that are of such a magnitude and likelihood of occurrence that they constitute significant deficiencies or material weaknesses.
  • Communicating findings to the auditor and to others, if applicable.
  • Evaluating whether findings are reasonable and support management’s assessment.
Note: In order to obtain a sufficient understanding of management’s process for assessing internal control, an auditor should perform at least one walkthrough for each major class of transactions. A walkthrough involves tracing a transaction from its initiation through its reporting in the company’s financial reports.
Question#8. When auditing internal control over financial reporting, may an auditor use the work of others?
Answer: While an auditor is required to perform enough of the audit testing himself or herself so that his or her own work provides the principal basis for the opinion, an auditor is allowed to use the work of others to modify the nature, extent, and timing of the work he or she would have performed.
Question#9. When may an auditor issue an unqualified opinion?
Answer: An unqualified opinion may be issued only when there are no identified material weaknesses and when there have been no scope restrictions.
Question#10. What type of opinion should be issued if a material weakness is identified?
Answer: An adverse opinion must be issued if a material weakness is identified.
Question#11. What type of opinion should be issued if the scope of the auditor’s work has been restricted?
Answer: Depending on the significance of the scope restriction, a qualified opinion or a disclaimer of opinion should be issued.
Question#12. What should be included in management’s assessment of the effectiveness the company’s internal control over financial reporting?
Answer: The items required to be included in management’s assessment of the effectiveness the company’s internal control over financial reporting are:
  • A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting
  • A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the company’s internal control over financial reporting.
  • An assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year, including an explicit statement as to whether that internal control over financial reporting is effective.
  • A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of the company’s internal control over financial reporting
Question#13. What should an auditor consider in evaluating management’s report on its assessment of internal control over financial reporting?
Answer: In order to properly evaluate management’s report on its assessment of internal control over financial reporting, an auditor should consider whether:
  • Management has properly stated its responsibility for establishing and maintaining adequate internal control over financial reporting
  • The framework used by management to conduct the evaluation is suitable
  • Management’s assessment of the effectiveness of internal control over financial reporting, as of the end of the company’s most recent fiscal year, is free of material misstatement
  • Management has expressed its assessment in acceptable form; that is, management must state whether the company’s internal control over financial reporting is effective
  • Material weaknesses identified in the company’s internal control over financial reporting, if any, have been properly disclosed, including material weaknesses corrected during the period
Question#14. What should be included in the auditor’s report on management’s assessment of internal control over financial reporting?
Answer: The following elements must be included in the auditor’s report:
  • A title that includes the word independent
  • An identification of management’s conclusion about the effectiveness of the company’s internal control over financial reporting as of a specified date based on the control criteria [for example, criteria established in Internal Control—Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)]
  • An identification of the title of the management report that includes management’s assessment (The auditor should use the same description of the company’s internal control over financial reporting as management uses in its report.)
  • A statement that the assessment is the responsibility of management
  • A statement that the auditor’s responsibility is to express an opinion on the assessment and an opinion on the company’s internal control over financial reporting based on his or her audit.
  • A definition of internal control over financial reporting
  • A statement that the audit was conducted in accordance with the standards of the Public Company Accounting Oversight Board (United States)
  • A statement that the standards of the Public Company Accounting Oversight Board require that the auditor plan and perform the audit to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects
  • A statement that an audit includes obtaining an understanding of internal control over financial reporting, evaluating management’s assessment, testing and evaluating the design and operating effectiveness of internal control, and performing such other procedures as the auditor considered necessary in the circumstances
  • A paragraph stating that, because of inherent limitations, internal control over financial reporting may not prevent or detect misstatements and that projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate
  • The auditor’s opinion on whether management’s assessment of the effectiveness of the company’s internal control over financial reporting as of the specified date is fairly stated, in all material respects, based on the control criteria
  • The auditor’s opinion on whether the company maintained, in all material respects, effective internal control over financial reporting as of the specified date, based on the control criteria
  • The manual or printed signature of the auditor’s firm
  • The city and state (or city and country, in the case of non-U.S. auditors) from which the auditor’s report has been issued
  • The date of the audit report, which should coincide with the date of the audit report on the company’s financial statements (This is required because an audit of internal control over financial reporting cannot be performed without auditing the company’s financial statements)
Question#15. When is it appropriate to modify the standard report?
Answer: The standard report should be modified if:
  • Management’s assessment is inadequate or management’s report is inappropriate. (The auditor should qualify or disclaim an opinion.)
  • There is a material weakness in the company’s internal control over financial reporting. (In this, an adverse opinion should be expressed.)
  • There is a restriction on the scope of the engagement. (The issuance of a qualified opinion or a disclaimer of opinion is appropriate; withdrawal from the engagement might need to be considered.)
  • The auditor decides to refer to the report of other auditors as the basis, in part, for the auditor’s own report. (The auditor should consider the appropriateness of dividing responsibility with another auditor.)
  • A significant subsequent event has occurred since the date being reported on. (If the effectiveness of internal control is adversely affected, an adverse opinion should be issued.)
Note: Instead of issuing separate reports on the company’s financial statements and on internal control, the auditor may issue a combined report that contains both an opinion on the financial statements and an opinion on internal control over financial reporting.
A separate report on internal control over financial reporting necessitates the inclusion of the following paragraph to the auditor’s report on the company’s financial statements:
We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States), the effectiveness of W Company’s internal control over financial reporting as of December 31, 2013, based on [identify control criteria] and our report dated [date of report, which should be the same as the date of the report on the financial statements] expressed [include nature of opinions].
In addition, the following paragraph must be added to the report on internal control over financial reporting:
We have also audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States), the [identify financial statements] of W Company and our report dated [date of report, which should be the same as the date of the report on the effectiveness of internal control over financial reporting] expressed [include nature of opinion].
Question#16. What are an auditor’s responsibilities for evaluating management’s Quarterly Certification Disclosures about internal control over financial reporting?
Answer: An auditor is required only to perform the following limited procedures on a quarterly basis to become aware of any material modifications that should be made to the disclosures about changes in internal control over financial reporting in order for management’s certification to be accurate:
  • Inquire of management about significant changes in the design or operation of internal control as it relates to the preparation of annual as well as interim financial information that could have occurred since the preceding annual audit or prior review of interim financial information.
  • Evaluate the implications of misstatements identified during the required review of interim financial information.
  • Determine, through inquiry and observation, whether any change in internal control has materially affected, or is reasonably likely to materially affect, internal control.
Question#17. What communications are required in an audit of internal control over financial reporting?
Answer: All identified significant deficiencies and material weakness must be communicated in writing to management and the audit committee before the auditor’s report on internal control over financial reporting is issued. It is important that the communication distinguish the significant deficiencies from the material weaknesses.
The communication should be made directly to the board of directors if the auditor determines that the matters identified were based on the ineffectiveness of the oversight of the audit committee. All deficiencies in internal control over financial reporting other than those considered to be significant deficiencies should be communicated, in writing, to management. The audit committee should be notified that this type of communication occurs. Any of the communications described above should include a statement restricting the use of communication to the board of directors, audit committee, management, and others within the organization.