Auditors should use a top-down approach when they audit internal control over financial reporting to identify risks and to select the controls to test. The top-down approach starts at the financial statement level, moves to the entity level, and then goes to significant accounts, disclosures and assertions. This approach allows auditors to identify the reasonable possibility of material misstatements to the financial statements and related disclosures.
Identifying entity-level controls
Entity-level controls are important because they affect the auditor's conclusion about the effectiveness of the company's internal control over financial reporting. Entity-level controls vary in nature and precision. Some controls have an effect on the likelihood of detecting and preventing a misstatement on a timely basis, others monitor the effectiveness of other controls, and still others might be designed to prevent or detect misstatements on a timely basis.
The two components of entity-level controls are controls related to the control environment and controls over management override. When auditors evaluate the control environment, they should assess whether the operating style is effective, whether proper integrity and ethical values are developed, and whether the board of directors or audit committee exercises oversight properly. Controls over management override are important for all companies, especially for smaller firms, because senior management is highly involved in performing controls and in the period-end financial reporting process. The period-end financial reporting process includes entering transaction totals into the general ledger; selecting and applying accounting policies; initiating, authorizing, recording, and processing journal entries in the general ledger; recording adjustments; and preparing financial statements and related disclosures. To evaluate these processes, the auditors should examine inputs, procedures performed, outputs used to produce financial statements, information technology involvement, participation of management, locations involved in the process, types of adjusting and consolidating entries, and the extent of oversight of the process.
Identifying significant accounts and disclosures and their relevant assertions
When auditors identify significant accounts and disclosures and their relevant assertions, they should evaluate risk factors as well as the likely sources of potential misstatements. Relevant assertions include existence or occurrence, completeness, valuation or allocation, rights and obligations, and presentation and disclosures, which have a reasonable possibility of containing material misstatements. Risk factors include the size and composition of the account; susceptibility to misstatement due to errors or fraud; volume of activity, complexity, and homogeneity of the individual transactions; the nature of the account or disclosure; accounting and reporting complexities associated with the account or disclosure; exposure to losses in the account; the possibility of significant contingent liabilities arising from the activities reflected in the account or disclosure; the existence of related party transactions in the account; and changes from the prior period in account or disclosure characteristics. These risk factors are the same in the audit of internal control over financial reporting and in the audit of the financial statements. Since the components of a potential significant account or disclosure might be subject to differing risks, different controls might be necessary. When a company has several locations or business units, the auditor should identify accounts, disclosures and assertions based on the consolidated financial statements.
Understanding likely sources of misstatement
To understand likely sources of misstatement, the auditors should achieve four objectives: understanding the flow of transactions related to the relevant assertions, identifying which parts of the process could include misstatements, identifying the controls that management has implemented to address potential misstatements, and identifying the controls that are implemented to prevent or detect unauthorized use of the company's assets that could lead to a material misstatement. These objectives will be used as part of the judgment process. The best way to achieve these objectives is to perform walkthroughs. In performing a walkthrough, the auditor follows a transaction from origination through the process until it is reflected in the company's financial records. During a walkthrough the auditor questions the company's personnel to gain a sufficient understanding of the process and to identify whether the controls are effectively designed. It also gives the auditor a greater understanding of the several transactions in the company's process. Thus, it is the most effective way to achieve the objectives. Furthermore, to understand the likely sources of misstatements, the auditor should understand how IT affects the company's flow of transactions.
Selecting controls to test
When auditors select controls to test, they should select the controls that will have an important effect on the auditors' conclusions about the effectiveness of the controls. The selection depends on how sufficiently the control addresses the assessed risk of misstatement to a relevant assertion, not on how the control is labeled. Also, a control does not have to address the assessed risk of misstatement to only one relevant assertion. It could address the assessed risk to more than one relevant assertion, and several controls might address the assessed risk to one relevant assertion.
Material weakness vs. significant deficiency
A material weakness and a significant deficiency are similar in that both are deficiencies in internal control over financial reporting. However, a significant deficiency is not as severe as a material weakness. Thus, when there is a significant deficiency, it is not reported to outsiders, but it is reported to the board and to management to warn that a significant deficiency could lead to a material misstatement. Also, the controls can still be reported as clean and effective. On the other hand, a material weakness means there is a reasonable possibility that controls will not be able to prevent or detect a material misstatement of the company's financial statements.
A list of indicators of material weaknesses
There are some indicators of material weakness. Ineffective oversight exercised by the audit committee and an identification of fraud indicate a material weakness. Also, when previously issued financial statements that had a material misstatement have been corrected, and when the auditor identifies material misstatements in the current period that would not have been detected by the company's internal control, it shows that there is a material weakness in internal control over financial reporting. Lastly, when the auditor concludes that the deficiencies prevent prudent officials from concluding they have reasonable assurance that transactions are recorded according to generally accepted accounting principles, it indicates a material weakness.
Communication to the audit committee vs. the auditor's report
Material weaknesses that are identified during the audit should be communicated to management and the audit committee. Also, written communication should be made before the auditors issue the auditor's report on internal control over financial reporting. In this process, if the auditors think the company's external financial reporting and internal control are ineffective, that should be communicated to the board of directors first. In addition to material weaknesses, significant deficiencies should be communicated to the audit committee and management as well. Auditors are not required to repeat information that has already been written before, whether it came from the auditor, internal auditors, or others within the organization. Auditors communicate deficiencies that they are aware of, but they are not required to work on a process to identify all control deficiencies. Also, auditors do not have assurance that they have identified all deficiencies less severe than a material weakness. Thus, they cannot write a report saying that no deficiencies were noted during the audit. When the auditor becomes aware of fraud or illegal acts, the auditor should determine his/her responsibilities.
When auditors issue an auditor's report, some elements should be included. The elements are a title that includes the word "independent", a statement of management's responsibility for maintaining and assessing the effectiveness of internal control, management's report, the auditor's responsibility for expressing an opinion based on his/her audit, a definition of internal control over financial reporting, a statement that the audit followed the standards of the PCAOB and the requirements of those standards, the processes of an audit, the auditor's belief of the audit, inherent limitations of detecting misstatements, the auditor's opinion, the signature of the auditor's firm, the city and state of the report, and the date of the audit report.