When performing an audit of internal control over financial reporting, a top-down approach is recommended in Auditing Standard No. 5, released by the Public Company Accounting Oversight Board in 2007. A top-down approach is one of the audit planning procedures used to choose which controls are needed in order to evaluate internal control over financial reporting. As its name implies, an auditor applying this approach to the audit of internal control pays specific attention to the controls at the company-wide level and then narrows consideration down to the accounts, disclosures, and assertions that appear more than likely to have been materially misstated. Afterwards, the auditor confirms the risks of misstatement and decides which controls to test accordingly.
I. Identifying entity-level controls
The auditor needs to test entity-level controls, not only because of their weight in deciding whether more or less testing of controls is needed, but also because of their influence on the auditor's opinion about the effectiveness of the company's internal control over financial reporting. These entity-level controls are subject to change and depend on the interaction and character of the controls. For instance, if one control addresses part of another control, the auditor needs to avoid additional work or rearrange the controls. Entity-level controls consist of those that a company needs to run its business effectively and flawlessly, such as controls over the company's management activities, controls to monitor operations and other controls, and controls over financial reporting procedures and policies.
In addition, the auditor should analyze the control environment and the period-end financial reporting process. The control environment refers to the attitudes and behaviors of management in its efforts to sustain effective internal control over financial reporting. The period-end financial reporting process consists of the procedures for entering transaction totals, the selection and application of accounting policies, the authorization and processing of journal entries, and the recording of recurring and non-recurring adjustments. The control environment and the period-end financial reporting process possess the utmost influence on financial reporting in the auditor's opinion on the effectiveness of controls.
II. Identifying significant accounts and disclosures and their relevant assertions
The auditor is required to analyze important accounts, disclosures, and financially relevant assertions. In analyzing the accounts, disclosures, and assertions, the auditor needs to evaluate both qualitative and quantitative risk factors. An example of a risk factor would be the likelihood of misstatement because of error or fraud. The risk factors used by the auditor when identifying the important accounts, disclosures, and assertions are applied in the same manner as in the audit of internal control over financial reporting. The auditor also needs to identify any potential sources of financial misstatement.
III. Understanding likely sources of misstatement
The auditor should be aware of likely sources of misstatement in order to make an appropriate judgment on whether the test of controls works. The auditor should know more about the flow of transactions, the likelihood of material misstatement, and the management controls over the company's processes. The auditor also needs to know the relationship between IT and the company's flow of transactions. In order to do so, the auditor should follow the rules of AU sec. 319, Consideration of Internal Control in a Financial Statement Audit.
Performing walkthroughs is the best auditing tool for determining likely sources of misstatement. In general, an auditor who applies this to the audit of internal control questions, monitors, and subsequently examines documents. To perform a walkthrough, the auditor tracks a transaction from its origin to its end, using the same documents and information as the company. When needed, the auditor asks employees questions about the importance of the transaction or procedure and its validity. The understanding gained by questioning the employees helps the auditor find which essential controls are missing.
IV. Selecting controls to test
The auditor needs to test the controls that influence the auditor's opinion regarding the company's controls. The auditor can reduce the number of controls to be tested if either one control is related to another or two assertions are so similar that they can be tested by one control.
A material weakness versus a significant deficiency
Both a material weakness and a significant deficiency are indicators reflecting a lack of internal control over financial reporting. A material weakness alerts the company to problematic internal controls that fail to monitor or locate material misstatements in a timely manner. Like a material weakness, a significant deficiency represents a lack of internal control, but one less problematic than a material weakness. A significant deficiency is an advisory indicator that the internal control over financial reporting is worth checking.
When reviewing whether or not a deficiency should be considered as an indicator of material weaknesses, the auditor should determine if the transactions were believed to be essential in order to conform to the generally accepted accounting principles.
I. Indicators of material weaknesses
Recognition of either material fraud or non-material fraud of top management
Reproduced statement to correct a prior material misstatement
Auditor's recognition of financial misstatements that have neither been monitored nor caught
An audit committee that does not work adequately as oversight of external and internal control over financial reporting
II. Communicating certain matters
Communication with management and the audit committee is critical for the auditor during the audit. This communication is largely done in writing and is readily available before the auditor issues the report on internal control over financial reporting. The auditor should communicate in writing with management when a lack of internal control over financial reporting is detected during the audit procedure. The auditor also updates the audit committee about the communications made with management. The auditor writes to the audit committee if significant deficiencies are recognized during the audit. The auditor also writes to the board of directors regarding any malfunction in the oversight of the company's external control and internal control over financial reporting. Moreover, the auditor only needs to report material weaknesses or significant deficiencies that he or she has detected or knows of. In light of that, the auditor does not have to communicate any deficiencies that have not been solidly proven.
If fraud is identified during the audit of internal control over financial reporting, the auditor should refer to AU sec. 316, Consideration of Fraud in a Financial Statement Audit, AU sec. 317, Illegal Acts by Clients, and Section 10A of the Securities Exchange Act of 1934.
III. Reporting on internal control
A heading with the word "independent", the signature of the auditor's firm, the name of the place where the audit report was issued, and the date
A statement that the auditor is responsible only for the audit of internal control over financial reporting that was performed with information and documents given by the company
A statement that the audit conformed to the standards of the PCAOB
A statement that the audit procedures have met all material respects
A statement that describes an audit procedure
A statement that the audit opinion is reasonably provided