Evaluating the Significance of a Deficiency
SEC & PCAOB > PCAOB > Auditing Standard No. 2 > Evaluating the Significance of a Deficiency
PCAOB Release 2004-001
March 9, 2004
Page A–59 – Standard
137. When evaluating the significance of a deficiency in internal control over financial reporting, the auditor also should determine the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles. If the auditor determines that the deficiency would prevent prudent officials in the conduct of their own affairs from concluding that they have reasonable assurance,17/ then the auditor should deem the deficiency to be at least a significant deficiency. Having determined in this manner that a deficiency represents a significant deficiency, the auditor must further evaluate the deficiency to determine whether individually, or in combination with other deficiencies, the deficiency is a material weakness.
Note: Paragraphs 9 and 10 provide the definitions of significant deficiency and
material weakness, respectively.
138. Inadequate documentation of the design of controls and the absence of sufficient documented evidence to support management's assessment of the operating effectiveness of internal control over financial reporting are control deficiencies. As with other control deficiencies, the auditor should evaluate these deficiencies as to their significance.
139. The interaction of qualitative considerations that affect internal control over
financial reporting with quantitative considerations ordinarily results in deficiencies in the 17/ See SEC Staff Accounting Bulletin Topic 1M2, Immaterial Misstatements That Are Intentional, for further discussion about the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs. following areas being at least significant deficiencies in internal control over financial reporting:
• Controls over the selection and application of accounting policies that are
in conformity with generally accepted accounting principles;
• Antifraud programs and controls;
• Controls over non-routine and non-systematic transactions; and
• Controls over the period-end financial reporting process, including controls
over procedures used to enter transaction totals into the general ledger;
initiate, authorize, record, and process journal entries into the general
ledger; and record recurring and nonrecurring adjustments to the financial
140. Each of the following circumstances should be regarded as at least a significant deficiency and as a strong indicator that a material weakness in internal control over financial reporting exists:
• Restatement of previously issued financial statements to reflect the
correction of a misstatement.
Note: The correction of a misstatement includes misstatements due to
error or fraud; it does not include restatements to reflect a change in
accounting principle to comply with a new accounting principle or a
voluntary change from one generally accepted accounting principle to
another generally accepted accounting principle.
• Identification by the auditor of a material misstatement in financial
statements in the current period that was not initially identified by the
company's internal control over financial reporting. (This is a strong
indicator of a material weakness even if management subsequently
corrects the misstatement.)
• Oversight of the company's external financial reporting and internal control
over financial reporting by the company's audit committee is ineffective.
(Paragraphs 55 through 59 present factors to evaluate when determining
whether the audit committee is ineffective.)
• The internal audit function or the risk assessment function is ineffective at
a company for which such a function needs to be effective for the
company to have an effective monitoring or risk assessment component,
such as for very large or highly complex companies.
Note: The evaluation of the internal audit or risk assessment functions is
similar to the evaluation of the audit committee, as described in
paragraphs 55 through 59, that is, the evaluation is made within the
context of the monitoring and risk assessment components. The auditor is
not required to make a separate evaluation of the effectiveness and
performance of these functions. Instead, the auditor should base his or her evaluation on evidence obtained as part of evaluating the monitoring and risk assessment components of internal control over financial reporting.
• For complex entities in highly regulated industries, an ineffective regulatory compliance function. This relates solely to those aspects of the ineffective regulatory compliance function in which associated violations of laws and regulations could have a material effect on the reliability of financial reporting.
• Identification of fraud of any magnitude on the part of senior management.
Note: The auditor is required to plan and perform procedures to obtain reasonable assurance that material misstatement caused by fraud is detected by the auditor. However, for the purposes of evaluating and reporting deficiencies in internal control over financial reporting, the auditor should evaluate fraud of any magnitude (including fraud resulting in immaterial misstatements) on the part of senior management of which he or she is aware. Furthermore, for the purposes of this circumstance, "senior management" includes the principal executive and financial
officers signing the company's certifications as required under Section 302 of the Act as well as any other member of management who play a significant role in the company's financial reporting process.
• Significant deficiencies that have been communicated to management and the audit committee remain uncorrected after some reasonable period of time.
• An ineffective control environment.
141. Appendix D provides examples of significant deficiencies and material