The PCAOB released AS5 "An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements" in 2007, effective for fiscal years ending on November 15, 2007 and after. The document AS5 serves as the standard for performing audits of management's assessment of the effectiveness of internal control over financial reporting. Specifically, AS5 details fieldwork and reporting standards for these audits.
AS5 describes the top-down approach thought process auditors should use to identify risks and the controls to test during the audit. The auditor's goal is to identify areas where reasonable possibility of material misstatement to the financial statements exists. The auditor first assesses risk at the financial statement level (overall risks to internal control over financial reporting), then entity-level controls, and finally significant accounts and disclosures and their relevant assertions. The auditor uses his or her understanding of the risks identified to select and test controls that sufficiently address the effectiveness of internal control over financial reporting and ultimately the risk of misstatement to relevant assertions.
Get your grade
or your money back
using our Essay Writing Service!
An evaluation of the effectiveness of entity-level controls can increase or decrease tests performed on lower controls. Entity-level controls operate in various capacities; some indirectly affect the likelihood of misstatement (ex. the control environment), some directly monitor the effectiveness of lower-level controls, and some prevent or detect misstatements to relevant assertion(s) with such precision that further testing of the assessed risk is unnecessary. AS5 lists several entity-level controls including those over management override, risk assessment processes, systems that monitor results of operations or other controls, and policies that address business control and risk management practices. AS5 gives special attention to entity-level controls related to the control environment and period-end financial reporting process. The control environment includes management's philosophy and operating style, the soundness and ethical values of top management in particular, and the competence and effectiveness of the Board of Directors and the audit committee in their oversight duties. The control environment sets the tone for control and reporting integrity. The period-end financial reporting process includes (AS5 paragraph 26):
Procedures used to enter transaction totals into the general ledger;
Procedures related to the selection and application of accounting principles;
Procedures used to initiate, authorize, record, and process journal entries in the general ledger;
Procedures used to record recurring and nonrecurring adjustments to the annual and quarterly financials statements;
Procedures for preparing annual and quarterly financial statements and related disclosures.
In evaluating these procedures the auditor should assess the role of information technology, the participation of persons in management, and the degree of oversight practiced by management, the Board, and the audit committee. Additionally the auditor should assess the inputs, procedures, and outputs used to produce annual and quarterly statements, the types of adjusting and consolidating entries, and locations involved in each step of the process.
After evaluating entity-level controls, the auditor should identify significant accounts and disclosures and their relevant assertions. Relevant assertions having a reasonable possibility of containing material misstatement include occurrence, completeness, valuation, rights and obligations, and presentation and disclosure. Risks to these assertions and the significant accounts and disclosures supporting the assertions are the same as in an audit of the financial statements. Risk factors include the account's size, susceptibility to fraud/error, volume of transactions, exposure to losses, and related contingent liabilities, and the existence of related party transactions within the account and changes from prior period account characteristics. Controls over accounts possessing these or other risks are candidates for testing.
In selecting controls to test the auditor must gain an understanding of the likely sources of misstatement. AS5 provides these four objectives:
Understand the flow of transactions related to relevant assertions;
Identify points in the company's processed where misstatement could occur, individually or in combination with other misstatements;
Identify controls implemented to address these potential misstatements;
Identify controls implemented to prevent or detect unauthorized activity with company assets.
In meeting these objectives the auditor should understand the role of IT and its risks and controls as they are inseparable from internal control. To better understand company processes, the auditor should perform walkthroughs to observe, inspect, and determine the existence and effectiveness of control procedures in practice.
Always on Time
Marked to Standard
The final step in the top down approach is to formally select controls to test. Auditors should select those controls that sufficiently address the assessed risk of misstatement. A particular assessed risk may require multiple controls for different aspects of the risk, but testing should not be redundant if it is determined that fewer controls sufficiently address the assessed risk.
In testing and assessing controls, the auditor must determine the severity of weaknesses discovered. The distinction between a 'material weakness' and a 'significant deficiency' has special implications for the auditor's conclusions and communication about internal control over financial reporting. As stated in AS5 paragraph A11, a significant deficiency is a deficiency, or combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by oversight bodies. If a deficiency, or combination of deficiencies, would prevent a prudent official from having reasonable assurance that the financial statements are prepared according to generally accepted accounting principles then a material weakness exists. As stated AS5 in paragraph A7, a material weakness is a deficiency, or combination of deficiencies, in internal control over financial reporting such that there is reasonable possibility (or probability) that a material misstatement in the company's financial statements would not be prevented or detected in a timely way. Indicators that material weaknesses in internal control over financial reporting may exist include:
Fraud by members of senior management;
Material misstatements in prior periods, requiring restatement of the financial statements;
Material misstatements in the current period not prevented or detected by current controls;
Ineffective oversight by the company's audit committee.
Material weaknesses or significant deficiencies in internal control over financial reporting require different communication from the auditor to the client. Prior to issuance of the auditor's report, the auditor must communicate all material weaknesses to management and the audit committee. All less than material deficiencies must be communicated to management, but only significant deficiencies must be reported to the audit committee. In the auditor's report, the auditor issues an opinion about whether the company maintained effective internal control over financial reporting in all material respects. Therefore significant deficiencies would not be reflected in the auditor's report.
AS5 established fieldwork standards and guidelines that focus audit work and increase the likelihood that auditors will identify material weaknesses in internal control over financial reporting. Taking a top-down approach results in a more efficient audit. Deficiencies in internal control over financial reporting classified as significant deficiencies or material weaknesses warrant special communication to the audit committee. Results of the audit culminate in the auditor's report, which contains an opinion on the risk of material misstatement to the financial statements arising from a material weakness in controls.