The top down approach to an audit of internal control begins at the financial statement level and auditors' understanding of the effectiveness of internal controls over financial reporting for the company. You start at the top of the corporate hierarchy including the board of directors, the audit committee and top management. This is done by evaluating the company's control environment. The entity should have ethical and behavioral standards which are well communicated and upheld throughout the company. This tone should include management's actions to remove the incentives for employees to engage in unethical behavior. This is accomplished through policy statements, codes of conduct and leading by example. The board of directors and audit committee are responsible for the oversight of the top management. You want the board of directors to be independent of management, to have good corporate governance (for example the CEO is not also the chair of the board). The board needs to have competent, ethical and engaged members. You also need to understand top managements philosophy and operating style. They set the tone at the top, establish and articulate financial reporting objectives, and select accounting principles. They need to be committed to accurate financial accounting. The organizational structure should have clearly defined lines of responsibility, authority and accountability.
Get your grade
or your money back
using our Essay Writing Service!
Next the auditor must identify and test the entity-level controls which are important to reaching their conclusions about the effectiveness of the internal controls over financial reporting. Entity level controls include controls related to the control environment, controls over management override, the company's risk assessment process, centralized processing and controls including shared service environments, controls to monitor results of operations, controls to monitor other controls including activities of the internal audit function, the audit committee, and self-assessment programs, controls over the period-end financial reporting process and policies that address significant business control and risk management practices.
Stepping lower, the auditor must now evaluate the period-end financial reporting process. This includes procedures used to enter transactions totals into the general ledger, procedures related to the selection and application of accounting policies, procedures used to initiate, record and process journal entries in the general ledger, procedures used to record reoccurring and nonrecurring adjustments to the annual and quarterly financial statements and related disclosures. The auditor must also identify significant accounts and disclosures and their relevant assertions, being any assertion which has a reasonable possibility of containing a misstatement which would cause the financial statements to be materially misstated. These assertions include existence or occurrence, completeness, valuation or allocation, rights and obligations, and presentation and disclosure. The auditor must also understand that the components of a potential significant risk account or disclosure may be subject to significantly differing risks and as such differing controls may be necessary to address those risks. For example accounts receivable, allowance for uncollectible accounts and inventory accounts typically carry higher amounts of risk and even with proper controls in place still may contain above an acceptable amount of residual risk.
Once the auditor has this understanding they can understand likely sources of misstatement. To further understand this the auditor needs to understand the flow of transactions related to the relevant assertions, including how the transactions are initiated, authorized, processed, and recorded; to verify they have identified the points within the company's processes which a misstatement, including fraud, could arise that, individually or in combination with other misstatements, would be material; to identify the controls that management has implemented to address these potential misstatements; and to Identify the controls management has implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets which could result in a material misstatement of the financial statements. To obtain an understanding of the control activities in accounting processes the auditor can perform a walkthrough, take plant and operational tours, review client-prepared documentation and review the prior-years' audit documentation.
Finally the auditor should select the controls to test. These controls should be important to the auditors' conclusion on whether the company's controls sufficiently address the assessed risk of misstatement to each relevant assertion. The auditor should be knowledgeable and efficient in his selection, if one control addresses the assessed risk of misstatement for more than one relevant assertion it is not necessary to test the control multiple times, unless the control calls for redundancy. Also while performing a walkthrough the auditor can ask questions of the employees about their understanding of what is required by the company's procedures and controls. These questions, combined with other walkthrough procedures can be used to allow the auditor to gain a sufficient understanding of the processes and their strengths and weaknesses and to potentially allow the auditor to gain an understanding of different types of significant transactions handled by the process.
Always on Time
Marked to Standard
"A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis."
"A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting."
A material weakness occurs where there is a reasonable possibility that the absence of effective controls would allow material misstatements to occur in the financial statements and not be detected or corrected on a timely basis. A significant deficiency is important enough that the auditor has to bring it to the attention of management and the audit committee but the deficiency does not rise to the level of a material weakness. A material weakness is reported to everyone where a significant deficiency is only reported to management and the board of directors but not to outsiders.
Indicators of material weaknesses include:
- Identification of fraud, whether or not material, on the part of senior management.
- Restatement of previously issued financial statements to reflect the correction of a material misstatement.
- Identification by the auditor of a material misstatement of financial statements in the current period in circumstances that indicate that the misstatement would not have been detected by the company's internal control over financial reporting.
- Ineffective oversight of the company's external financial reporting and internal control over financial reporting by the company's audit committee.
The auditor must communicate all material weaknesses identified during the audit in writing to management and the audit committee prior to the issuance of the auditor's report. If the auditor determines the oversight of the company's external financial reporting and internal control over financial reporting by the audit committee is ineffective the auditor must communicate that conclusion in writing to the board of directors. The auditor must communicate all significant deficiencies in writing to the audit committee. The auditor is not required to perform procedures that are sufficient to identify all control deficiencies, rather they report the deficiencies in internal control over financial reporting of which they are aware. Because an audit of internal control over financial reporting does not provide the auditor with assurance that they have identified all deficiencies less severe than a material weakness, the auditor should not issue a report stating that no such deficiencies were noted during the audit. Lastly the auditor should communicate to management in writing all deficiencies in internal control over financial reporting identified during the audit and inform the audit committee when this communication has been made. When making this communication, it is not necessary for the auditor to repeat information about such deficiencies which have been included in previously issued written communications, whether those communications were made by the auditor, internal auditors, or others within the organization.