Exploring a top down approach to internal control

I am going to summarize for you the parts of Auditing Standard No. 5 that deal with the top down approach to an audit of internal control and with what a material weakness is versus a significant deficiency. The purpose of this memo is to explain and summarize these two parts of Auditing Standard No. 5 so that you can better understand what each does.

The top down approach describes the auditor's process of identifying risks in order to select which controls they will test in performing an audit of internal control over financial reporting. The top down approach has four basic but important steps that attempt to identify risks properly. The four basic steps include identifying entity-level controls, identifying significant accounts and disclosures and their relevant assertions, understanding likely sources of misstatement, and selecting controls to test.

In the first step the auditor tests entity-level controls that are important to the auditor's conclusion, which can increase or decrease the testing of controls that will take place later in the audit. Entity-level controls can affect whether a misstatement will be discovered in a timely manner, as well as the effectiveness of lower-level controls. In contrast, the controls might be effective in preventing errors and doing so on a timely basis. Entity-level controls include, but are not limited to: the company's risk assessment process, controls to monitor results of operations, controls related to the control environment, and policies that address significant business control practices. An auditor must also assess the control environment to evaluate management's operating style of promoting effective internal control and ethical values, with a lot of emphasis on top management. Another entity-level control the auditor is supposed to evaluate is the period-end financial reporting process, in order to check procedures like transactions in the general ledger and preparing quarterly financial statements and the disclosures that go with them. The last control deals with understanding the process of period-end financial reporting as well as who participates in reporting and the extent of oversight by management.

The second step is for the auditor to identify significant accounts and disclosures and their relevant assertions. Relevant assertions are assertions in the financial statements that could contain a misstatement that could cause the financial statements to be materially misstated. Assertions can include completeness, valuation, and presentation. The auditor must also evaluate qualitative and quantitative risk factors that include, but are not limited to: the size and composition of accounts, the reporting complexities associated with the account, and the existence of related party transactions. The auditor should also determine sources of potential misstatement that could cause materially misstated financial statements. One helpful aspect is that the risk factors that are identified and evaluated for an audit of internal control over financial reporting are the same for an audit of financial statements. Lastly, if a company has multiple locations for its business and its activities, then the auditor should identify the relevant assertions based on the consolidated financial statements.

The third step for the auditor is to understand the likely sources of misstatement. Objectives that the auditor should follow include understanding how transactions are authorized, processed, and recorded. Another is making sure to find misstatements that, added together, could cause a material misstatement. Further, the auditor needs to understand how management tries to fix problems that arise and how management has implemented timely detection so that a material misstatement can be fixed in a timely manner. The steps above are difficult to do unless properly trained, so the auditor should do them themselves or supervise their help closely. The auditor is required to be fluent with IT because it processes the flow of transactions for the clients. One of the best ways to check the flow of transactions is to perform a walkthrough as transactions are entered and processed throughout a client's systems, all the way until they end up on the financial statements. Throughout the walkthrough the auditor should question the client's employees multiple times in order to understand and learn more about the client and its systems. Talking to the client's employees is a great way to learn beyond the transaction the auditor is processing, because questions can lead to unexpected answers that go beyond what the auditor originally thought.

The last step is for the auditor to select controls to test. The auditor needs to test the controls that are going to have the highest significance for the auditor's conclusion. This should bring into question whether or not the company's internal controls effectively avoided the risk of misstatement. It's important to note that it may take more than one test in order to address the risk of a particular misstatement for a particular assertion. In order to determine which controls need to be tested, the auditor needs to reach a sufficient conclusion about the risk of misstatement to the assertion.

The second part of Auditing Standard No. 5 that I am going to explain is the difference between a significant deficiency and a material weakness. Beyond explaining the general differences, I will list the indicators of a material weakness as well as explain how a material weakness and a significant deficiency are communicated to an audit committee vs. the audit report.

By the definition in Auditing Standard No. 5, a deficiency exists when "the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis". A deficiency happens when a control does not do its task, and a deficiency in operation is when a control does not do its operation or the person administering the control has no authority to do so. Having understood what a deficiency is, you can now understand that a significant deficiency is a single deficiency or a combination of deficiencies that is not as severe as a material weakness, yet severe enough to merit attention.

A material weakness is similar to a significant deficiency in that it is a deficiency or combination of deficiencies, but one that adds up to a reasonable possibility that a material misstatement will show up on the client's financial statements or will be undetected on a timely basis. Some of the indicators of a material weakness in the internal control over financial reporting include, but are not limited to: identification of fraud, whether it's small or big; restatement of past financial statements in order to correct their misstatements; ineffective oversight of controls; and identifying a misstatement on the financial statements. When an auditor determines how bad a deficiency or multiple deficiencies are, it's the auditor's job to evaluate the level of assurance that is needed to satisfy the reasonable assurance that transactions are recorded properly on the financial statements. If the auditor finds that the deficiency could stop officials in the conduct of their own affairs, because transactions could stop them from reporting correct amounts on their financial statements, then the auditor should say the deficiency is a material weakness or an indicator of one.

In communicating the material weaknesses, the auditor should report them in writing to management before the auditor's report is finalized. If the conclusion finds the controls ineffective, the board of directors should be notified in writing. Similarly, the significant deficiencies should be communicated to the audit committee and management, but the deficiencies that were reported by others, such as the internal auditors, do not need to be repeated in the writing. Also, the auditor should not say that no deficiencies were found during the audit. In the case of finding fraud or illegal acts, the auditor should follow AU sec. 316.

Having read this summary of Auditing Standard No. 5 and the top down approach, you should understand more clearly how to identify controls, significant accounts, and sources of misstatement. Similarly, you should understand some key differences between a material weakness and a significant deficiency and how they are reported.