To realize companies' objectives, one critical thing is that companies should ensure the accuracy and reliability of their financial reporting. Companies should exercise sufficient controls to guarantee this, that is, they have to establish a set of effective internal controls over financial reporting. Because of the importance of internal controls over financial reporting, it merits much attention by auditors. The audit results of internal controls over financial reporting give the basis for auditors to perform the most efficient audit and obtain the most proper opinions.
Generally, a company has multiple internal controls in operation. It is time-consuming and there is no need to test all the controls. For the efficiency consideration, the auditor should decide which controls to test through some certain methods. The top-down approach guides the auditor to think in sequential and rigorous fashion to indentify controls to test. The top-down approach begins at the financial statement level and with the auditor's knowledge of the overall risks to internal control over financial reporting. Then he, or she, focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions. Following that, the auditor verifies his or her understanding of the risks in the company's processes and selects for testing those controls that sufficiently address the assessed risk of misstatement to each relevant assertion.
Based on the auditor's understanding of the overall risks to internal control over financial reporting, the auditor should test the important entity-level controls, the evaluation of which will put impact on the auditor's task. The five components of the COSO internal control, integrated framework must be tested, risk assessment to indentify significant risks related to financial reporting, control environment affecting the commitment and behavior of management and employees , control activities either at policy level or in processing procedures, information and communication for ensuring that information will be detected and exchanged timely between management, and monitoring providing feedback on the effectiveness of the other aspects of internal control.
After reviewing the entity-level controls, the auditor should go on identifying significant accounts and disclosures and their relevant assertions. A significant account or disclosure means that there is a reasonably possibility that the account or disclosure could contain a misstatement that may affect the financial statement. Whether it is significant or not depends on inherent risk. The auditor should pay high attention to those risk factors, like susceptibility to be recorded incorrectly, size and composition of the account, nature of the account or disclosure, existence of related part transactions in the account, etc. For a retail company, the audit may have to scrutiny the sales account and inventory account for fictitious transactions. Also, the auditor must think about the likely sources for the potential misstatement. To understanding the likely sources, the auditor should understand the flow of transactions related to relevant assertions, verify the auditor's discovery of material points that maybe misstated, and identify the controls the management has implemented to deal with these potential misstatements. To achieve the above objectives, the auditor can perform walkthroughs, make inquiries of client personnel, observation of control operations, and review client-prepared documentations. The auditor also should master the IT influence on financial reporting since it is very pervasive to use computer techniques in assisting recording transaction information and producing financial reporting. The auditor should understand how the accounting information system works and the control activities companies imposed on it, such as access control and edit control.
Having a deep understanding of the company's internal control over financial reporting, the auditor now has to test the controls that are important to the auditor's conclusion about the effectiveness and sufficiency of the company's internal control. The criteria as to which controls should be selected is that the sufficient influence of the controls, individually or in combination, on the assessed risk of misstatement to a given relevant assertion.
Material Weakness vs. Significant Deficiency
A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis. The discovery of a material misstatement of an account balance normally means that there was a breakdown in internal controls and that there was a material weakness.
A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness; yet important enough to merit attention by those responsible for oversight of the company's financial reporting.
There are some indicators of material weakness in internal control over financial reporting that the auditor should be on the alert:
Identification of fraud, whether or not material, on the part of senior management who play a significant role in the company's financial reporting process;
Restatement of previously issued financial statements to reflect the correction of a material misstatement, which means the company had a great loophole of the control on the misstatement that are not prevented and detected on a timely bases;
Identification by the auditor of a material misstatement of financial statements in the current period in circumstances that indicate that the misstatement would not have been detected by the company's internal control over financial reporting;
Ineffective oversight of the company's external financial reporting and internal control over financial reporting by the company's audit committee;
A deficiency, or a combination of deficiencies, that might prevent prudent officials in the conduct of their own affairs from assuring that transactions are recorded as necessary to permit the preparation of financial statements in compliance with generally accepted accounting principles.
The auditor should always keep alert to those indicators and communicate the deficiencies with management and audit committee as soon as they are discovered. The auditor must report all material weaknesses, in writing, to management and audit committee during the audit. Also the auditor should make sure that such a written communication be made prior to the issuance of the auditor's opinion on internal control over financial reporting. If the auditor summarizes that the oversight of the company's external financial reporting and internal control over financial reporting is ineffective, which is an indicator of a material weakness, then the auditor must communicate this situation in writing to the board of directors. Besides material weaknesses, the auditor should consider other deficiencies as well. When identifying significant deficiencies during the audit; the auditor must communicate such deficiencies, in writing, to the audit committee.
Communicating deficiencies, either material weaknesses or significant deficiencies, with the management and audit committee is an important aspect before issuing the auditor's report on internal control. Among the elements of auditor's report on internal control, one is a statement including the risk assessment of the existence of a material weakness and significant deficiencies, the testing and evaluation of the effectiveness of internal control based on the assessed risk. The auditor should give reasonable opinions on the possibility of material weaknesses and significant deficiencies according to their understanding of the company's internal control over financial reporting and their expertise and experience.