Provided below is a summary of AS5 describing the top down approach for auditing of internal controls. The top down approach should be used for selecting controls that need to be tested during an audit. The auditor must be knowledgeable of the overall risks present within the internal controls generating the financial statements. Moving down, the auditor then must investigate entity-level controls, significant accounts and relevant assertions. Auditors will investigate areas that may create material misstatements on the financial statements. The auditor then tests these areas to verify no material misstatements have taken place.
Identifying Entity level controls
Entity-level tests will be chosen by auditors based on the strength of the company's internal controls. Entity-level controls can be environmental, monitoring or precision controls. Environmental controls work indirectly to identify misstatements in a timely basis. Monitoring controls find breakdowns in lower level controls. Precision controls find and prevent misstatements to assertions. When these Entity-level controls are strong and effective it will reduce the work of the auditor.
Get your grade
or your money back
using our Essay Writing Service!
Entity level controls are broad controls that apply to the entire business. These controls include the management override process, risk assessment, and monitoring of IT systems and operations. First the auditor must assess the Control Environment by investigating the commitment, ethics, engagement and oversight of the Board of directors, audit committee, and top management. They will look at these values and observe how they trickle down throughout the business. The auditor must also investigate how the Period-end financial reporting process works. The auditor takes into account who is involved, the technology used, the transactions, policies, and oversight when evaluating the period end financial reporting process.
Identifying Significant Accounts and Disclosures and Their Relevant Assertions
The auditor must find accounts and disclosures that contain reasonable possibility of material misstatement. The auditor will look at accounts that need proof and validation to check for material misstatement. This proof and validation will be completed with evidence of existence/occurrence, completeness, rights and obligations, and presentation and disclosure of transactions. When identifying these accounts that auditor must take into account quantitative and qualitative risks. These risks primarily generated from size, activity, and complexities of the accounts. The auditor will also look at accounts susceptible to fraud, losses, and changes from prior period disclosures. Some accounts may be susceptible to many different risks and should be mitigated with different types of controls. To find these potential material misstatements the auditor must continually ask "what could go wrong?" in these accounts. An auditor must think of motivation and incentives to commit fraud or misstatements in these accounts. This process should be used for both financial statement audits and internal control audits.
Understanding likely Sources of Misstatement
To understand the likely sources of misstatement the auditor will try to understand the process of authorization, recording, and flow of transactions. Auditors must find where material misstatements could occur and where fraud can take place. Review management controls and practices to find areas susceptible to fraud and misstatement. Due to the degree of judgment needed the auditor should work alone or supervise the work of those searching for sources of misstatement. Throughout the top down approach the auditor should understand how information technology will affect a company's transactions, and how internal controls may be affected. A walkthrough is generally the most effective way of understanding likely sources of misstatements. An auditor will follow the complete process of a transaction from its origination through IT to the financial statements. During the walkthrough the auditor will ask probing questions at points in which processing errors occur. These questions will help the auditor understand the procedures and controls in place. The questions the auditors ask may find or investigate risks beyond the transactions of the walkthrough.
Selecting Controls to test
The auditor will chose tests based on the information gathered about the strength of internal controls in place at the company. There is no need for redundancy in control tests. It is fine to use one control test that will address many risks. Or, it may take many control tests to address one risk. The decision of which tests should be selected is based on how control tests address the risk of detecting misstatement instead of how the control is categorized. It is most important to choose tests that will detect or find possibility of material misstatements.
Material Weakness Vs. Significant Deficiency
Always on Time
Marked to Standard
Both material weakness and significant deficiency address deficiencies in the internal controls for financial reporting that will not allow a company to report or detect a material misstatement on a timely basis. The key difference of these two terms is the degree of deficiency. While material weakness address issues of reasonable possibility of material misstatement, significant deficiency is less severe but, important enough to inform top oversight of the company.
These two terms are separated by a list of indicators for material weakness. They include the detection of fraud by senior management; reissued financial statements to correct material misstatement; material misstatements found by that auditor that would not have been detected by the company's internal controls; and ineffective oversight of external reporting, internal controls by the audit committee.
The auditor must report through written communication to the audit committee all material weaknesses found, ineffective oversight by the audit committee of financial reporting and internal controls, and significant deficiencies identified by the auditor during the audit.
The auditor must provide information on the audit report. According to AS5 the auditor must state their opinion on whether or not effective internal controls were in place at a specific date.