EquitiesAmerica.com
Accounting | 404(b) attestation | ICFR auditor report | auditor attestation on ICFR

Attestation Report

An attestation report on internal control over financial reporting is the report issued by a registered public accounting firm under SOX Section 404(b) that expresses an independent opinion on whether a public company's ICFR is effective as of the fiscal year-end, based on the auditor's own independent assessment conducted in accordance with PCAOB auditing standards.

The attestation report required by SOX Section 404(b) is governed by PCAOB Auditing Standard AS 2201, which requires the auditor to plan and perform the integrated audit to obtain reasonable assurance about whether material weaknesses exist in ICFR as of the fiscal year-end date. Reasonable assurance is a high but not absolute level of assurance — the same standard applied to the financial statement audit — meaning the auditor is not guaranteeing the absence of all control deficiencies, but is providing a high degree of confidence about the absence of material weaknesses.

The integrated audit requires the auditor to perform top-down, risk-based testing of internal controls. The auditor begins with entity-level controls — the overarching control environment, risk assessment, and monitoring activities that set the tone for control effectiveness across the organization. The auditor then identifies significant accounts and disclosures, maps them to relevant business processes, identifies key controls within those processes, and tests the design and operating effectiveness of those controls. Where IT general controls support the reliability of automated controls, those IT controls must be tested as well.

The attestation report takes one of two forms. An unqualified opinion states that, in the auditor's opinion, the company maintained, in all material respects, effective internal control over financial reporting as of the specified date based on criteria in the COSO framework. An adverse opinion states that, in the auditor's opinion, the company did not maintain effective ICFR, because one or more material weaknesses existed. The PCAOB does not permit auditors to issue qualified opinions on ICFR — the opinion is binary: effective or not effective.

The attestation report is included in the company's Form 10-K along with management's assessment. Investors reading both documents can compare management's conclusions against those of the independent auditor. While management and auditor conclusions almost always agree when a company is subject to 404(b) attestation — because differences are typically resolved during the audit process — there are cases where the auditor identifies material weaknesses that management did not disclose, representing a significant breakdown in management's own assessment process.

For investors, the presence of a 404(b) attestation report is a meaningful quality signal in its own right. Empirical research finds that 404(b) filers have lower restatement rates, higher earnings quality scores, and lower cost of equity capital than comparable companies exempt from auditor attestation requirements, demonstrating the independent value the attestation provides beyond management's self-assessment.


Educational only. This glossary entry is for informational purposes and does not constitute investment, tax, or legal guidance. Please consult a registered investment professional before making any investment decision.