The Standard advises the auditor to use a top-down approach in performing an internal control audit. This approach begins at the financial statement level, with the auditor's understanding of the company's overall risks to internal control over financial reporting and its entity-level controls, traces risks of material misstatement back to significant individual accounts, disclosures and assertions, nails down the likely sources of misstatement to such accounts and disclosures, and then determines what controls should be tested.
As per the Standard, the starting point of the top-down approach is identifying entity-level controls, which include the company's control environment and risk assessment process, controls over the period-end financial reporting process, controls to monitor results of operations, controls to monitor other controls, controls over management override, centralized processing and controls, and policies with regard to significant business control and risk management practices. Among them, the control environment is the most pervasive element. Factors to be considered in evaluating the control environment are: integrity and ethical values, particularly of top management; management's philosophy and operating style; and effectiveness of the board of directors and the audit committee in exercising oversight responsibilities over financial reporting and internal control. The period-end financial reporting process is also an important risk area. It comprises procedures to enter transaction totals into the general ledger, to select and apply accounting policies, to initiate, authorize, record, and process journal entries in the general ledger, to record recurring and nonrecurring adjustments to the annual and quarterly financial statements, as well as procedures for preparing annual and quarterly financial statements and related disclosures. To evaluate the control quality of this process, an auditor should assess its various elements, including inputs, procedures performed, outputs, adjusting and consolidating entries, locations involved in the process, involvement of information technology, management's participation, and oversight by management, the board of directors, and the audit committee.
The next step in this top-down approach is identifying significant accounts, disclosures and their relevant assertions. The Standard breaks down the financial statement assertions into existence or occurrence, completeness, valuation or allocation, rights and obligations, and presentation and disclosure. Risk factors related to identification of these significant accounts, disclosures and assertions are: size and composition of the account; susceptibility to misstatement; volume of activity, complexity, and homogeneity of the individual transactions processed through the account or reflected in the disclosure; nature of the account or disclosure; accounting and reporting complexities associated with the account or disclosure; exposure to losses in the account; possibility of significant contingent liabilities arising from the activities reflected in the account or disclosure; existence of related party transactions in the account; and changes from the prior period in account or disclosure characteristics. The auditor should also base the determinations about significant accounts, disclosures and their relevant assertions first on the company's consolidated financial statements, if applicable, and then apply the regulations concerning multiple location scoping decisions.
After performing the above work, the auditor comes down to the point of understanding the likely sources of misstatement, which involves understanding the flow of transactions related to the relevant assertions from initiation, authorization, processing to recording; verifying the identification of the material misstatement points within the company's processes; identifying the controls that management has implemented to address these potential misstatements; and identifying the controls that management has implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could be a source of material misstatement of the financial statements. The most effective approach to determining sources of material misstatement is through performing walkthroughs. The auditor follows a transaction from its beginning until it is reflected in the company's financial records, using the same documents and information technology that company personnel use. Inquiry with probing questions is employed in the walkthrough procedures to gain a sufficient understanding of the process and to locate points of missed controls. Other commonly used methods in the walkthroughs are observation, inspection of relevant documentation, and re-performance of controls.
Sufficient information is now available for the auditor to make informed decisions on which controls to test. The controls selected should be relevant to his/her conclusion about the effectiveness of the internal control over financial reporting, and should address the assessed risk of misstatement to their related assertions.
Material weakness vs. significant deficiency
Two types of control deficiencies are specifically emphasized in the Standard: material weakness and significant deficiency. A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.
The following occurrences indicate the existence of material weakness: identification of fraud, whether or not material, on the part of senior management; restatement of previously issued financial statements to reflect the correction of a material misstatement; identification by the auditor of a material misstatement of financial statements in the current period pointing to the failure of the company's internal control in detecting financial misstatement; and ineffective oversight of the company's external financial reporting and internal control over financial reporting by the company's audit committee.
If the auditor determines that a deficiency, or combination of deficiencies, might prevent prudent officials in the conduct of their own affairs from concluding that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles, then the auditor should treat the deficiency, or combination of deficiencies, as an indicator of a material weakness.
The auditor must, prior to the issuance of the auditor's report on internal control over financial reporting, communicate in writing to management and the audit committee all material weaknesses identified during the audit. Ineffective oversight by the company's audit committee should also be communicated in writing to the board of directors. Significant deficiencies identified during the audit should be communicated, in writing, to the audit committee. All deficiencies in internal control over financial reporting (i.e., those deficiencies less severe than material weaknesses) identified during the audit should be communicated to management, and the audit committee should be informed of such communication. The auditor is only obligated to communicate deficiencies in internal control over financial reporting of which he or she is aware.
The auditor should not issue a report stating that no deficiencies less severe than a material weakness were noted during the audit. If there are deficiencies that, individually or in combination, result in one or more material weaknesses, the auditor must express an adverse opinion on the company's internal control over financial reporting, unless there is a restriction on the scope of the engagement.