Reporting on Internal Control

For issuers (public companies), auditors are required by the Sarbanes-Oxley Act to perform an integrated audit—an audit of both the financial statements and internal control over financial reporting (ICFR). This requirement is governed by PCAOB Auditing Standard No. 2201 (AS 2201), which sets forth the standards for planning, performing, and reporting on an audit of internal control. Understanding how the auditor evaluates and reports on internal control is a critical AUD exam topic.

Info: An integrated audit combines the financial statement audit and the internal control audit into a single, coordinated engagement. The auditor issues an opinion on ICFR in addition to the opinion on the financial statements.


Scope of the Internal Control Audit

The scope of the ICFR audit applies to issuers only. Nonissuers are not required to have an audit of internal control, though their auditors must still consider internal control as part of the financial statement audit (for risk assessment purposes under AU-C 315).

In an integrated audit, the auditor must:

  • Plan and perform the audit of internal control together with the audit of the financial statements
  • Use the work performed in each audit to inform the other
  • Form a separate opinion on the effectiveness of ICFR as of the entity's fiscal year-end

Example: Gies Co., a publicly traded manufacturer, engages its auditor for the annual audit. Because Gies Co. is an SEC registrant, the engagement is an integrated audit. The auditor must issue two opinions: one on the financial statements and one on the effectiveness of Gies Co.'s ICFR.


Top-Down, Risk-Based Approach

AS 2201 requires the auditor to use a top-down, risk-based approach to identify the controls to test. This means:

  1. Start at the financial statement level — Understand entity-level controls (such as the control environment, risk assessment process, and monitoring activities)
  2. Focus on significant accounts and disclosures — Identify which accounts and disclosures present a reasonable possibility of material misstatement
  3. Identify relevant assertions — For each significant account, determine which assertions (existence, completeness, valuation, etc.) are most at risk
  4. Select controls to test — Choose controls that address the identified risks for each relevant assertion
  5. Test the operating effectiveness of selected controls

Exam Tip: The top-down approach means the auditor does not test every control. Instead, the auditor focuses on controls that are most likely to prevent or detect a material misstatement. Entity-level controls are evaluated first because strong entity-level controls can reduce the amount of detailed testing needed at the transaction level.

Entity-Level Controls

Entity-level controls include:

  • Control environment elements (tone at the top, management philosophy, ethical values)
  • Risk assessment processes
  • Centralized processing and controls (e.g., shared services centers)
  • Controls to monitor results of operations and other controls
  • Controls over the period-end financial reporting process
  • Policies that address significant business control and risk management practices

Classification of Control Deficiencies

A central concept in reporting on internal control is the classification of deficiencies. There are three levels:

| Classification | Definition | Reporting Requirement |
| --- | --- | --- |
| Control deficiency | A control is designed, implemented, or operated in a way that does not allow management or employees to prevent or detect misstatements on a timely basis | No specific external reporting required; may be communicated to management |
| Significant deficiency | A deficiency, or combination of deficiencies, that is less severe than a material weakness, yet important enough to merit the attention of those charged with governance | Must be communicated in writing to the audit committee |
| Material weakness | A deficiency, or combination of deficiencies, such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis | Must be communicated in writing to the audit committee; requires an adverse opinion on ICFR |

Caution: The threshold for a material weakness is reasonable possibility—not "probable" and not "remote." This is an intermediate likelihood standard. A "reasonable possibility" exists when the chance of a material misstatement is more than remote but need not be probable.

Example: During the integrated audit of MAS Inc., the auditor discovers that no one reviews the bank reconciliation prepared by the accounts payable clerk—the same person who processes cash disbursements. This lack of segregation of duties over cash, combined with the absence of a compensating review control, constitutes a material weakness because there is a reasonable possibility that a material misstatement in cash could go undetected.


Reporting Requirements

Adverse Opinion for Material Weakness

If one or more material weaknesses exist as of the assessment date, the auditor must issue an adverse opinion on internal control. There is no option to qualify the ICFR opinion when a material weakness exists—the only permissible opinion is adverse.

Unqualified Opinion on ICFR

If no material weaknesses are identified, the auditor issues an unqualified (clean) opinion stating that the entity maintained effective internal control over financial reporting in all material respects.

Significant Deficiencies

Significant deficiencies do not affect the auditor's opinion on ICFR. However, the auditor must communicate significant deficiencies to the audit committee in writing.

| ICFR Finding | Opinion on ICFR |
| --- | --- |
| No material weakness | Unqualified |
| Material weakness identified | Adverse |
| Significant deficiency only | Unqualified (but communicated to audit committee) |
| Scope limitation | Qualified or disclaimer |

Warning: Unlike the financial statement opinion (which can be qualified, adverse, or disclaimed), the ICFR opinion only has three possible outcomes: unqualified, adverse, or disclaimer. There is no qualified opinion on ICFR for a material weakness. An adverse opinion is mandatory.


Communication of Deficiencies

The auditor has specific communication obligations:

To the Audit Committee

  • Material weaknesses — must be communicated in writing before the issuance of the auditor's report on ICFR
  • Significant deficiencies — must be communicated in writing to the audit committee

To Management

  • All deficiencies identified during the audit (including those less severe than significant deficiencies) should be communicated to management in writing
  • Management is responsible for assessing and remediating identified deficiencies

Example: Kingfisher Industries' auditor identifies three control deficiencies in the revenue cycle, one of which individually constitutes a significant deficiency. The auditor communicates all three deficiencies to management in writing. The significant deficiency is also communicated in writing to the audit committee. Because none of the deficiencies—individually or in combination—rise to the level of a material weakness, the auditor issues an unqualified opinion on ICFR.


Relationship Between ICFR Opinion and Financial Statement Opinion

The two opinions in an integrated audit are related but separate:

  • An adverse opinion on ICFR does not automatically mean the financial statement opinion is also adverse
  • The auditor can issue an adverse opinion on ICFR and an unqualified opinion on the financial statements if the auditor has expanded substantive testing to obtain sufficient evidence despite the material weakness
  • However, a material weakness should cause the auditor to reassess the nature, timing, and extent of financial statement audit procedures

| ICFR Opinion | Financial Statement Opinion | Is This Possible? |
| --- | --- | --- |
| Unqualified | Unqualified | ✅ Yes (most common) |
| Adverse | Unqualified | ✅ Yes (expanded substantive testing) |
| Adverse | Qualified or Adverse | ✅ Yes (if material misstatement found) |
| Unqualified | Adverse | ✅ Yes (rare—FS issue unrelated to controls) |

Exam Tip: A very common exam question: "If the auditor issues an adverse opinion on ICFR, must the auditor also issue an adverse opinion on the financial statements?" The answer is no. The opinions are independent. The auditor may still issue an unqualified financial statement opinion if sufficient substantive procedures confirm the financial statements are fairly presented.


Combined vs. Separate Reports

The auditor may present the ICFR opinion and the financial statement opinion in either a combined report or separate reports:

| Format | Description |
| --- | --- |
| Combined report | A single document containing both the opinion on the financial statements and the opinion on ICFR. This is the more common approach. |
| Separate reports | Two distinct reports—one on the financial statements and one on ICFR. Each report must reference the other. |

When using separate reports, the report on ICFR must include a reference to the separate financial statement audit report, and the financial statement report must reference the ICFR report.

Example: BIF Partners' auditor issues a combined report that includes an unqualified opinion on BIF Partners' financial statements and an adverse opinion on ICFR due to a material weakness in the entity's inventory valuation controls. Both opinions appear in a single document, with the adverse ICFR opinion clearly separated from the unqualified financial statement opinion.


Summary

| Topic | Key Point |
| --- | --- |
| Integrated audit | Required for issuers—covers both financial statements and ICFR |
| Standard | PCAOB AS 2201 |
| Approach | Top-down, risk-based |
| Material weakness | Reasonable possibility of undetected material misstatement → adverse ICFR opinion |
| Significant deficiency | Less severe; communicated to audit committee but no opinion modification |
| ICFR opinions available | Unqualified, adverse, or disclaimer (no qualified option) |
| FS and ICFR opinions | Related but separate—adverse ICFR does not mandate adverse FS opinion |
| Report format | Combined or separate (combined is more common) |