In the auditing process, an auditor should use the top-down approach in the audit of internal control over financial reporting in order to select the appropriate controls to test. When beginning a top-down approach, the auditor starts out at the financial statement level, along with his or hers understanding of the overall risks to internal control over financial reporting, and then works his or her way down to the entity level. Once the necessary controls are determined for the entity level, the auditor then moves down toward key accounts and disclosures and their applicable assertions. Using the top-down approach helps direct an auditor's awareness to accounts, disclosures, and assertions that are more likely to create material misstatements to financial statements and related disclosures. Afterward, the auditor selects the necessary testing of controls that adequately address the reviewed risk of misstatements to each pertinent assertion due to his or her understanding of the company's risks under their internal control processes.
Get your grade
or your money back
using our Essay Writing Service!
At the entity level, the identification of the controls must be essential to the auditor's conclusion on whether the firm has effective internal control over their financial reporting. Controls at the entity level vary in nature and accuracy. Environment controls are critical, but can be indirectly effective on the likelihood that misstatements are detected or prevented on a regular basis. When conducting controls for the entity level, finding controls that are effectively designed to identify other possible lower level controls can both save the auditor time and reduce their testing of other controls. Also, some entity level controls may be designed to operate at a precision level which accurately prevent and detect misstatements that have more than one assertion. In this case, the auditor does not need to test extra controls relating to potential risks.
There is a variety of entity level controls to understand in order to decide on particular tests to conduct. One entity control is those related to the control environment. This includes understanding management's philosophy, operating style, integrity and ethical values that are promoting effective internal control over financial reporting. Also, evaluating controls over management override can help determine fraud or intentional misstatements of financial reporting at the senior management level. Other entity level controls can include a company's risk assessment process, centralized processing, shared service environments, and more importantly controls on monitoring the internal audit function, the audit committee, and self assessment programs.
Lastly, auditors have a high stake in understanding the period-end financial reporting process because it is both vital to financial reporting and the auditor's opinion on the internal control over financial reporting. This process includes understanding the procedures in entering transactions into general ledgers, selections and applications of accounting policies, and to initiate, authorize, record, and process journal entries. However, this occurs after the "as of" date of the managements assessment of the period end financial reporting process. In order to evaluate the period end financial reporting process, auditors should assess how inputs, procedures performed, and outputs are conducted throughout the company to produce their financial statements. Internal technology is also beneficial in assessing the period ending financial reporting process because it can help successfully identify possible areas in the IT that have risks to misstating financial statements.
Once the auditor has done all they can to understand and evaluate the controls at the entity level, he or she then identifies key accounts and disclosures and their relevant assertions. The relevant assertions against financial statements are ones that have potential to being materially misstated. Financial statement assertions will include their existence/occurrence, completeness, valuation/allocation, rights and obligations, and presentation and disclosure. Particular risk factors that are related to identifying significant accounts and disclosures and their relevant assertions comprise of their size and composition of the account, and susceptibility of being misstated because of errors or fraud. Also the volume, complexity and homogeneity of the activities during their individual transactions processed in the account or reflected in the disclosure can be potential risk factors. It can also include the nature of the account, exposure to losses, likelihood of imperative dependent liabilities arising from the activities, and also the existence of related party transactions in the account. Auditor's risk factors of evaluating the identification of major accounts and disclosures and their relevant assertions are both the same for the audit report of internal control over financial reporting and also the audit of financial statements.
Always on Time
Marked to Standard
An Auditor must understand likely sources of potential misstatements, and in order to select good controls to test, he or she must achieve certain objectives. One objective is to recognize the flow of transactions that are initiated, authorized, processed and recorded in relevance to the auditor's assertions. Also, they should identify points within the firms processes at which misstatements can arise and be material. Auditors should discover management's controls that have been implemented in addressing the possible misstatements. A great way for auditors to achieve these objectives and identify the controls for finding potential misstatements is to perform a walkthrough in the company. Many times this is an effective way because auditors can follow transactions from their original initiate all the way through the businesses processes until it is reflected in their financial records. Walkthroughs include inquiries, observations, inspections of applicable documentation, and re-performance of controls. It is also the auditor's duty to ask questions to management and certain personnel about their personal understanding of the procedures and controls implemented.
After an auditor has conducted an understanding of a company's controls and procedures at the financial level, entity level, and identified significant accounts and disclosures and their relevant assertions, he or she must select controls to test. The most important controls to test are those that are imperative to the auditor's conclusion about whether the firm's controls adequately address the assessed risk of misstatement to each pertinent assertion.
Material Weakness vs. Significant Deficiency
A material weakness is a deficiency or many deficiencies within an internal control over financial reporting that has a good chance of having materially misstated annual or interim financial statements, which will not be prevented or detected on a suitable basis. There are multiple indicators of material weaknesses within a company. One of these indicators is the identification of fraud on the senior management level. Also, restating previous issued financial statements to reflect a correction of a material misstatement can be another indicator of material weakness. Lastly, ineffective oversight of a company's external financial reporting and internal control over financial reporting by the company's audit committee also has an indicator of material weakness.
On the other hand, a significant deficiency is one or more deficiencies in internal control over financial reporting that is less harsh than a material weakness. Although not as severe, it is still important enough for to create attention for those responsible for the oversight of a company's financial reporting.
Once an audit has been completed, the auditor must communicate his or hers identifications of material weaknesses to the management and audit committee in writing. If the auditor finds the firm's oversight of external financial reporting and internal control over financial reporting to be ineffective by the audit committee, it must be communicated to the board of directors in writing. Also, any identified deficiencies throughout the audit that are significant should be concluded and communicated to the audit committee in writing. It is not necessary for the auditor to identify all control deficiencies, but only those that he or she is aware of throughout the audit.
When reporting on internal control, the auditor must include certain elements on their auditor's report of internal control over financial reporting. Some of these elements include a title with the word independent in it, statement of management's responsibilities on maintaining effective internal control over financial reporting, identification of managements report on internal control, a statement on the auditor's duties and responsibilities throughout the audit, and that the audit was performed in agreement with the standards of the PCAOB. Most importantly, the audit report must contain the auditor's opinion on whether the company has upheld an effective internal control over financial reporting based on the control criteria conducted by the auditor.