This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
When performing an audit of internal control over financial reporting, an auditor should always use the top-down approach in order to determine what needs to be tested. The financial statement level is the starting point for the top-down approach and then moves down to single entity controls and then further down to important accounts and disclosures. It is crucial for the auditor to have an understanding of all the risks associated with each level of controls. By using this approach, accounts, disclosures, and assertions with the highest risk for a material misstatement are the focus and this approach makes it so that the auditor can ensure that all controls related to those accounts and assertions are tested.
Entity-level controls are categorized into three groups. One group consists of controls that indirectly influence the chance of a misstatement being detected or prevented and may change the steps taken to test the other controls chosen for testing. The next category of controls are those that observe other controls to ensure that they are working properly in order to detect problems caused by controls below them. If the auditor approves that these controls are successful, the testing of other controls may be decreased. The last type of entity-level controls are the most accurate at preventing or detecting misstatements and if proven to be effective at managing a given risk, the auditor does not have to perform further tests to any controls linked to that risk. All entity-level controls must be tested by the auditor if they strengthen the assumption of whether a company's internal control system over financial reporting is useful for preventing or detecting misstatements. By analyzing entity-level controls, an auditor can change how much testing will be executed on other controls.
Entity-level controls consist of controls connected to the risk controlling environment of the company. This is a significant control used to determine the effectiveness of internal control over financial reporting therefore the auditor must examine the management of the company. The auditor must consider whether upper management recognized and operated the company with integrity and ethics, whether management emphasized useful internal control over financial reporting, and whether the audit committee actually carried out the task of supervising internal control. Entity-level controls also include, those that influence management's power to override, controls that oversee the operations of a company, controls that observe other controls, the risk evaluation system, controls related to the reporting of financial statements at the end of each period, and the guidelines that focus on the overall risk management strategy of the company.
The financial reporting method used to produce statements is crucial to the auditor's conclusion of the effectiveness of internal control over financial reporting. The auditor must focus on the financial reporting procedure which consists of, the process of entering transactions into the general ledger, choosing major accounting policies, authorizing and recording journal entries in the general ledger, recording adjustments on the period-end financial statements, and composing the year end and quarterly financial statements with associated disclosures. When testing the process of financial reporting, the auditor should also analyze the technology system used to aid the reporting process, the inputs and outputs as well as the steps taken to assemble the financial statements, the management personnel involved, the locations included in the process, the adjusting entries included, and the amount of supervision provided by the audit committee, management, and board of directors.
The auditor is responsible for determining which accounts and disclosures are considered to have a reasonable possibility of being misstated on the financial statements. Each account and disclosure is connected with an assertion that the misstatement will have a material effect on the financial statements. Such assertions include the existence of an account, whether it is complete, and how it is valued and presented on the financial statements. The auditor must analyze the risks associated with all the financial statement accounts and disclosures in order to determine which are considered important. These risks consist of the size of the account, the likelihood of errors, the complexity of transactions, the type of accounts involved, and the difficulties involved in reporting certain accounts. The auditor must identify where misstatements could occur by evaluating the important accounts and determining the problems within that account. However, the aspects of an account might be affected by varying risks therefore different control tests might have to be used on an account in order to accurately test the ability of overcoming risk. The accounts and disclosures as well as their associated assertions that are deemed important are the same for an audit of internal control and for an audit of financial statements. If a company is comprised of multiple business entities, the auditor is required to use the consolidated financial statements in order to determine the important accounts and disclosures and their related assertions.
It is important for the auditor to accomplish certain steps in order to determine where misstatements could occur. These goals include knowing the process for recording transactions connected to the assertions being tested, confirming that the auditor knows where misstatements could occur, determining the control system used by management to deal with misstatements, and determining the process that management used to detect or prevent a misstatement from occurring. It is the auditor's responsibility to either personally go through these steps or to monitor that it gets done by somebody closely connected to the auditor. In addition to understanding the process for recording transactions, the auditor needs to know how the company's IT system is involved in this process and should use the paragraphs that focus on IT risk to evaluate the system effect on internal control. The most efficient and accurate approach to accomplishing the goals mentioned above would be to conduct a walkthrough of the company, where the auditor tracks a transaction through the entire process. The auditor would then reconcile their findings with those reported on the financial statements. Throughout the walkthrough, the auditor is to question management and other company employees to make sure they understand what the process consists of. This provides the auditor with some of the answers needed to confirm whether an effective control system is used by the company.
In determining what controls should be tested, the auditor should focus on those that are significantly related to their opinion of whether the company's internal control system is effective at overcoming the risks of misstatement associated with each assertion. Although some controls can relate to more than one assertion, it is not required to retest repetitive controls or to test every control linked to a specific assertion. The testing of a control is determined by whether the control is effective at managing the risk associated with misstatement for a certain assertion.
A material weakness is described to be a flaw in the internal control system resulting in a reasonable possibility that a significant misstatement will occur in the company's financial statements. Compared to a material weakness, a significant deficiency is defined as a weakness in the internal control system that is not as significant as a material weakness but still significant enough to be monitored by those who overlook the company's reporting.
A material weakness may exist if certain red flags appear within a company. These signs consist of management determining that fraud occurred, a correction taking place on a past financial statement, the determination by the auditor that the internal control system of a company would not have detected a misstatement, and poor supervision by the audit committee. Another warning that a material weakness may exist is if the auditor concludes that a deficiency might affect the ability for authorities to guarantee that the preparation of financial statements in accordance with GAAP was done correctly.
After completion of the audit, the auditor must provide a written report to management and the audit committee containing all the material weaknesses and deficiencies. The auditor must provide a written report to the board of directors if it is determined that the audit committee is unsuccessful at monitoring the external and internal control over financial reporting. The last written report is given to management describing all the deficiencies in internal control over financial reporting and the audit committee must be told that this communication with management occurred. It is not necessary for the auditor to test all controls and determine every deficiency that exists but the auditor should describe all weaknesses that are known. If the auditor happens to come across fraud, he or she should refer to the sections related to fraud and illegal acts to determine what steps to take.
An auditor's report must consist of many different components. Some of these include the date of the report, city and state where the report was given, signature of the auditor's firm, the opinion on the effectiveness of internal control over financial reporting, a statement that the audit was performed in conformity with the PCAOB standards, and a statement by management stating they are liable for providing internal control over financial reporting. The auditor's report requires the auditor to provide statements that the audit conducted supports the final opinion as well as many other statements relating to the internal control over financial statements but does not require any communication of material weaknesses or significant deficiencies. Those are communicated directly in the written reports issued to management, the audit committee, and if necessary, the board of directors.