The Public Company Accounting Oversight Board implemented Auditing Standard 5 (AS5) in 2007, which established an audit of internal control over financial reporting. The standard was implemented to offer direction for auditors to identify internal control weaknesses more effectively and efficiently within financial reports.
AS5 offers a top-down approach within the audit of internal control. It is top-down in the sense that it begins at the financial statement level, works down to the entity-level controls, and then travels down to significant accounts and disclosures. The top-down approach allows the auditor to focus on the disclosures, assertions and accounts that have a possibility of containing material misstatements. After analyzing and developing an understanding of the company's processes, the auditor will have more knowledge in assessing which controls to test. The process describes the auditor's thought process in identifying the risks and which controls should be tested. This type of approach is more principles based and places more judgment with the auditor.
Get your grade
or your money back
using our Essay Writing Service!
The entity-level controls that the auditor should test are those that have the most effect on the internal control process of financial reporting. The environmental controls will affect the timing, extent of procedures and nature which the auditor must perform. Controls that monitor the effectiveness of controls allow a reduction of time required to test further controls. The entity-level controls that sufficiently prevent or detect misstatements allows the auditor to not have to test controls related to that risk. The entity-level controls are related to the control environment, management override, the risk assessment process of a company, centralized processing, the controls that monitor the results of operations, controls which monitor other controls, period-end financial reporting process controls and policies that address business control and risk management.
The control environment allows the auditor to evaluate management's philosophy and operating style, the development and understanding of integrity and ethical values, and whether the Board of Directors or audit committee is responsible for the internal control and financial reporting. Walkthroughs are an effective method for gathering appropriate information and understanding the company's procedures. The walkthrough process is a combination of observation, inspection of documents, inquiry, and the re-performance of controls. In determining which controls should be tested, the auditor must decide which controls properly address the risk of misstatement. The auditor should first choose the controls which are most important to the auditor's conclusion regarding the sufficiency and risk of misstatement.
Understanding the probable sources of potential misstatements is an important aspect in selecting the controls in which to test. In order for an auditor to recognize the sources of misstatements, the auditor must understand the flow of transactions, identify the controls that have been placed to prevent misstatements, and identify the controls that have been placed to detect unauthorized use of the assets, and identify the points where a misstatement could occur. The auditor may either perform the work themselves or supervise those who are doing the work. Achieving the appropriate objectives in identifying potential misstatements allow the auditor to select the proper controls to test. In order for the internal control to be considered effective the auditor's report must provide reasonable assurance that there is not material weaknesses within the company's financial reporting. The auditor gains reasonable assurance by obtaining sufficient evidence that properly addresses the internal control over financial reports and any material weaknesses or deficiencies that occur within controls.
The auditor must assess how severe each deficiency is in the control and determine if it is a material weakness. A material weakness is considered a deficiency within the internal control over financial reporting. The deficiency may be an individual deficiency or a combination of deficiencies demonstrating there is a reasonable possibility that the company's annual or interim financial statements contain material misstatement. The severity of a deficiency occurring depends on whether the company's control fails to detect or prevent a misstatement and the degree of possible misstatements that arise from a deficiency. The indicators of material weakness include:
The identification that the senior manager has committed fraud
The correction of a material misstatement that was previously stated on financial statements
The identification of a material misstatement that would not have been detected during the current period by the company's internal control
Always on Time
Marked to Standard
The audit committee's oversight of the company's internal control and external financial reporting
The auditor must also determine the detail and degree of assurance that accurately demonstrates the conduct of officials' affairs that they have reasonable assurance that the transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles. A significant deficiency can be differentiated from a material weakness because it is less sever yet it still merits the attention of those responsible of the company's financial reporting. Through the process of evaluation, a material weakness may be determined by the auditor if a deficiency does exist that would prevent officials from conducting their business with reasonable assurance. The auditor must form an opinion on how effective the internal control over financial reporting is and identify any deficiencies within the control.
After the evaluation of the controls has been assessed, the auditor must communicate with the audit committee material weaknesses that were discovered during the audit. Communication with the audit committee must be in writing and reflect all material weaknesses identified, the effectiveness of the audit, significant deficiencies, and all deficiencies that were in internal control over financial reporting. The auditor should not, however, report that no deficiencies were discovered. If a fraud or illegal act has been discovered the auditor must act within the guidelines set forth by government guidelines. The report must include the following elements:
The word independent in the title
Report that details management is responsible for sustaining effective internal control over financial reporting
Recognition of management's report on internal control
Auditor's responsibility is to express an opinion on the company's internal control over financial reporting based on their audit
A definition of internal control
Statement that the Public Company Accounting Oversight Board standards were used to conduct the audit
Statement that the Public Company Accounting Oversight Board standards require that the auditor perform and plans the audit in order to gain reasonable assurance
Statement that an audit includes assessing the risk of a material weakness, testing the design and operating effectiveness of internal control, evaluating the design and operating effectiveness of internal control, performing all procedures necessary to complete the audit under the given circumstances and assessing the risk that a material weakness exists
Statement that the reasonable basis for the auditor's opinion is what the auditor believes
Paragraph stating that internal control over financial reporting may not prevent or detect misstatements
Based on the control criteria, the auditor's opinion on whether or not the company sustained effective internal control
Either a printed or manual signature of the audit firm that prepared the report
The state and city which the audit report has been issued
The audit report's date
The auditor report can be either a separate report on the internal control and financial statements or a combined report containing both the financial statements and opinion on the internal control. The implementation of AS5 provided a top-down approach that gave more judgment to the auditor and allowed for an understanding of the auditor's thought process in testing and evaluating controls. The standard provides an explanation of deficiencies and the manner in which to report such deficiencies to the audit committee.