This document contains a synopsis of Appendix A to the PCAOB’s Auditing Standard #5 for Independent Auditors, opining on internal controls for financial reporting (ICFR) for SEC reporting companies. Appendix A contains discussion by the PCAOB of how and why the standard was adopted.

The proposed standard on auditing internal control was structured around the top-down approach to identifying the most important controls to test. This approach follows the same principles that apply to the financial statement audit – the auditor determines the areas of focus through the identification of significant accounts and disclosures and relevant assertions. Under the proposed standard, the auditor would specifically identify major classes of transactions and significant processes before identifying the controls to test.

In response to comments about the level of detail in the requirements of the proposed standard, the Board has reconsidered whether the final standard should include the identification of major classes of transactions and significant processes as a specifically required step in the top-down approach. As a practical matter, the auditor will generally need to understand the company's processes to appropriately identify the correct controls to test. The Board believes, however, that specific requirements directing the auditor how to obtain that understanding are unnecessary and could contribute to a "checklist approach" to compliance, particularly for auditors who have a long-standing familiarity with the company. Accordingly, the Board has removed the requirements to identify major classes of transactions and significant processes from the final standard. While this should allow auditors to apply more professional judgment as they work through the top-down approach, the end point is the same as in the proposed standard – the requirement to test those controls that address the assessed risk of misstatement to each relevant assertion.

The proposed standard on auditing internal control emphasized entity-level

controls because of their importance both to the auditor's ability to appropriately tailor the audit through a top-down approach – specifically by identifying and testing the most important controls – and to effective internal control. Additionally, the proposed standard emphasized that these controls might, depending on the circumstances, allow the auditor to reduce the testing of controls at the process level. Commenters suggested the proposed standard did not provide enough direction on how entity-level controls can significantly reduce testing, and some suggested that controls that operate at the level of precision necessary to do so are uncommon. Many commenters suggested incorporating in the final standard the discussion of direct versus indirect entity-level controls that was included in the SEC's proposed management guidance.

The Board continues to believe entity-level controls, depending on how they are designed and operate, can reduce the testing of other controls related to a relevant assertion. This is either because the entity-level control sufficiently addresses the risk related to the relevant assertion, or because the entity-level controls provide some assurance so that the testing of other controls related to that assertion can be reduced.

In response to comments and in order to clarify these concepts, the Board included in the final standard a discussion of three broad categories of entity-level controls, which vary in nature and precision, along with an explanation of how each category might have a different effect on the performance of tests of other controls. The final standard explains that some controls, such as certain control environment controls, have an important but indirect effect, on the likelihood that a misstatement will be detected or prevented on a timely basis. These controls might affect the other controls the auditor selects for testing and the nature, timing, and extent of procedures the auditor performs on other controls.

The final standard explains that other entity-level controls may not operate at the level of precision necessary to eliminate the need for testing of other controls, but can reduce the required level of testing of other controls, sometimes substantially. This is because the auditor obtains some of the supporting evidence related to a control from an entity-level control and the remaining necessary evidence from the testing of the control at the process level. Controls that monitor the operation of other controls are the best example of these types of controls. These monitoring controls help provide assurance that the controls that address a particular risk are effective and, therefore, they can provide some evidence about the effectiveness of those lower-level controls, reducing the testing of those controls that would otherwise be necessary.

Lastly, the final standard explains that some entity-level controls might operate at a level of precision that, without the need for other controls, sufficiently addresses the risk of misstatement to a relevant assertion. If a control sufficiently addresses the risk in this manner, the auditor does not need to test other controls related to that risk.

The proposed standard on auditing internal control would have required auditors to perform a walkthrough of each significant process each year. This proposed requirement represented a change from Auditing Standard No. 2, which required a walkthrough of each major class of transactions within a significant process.

Commenters were split on the question of whether the re-calibration from major class of transactions to significant process in the proposed standard would result in a reduction of effort. Some issuers and auditors suggested that walkthroughs are already being performed on significant processes, while other issuers and auditors commented that this proposed requirement would make a difference. A few commenters suggested that a walkthrough of each significant process was insufficient and would negatively affect audit quality, but many others stated that walkthroughs should not be required at all.

In evaluating these comments, the Board focused principally on the objectives it believes are achieved through a properly performed walkthrough. The Board firmly believes those objectives should be met for the auditor to verify that he or she has a sufficient understanding of the points within the processes where misstatements could occur and to properly identify the controls to test. Procedures that fulfill those objectives also play an important role in the evaluation of the effectiveness of the design of the controls. The Board believes that, in some instances, the requirement to perform a walkthrough may have overshadowed the objectives it was meant to achieve. This may have resulted in some walkthroughs being performed to meet the requirement but failing to achieve the intended purpose. The final standard, therefore, focuses specifically on achieving certain important objectives, and the performance requirement is based on fulfilling those objectives as they relate to the understanding of likely sources of misstatement and the selection of controls to test. While a walkthrough will frequently be the best way of attaining these goals, the auditor's focus should be on the objectives, not on the mechanics of the walkthrough. In some cases, other procedures may be equally or more effective means of achieving them.

At the time the Board proposed Auditing Standard No. 5 for public comment, the

Board also proposed an auditing standard entitled Considering and Using the Work of Others in an Audit that would have superseded the Board's interim standard AU sec. 322, The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements ("AU sec. 322"), and replaced the direction on using the work of others in an audit of internal control in Auditing Standard No. 2.

As discussed in the proposing release, the Board had several objectives in proposing this standard. The first was to better integrate the financial statement audit and the audit of internal control by having only one framework for using the work of others in both audits. Additionally, the Board wanted to encourage auditors to use the work of others to a greater extent when the work is performed by sufficiently competent and objective persons. Among other things, under the proposed standard auditors would have been able to use the work of sufficiently competent and objective company personnel – not just internal auditors – and third parties working under the direction of management or the audit committee for purposes of the financial statement audit as well as the audit of internal control.

The Board received numerous comments on the proposed standard on using the work of others. Commenters generally indicated support for a single framework regarding the auditor's use of the work of others in an integrated audit. Some, however, suggested retaining existing AU sec. 322 as the basis for that single framework. They expressed the view that the objective of removing barriers to integration and using the work of others to the fullest extent appropriate could be achieved by retaining AU sec. 322 and going forward with the proposed removal of the "principal evidence" provision. At the same time, some other commenters suggested the proposed standard did not go far enough in encouraging auditors to use the work of others.

After considering these comments, the Board continues to believe that a single framework for the auditor's use of the work of others is preferable to separate frameworks for the audit of internal control and the audit of financial statements. The factors used to determine whether and to what extent it is appropriate to use the work of others should be the same for both audits. At the same time, the Board agreed with those commenters who suggested that better integration of the audits could be achieved without replacing the existing auditing standard. The Board therefore has decided to retain AU sec. 322 for both audits and incorporate language into Auditing Standard No. 5 that establishes these integration concepts rather than adopt the proposed standard on considering and using the work of others. Consistent with the proposal, however, Auditing Standard No. 5 allows the auditor to use the work of others to obtain evidence about the design and operating effectiveness of controls and eliminates the principal evidence provision.

Recognizing that issuers might employ personnel other than internal auditors to perform activities relevant to management's assessment of internal control over financial reporting, the final standard allows the auditor to use the work of company personnel other than internal auditors, as well as third parties working under the direction of management or the audit committee. In line with the overall risk-based approach to the audit of internal control over financial reporting, the extent to which the auditor may use the work of others depends, in part, on the risk associated with the control being tested. As the risk decreases, so does the need for the auditor to perform the work him or herself. The impact of the work of others on the auditor’s work also depends on the relationship between the risk and the competence and objectivity of those who performed the work. As the risk decreases, the necessary level of competence and objectivity decreases as well. Likewise, in higher risk areas (for example, controls that address specific fraud risks), use of the work of others would be limited, if it could be used at all.

Finally, the Board understands that some of the work performed by others for the purposes of management's assessment of internal controls can be relevant to the audit of financial statements. Therefore, in an integrated audit, the final standard allows the auditor to use the work of these sufficiently competent and objective others – not just internal auditors – to obtain evidence supporting the auditor's assessment of control risk for purposes of the audit of financial statements. The Board believes this provision will promote better integration of the audit of internal control with the audit of financial statements.