Many nonprofit organizations and commercial businesses that apply for government grants or contracts are required to go through pre-award survey procedures. These procedures are designed so that the government gains an understanding about the suitability of an entity’s internal controls prior to making an award to the entity. In some cases, the entity’s auditor is requested to provide a written report on the design (but not the operation) of the entity’s internal control over financial reporting.

In December 2008, the AICPA issued Interpretation No. 7 of AT Section 101: Attest Engagements, “Reporting on the Design of Internal Control.” In its interpretation, AICPA made the following conclusions:

1.            An auditor may not issue a report on the suitability of the design of internal controls based on the auditor’s risk assessment procedures applied in the performance of the audit of the entity’s financial statements. Such risk assessment procedures are designed to gain a sufficient understanding of an entity and its environment, including internal controls, to plan and perform audit procedures. These procedures do not provide a sufficient basis for reporting on the suitability of the design of an entity’s internal controls.

2.            A practitioner may, however, perform an examination under either AT Section 101 (Attest Engagements) or AT 201 (Agreed Upon Procedures) to management’s written assertion about the suitability of the design of an entity’s internal control. If the engagement is structured as an agreed-upon procedures engagement, certain portions of AT section 601 (Compliance Attestation) should also be complied with. The Interpretation provides an example of a report that could be provided in connection with these engagements.

Of course, auditors should never sign a prescribed form that is to be submitted regarding the design of an entity’s internal controls if it is not consistent with these standards and interpretations. In such cases, the auditor should modify the prescribed form or refer to an attachment that contains appropriate language.