This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
A top-down approach should be used by the auditor to select and test the internal controls over financial reporting. The auditor has to fully understanding the risk to internal control over financial reporting before using the top-down approach at the financial statement level. Then the auditor focuses on the entity level in which they will review significant accounts and disclosures and also their relevant assertions. In this approach, auditor has to understand and beware that the accounts, disclosures, and assertions may present a reasonable possibility of material misstatement. The auditor then identifies the risks in the company's processes and tests the controls which sufficiently address the assessed risk of misstatement.
Entity Level Control
The auditor must test on the entity-level controls, since they are important to the auditor's conclusion about whether the company has an effective internal control over financial report. Entity-level controls vary in nature and precision. Some controls are indirect but are important, such as certain control environment controls. These controls may affect the time, nature, and procedures extent of other controls. Controls that are designed to identify possible breakdowns in the lower level are essential, because this may allow the auditor to reduce the testing of other controls related to that risk when they are operated effectively. Generally, there are eight types of entity-level controls, which include controls related to the control environment, controls over management override, the company's risk assessment process, centralized processing and controls, controls to monitor results of operations, controls to monitor other controls, controls over the period-end financial reporting process, and policies that address significant business control and risk management practices.
Since an effective internal control over financial reporting is very important, auditor must evaluate the company's control environment. As part of the evaluation, auditor should evaluate whether the management's philosophy and operating style promote an effective internal control, whether the company, especially the top management developed and understood integrity and ethical values, and whether the board of directors and auditor committees understand and exercise oversight responsibility over internal controls and financial reporting.
Period-end Financial Reporting Process
Because financial reports and auditor's opinions are important to internal controls over the financial reporting, auditor must evaluate the period-end financial reporting process. This process includes the procedures used to enter to transaction totals into general ledger, procedures related to select and apply the accounting policies, procedures used to initiate, authorize, record, and process journal entries, procedures used to record both recurring and nonrecurring adjustments of annual and quarterly financial statements, and procedures that used to prepare annual and quarterly financial statements and related disclosures. As part of evaluating the period-end financial reporting process, auditors should assess inputs, perform procedures, and output the company's process that the company uses to produce its annual and quarterly financial statements. Also, auditor should assess the extent of information technology that involved in the annual financial reports, who participates in management, the location where the reports generated, the methods used to adjust and consolidate entries, and the nature and extent of the oversight of the process by the board of directors and audit committees.
Identifying Significant Accounts and Disclosures and Their Relevant Assertions
Auditors should identify significant accounts and disclosures and their relevant assertions. The relevant assertions are financial statements assertions that may contain reasonable possibility of misstatement which would lead to misstatement of the financial statements. The financial assertions include existence or occurrence, completeness, valuation or allocation, rights and obligations, presentation and disclosure. To identify significant accounts and disclosures and their relevant assertions, the auditor should evaluate qualitative and quantitative risk factors related to the financial statement line items and disclosures.
According to the standard, the risk factors include:
Account's Size and composition,
Susceptibility to misstatement because of errors or fraud,
Volume of activity and complexity of each transaction processed through the account or reflected in the disclosure,
Nature of the account or disclosure,
Accounting and reporting complexities of the account or disclosure,
Account losses exposure,
Significant liabilities arise from the activities reflected in the account,
Related party transactions exist in the account, and
Changes of the characteristics of prior period's account or disclosure.
As part of identifying, the auditor should be able to determine some resources that may potentially lead to misstatement of the financial statements. In order to determine those resources, they should always ask themselves "what could go wrong?" within a significant account or assertion. The risk factors that auditor should evaluate are the same as evaluating significant accounts and assertions. Different components of a significant account or assertion have different risks. Therefore, different controls should be used. When a company has many departments and office locations, the auditor should determine significant accounts and disclosures and their relevant assertions based on the consolidated financial statements. In making those decisions, auditor should apply the directions in Appendix B for different locations scoping decisions.
Understanding Likely Sources of Misstatement
To further understand potential false resources and select the controls to test, auditors should understand the flow of transactions related to the relevant assertions, including how they are initiated, recorded, and authorized. Also, auditors should understand any points within the company's processes that could lead to misstatement and would be material. Auditor should identify controls are implemented in order to solve the potential misstatements and prevent or detect unauthorized acquisition, use, or disposition of the company's assets. Since performing the procedures requires a certain degree of judgment, the auditor should be able to achieve the objectives in paragraph 34 stated in the auditing standard, which is to supervise the work of others who provide direct assistance to the auditor. They should also understand how IT affects company's flow of transactions.
Performing walkthroughs are always the most effective way to achieve the objectives in paragraph 34 stated in the auditing standard. In this process, the auditor uses the same documents and IT that the company uses to follow the company's origination, including information system, until it reflects on the financial records. These procedures include combining inquiry, observation, inspection of relevant documents, and re-perform the controls. During the process, auditor will ask the company's personnel some questions about their understanding of what is required by the company's controls. These questions, combining with other walkthrough procedures, will give more information to the auditor about whether the design of controls is effective.
Selecting Controls to Test
The auditor should select the controls to test in order to make sure that the controls address the risk of misstatement of relevant assertions. There could be more than one control address one particular relevant assertion and vice versus, one control could address more than one relevant assertion. But it is unnecessary to test all controls related to a relevant assertions or to test redundant controls unless redundancy is a control objective. The decision of selecting controls to be tested depends on which controls, individually or in combination, sufficiently address the risk of misstatement of a relevant assertion instead of depends on how the control is labeled
Indicators of Material Weaknesses
According to the auditing standard, indicator of material weaknesses in internal control over financial reporting include:
On the part of senior management, identify fraud, whether or not material;
Restating previous financial statements in order to reflect the correction of a material misstatement;
Auditor's identification of a material misstatement of financial statements in the current period and indicate that the misstatement would not be detected by the company's internal control; and
Ineffective oversight of the company's external financial reporting and internal control over financial reporting by the company's audit committee.
When evaluating the severity of a deficiency, or combination of deficiencies, the auditor should determine the level of detail and degree of assurance that would satisfy prudent officials to manage their own affairs and therefore they have a reasonable assurance that all the recorded transactions and financial statements are compatible with general accepted accounting principles. If the auditor could not determine the level of detail and degree of assurance, they should treat the deficiency as an indicator of a material weakness.
Communicating Certain Matters
Auditor must have sufficient written commutations with the management level and audit committees when they discovered material weaknesses during the audit process, and these communications should be made before the issuance of the auditor's report on internal control. If the auditor's conclusion of the oversight of company's external financial reporting and internal controls over financial reporting is ineffective, auditor must have a written communication with the audit committees. Also, a written communication should be made if there are significant deficiencies, including deficiencies in internal control over financial reporting, but it is not necessary to repeat reporting the deficiencies that are previously communicated. Although the auditor is not required to perform the procedures that used to identify all the control deficiencies, they are required to communicate the internal control deficiencies with the audit committees. Since an audit over internal control does not assure that the deficiencies they identified are less severe than a material weakness, the auditor should not issue a report stating that there are no such deficiencies identified during the process. When auditing the internal control over financial reporting, auditor should be aware that fraud or illegal acts are possible during the process. Therefore, they must clearly identify their responsibilities under AU sec. 316, Consideration of Fraud in a Financial Statement Audit, AU sec. 317, Illegal Acts by Clients, and Section 10A of the Securities Exchange Act of 1934.
Reporting on Internal Control
According to the auditing standard, an audit report of internal controls over financial reporting consists of the following elements.
The word "independent" should be included in the title.
A statement that management is responsible for maintain and assessing an effective internal control over financial reporting.
An identification of management report of internal controls.
A statement that the auditor is responsible for expressing their opinions over company's internal controls based on their audit.
A definition of internal control over financial reporting
A statement that the audit was conducted with the standards of the Public Company Accounting Oversight Board.
A statement that, as required by the standards of PCAOB, the audit plan and perform the audit to obtain reasonable assurance about whether an effective control was maintained.
A statement that an audit includes understanding the internal control over financial reporting, assessing the risk that a material weakness exists, testing and evaluating the design and operating effectiveness of internal control based on the assessed risk, and performing such other procedures that are necessary.
A statement that the auditor believes the audit provides a reasonable basis for their opinions.
A paragraph stating that because of inherent limitations, internal control over financial reporting may not prevent or detect misstatements and that projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.
The auditor's opinion on whether the company maintained an effective internal control over financial reporting as of the specified date based on the control criteria.