As stated in the opening summary, Auditing Standard No. 5 focuses on the "audit of internal control over financial reporting that is integrated with an audit of financial statements and related independence rule and conforming amendments". This memo describes the top-down approach to an audit of internal control and explains what a material weakness is versus a significant deficiency.

As described in paragraph 21 of AS5, the top-down approach is more of a sequential thought process to follow than the exact order in which the auditor should perform the auditing procedures. It begins with identifying the entity-level controls, then moves on to identifying the significant accounts and disclosures along with their relevant assertions, then understanding likely sources of misstatement in the significant accounts and disclosures, and finally selecting controls to test.

When identifying the entity-level controls, the auditor must test those controls that are important to the conclusion, resulting in either an increase or decrease in the amount of testing the auditor otherwise would have performed on the other controls. AS5 details that entity-level controls vary in nature and precision, such as:

"Some controls have an important, indirect, effect on the likelihood that a misstatement will be detected"

"Some controls monitor the effectiveness of other controls"

"Some controls may be designed to operate at a level of precision to prevent or detect misstatements to one or more relevant assertions."

As stated in AS5, entity-level controls include: controls related to the control environment, controls over management override, the company's risk assessment process, centralized process and controls, controls to monitor results of operations, controls to monitor other controls, controls over the period-end financial reporting process, and policies that address significant business controls and risk management practices.

As part of identifying the entity-level controls, the auditor must evaluate the control environment as well as the period-end financial reporting process. When evaluating the control environment, the auditor should look at management's philosophy and operating style towards effective internal controls, whether sound integrity and ethical values are in place, and whether the Board or audit committee understands and exercises its oversight responsibilities. The period-end reporting process includes procedures to enter transaction totals in the general ledger, those related to the selection and application of accounting policies, those used in journal entries in the general ledger, those used to record adjustments to the financial statements, and those used in preparing the financial statements. When evaluating the period-end financial reporting process, the auditor should assess the inputs and outputs of the company process used in the financial statements, the extent of IT involvement, management participation, the locations involved, the types of adjusting and consolidating entries, and the amount of oversight by management, the board of directors, and the audit committee.

In summary, in evaluating the entity-level controls, AS5 places a large emphasis on the auditor examining all areas, as many controls may have impacts upon others that are not at first apparent to the auditor. The auditor must carefully examine how each control is influenced, as these controls cover a wide variety of topics, and how their environment is influenced can be of great importance in understanding their effectiveness.

The next step in the top-down approach is for the auditor to identify significant accounts and disclosures and their relevant assertions. AS5 describes relevant assertions as "those financial statement assertions that have a reasonable possibility of containing a misstatement that would cause the financial statements to be materially misstated." The assertions listed in AS5 include existence or occurrence, completeness, valuation or allocation, rights and obligations, and presentation and disclosure. AS5 lists several risk factors, both qualitative and quantitative, that the auditor should look at when identifying significant accounts and disclosures. These include: size and composition of the account, susceptibility to misstatement due to errors or fraud, the volume of activity as well as complexity and homogeneity, nature of the account or disclosure, accounting and reporting complexities, exposure to losses in the account, possibility of significant contingent liabilities, existence of related party transactions, and changes from the prior period in account or disclosure characteristics. AS5 also states that the auditor should ask "what could go wrong?" with given accounts and disclosures in order to better determine potential misstatements, and that the risk factors associated with the audit of internal control are the same as in the audit of financial statements. It also states that accounts and disclosures might be subject to differing risks, and as such different controls would be necessary to counter those risks. When a company has multiple locations, the auditor should examine the consolidated statements in order to identify the significant accounts and disclosures.

For the next step in the process, AS5 lists 4 objectives that the auditor should achieve to understand the likely sources of misstatements: understanding the flow of transactions, including how they are initiated, authorized, processed, and recorded; verifying that the auditor has identified points within the company's processes where misstatements may happen that could be material; identifying controls management has implemented; and identifying controls that management has implemented over the prevention or detection of unauthorized acquisition, use or disposition of company assets that could be material. AS5 states that the above procedures should be carried out directly by the auditor or by an assistant that the auditor supervises, due to the degree of judgment required in carrying them out. In assessing IT, the auditor needs to understand how it affects the company and the flow of its transactions. It is not a separate evaluation, but part of the top-down approach.

AS5 states that walkthroughs are the most effective way to carry out the objectives listed above. Performing a walkthrough requires the auditor to follow a transaction completely through the entire process from start to end, examining key points and questioning personnel about the procedures and controls. This allows the auditor to gain a sufficient understanding in order to recognize areas of weakness or areas lacking in certain control procedures.

The final topic in discussing the top-down approach is selecting controls to test. The controls that are the most important for the auditor's conclusion in assessing a company's risk of misstatement are the ones the auditor should test. AS5 also states that it isn't necessary to test controls that are related in that they address similar risk, and it is not necessary to test redundant controls. The decision on whether a control should be tested depends on how it addresses the risk of misstatement, not on the type of label given to the control.

AS5 defines a material weakness as a deficiency in internal control such that there is a reasonable possibility, which means probable, that a material misstatement will not be detected or prevented by the controls. This is similar to a significant deficiency. However, a significant deficiency is not as severe as a material weakness but still requires attention. The indicators given to determine a material weakness are:


Restatement to correct a material misstatement

Identification of a material misstatement that would not have been detected by the company's internal controls

Ineffective company audit committee with oversight on the financial reporting and internal controls.

When reporting to the audit committee, the auditor is required to do many things. They must communicate all material weaknesses that were identified during the audit, and this communication should be made prior to the auditors' report. They must also communicate in writing all significant deficiencies to the audit committee. If for any reason the auditor believes the audit committee is ineffective, the auditor should report their findings to the board of directors. The auditor must only communicate deficiencies they are aware of, and since the auditor cannot assure that it has found all deficiencies less severe than a material one, the auditor does not have to issue a statement that they are noted in the audit. If fraud or illegal acts are found, the auditor must reference the appropriate documents to determine their course of action.

When issuing an auditors' report, the auditor does not report as many specifics as in the audit committee report. Instead of communicating all material weaknesses found along with any significant deficiencies, the auditor must only communicate a statement of opinion on the results of the audit. This includes a statement of the auditors' opinion as to whether the company maintained effective internal control.