Auditing Standard No. 5 (AS5) was implemented on June 12, 2007 for the purpose of focusing auditors on the most important matters in audit of internal controls. AS5 is known as "An Unit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements." Within AS5 is guidance for using the top-down approach for selecting certain internal controls to be tested. Headlines within the top down approach include:
Identifying Entity-Level Controls
Identifying significant accounts and disclosures and their relevant assertions
Understanding likely sources of misstatement
Selecting controls to test
Top-Down Approach
In selecting control tests for the audit of internal control over financial reporting an auditor should use the top-down approach. To begin the top-down approach the auditor starts at the financial statement level and the understanding of the overall risk to internal controls over financial reporting. Next the auditor focuses on entity level controls and works down to important accounts and disclosures. The top-down approach guides auditors to accounts, disclosures and assertions that bestow risk of material misstatement in the financial statements and related disclosures. With understanding of the risks in the company's business activity, the auditor selects controls to be tested that address high risk of misstatement.
Identifying Entity-Level Controls
Testing relevant entity level controls is important for the auditor conclusion on whether the company has affective internal control or not. The evaluation of these controls can lead to increasing or decreasing testing that auditors would of executed on other controls. Higher-level controls might be designed to catch possible breakdowns in lower level controls.
An example of entity level controls is controls related to the control environment that the auditor should consider. This consists of whether the managers' business style promotes effective internal controls in reporting financial information and whether ethical values are promoted within and are understood. Another entity level control is control over management override. This control is important to internal control of the financial statements of all companies, but specifically important to smaller businesses because of greater involvement of higher management engaged in a variety of duties where segregation of duties is reduced.
Identifying Significant Accounts and Disclosures and their Relevant Assertions
The auditor should identify important accounts and disclosures and the possibility of them containing a misstatement that would cause the financial statement to be materially misstated. To identify the assertions the auditor should examine the qualitative and quantitative risk factors associated to the financial statement as well as determine the likely sources of the undeveloped misstatement by asking themselves "what could go wrong?" within certain accounts or disclosures. Consolidated financial statements should be used by the auditor in figuring out significant accounts and disclosures and possible misstatements within, when a company is involved with various business locations.
Understanding Likely Sources of Misstatement
In selected controls to test and understanding the likely source of misstatement the auditor should understand the flow of transactions, how Information Technology (IT) affects the flow of the transactions, and identify the steps management has taken to address potential misstatements. Because of the great deal of judgment involved in these activities, the auditor should perform the steps personally or closely supervise those who provide assistance in the audit. The most affective way to achieve the steps to understanding likely sources of misstatements is by performing walkthroughs. Walkthroughs help the auditor follow transactions from origination through the company's process, including IT, and to the final source document. In performing walkthrough, the auditor should question the company's personnel about their understanding of the flow of information.
Selecting Controls to Test
The controls that are critical to the auditor's conclusion about whether the company controls adequately convey the chance of misstatement are the controls that should be tested. More then one control may be needed to address possible risks within a relevant assertion. Decisions on what controls to be tested also depends on whether controls can independently or in combination be used to judge the risk of a potential misstatement.
Material Weakness versus a Significant Deficiency
A material weakness and a significant deficiency are similar in that they are both deficiencies, or a mixture of deficiencies dealing with matters in internal control over financial reporting. The difference between material weakness and significant deficiency is that material weakness is a deficiency where the likelihood of the event is either "reasonably possible" or probable" (FAS 5) that a material misstatement of a business's period-ending financial statements will not be prevented or detected on a timely basis. A list of indicators of material weaknesses from AS5 is:
Identification of fraud, whether or not material, on the part of senior management (PCAOB AS5, p.69)
Restatement of previously issued financial statements to reflect the correction of a material misstatement (PCAOB AS5, p.69)
Identification by the auditor of a material misstatement of financial statements in the current period in circumstances the indicate the misstatement would not have been detected by the company's internal control over financial reporting (PCAOB AS5, p.69)
Ineffective oversight of the company's eternal financial reporting and internal control over financial reporting by the company's audit committee (PCAOB AS5, p.69)
A significant deficiency is a deficiency that is less severe then a material weakness, yet it is important enough to bring to the attention of management and the audit committee, but not outsiders.
Communicating Certain Matters
Communication, in writing, from the auditor to management and the audit committee is required when material weaknesses are identified during the audit. Communication should be made before the auditor issues the report on internal control over financial reporting. The auditor must report material weaknesses to the board of directors if they feel the report to the company's audit committee is ineffective. Deficiencies that the auditor feels are significant deficiencies should be reported to the audit committee, in writing. Significant deficiencies should not be reported to the public in the auditor's report.
