The Public Company Accounting Oversight Board (PCAOB) released Audit Standard Five (AS5) on June 12th, 2007. AS5 is described by the PCAOB as "An Audit of Internal Control Over Financial Reporting That Is integrated with An Audit of Financial Statements." The standard was approved by the SEC with the intentions that the new standard will increase the efficiency of compliance to the Sarbanes Oxley Act. Audit Standard Five became effective to all publicly-traded companies on or after the fiscal year of November 15, 2007 and applies today.
A large section of AS5 is an approach to the audit of internal control over financial reporting referred to as the Top-Down approach. This approach is used by auditors to help them determine which controls they should test. The first step that an auditor must take is over viewing the financial statements in order to obtain in understanding of how all the risks for internal control impact the companies financial reporting. Next, the auditor begins looking over the company starting at the top with entity-level controls; then begins working his way down to all the significant accounts, disclosures and assertions being made that may contain misstatements or false information.
While starting at the top the auditor must make sure that they select and test all of the key entity-level internal controls that will affect how their evaluation of how effective the companies internal control over financial reporting is. Entity-levels controls include a vast array processes and operations which must be taken into consideration. Some more important and note worthy ones are as follows:
Controls over management override; this control is significant for all companies and especially crucial for small companies. They play a key role in effectively using internal control over financial reporting because of the involvement that management takes in the influence on the financial reporting process.
Controls related to the control environment, the company's risk assessment, centralized processing and controls, controls to monitor results of operations, controls over the period-end financial reporting process.
All of the controls at the entity-level vary in two characteristics, nature and precision. The controls can either directly or indirectly affect the likelihood that misstatements are made. Other controls are used more for monitoring the effectiveness of other controls, which may allow an auditor to reduce the amount of testing he must perform when these controls seem reliable. Finally, some of the controls are created to prevent and detect misstatements or errors which may also help a auditor cut down the extent of testing they must perform.
Another factor that plays an important role in the Top-Down approach is the control environment which the auditor must also assess in order to conclude the effectiveness of a companies internal controls over financial reporting. These checks include evaluating a companies philosophies, operating style, ethics, integrity, and the overall effectiveness of the board of directors. Next, it is time for the Auditor to review the period-end financial reporting process. This included all of the necessary steps, checks and preparation that a company takes before finalizing their financial reports. The auditor must also asses how management impacts the final results, where the preparation of the financial reports takes place and any factors that could lead to inaccurate reporting. When an auditor has successfully completed these steps they should be comfortable in stating they can prove with evidence that the company's controls sufficiently address the assessed risk of misstatement from all of influencing factors.
When the auditor begins the step of looking into significant accounts, disclosures and the company's relevant assertions they need to look for the ones that may contain errors or misstatements with sufficient materially to the financial statements. Factors that may influence the likelihood of misstatements can be both qualitative and quantitative such as; size, susceptibility, nature of account, exposure to losses, ect. During this step it is important for the auditor to understand what kind of things could go wrong, be incorrect, lead to errors, or cause misstatements. To be sure that an auditor has sufficiently checked for or found any and all misstatements and auditor should be able to; understand the flow of transactions that lead to assertions, have a strong understanding of controls the management has implemented, and be able to verify that they have checked the points where misstatement, fraud or error could have occurred. Also the auditor should have a strong grasp of how information technology plays a role in the reporting of financial reporting.
Finally, in the Top-Down process the auditor must select the controls to test that are important to their conclusion of how a company's controls sufficiently address the assessed risk of misstatement to each assertion deemed important. Not all controls must be tested, and some controls may test multiple assertions so the auditor can select which ones to test to best conclude all relevant assertions are correctly stated.
Another important section of the AS5 release is the section of evaluating identified control deficiencies. For this section it is important to understand the differences between material weakness and significant deficiency. First, off when an auditor is evaluating the severity of a deficiency it may or may not be material, however the auditor only needs to worry about material deficiencies. Deficiencies' materiality depends on probability that the company's controls will fail to prevent and detect misstatements; and also it depends on the magnitude that the misstatement may have on financial reports. Deficiencies are areas where the controls misstatements can arise because of inefficient controls. The material weakness that may arise from deficiencies depends on indicators such as; 1) identification of fraud by senior managers, 2) restatement of previously issued financial statements to show the correction of a material misstatement 3) the auditor identifies current misstatements in the financial statements that would have otherwise not been detected 4) realization of an ineffective oversight of external financial reporting and internal control over financial reporting by the company's audit committee. If the auditor finds any of the above than they have reason to believe that indeed the control deficiency or deficiencies do lead to a material weakness. Therefore a material weakness can be one or more deficiencies in the internal control of a company that leads the possibility that a misstatement of their financial statements that would not be detected or prevented in a timely manor. On the other hand a significant deficiency or deficiencies in the internal control of a company's financial reporting, is less severe or important as a material weakness, however it still must be dealt with and receive attention to determine what is going on.
Another way that the types of deficiencies differ is in the way that they must be communicated. Since material weaknesses are more important the auditor must in writing tell the management and audit committee of all the material weaknesses that were found. This must also be done before the auditor issues their report on internal control over financial reporting. Also, if the auditor has determined that the oversight of the control system and financial reporting process is ineffective then the auditor must communicate this conclusion with the board of directors. Next, for all of the significant deficiencies that the auditor has found he must in writing also communicate all of these to the audit committee only. Finally, the auditor should then communicate to management all other deficiencies that were found during the process.