. 48
( 82 .)


basis, evidence about [name of entity]™s compliance with those requirements and perform-
ing such other procedures as we considered necessary in the circumstances. We believe that
our examination provides a reasonable basis for our opinion. Our examination does not pro-
vide a legal determination on [name of entity]™s compliance with specified requirements.
[Opinion paragraph]
In our opinion, management™s assertion [identify management™s assertion”for example,
that Z Company complied with the aforementioned requirements for the year ended De-
cember 31, 20X1] is fairly stated in all material respects.

Source: Statement on Standards for Attestation Engagements No. 3, “Compliance Attestation” (New
York: AICPA, 1993), par. 55. It should be observed that few, if any, companies to date have made
such management assertions along with the independent auditors™ report thereon. This standard has
been recodified as Section 601 of SSAE No. 10.

In June 2003, the Securities and Exchange Commission adopted a final rule,
“Management Reports on Internal Control Over Financial Reporting and Certifi-
cation of Disclosure in Exchange Act Period Reports,” which requires registrants,
other than registered investment companies, to include in their annual reports a re-
port by management on the company™s internal control over financial reporting.
More specifically, the internal control report must include:

• A statement of management™s responsibility for establishing and maintaining
adequate internal control over financial reporting for the company
• Management™s assessment of the effectiveness of the company™s internal control
over financial reporting as of the end of the company™s most recent fiscal year
• A statement identifying the framework used by management to evaluate the ef-
fectiveness of the company™s internal control over financial reporting
• A statement that the registered public accounting firm that audited the com-
pany™s financial statements included in the annual report has issued an attesta-
tion report on management™s assessment of the company™s internal control
over financial reporting8

Securities and Exchange Commission, Release No. 33-8238 (Washington, DC: SEC, June 5, 2003),
www.sec.gov/rules/final/33-8238.htm, p. 1.
Responsibility for the System of Internal Control 241

Additionally, management is required to evaluate any material change in the
company™s internal control during a fiscal quarter, including certifications to cer-
tain periodic reports.9

The Independent Auditors
According to one former executive audit partner, “the independent auditor™s ex-
ternal review is an indispensable supplement to a corporate system of internal
controls, but it is no substitute for it.”10 As indicated in Chapter 5, the independent
auditors are required to study and evaluate the system of internal control. The
study and evaluation is performed during their interim-period work, ordinarily a
predetermined period prior to the date of the financial statements.
The independent auditors™ major objective is to determine whether the internal
control is adequate so that the financial accounting transactions are recorded prop-
erly and presented fairly in the financial statements. Furthermore, they must evalu-
ate the controls in order to determine not only how much reliance can be placed on
such controls but also the extensiveness of their auditing procedures. Obviously, if
the internal control structure is weak, then the assessment of control risk is high;
thus the auditors must extend their auditing procedures to minimize the risk of er-
rors in the financial statements and limit the level of detection risk. During the audit
engagement, the auditors test the accounting system through verification tests. For
example, tests of controls consist of the auditors™ selection of several transactions
whereby such transactions are traced through the accounting system. Such tests
allow the auditors to determine the degree of reliance they can place on the inter-
nal control structure. However, the auditors™ examination of the cancelled checks in
connection with the bank reconciliation and the examination of the vendors™ in-
voices in support of account balances are substantive tests of transactions.
Since the auditors are required to communicate to senior management and the
board of directors or its audit committee reportable conditions in internal control,
the following form of report is recommended.11

In planning and performing our audit of the financial statements of the ABC Corpo-
ration for the year ended December 31, 19XX, we considered its internal control in
order to determine our auditing procedures for the purpose of expressing our opinion
on the financial statements and not to provide assurance on the internal control. How-
ever, we noted certain matters involving the internal control and its operation that we
consider to be reportable conditions under standards established by the American

Ibid., p. 1. For additional information, visit the web site and note the SEC™s particular rule that states: “au-
ditors may assist management in documenting internal controls. When the auditor is engaged to assist
management in documenting internal controls, management must be actively involved in the process.”
The audit committee may wish to have discussions with the internal chief audit executive regarding the
extent to which the independent auditors participate in documenting internal controls over financial re-
porting in the context of auditor independence and management™s assertion about internal controls.
John C. Biegler, “Rebuilding Public Trust in Business,” Financial Executive 45 (June 1977), p. 30.
Statement on Auditing Standards No. 60, “Communication of Internal Control Related Matters
Noted in an Audit” (New York: AICPA, 1988), pars. 2 and 12. See also Professional Standards, U.S.
Auditing Standards/Attestation Standards, Vol. 1, AU Sec. 325.02 and 325.12. A reportable condition
may be of such magnitude as to be considered a material weakness in internal control.
242 Monitoring the System of Internal Control

Institute of Certified Public Accountants. Reportable conditions involve matters com-
ing to our attention relating to significant deficiencies in the design or operation of the
internal control that, in our judgment, could adversely affect the organization™s abil-
ity to record, process, summarize, and report financial data consistent with the asser-
tions of management in the financial statements.
(Include paragraphs to describe the reportable conditions noted.)
This report is intended solely for the information and use of the audit committee
(board of directors, board of trustees, or owners in owner-managed enterprises),
management, and others within the organization (or specified regulatory agency or
other specified third party).12

Although the independent auditors may communicate improvements for the
system of internal control, they cannot opine on the company™s compliance with
the Foreign Corrupt Practices Act, because that is a legal matter. In short, although
the independent auditors cannot express a legal opinion on the entity™s compliance
with the act, management should give strong consideration to their recommenda-
tions in order to indicate its intent to comply with the law.
The Auditing Standards Board™s position in the compliance attestation stan-
dard, specifically states:

A report issued in accordance with the provisions of this Statement does not provide
a legal determination on an entity™s compliance with specified requirements. How-
ever, such a report may be useful to management, legal counsel, or third parties in
making such determinations.13

Another important element of the internal control environment is the internal
audit function. As discussed in Chapter 2, the internal auditing group plays a sig-
nificant part in establishing and maintaining the internal control structure. Although
its members are engaged principally in compliance and operational auditing, which
deals with the efficiency of the various operating units, they make an important con-
tribution to the financial audit engagements. The independent auditors™ considera-
tion and use of the work of internal auditors is discussed in Chapter 9.

General Considerations
According to the Committee of Sponsoring Organizations of the Treadway Com-
mission, everyone in an organization has responsibility for internal control. Their
roles and responsibilities are characterized in this way:

• Management”The chief executive officer is ultimately responsible and should
assume “ownership” of the system. More than any other individual, the chief ex-

The audit committee may wish to discuss the independent auditor™s findings and conclusions with
respect to their assessment of internal accounting controls at service organizations. See Chapter 5 for
the applicable auditing standards. The committee also may wish to consult the AICPA™s auditing guide
and auditing procedures study, which deals with internal control.
Statement on Standards for Attestation Engagements No. 3, par. 3.
The Role of the Audit Committee 243

ecutive sets the “tone at the top” that affects integrity and ethics and other factors
of a positive control environment. In a large company, the chief executive fulfills
this duty by providing leadership and direction to senior managers and reviewing
the way they™re controlling the business. Senior managers, in turn, assign re-
sponsibility for establishment of more specific internal control policies and pro-
cedures to personnel responsible for the unit™s functions. In a smaller entity, the
influence of the chief executive, often an owner-manager, is usually more direct.
In any event, in a cascading responsibility, a manager is effectively a chief exec-
utive of his or her sphere of responsibility. Of particular significance are financial
officers and their staffs, whose control activities cut across, as well as up and
down, the operating and other units of an enterprise.
• Board of Directors”Management is accountable to the board of directors, which
provides governance, guidance and oversight. Effective board members are ob-
jective, capable and inquisitive. They also have a knowledge of the entity™s ac-
tivities and environment, and commit the time necessary to fulfill their board
responsibilities. Management may be in a position to override controls and ignore
or stifle communications from subordinates, enabling a dishonest management
which intentionally misrepresents results to cover its tracks. A strong, active
board, particularly when coupled with effective upward communications chan-
nels and capable financial, legal and internal audit functions, is often best able to
identify and correct such a problem.
• Internal Auditors”Internal auditors play an important role in evaluating the ef-
fectiveness of control systems, and contribute to ongoing effectiveness. Because
of organizational position and authority in an entity, an internal audit function
often plays a significant monitoring role.
• Other Personnel”Internal control is, to some degree, the responsibility of every-
one in an organization and therefore should be an explicit or implicit part of
everyone™s job description. Virtually all employees produce information used in
the internal control system or take other actions needed to effect control. Also, all
personnel should be responsible for communicating upward problems in opera-
tions, noncompliance with the code of conduct, or other policy violations or ille-
gal actions.14

A number of external parties often contribute to achievement of an entity™s ob-
jectives. External auditors, bringing an independent and objective view, contribute
directly through the financial statement audit and indirectly by providing infor-
mation useful to management and the board in carrying out their responsibilities.
Others providing information to the entity useful in effecting internal control are
legislators and regulators, customers and others transacting business with the en-
terprise, financial analysts, bond raters, and the news media. External parties,
however, are not responsible for, nor are they a part of, the entity™s internal control
Moreover, the Auditing Standards Board has issued Statement on Auditing
Standards No. 60, “Communication of Internal Control Related Matters Noted in
an Audit,” which requires the external auditor to communicate reportable condi-
tions to the audit committee. Reportable conditions are matters that “represent

COSO, Internal Control”Integrated Frameworks, Executive Summary (New York: AICPA, 1992),
pp. 5“6.
244 Monitoring the System of Internal Control

significant deficiencies in the design or operation of the internal control structure,
which could adversely affect the organization™s ability to record, process, summa-
rize, and report financial data consistent with the assertions of management in the
financial standards.”15
Finally, the New York Stock Exchange has proposed a rule change to Section
303A of its Corporate Governance Standards, which states, in part:
(viii) report regularly to the board of directors.
Commentary: The audit committee should review with the full board any issues that
arise with respect to the quality or integrity of the company™s financial statements,
the company™s compliance with legal or regulatory requirements, the performance
and independence of the company™s independent auditors, or the performance of the
internal audit function.
General Commentary to Section 303A(7)(d): While the fundamental responsibility
for the company™s financial statements and disclosures rests with management and
the independent auditor, the audit committee must review: (A) major issues regard-
ing accounting principles and financial statement presentations, including any sig-
nificant changes in the company™s selection or application of accounting principles,
and major issues as to the adequacy of the company™s internal controls and any spe-
cial audit steps adopted in light of material control deficiencies; (B) analyses pre-
pared by management and/or the independent auditor setting forth significant
financial reporting issues and judgments made in connection with the preparation of
the financial statements, including analyses of the effects of alternative GAAP meth-
ods on the financial statements; (C) the effect of regulatory and accounting initia-
tives, as well as off-balance sheet structures, on the financial statements of the
company; and (D) the type and presentation of information to be included in earnings
press releases (paying particular attention to any use of “pro forma,” or “adjusted”
non-GAAP, information), as well as review any financial information and earnings
guidance provided to analysts and rating agencies.
General Commentary to Section 303A(7): To avoid any confusion, note that the
audit committee functions specified in Section 303A(7) are the sole responsibility of
the audit committee and may not be allocated to a different committee.16

Although the involvement of the committee is clearly evident, it is obvious that
management faces a difficult task of implementing and for monitoring the recom-
mendations as set forth by COSO in its four-volume report. The absence of defin-
itive criteria for evaluating the adequacy of the system of internal control no longer
exists. Clearly management has a standard against which it can measure the ef-
fectiveness of the company™s internal control.

American Institute of Certified Public Accountants, U.S. Auditing Standards/Attestation Standards,
Vol. 1 (New York: AICPA, 2003), AU Sec. 325.02.
Although the preparation of a management letter is not required by generally accepted auditing
standards, many accounting firms issue such a letter, which contains recommendations for improving
the efficiency and effectiveness of the company™s operations.
Securities and Exchange Commission, Release No. 34-47672 (Washington, DC: Securities and Ex-
change Commission, April 11, 2003, www.sec.gov/rules/sro/34-47672.htm), Section 303A (7)(d)
The Role of the Audit Committee 245

With respect to annual reporting and the 2003 proxy statement season, an il-
lustration from Wal-Mart Stores, Inc., discloses these statements on internal

Management has developed and maintains a system of internal and disclosure con-
trols, including an extensive internal audit program. These controls are designed to
provide reasonable assurance that the Company™s assets are protected from improper
use and that Wal-Mart™s accounting records provide a reliable basis for the prepara-
tion of financial statements. We continually review, improve and modify these sys-
tems and programs in response to changes in business conditions and operations and
the recommendations made by Wal-Mart™s internal and external auditors. We believe
that the system of internal and disclosure controls provides reasonable assurance that
Wal-Mart™s assets are safeguarded and that the financial information disclosed is


. 48
( 82 .)