The Public Accounting Oversight Board (PCAOB) recently released auditing standard number 5 (AS5), "An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements," which establishes certain requirements that an auditor may use while performing an audit of a client's management assessment of its internal control procedures and the efficiency of those procedures. This memo focuses on a narrow part of AS5, but one that is vital for understanding and recognizing the changes that have been made to it. In this memo I will summarize the top-down approach to an audit of internal control, describe the differences between a material weakness and a significant deficiency, and cover the communication of the audit results.
The main purpose of using a top-down approach is to make it easy for auditors to choose which controls they wish to test. Based on their findings from this approach, auditors can select for testing the controls that adequately address the risk of a misstatement. The approach begins with the auditor understanding the risks related to financial reporting on the financial statements. Once that understanding is established, the auditor focuses on identifying entity-level controls.
When identifying entity-level controls, it is important to know what those controls include. The entity-level controls include such things as: the control environment, the controls over management override, the company's risk assessment process, centralized processing and controls, controls to monitor the results of operations, controls to monitor other controls, controls over the period-end financial reporting process, and policies that address significant business control and risk management practices (information shown in AS5). The auditor tests these controls to see whether the company has an efficient internal control system for its financial reporting. An important thing to note is that the results of testing these controls ultimately factor additional testing of other controls in or out. It is also important to know that entity-level controls vary in character. Some controls have only an indirect effect on the possibility of detecting a misstatement, while others are designed for exactly that purpose, so knowing these controls and how they interact within the internal control environment is a significant step in accurately testing the controls.
Understanding the control environment is more important than the others because it directly relates to the effectiveness of financial reporting. When evaluating the environment, the auditor needs to pay special attention to and assess whether strong ethical and moral values are implemented in the workforce, especially at the management level, and whether the management team's operating style is embedded throughout the company as an effective and efficient source directly relating to the internal control over financial reporting.
Because of its importance in financial reporting and internal control, understanding the year-end financial reporting process is critical. This process includes everything from the procedures used to enter a transaction into the general ledger all the way to the preparation of the annual or quarterly financial statements and related disclosures. The auditor needs to be able to assess the inputs, processes, and outputs involved in preparing the financial statements. Gaining an understanding of IT involvement is also important, as are who does what, the adjusting entry procedures, the location in which everything takes place, and management oversight. Knowing all this will ensure that the appropriate assessed risk is being taken care of.
The next step is to identify significant accounts and disclosures and their relevant assertions. A financial statement assertion is deemed to be relevant if the possible misstatement would cause the financial statements to be materially misstated. The financial statement assertions present in AS5 are: existence or occurrence, completeness, valuation or allocation, rights and obligations, and presentation and disclosure. To identify the relevant assertions in accounts and disclosures, the auditor must assess the "qualitative and quantitative risk factors" (AS5) related to the line items and disclosures on the financial statements. Risk factors that are informative in this step include the size and composition of the account, the vulnerability to misstatement due to error or fraud, the amount and complexity of the transactions that run through the account, the underlying nature of the account, how complex the account is, exposure to losses, the possibility of contingent liabilities, and changes in the characteristics of the account. When looking for the relevant assertions of accounts and disclosures, the auditor should also ask what could go wrong and where, in order to determine likely sources of misstatements that would make the financial statements materially misstated. It is important to note that the risk factors evaluated in identifying significant accounts and disclosures and their relevant assertions are the same as those in the audit of internal control over financial reporting. This understanding will help to narrow down the number of accounts tested and help bring misstatements to the surface.
A lot of judgment is exercised by the auditor, so it is highly recommended that the auditor perform the audit themselves. If that is not the case, the auditor should supervise the others who carry out the procedures. When performing an audit, the auditor should set out the key objectives they wish to achieve. Some objectives include: gaining an understanding of how transactions flow throughout the company relative to the assertion, verifying the areas in which the auditor sees that material misstatements may occur, making sure that management has implemented adequate controls to mitigate the risk of a misstatement, and making sure management has implemented detection and prevention controls to catch the risks at or before the time they hit, in order to save the financial statements from being misstated. The above-mentioned objectives serve as a great way to start conducting the audit. Also, knowing the client's IT system and how it works improves confidence in making a judgment. The most efficient way to achieve the objectives of the audit is to engage in a walkthrough, in which the auditor takes a transaction and follows it through the system from the time of its origin to the time at which it is reflected in the company's financial records. Asking personnel questions along the way will also help to get a full view of how the system works and the process it follows.
After the auditor has gathered the relevant information, the last step is to actually test those controls. The auditor should focus on the controls that are important to their conclusion about how sufficiently the company's controls address each relevant assertion. This top-down approach is widely used and is very effective in testing controls to ensure the reliability a company gives its customers. To recap what I have just discussed, the auditor performs this approach by focusing on the broadest level of the client's processes, which is the financial statements, and then works their way down until they can single out certain transactions to test and perform a walkthrough on. This is the essence of a top-down approach.
The next topic I would like to talk about is the difference between a material weakness and a significant deficiency. A material weakness is a deficiency in internal control over financial reporting in which there exists a reasonable possibility that a material misstatement on the company's financial statements will not be detected or prevented in a timely manner. A significant deficiency is a deficiency in internal control over financial reporting that is not as critical as a material weakness but is important enough for the people who are responsible for financial reporting to pay close attention to it. Because the two terms are much alike, it is difficult to assess whether a risk is severe enough to be material in nature or whether it should just be monitored; it is therefore important to distinguish whether a possible misstatement is a material weakness or a significant deficiency. Some indicators that allow us to classify a misstatement as material are: if a fraud has been committed by senior management, no matter how small the offense, it is always considered to be material; if issued financial statements need to be restated to reflect the correction of a misstatement; if the auditor found a misstatement in the financial statements that would otherwise go undetected; and if the audit committee is inefficient in overseeing the company. One way to decide whether these indicators are of material weakness status is to determine whether customers (investors?) would change their minds about having reasonable assurance that the financial statements are stated correctly. If the answer is no, the indicator is material in nature.
Once the auditor has decided whether the risks are a material weakness or a significant deficiency, they must communicate all material weaknesses, in written form, to the audit committee and management. This written communication should be submitted before the auditor's report on internal control over financial reporting within the company. If the auditor concludes that the audit committee's oversight of the company's external and internal control over financial reporting is inefficient, the auditor must write that conclusion and disclose it to the board of directors.
As for significant deficiencies, the auditor must communicate these in writing to the audit committee. The auditor must also communicate in writing to management the deficiencies in internal control over the financial reporting process that are not material in nature. These communications must be mentioned to the audit committee. All deficiencies need to be communicated, but none have to be repeated. Once a deficiency has been communicated in writing, nothing else needs to be said about it. Since the scope of what the auditor audits is narrow, it is impossible to catch all deficiencies present; therefore the auditor is solely responsible for the deficiencies that they are aware of and does not need to note that there may be a possibility of a deficiency still existing in the company. In the event of a possible fraudulent act being committed, the auditor needs to reference their responsibility to take action under AU sec. 316, AU sec. 317, and Section 10A of the Securities Exchange Act of 1934. Everything previously mentioned is communicated to the audit committee.
As for what the audit report communicates, the report must include certain elements. First and foremost, the title needs to include the word "independent." Since an auditor's independence from the company is viewed as highly important, it comes as no shock that the report must state the auditor's independence from the client. Next is a statement that it is management's responsibility to maintain and assess the effectiveness of internal control over financial reporting. Then there is management's recognition of internal control. After this, the auditor states that it is their responsibility to give an opinion on the effectiveness of internal control over financial reporting that reflects the results of their audit. A definition of internal control over financial reporting, as stated in AS5, follows next. A statement that the audit was performed in accordance with the PCAOB standards is added after the definition. Next is a statement that the PCAOB requires the auditor to plan and perform their audit in order to obtain reasonable assurance that the internal control over financial reporting was effective and maintained in all material respects. The report then includes the procedures the auditor performed in gathering information, from obtaining an understanding of internal controls to testing the effectiveness of those controls based on assessed risk. After explaining the procedures performed, the auditor then needs to include a statement saying that the audit is a reasonable basis for their opinion. A section needs to state that the audit may not prevent or detect future risks due to changes in the environment, but rather that, at a specified date and based on the audit, the company maintained effective internal controls over financial reporting. The auditor's firm then needs to sign it, either manually or printed. The city and state where the audit was conducted need to be added, as well as the date of the audit report.
Once all these elements are present in the report, the report will be finished.
I hope this memo has been enlightening and has given you a better understanding of certain aspects of AS5. Although there is much more information inside the standard, the points I have touched on above have significant value in understanding the audit process. Thank you for reading.