In the auditing standard number 5, how to identify a company's internal controls and how to identify the controls' weaknesses and strengths is discussed. The method an auditor uses to analyze a company's internal controls is the top-down approach. This method starts by realizing the overall risks associated with the financial statements. After realizing this, he must look at the company internal controls and see where there may be a risk of misstatement getting into the financial statements. He then looks closer and closer until he has found specific accounts and disclosures with the most misstatement risk. The auditor can then decide which controls to test and how much testing needs to be done in order to assure that the controls are working properly.
The auditor determines that he has more or less testing to do by understanding the controls of the company. The auditor decides which controls to test that will support his conclusion about how effective the controls are with regards to financial reporting. Varying in nature and precision, some of the company controls have an indirect impact on whether or not material misstatement will be prevented or even detected in a timely manner. They may be indirect, but they could be directly related to those controls that the auditor does decide to test. Some company level controls ensure the effectiveness of other controls by monitoring them constantly. If these types of controls are effective then the auditor may be able to reduce the amount of testing done on the controls being monitored. If some controls are so effective at monitoring other controls then the auditor may be able to skip testing that monitored area entirely. He should be very careful making this kind of decision since if wrong an entire risky area of controls would go without testing.
There are many controls at the company level that help monitor and protect the entire company from risk. These include controls about the way the company evaluates risk, controls over management override, controls that watch over results and statistics of operations, controls of the financial statement process and much more. Since there are so many controls, a good place for an auditor to start evaluation is the company's overall control environment. The control environment is the attitude and philosophies that upper management has. If upper management has a positive attitude towards ethics and integrity then its employees probably feel the same way. The better the control environment the less likely it is for there to be purposeful misstatement of financial statements. The period-end financial reporting process is very important to evaluate as well because if there is something wrong with the process then there could be an error with recording transactions. The auditor can evaluate who has authorization to do transactions, what type of complex entries exist, and what upper management oversees in the process. These types of assessments are necessary to determine if the period-end financial reporting process is effective in preventing misstatement. Understanding company level controls is very important to the auditing process.
The next step in the top-down approach is identifying important accounts, disclosures and relevant assertions subject to the most risk. Anything that is estimated like a valuation or allocation is an assertion with a reasonable chance of having a material misstatement therefore it should be tested more thoroughly. When searching for things in the financial statements that have more potential risk associated with them the auditor can look for things such as the size of the account, the complexity of the transaction, the estimated nature of an account, a related party transaction, or even possible fraud. When searching for possible misstatement in the financial statements the auditor can look for the same type of risk factors as looking at the company's internal controls. They are inherently related and therefore have the same risks.
Finding potential areas for misstatement is a very difficult task which takes a great deal of analysis and overall knowledge of the company. One of the major things that must be done in order to fully understand the likelihood of misstatement is to understand the flow of each and every type of transaction the company is related with. The auditor must get a feeling for how each transaction flows through the companies system and through its internal controls from who authorizes it to who records it. Auditors should also understand how the system tries to prevent and detect material errors or even fraud. This will most likely require the auditor to physically test the system by starting a test transaction and watching it from start to finish. This is known as a walkthrough and is one of the most effective ways to understand and test the process a transaction goes through. A walkthrough should be very detailed and include looking at original source documents and account records along with watching a transaction from start to finish. This will prove whether or not the process is working correctly as opposed to just guessing that a part of the system is susceptible to error. The auditor should also question employees on what they think is happening with each transaction and where they think potential risk may be hiding. Using the employees' knowledge or lack thereof about internal controls and processes may give clues as to where to look closer for errors or fraud. It is important to understand that since all transactions are done electronically. IT has a major impact on the flow of transactions as well. The auditor should therefore understand that much of the risk can come from IT which is part of understanding internal controls. Understanding that potential risk can come from many different sources is key to performing an effective audit.
In the end whatever risk of misstatement that was found, due to performing the top-down approach, has to be backed up by relevant sufficient evidence for the auditor's conclusion. Therefore, the auditor needs to choose the right controls to test in order to adequately investigate these potential risks. Look at what controls are associated with any significant accounts, assertions, or other major potential risk areas found while performing the top-down approach. When deciding which controls to test, the auditor should choose the combination of tests that will give the most relevant evidence possible in backing up his conclusion. The combination should address any major potential risk of misstatement found while investigating the company.
When analyzing a company's internal controls, the auditor is trying to find anything that may result in a potential risk of misstatement in the financial statements. The auditor is looking for a significant deficiency and more importantly, a material weakness in the internal controls. A material weakness is an insufficiency in the company's internal controls that has a likely chance of not preventing an error or finding an existing error which may result in a material misstatement in the financial statements. A significant deficiency is the same as a material weakness except it is not as severe. Both need to be brought up to the company, but a material weakness needs to be investigated and tested.
Searching for material weaknesses in a company's internal controls can be very difficult and takes a lot of analysis, testing, and intuition. There are, however, some indications that make it easier to spot a material weakness. Any corrections that have been made to the financial statements, any sign of the audit committee not paying enough attention to financial reporting, and any fraud detected can be an indication of a deficiency in internal controls. Overall, any sign that the company's internal controls would have not found the material misstatement if the auditor wasn't there is an indication that material weaknesses exist. The company's internal controls should be efficient enough to prevent and detect errors on its own without the help of auditors.
Before the auditor writes a report about internal controls, he must discuss in writing with management any material weaknesses found. The significant deficiencies also need to be communicated to the audit committee. If the auditor thinks that the audit committee is not overseeing the financial reporting process sufficiently enough then the auditor has to write the board of directors letting them know. If while, conducting the audit, a fraudulent act was detected then the auditor needs to follow the code and act accordingly.
After the written communication is given to management and the audit committee, the auditor must write his report on internal controls expressing how effective he feels the company's controls are at detecting and preventing errors. There are several elements, expressed in audit standard 5, that must be in this report such as a title that has the word independent in it, a statement about the auditors responsibility regarding the audit of internal controls, a statement about the way in which the audit was performed and how it follows the standards of the PCAOB, and a statement regarding the auditors feeling that the company's internal controls were effective over the financial statements and therefore detecting or preventing material misstatements on the financial statements. The audit report should express to the company how the auditor feels about the internal controls after doing extensive analysis and searching for material weaknesses, but is not guaranteeing that he found every possible weakness that may be present in the system.
