SEC & PCAOB > PCAOB > Auditing Standard No. 2 > Definitions Related to Internal Controls Over Financial Reporting
PCAOB Release 2004-001
March 9, 2004
Page A–7 – Standard
Definitions Related to Internal Control Over Financial Reporting
7. For purposes of management's assessment and the audit of internal control over financial reporting in this standard, internal control over financial reporting is defined as follows:
A process designed by, or under the supervision of, the company's principal
executive and principal financial officers, or persons performing similar functions,
and effected by the company's board of directors, management, and other
personnel, to provide reasonable assurance regarding the reliability of financial
reporting and the preparation of financial statements for external purposes in
accordance with generally accepted accounting principles and includes those
policies and procedures that:
(1) Pertain to the maintenance of records that, in reasonable detail, accurately
and fairly reflect the transactions and dispositions of the assets of the company;
(2) Provide reasonable assurance that transactions are recorded as
necessary to permit preparation of financial statements in accordance with
generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
(3) Provide reasonable assurance regarding prevention or timely detection of
unauthorized acquisition, use or disposition of the company's assets that
could have a material effect on the financial statements.
Note: This definition is the same one used by the SEC in its rules requiring
management to report on internal control over financial reporting, except the
word "registrant" has been changed to "company" to conform to the wording in
this standard. (See Securities Exchange Act Rules 13a-15(f) and 15d-15(f).2/)
Note: Throughout this standard, internal control over financial reporting (singular) refers to the process described in this paragraph. Individual controls or subsets of controls are referred to as controls or controls over financial reporting.
8. A control deficiency exists when the design or operation of a control does not
allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
• A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective is not always met.
• A deficiency in operation exists when a properly designed control does not
operate as designed, or when the person performing the control does not
9. A significant deficiency is a control deficiency, or combination of control
deficiencies, that adversely affects the company's ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the company's annual or interim financial statements that is more than inconsequential will not be prevented or detected.
Note: The term "remote likelihood" as used in the definitions of significant
deficiency and material weakness (paragraph 10) has the same meaning as the
term "remote" as used in Financial Accounting Standards Board Statement No.
5, Accounting for Contingencies ("FAS No. 5"). Paragraph 3 of FAS No. 5 states:
When a loss contingency exists, the likelihood that the future event or events will confirm the loss or impairment of an asset or the incurrence of a liability can range from probable to remote. This Statement uses the terms probable, reasonably possible, and remote to identify three areas within that range, as follows:
a. Probable. The future event or events are likely to occur.
b. Reasonably possible. The chance of the future event or events occurring is more than remote but less than likely.
c. Remote. The chance of the future events or events occurring is slight.
Therefore, the likelihood of an event is "more than remote" when it is either
reasonably possible or probable.
Note: A misstatement is inconsequential if a reasonable person would conclude,
after considering the possibility of further undetected misstatements, that the
misstatement, either individually or when aggregated with other misstatements,
would clearly be immaterial to the financial statements. If a reasonable person
could not reach such a conclusion regarding a particular misstatement, that
misstatement is more than inconsequential.
10. A material weakness is a significant deficiency, or combination of significant
deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.
Note: In evaluating whether a control deficiency exists and whether control
deficiencies, either individually or in combination with other control deficiencies,
are significant deficiencies or material weaknesses, the auditor should consider
the definitions in paragraphs 8, 9 and 10, and the directions in paragraphs 130
through 137. As explained in paragraph 23, the evaluation of the materiality of
the control deficiency should include both quantitative and qualitative considerations. Qualitative factors that might be important in this evaluation
include the nature of the financial statement accounts and assertions involved
and the reasonably possible future consequences of the deficiency. Furthermore, in determining whether a control deficiency or combination of deficiencies is a significant deficiency or a material weakness, the auditor should evaluate the effect of compensating controls and whether such compensating controls are effective.
11. Controls over financial reporting may be preventive controls or detective controls.
• Preventive controls have the objective of preventing errors or fraud from
occurring in the first place that could result in a misstatement of the financial statements.
• Detective controls have the objective of detecting errors or fraud that have
already occurred that could result in a misstatement of the financial statements.
12. Even well-designed controls that are operating as designed might not prevent a misstatement from occurring. However, this possibility may be countered by
overlapping preventive controls or partially countered by detective controls. Therefore, effective internal control over financial reporting often includes a combination of preventive and detective controls to achieve a specific control objective. The auditor's procedures as part of either the audit of internal control over financial reporting or the audit of the financial statements are not part of a company's internal control over financial reporting. 1/ See 17 C.F.R. 240.13a-14(a) or 17 C.F.R. 240.15d-14(a), whichever applies. 2/ See 17 C.F.R. 240, 13a-15(f) and 15d-15(f). possess the necessary authority or qualifications to perform the control effectively.