This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
The PCAOB's Auditing Standard #5 requires the auditor to use a top down approach when auditing the effectiveness of internal control over financial statements of a company. The top down approach means that the auditor must look at the big picture of the financial statements and their significant elements and work their way toward more specific accounts and disclosures that may be at risk for material misstatement.
Once the auditor has identified the significant risks of internal control over the financial statements, the auditor will move to the entity-level controls. Entity level controls are broad internal controls that the auditor uses to test the effectiveness of the internal controls. The testing of the entity level controls will tell the auditor whether they need to increase or decrease the number of internal control tests performed.
There are three main types of entity level controls that provide different results for the auditor. The first type of entity level controls has an indirect effect on whether a material misstatement is prevented or found. The outcomes of these entity level control tests will determine what further tests the auditor will perform on internal controls as well as the time and extent of the tests. The second type of entity level control is used for monitoring other lower level internal controls and may reduce the number of further internal control tests if shown effective. Lastly, the third type are directly used for preventing and detecting material misstatement and may prevent further testing on that particular assertion.
Some common entity level controls include controls over management override, the company's risk assessment process, controls to monitor operations and other controls, and processing controls. One of the most important entity level controls is over the control environment. The control environment is a significant part of the assessment of the effectiveness of internal control over financial reporting and can be evaluated by the auditor by whether management's style encourages internal control over financial reporting, top management has made the ethics and integrity values of the company understood, and whether the audit committee handles their responsibility of financial reporting and internal control.
Another important entity level control is over the period end financial reporting process. This process includes procedures of entering ledger transactions, selecting and applying accounting policies, recording and authorizing journal entries to the general ledger, making regular and irregular adjustments to the financial statements, and actually preparing the annual statements. In order to evaluate these procedures, the auditor will determine the effectiveness of the processes, inputs, and outputs of preparing the financial statements. The auditor will assess the information technology used, what part of management is involved in the process, where it is prepared, and significant types of consolidating and adjusting journal entries. Assessment of the oversight of the Board, management, and the audit committee is also taken into account.
Next, the auditor will determine the most important accounts and disclosures and their possibility of causing material misstatement in the financial reporting. This possibility is their relevant assertion. Financial statement assertions consist of existence, completeness, valuation, rights and obligations, and presentation and disclosure. To establish the significant accounts and their relative assertions, the auditor must identify qualitative and quantitative risks related to the elements such as size, vulnerability to fraud or error, associated complexities, changes from past periods, related party transactions, potential for loss, amount of activity through the account, and possibility of contingent liabilities. These same risk factors are used in the audit of internal control as for the audit of financial statements. For each of the accounts or disclosures, the auditor must think about what could go wrong in each and take this into account. The auditor may have to use different tests for different elements of each account or disclosure if there is potential for more than one type of risk. If the business has more than one residence, the auditor should use the consolidated financial statements.
The standard proposes a few objectives the auditor should meet in order to fully understand where potential material misstatements may occur. For each relevant assertion, the auditor must understand the process of each associated transaction and the places in each process where fraud or material error can happen. Once the auditor has identified and understood these sources for potential misstatement, they must identify the controls that are currently in place to prevent or detect illicit use or possession of the company's assets that could possibly lead to material misstatement of financial reporting. The auditor should also take consideration of the implementation and effect of IT on the business's transaction processes as this is an integrated part of the top down approach to auditing. These objectives should be done by the auditor or by those directly supervised by the auditor in order to provide the best judgment possible.
The most effective way to achieve the objectives stated above is the walkthrough. A walkthrough is a step by step process where the auditor begins with the origination of a business transaction and follows its journey all the way to the financial statements taking into consideration any information technology used in the process. The auditor should observe, questions employees, use all original documents of the company, and go through all controls and processes used by the business in order to gain a better understanding of the sources of potential misstatement and missing or ineffective controls during the transaction.
The auditor will select which controls to test based on their determination of how effective the implemented controls attend to potential misstatements of relevant assertions. Each relevant assertion may have more than one control to test or one control test may pertain to more than one relevant assertion. The auditor does not need to test more than one control for each assertion unless redundancy is a control issue. The choice of whether to test a control or not should be based on whether it addresses the possible risk of material misstatement of the assertion rather than what kind of control it is such as entity level or preventative.
For the purposes of this standard, the term, "material weakness" is meant to be defined as a deficiency, or a combination of deficiencies, associated with internal controls over financial reporting; that there is a reasonable possibility of material misstatement in a business's yearly or periodical financial statements that will not be prevented or detected on a timely basis. A material weakness can be indicated by identifiable fraud by senior management, whether it is material or not. It is also identifiable by the restatement of previous financial statements to reflect the correction of a material misstatement as well as the determination of material misstatement in the financial statements by the auditor in the current period that indicate the internal controls of the company would not have detected the misstatement. A material weakness is also specified by ineffective oversight of the business's external financial reporting and internal control over financial reporting by the audit committee. When deciding on the severity of a deficiency, the standard proposes that the auditor must consider the level of detail and degree of assurance that would appease significant officials in conduct of affairs so that they have assurance that the transactions are recorded as required to prepare financial statements in accordance with GAAP. If the auditor finds that the deficiency does not provide this reasonable assurance, the deficiency should be considered an indicator of material weakness.
Contrastingly, for the purposes of this standard, a "significant deficiency" is a deficiency, or a combination of deficiencies in internal control over financial reporting that is less than a material weakness, but considerable enough to mention by the individuals responsible for the oversight of the business's financial reporting. While a significant deficiency is still important to the oversight board, it is not as substantial as a material weakness.
The standard identifies that the auditor must communicate all material weakness to management and the audit committee in writing prior to the issuance of the auditor's report on internal control over financial reporting. If the material weakness points to the ineffectiveness of the oversight board over external financial reporting and internal control, the auditor will communicate this material weakness to the board of directors in writing. Significant deficiencies identified must also be communicated to the audit committee in writing. Any other deficiencies identified which are less severe than material weaknesses should be communicated to management in writing and the audit committee should be informed when this communication is made. Repeating of previous written communication of deficiencies by any members in the organization is unnecessary. The auditor is only required to perform tests and communicate deficiencies of internal control in which the auditor is knowledgeable about and therefore should not issue a report communicating that there are no deficiencies less severe than a material weakness.
The auditor's report on internal control over financial reporting must include a number of details. The title must contain the word "independent" and include a statement saying that management is ultimately responsible for maintaining and assessing effective internal control over financial reporting. The report will identify management's report on internal control and state that it is only the auditor's responsibility to issue an opinion on the company's effectiveness of internal control based on their audit. The definition of internal control as stated in this standard will be provided as well as assurance that the audit was conducted in accordance with the standards of the PCAOB, which require the auditor to plan and perform an audit that provides reasonable assurance whether or not effective internal control over financial reporting was used in all material aspects. The auditor's report must also include statements about the process and understanding of the internal audit as well as the fact that the auditor believes the internal control audit provides reasonable basis for the opinion expressed. A paragraph explaining that due to obvious limitations, internal control may not prevent or detect misstatements of financial reporting and changes in future periods provide risk for controls becoming inadequate. The report must end with the auditor's opinion in all material aspects whether there is effective internal control over financial reporting as of that date followed by a signature, location of issuance, and date.