AS5 creates a guideline and requirements for audits of both a company's financial statements and internal controls. A combined audit must follow these guidelines and use them to provide reasonable assurance to the users that the statements are fairly presented and there are no material weaknesses in the controls that a company has in place. Any weaknesses or deficiencies found in an audit must be disclosed to the company and an opinion should be given at the end that describes the assurance level of the auditor.
AS5 requires auditors to use a "top-down approach" to perform an audit over internal controls. Such an approach requires them to use a strategic and comprehensive thought process to determine possible risks and ways in which to test those areas for possible weaknesses or misstatements. According to AS5, the top-down approach usually begins with a look at the financial statements and the company's overall outlook. From there, the auditor will determine risks that might be present from the nature of the business or the company's environment. From identified risks, the auditor should create tests specific to the company's individual situation to test the controls. Depending upon the auditor's initial observations, large or small quantities of testing should be completed to provide assurance that controls are strong.
The top-down approach states that an auditor should look to the "entity level" next and should assess the controls to determine the need for more comprehensive testing in the other areas. This testing includes testing of the control environment, management overrides, and the company's risk assessment process. These will all indicate the overall feeling of the company and will help the auditor determine whether controls testing should be stronger in other areas.
More specifically, entity level controls have an effect on whether or not a misstatement will be detected by the company. The auditor should determine whether they are strong enough on their own to prevent misstatements or if they are not, the auditor must investigate more into areas that would be affected by the specific control. If a company has very strong moral values and has put into place very strong control procedures in their company, chances are that the high standards will create an environment in which controls are high. If these controls appear to be in good order, then controls in other areas might not need to be tested as stringently.
After considering the overall environment of the company, the auditor should also look at the financial reporting process. The following can provide clues to the auditor in order to help them to determine areas that they should concentrate on: procedures for entering transactions, procedures for implementing accounting policies, and procedures for adjusting entries. If it appears that an error has been made or that there is not due care in the procedures, the auditor will know to double check anything related to that specific area. If a company has weak procedures or does not follow their procedures, testing must be completed more carefully.
AS5 also states that an auditor should check important accounts related to the assertions that are applicable to the situation. The specific accounts that should be checked are the ones in which there is a chance that they would contain a misstatement, causing the financial statements, as a whole, to be misstated. Generally speaking, the assertions regard the existence of transactions, completeness of transactions and records, valuation of accounts, and presentation. Auditors must make sure to test that what is presented in the statements is represented fairly. The auditor should use the risk factors previously pointed out to determine the accounts to double check. Usually, accounts are chosen based on their size, susceptibility to misstatement, volume of activity, complexities, and changes.
The "top-down approach" essentially describes the approach auditors should take to determine that they understand the client. They must understand how the client's transactions work, how the transactions flow through the system, where errors would most likely occur, and the controls that have been implemented in the system. Using this approach, auditors must then test the vulnerable places in order to support their final conclusion to be written in the audit report.
Also, in AS5, the meanings of material weakness and significant deficiency are defined and specified. Significant deficiencies are ones that are not as severe as material weaknesses, but are important enough that they might cause a problem in the financial statements. Significant deficiencies might be found in the design or operation of a company. Design deficiencies result from missing or incomplete controls while operation deficiencies arise from controls that are in place, but do not operate correctly. These should both be communicated to the audit committee of their client. It is also recommended that auditors should communicate deficiencies to management, as well.
A material weakness is more severe than a significant deficiency. It means that there is a "reasonable possibility" that a material misstatement would not be prevented or detected by the controls in place by the audit client. A reasonable possibility of a misstatement occurs when it is "reasonably possible" or "probable" that it will occur. Material weaknesses are often indicated by fraud, restatements of previous financial statements, or oversight of reporting by the company's audit committee. If the auditor feels that a deficiency might prevent rational officials or managers from determining that they are reasonable assured, the auditor should consider the deficiency to be an indicator of a material weakness. If a normal person is not assured, the auditor should not be assured. Any material weaknesses that are uncovered must be pointed out to management and the audit committee in written form. The written statement should be made before the final auditor's report is completed, so that management knows ahead of time where it lacks control.
The auditor's report should be written to the management of the company being audited. It should make clear that management is responsible for internal controls and that the auditor's duty is to issue an opinion on the effectiveness of the controls. Auditors must gain an understanding of the client (through the top-down approach) and must provide a statement that says they have a reasonable basis for the opinion they issue. The report should also include that opinion.
The auditor's responsibility is to learn about their client and report on the client's controls and financial statements. With AS5, the requirements to do so are clearer than before. They are laid out in the top down approach and the ways that different discrepancies are to be reported are indicated, also.
