This is an analysis of the Public Company Accounting Oversight Board's (PCAOB) Auditing Standard No. 5 (AS5). The AS5 document is the most recently established set of guidelines for auditing companies' internal controls over their financial statements. The following analysis briefly explains the top-down approach as well as contrasting material weaknesses and significant deficiencies.
The top-down approach is a systematic approach for helping the auditors' decide which controls are to be tested. This approach uses a series of key steps to help the auditor reach their conclusion. These steps are not designed to be in any particular order, however, a specific sequence of these steps could be more beneficial in certain situations. The steps include: identifying the risks to internal control, determining the correct entity-level controls that fit the risk, and identifying accounts and disclosures.
The purpose of entity-level controls is to make sure the entity, or company, is demonstrating efficient internal control over their financial reporting. This entity-level testing results may have an impact on what other controls will be tested by the auditor. Some entity-level controls are more precise than others, and some are quicker than others. The right entity-level control must be selected for the relevant issue. Entity-level controls deal with the control environment. The control environment addresses management's attitudes and their actions. This includes management style, values, ethics, and corporate culture. Entity-level also controls management's ability to bend the rules for their personal benefit. It also controls the processes for risk assessment, operational results monitoring, company policies, and period-end financial reporting. Period-end financial reporting reviews the various procedures used when preparing financial statements. This includes procedures for selecting accounting policies, recording transactions and journal entries into the general ledger, and for recording adjustments to financial statements. When reviewing the period-end financial reports, the auditor looks at data used to put together financial statements, the usage of their information technologies in preparing the statements, who is involved, and locations involved.
Get your grade
or your money back
using our Essay Writing Service!
Another step in the top-down approach is the identification of accounts and disclosures. The relevant assertions must also be identified because these may contain the misstatements. Examples of financial assertions are: completeness, rights and obligations, and existence or occurrence. In order to identify accounts and disclosures, the auditor must assess risk factors, both qualitative and quantitative, that are related to the disclosures and statement line items. Some of these risk factors include: account size, susceptibility due to fraud, exposure to losses, and volume of activity. An auditor should be able to think of possible sources that could cause a material misstatement in the financial statements.
If an auditor must identify likely sources of misstatements then they must have a good understanding of certain concepts. One concept is understanding transactions and their behaviors such as when it was made and who authorized the transaction. Another concept is that an auditor must have a good understanding of the controls created by management. This helps when identifying possible misstatements. Lastly, the auditor must understand the role information technology (IT) plays in the transactions. These objectives require a good amount of judgment, therefore the auditor should perform these objectives themselves or provide direct supervision to those that are doing it. Walkthroughs are an effective way to perform these objectives. By doing this, the auditor follows the life cycle of the transaction, and can gain an understanding of the processes used.
When selecting a control to test an auditor must choose only controls that are relevant to the assessed risk. There may be more than one control that is relevant, however, one may affect the risk more than the other. An auditor needs to make sure they do not test redundant controls.
Moving on to contrast material weakness and significant deficiencies; significant deficiencies are deficiencies found in internal control's financial reporting. They are not as serious as material weaknesses, however, they still need to be corrected. When a significant deficiency occurs in an entity they are demonstrating their inability to report data reliably and there is a slight chance that the misstatement will not be detected. A material weakness is a significant deficiency, but there is a higher probability that the misstatement will not be detected. The following are indicators of material weaknesses:
Always on Time
Marked to Standard
Material or not, identify fraud for senior management.
Financial statements will be restated showing the corrections of misstatements.
The auditor must identify a material misstatement in the current period when the entity's internal control could not detect it.
The entity's audit committee provides ineffective oversight of external and internal financial reporting
An auditor must follow a set of procedures in order to effectively communicate the deficiencies to the right parties. When communicating a material weakness, an auditor must do so in writing to both management and the audit committee. Significant deficiencies should also be considered. If they are identified during the audit then the auditor must communicate this information in writing to the audit committee. All other deficiencies should also be reported in the same manner. It is not necessary to repeat any information from the material weakness or significant deficiencies. The auditor is only required to report deficiencies that he or she is aware of. All deficiencies may not be found.
This memo sums up the main points of the top-down approach found in the PCAOB's AS5, and it also explains the difference between a material weakness and a significant deficiency.