In auditing it is important to use a top down approach when selecting which controls will be tested in an audit of internal controls. This means starting at the financial statements level and then moving on to entity level controls. This process leads the auditor to focus on areas in the financial statement and disclosures that are more likely to have any material misstatements. It is important to test entity level controls to gain a level of assurance that internal controls are effective. Once this testing has been done the auditor can gauge how well they can trust the companies information, and determine how much further testing needs to be done. There are multiple types of entity level controls. Control environment controls may have an indirect effect on other internal controls. The entity may also have controls to monitor how well the other controls function. The third category of controls is those that actually detect and prevent misstatements. Some specific controls include those to monitor environment, check management changes, assess risk, monitor results, monitor quarterly and yearly financial statements, as well as controls that monitor other controls. An important step in making sure that these controls can be relied on is looking at the environment the controls operate in, by evaluating the philosophies of the company and how internal audits are conducted. Another step is to evaluate how end of the period financial statements are constructed, and to make sure that the controls are sound. This involves looking at all relevant procedures, and evaluating who participates. In addition to evaluating controls it is important for the auditor to look at the assertions made about important accounts and disclosures. An assertion is deemed important when there is a high likelihood of material misstatements. Assertions related to financial statements include existence, completeness, valuation, allocation, rights and obligations, and how they are presented or disclosed. In determining if an account is significant the auditor needs to look at risk factors such as the size of the account, how likely a misstatement is, complexity of transactions, likelihood of losses, possibility of material related activities, occurrence of related party transactions, and large changes from previous periods. The auditor should look for potential areas where things could go wrong to help identify what might cause material misstatements. The auditor should evaluate the same risks for the same accounts and disclosures when looking at financial statements and internal controls. However, there may be more than one control associated with a single assertion. If the business has multiple locations, the auditor should use a consolidated financial statement when determining significant accounts and controls. In order to understand the sources of mistakes the auditor needs to understand how the company does transactions, check that they have identified proper significant assertions and disclosures, check that they have identified important controls, and identify controls used by management to prevent and detect misstatement. Since there is a large amount of personal opinion in these tasks, the auditor should perform them himself or oversee a team. It is important for the auditor to understand how technology is involved in transactions, and what controls are placed on it. To determine how transactions are handled it is best to perform a walkthrough, and follow one transaction from beginning to end. The auditor should question pertinent personnel at each important stage during the walkthrough to help understand the process.
The auditor should choose to test important controls that may have an impact on misstatements in the final financial statements. This may mean needed to test multiple controls for one assertion, but the auditor should not have to test all controls. Both significant deficiency and material weakness are defined as one or more deficiencies in internal controls that pertain to financial accounting. The difference is that a material weakness is more severe, but both require attention. A material weakness might be suspected if the auditor finds evidence of fraud, restatement of previous period's financial statements, a misstatement in the current period that would not have been caught by internal controls, or insufficient oversight by the company's audit committee. When the auditor finds this sort of evidence they need to determine the severity of the deficiency, and determine what level of assurance needs to be put in to place to prevent further deficiencies. If the auditor believes that the deficiencies might affect the way other informed individuals conduct their business with the company, then they need to use it as a sign of potential material misstatement. Before the auditor issues their report they need provide the company with a written copy of any material weaknesses that they discovered in the course of their audit. They also must inform the board of directors if they find the company's internal controls related to financial accounting insufficient. Next they must inform the audit committee of any significant deficiencies discovered during the audit. Management should be informed of any deficiencies in internal control, and let the audit committee know that they have done so. This does not mean that the auditor is obliged to find and communicate all deficiencies, they are only responsible to inform the company of those that they have found. This also means that if the auditor has not found any deficiencies, that they cannot claim there are none. If at any time during an audit the auditor becomes aware of fraud , they are to determine their responsibilities in the SEC act of 1934. There are fourteen required elements in the auditor's report on internal controls. They are as follows: a title that informs of the auditors independence, a statement of managements responsibilities over internal control, managements report on their internal controls, a statement of the auditors responsibility to provide an opinion, the definition of internal controls over financial reporting, a statement on conducting the audit under PCAOB standards, a statement on the requirements placed on the auditor by the PCAOB, a statement that the auditor has an understanding of internal controls and how to test them, a statement of the auditors belief in their work, a statement that internal controls may not prevent or detect all future mistakes, the auditors opinion on internal controls, the signature of the firm, the city and state in which the report was issued, and the date of the audit.