In releasing Accounting Standard 5, "An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements", the PCAOB suggests that an auditor use the top down approach in performing an integrated audit. The purpose of this memo is to describe the top down approach as directed in Accounting Standard 5 and to differentiate the aspects of a material weakness versus a significant deficiency.
The auditor begins an internal control audit by selecting the appropriate controls in which to test. The PCAOB recommends that the auditor assert the top down approach in selecting these appropriate internal controls. AS5 directs the auditor to identify entity level controls, identify significant accounts and disclosures and their relevant assertions, understand the likely sources of misstatement, and finally select the controls to test in using the top down approach. AS5 is an outline of the auditor's sequential thought process and not necessarily the order in which the audit will be conducted.
Get your grade
or your money back
using our Essay Writing Service!
To properly understand a company's internal control, the auditor will usually start by assessing the entity-level controls of a client. The auditor must test entity-level controls that are consequential to testing whether or not the client has effective internal controls over financial reporting. In assessing entity-level controls, the auditor can use his subjective judgment to determine the extent that he will investigate other internal controls. The auditor must identify that entity level controls vary in nature and precision. Certain entity level controls such as the control environment, will have an indirect effect on the detection of material misstatements. The auditor can use the top down approach to test an assertion of possible misstatement at a higher level and need not test lower level controls if the higher level test properly addresses the assessed risk of misstatement.
The auditor must be selective in choosing the internal controls to test. AS5 states the areas of internal control as; controls to the related control environment, controls over management override, the company's risk assessment process, centralized processing and controls, monitoring results of operations, controls to audit other controls (i.e. the audit committee), controls over period-end financial reporting, and business control and risk management practices. In most cases, the auditor will initially evaluate the control environment of a client. In evaluating the control environment, the auditor will assess management's philosophy and operating style, the integrity and ethical values of the company, and the level of oversight exerted by the audit committee.
An essential element of assessing controls on the entity level is examination of the period-end financial reporting process. Without the correct procedures and proper authorization in making transactions, selecting accounting policies, and preparing quarterly and annual financial statements, the auditor could identify issues on the entity level and easily diagnose problems in other areas of the audit. The auditor must identify the who is involved in the transactions, the timing of the financial reports is plausible, and the location of where elements of financial reporting take place. Also, the client must have proper oversight of their financial reporting which is also assessed in evaluating the control environment.
The top down approach, as stated in AS5, requires the auditor to identify significant accounts and disclosures and their relevant assertions. A key element of this portion of the top down approach is the competence of the auditor him/herself. The auditor must identify which areas of the internal controls have reasonable possibility of containing a misstatement that would cause financial reports to be materially misstated in the form of a reasonable assertion. Assertions must evaluate but are not limited to; existence, completeness, correct valuation or allocation, and proper presentation and disclosure of financial information. Assessing risk using the top down approach requires the auditor to use common sense in the fact that, what is the motivation for the client to materially misstate financial information? More often than not, the material misstatement will be to the benefit of the company. Significant accounts and disclosures can be assessed using qualitative and quantitative risk factors related to financial statement line items. Qualitative and quantitative risk factors include the size, complexity, susceptibility of misstatement, and consistency of financial reporting.
A relevant assertion is subject to the opinion of the auditor. The auditor must use his/her judgment to identify areas that could contain material misstatement. Different risks are associated with varying controls and assessing these risks requires an examination of multiple different aspects of controls. For example, if a company has many different locations, the auditor should use the financial statements as its source of making relevant assertions rather than the information at one certain location.
Always on Time
Marked to Standard
The competence and skill of the auditor is exemplified in his/her ability to understand the likely sources of misstatement. On a general level, there should be an understanding of management's implemented controls as well as how transactions are initiated, authorized, processed, and recorded. With a general knowledge of management's philosophies and the process of transactions, the top down style assertion that the auditor can make is usually able to pinpoint material misstatements with more accuracy. IT is another increasingly integral part of internal audits. The auditor must understand IT's role within the operations of the company to fully understand the internal control environment. IT is not a separate evaluation; rather it is incorporated into the financial reporting process and should be considered in all elements of the internal control audit.
One of the most effective procedures in evaluating internal controls and the overall operations of a company is performing a walkthrough. Walkthroughs enable the auditor to oversee a process or transaction from its beginning until it is presented on the financial statements. Walkthrough procedures usually include a combination of inquiry, observation, inspection of relevant documentation, and re-performance of controls.