AUD ICFR reporting coverage for issuer requirements, integrated audits, deficiency communication, and report structure.
This chapter focuses on reporting related to internal control over financial reporting. The core issue is how ICFR findings are evaluated, communicated, and combined with the financial statement audit in public-company settings.
ICFR questions often turn on classification. A control deficiency, significant deficiency, and material weakness can have different communication and reporting consequences, especially when the engagement is an integrated audit of an issuer.
| ICFR issue | What to decide first | Common AUD trap |
|---|---|---|
| Issuer requirement | Whether PCAOB integrated-audit reporting applies. | Applying nonissuer communication rules to issuer ICFR reporting. |
| Deficiency severity | Whether the issue is a control deficiency, significant deficiency, or material weakness. | Treating all control problems as report-modifying issues. |
| Integrated audit link | How ICFR conclusions interact with financial statement audit work. | Assuming a clean financial statement opinion automatically means effective ICFR. |
| Report format | Whether combined or separate reports are used and how the opinions are presented. | Confusing report form with the underlying opinion conclusion. |
| Step | What to resolve | Reporting effect |
|---|---|---|
| Determine engagement type | Issuer integrated audit, nonissuer communication, or other control-related work. | The applicable standards and report requirements differ. |
| Identify the control issue | Design deficiency, operating deficiency, scope limitation, or management assertion issue. | Classification depends on the nature and effect of the problem. |
| Assess severity | Likelihood and magnitude of potential misstatement. | Severity drives significant-deficiency or material-weakness conclusions. |
| Link to financial statement audit | Whether the control issue affects substantive work or the financial statement opinion. | ICFR and financial statement opinions are related but not identical. |
| Select report form | Combined or separate reporting, opinion wording, and communications. | Report format follows the conclusion; it does not create the conclusion. |
| Checkpoint | What to evaluate | Reporting consequence |
|---|---|---|
| Likelihood | Whether the deficiency could allow a misstatement to occur and not be prevented or detected. | Likelihood is part of classifying severity. |
| Magnitude | Whether the potential misstatement could be material. | Material magnitude can elevate the issue to a material weakness. |
| Compensating controls | Whether other controls reduce the likelihood or magnitude effectively. | Weak compensating controls may not change the conclusion. |
| Financial statement effect | Whether substantive procedures found or did not find a misstatement. | A clean financial statement opinion does not prove ICFR is effective. |
| Communication level | Management, audit committee, report users, or public report. | The audience changes with deficiency severity and engagement type. |