SEC & PCAOB > PCAOB > Auditing Standard No. 2 > Definitions Related to Internal Controls Over Financial Reporting

PCAOB Release 2004-001
March 9, 2004
Page A7 Standard

Definitions Related to Internal Control Over Financial Reporting

7. For purposes of management's assessment and the audit of internal control over financial reporting in this standard, internal control over financial reporting is defined as follows:

A process designed by, or under the supervision of, the company's principal executive and principal financial officers, or persons performing similar functions, and effected by the company's board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:

(1) Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;

(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and

(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company's assets that could have a material effect on the financial statements.

Note: This definition is the same one used by the SEC in its rules requiring management to report on internal control over financial reporting, except the word "registrant" has been changed to "company" to conform to the wording in this standard. (See Securities Exchange Act Rules 13a-15(f) and 15d-15(f).2/) Note: Throughout this standard, internal control over financial reporting (singular) refers to the process described in this paragraph. Individual controls or subsets of controls are referred to as controls or controls over financial reporting.

8. A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective is not always met.

A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not

9. A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the company's ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the company's annual or interim financial statements that is more than inconsequential will not be prevented or detected.

Note: The term "remote likelihood" as used in the definitions of significant deficiency and material weakness (paragraph 10) has the same meaning as the term "remote" as used in Financial Accounting Standards Board Statement No. 5, Accounting for Contingencies ("FAS No. 5"). Paragraph 3 of FAS No. 5 states: When a loss contingency exists, the likelihood that the future event or events will confirm the loss or impairment of an asset or the incurrence of a liability can range from probable to remote. This Statement uses the terms probable, reasonably possible, and remote to identify three areas within that range, as follows:

a. Probable. The future event or events are likely to occur.
b. Reasonably possible. The chance of the future event or events occurring is more than remote but less than likely.
c. Remote. The chance of the future events or events occurring is slight. Therefore, the likelihood of an event is "more than remote" when it is either reasonably possible or probable.

Note: A misstatement is inconsequential if a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when aggregated with other misstatements, would clearly be immaterial to the financial statements. If a reasonable person could not reach such a conclusion regarding a particular misstatement, that misstatement is more than inconsequential.

10. A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.

Note: In evaluating whether a control deficiency exists and whether control deficiencies, either individually or in combination with other control deficiencies, are significant deficiencies or material weaknesses, the auditor should consider the definitions in paragraphs 8, 9 and 10, and the directions in paragraphs 130 through 137. As explained in paragraph 23, the evaluation of the materiality of the control deficiency should include both quantitative and qualitative considerations. Qualitative factors that might be important in this evaluation include the nature of the financial statement accounts and assertions involved and the reasonably possible future consequences of the deficiency. Furthermore, in determining whether a control deficiency or combination of deficiencies is a significant deficiency or a material weakness, the auditor should evaluate the effect of compensating controls and whether such compensating controls are effective.

11. Controls over financial reporting may be preventive controls or detective controls.
Preventive controls have the objective of preventing errors or fraud from occurring in the first place that could result in a misstatement of the financial statements.
Detective controls have the objective of detecting errors or fraud that have already occurred that could result in a misstatement of the financial statements.

12. Even well-designed controls that are operating as designed might not prevent a misstatement from occurring. However, this possibility may be countered by overlapping preventive controls or partially countered by detective controls. Therefore, effective internal control over financial reporting often includes a combination of preventive and detective controls to achieve a specific control objective. The auditor's procedures as part of either the audit of internal control over financial reporting or the audit of the financial statements are not part of a company's internal control over financial reporting. 1/ See 17 C.F.R. 240.13a-14(a) or 17 C.F.R. 240.15d-14(a), whichever applies. 2/ See 17 C.F.R. 240, 13a-15(f) and 15d-15(f). possess the necessary authority or qualifications to perform the control effectively.