Auditing Standard No. 5 addresses the auditing of internal controls over financial reporting and how that is integrated with the auditing of financial statements. Because internal controls (or lack thereof) can greatly impact the quality and reliability of financial statements, it is very important to understand the necessary procedures for conducting an effective audit of such controls. The PCAOB recommends using the top-down approach to identify possible areas of control weaknesses and to select which controls to test. Using this approach, the auditor is to begin their analysis at the financial statement level before working their way down through entity-level controls, ultimately narrowing their scope to significant accounts and disclosures and their applicable assertions.
By starting at the top, the auditor can gain familiarity with the overall risks of internal control during the production of the financial statements and get big picture idea of the company procedures before narrowing the scope of their audit. After that, they can move on to identify the important entity-level controls necessary of evaluation in order to determine internal control effectiveness. Some important areas to consider at this stage include:
The control environment. It is crucial that the auditor approves of management's ethical values and philosophies over internal control, in addition to recognizing the audit committee's oversight responsibilities. If the auditor develops skepticism about management's intentions or the audit committee's oversight policies, a red flag should go up concerning the risk of material misstatements. Included in this assessment should be an evaluation of the controls over management override and manipulation of financial reporting processes to make sure management cannot easily access and tamper with company data.
The period-end financial reporting process. The auditor should review the inputs, procedures performed, use of information technology, and outputs of the processes the company uses during the financial reporting process. This includes the location of the financial reporting development as well as the types of adjusting and consolidating entries the company uses. The auditor should also assess the degree of involvement by management, the board of directors, and the audit committee in the oversight process and who the participating players are in preparing the financial statements.
Based on the auditor's opinion of these controls, they must determine the proper level of testing needed to gain reasonable assurance of the control's effectiveness.
The next step in the top-down approach is to identify the significant accounts and disclosures (as well as their relevant assertions) that have a reasonable possibility of containing a material misstatement. In order to identify these accounts, the auditor needs to consider the qualitative and quantitative risk factors that relate to financial statement line items and disclosures. Some factors to take into account when determining where the risk lies include the size and composition of the account, the presence of related party transactions, and the volume of activity and the complexity of the transactions in the account. The main goal is for the auditor to identify any areas of possible misstatement and to verify that the financial statement assertions are complete, properly valued, and presented with full disclosure.
Although it sounds quite simple, the duty of the auditor to determine the likely culprits of a potential material misstatement isn't easy. It is of great help for the auditor to understand the way that transactions flow through the company and the corresponding control barriers in place that have been implemented by management. By performing the procedures themselves, or overseeing others as they conduct transactions, the auditor can gain better familiarity with the system in place, the information technology used during the reporting process, and the quality of the controls. One of the best ways to accomplish this objective is to perform a walkthrough, during which an auditor follows a transaction from its instigation through the company's processes until it reaches the financial records, using the same documents and IT that company employees use. During the walkthrough, it is appropriate for the auditor to question staff about their understanding of the company procedures and controls, allowing the auditor to develop a sufficient familiarity of the process and recognize where controls could be implemented further or redeveloped to be more effective.
The last step in the top-down approach is for the auditor to determine which controls to test. Based on the conclusions drawn from their previous evaluations, the auditor should test the controls that pertain to the assertions that the auditor is questionable about. If testing the control will sufficiently address the assessed risk of a material misstatement of an assertion, it would be worthwhile for the auditor to test it.
When conducting a top-down audit, it is important for the auditor to have an understanding of the difference between a material weakness and a significant deficiency. A material weakness in financial reporting occurs when there is an insufficiency, or a combination of insufficiencies, that would create a reasonable probability of a material misstatement appearing on a company's financial statements that could not be avoided or uncovered in a timely manner. Indicators of material weaknesses include:
Identification of fraud of any magnitude by seniority management;
Restatement of previously issued financial statements due to a correction of a material misstatement;
Identification by the auditor of a material misstatement that would not have been detected by the company's internal controls; and
Ineffective oversight by the audit committee of the company's external financial reporting and internal control over financial reporting.
Similar to a material weakness, a significant deficiency is also a risk of insufficiency in the financial reporting, however, it is less severe in scope. Significant deficiencies, although less material in capacity, are still important enough to deserve the attention of those responsible for the company's financial reports, but isn't as likely to result in a material misstatement of the financial statements. Knowing the difference between these two deficiencies can help the auditor prioritize the risks associated with each assertion. When determining the proper amount of control testing needed to be done, perhaps the best overall judgment for an auditor to use is to determine the level of assurance necessary to satisfy any prudent official in conducting their own affairs. That is, provide enough assurance to reassure prudent officials that the financial statements are in conformity with GAAP, and treat any deficiencies in complying with GAAP as material weaknesses.
After the auditor has identified the material weaknesses and significant deficiencies, they must be communicated both directly to the audit committee and in an auditor's report. Prior to the issuance of the audit report, the auditor must convey in writing all material weaknesses identified during the audit to the audit committee and management. Significant deficiencies must also be communicated in writing to the audit committee. In addition, the auditor must provide management with a written summary of the deficiencies in internal control over financial reporting, and inform the audit committee when such a statement has been produced. When conveying these weaknesses, the auditor isn't required to detect all internal control weaknesses, but rather report on all of the ones of which he or she is aware of. If the auditor concludes that the oversight of financial reporting and internal controls by the audit committee is insufficient, they must report that deficiency in writing to the board of directors.
In addition to direct communication with the audit committee and management, the auditor must also provide an auditor's report on the audit of internal control over financial reporting that will be available to the user(s) of the financial statements. A big portion of the report is dedicated to making clear the user(s) the main purposes of the audit and clarifying the responsibilities delegated to management and to the auditor. Required in the audit report are statements verifying:
The responsibilities of management for maintaining and assessing effective internal control over financial reporting and providing a report of their procedures;
The auditor's responsibility of expressing an opinion based on his or her audit, in addition to the belief by the auditor that the audit provided a reasonable basis for his or her opinion;
The definition of internal control;
Assurance that the audit was conducted in accordance with the standards of the PCAOB, which requires the auditor to plan and perform the audit to obtain reasonable assurance about the effectiveness of the maintenance of internal control over the financial reporting process in all material respects;
The various elements that an audit entails;
A disclosure that identifies the possibility of misstatements to occur due to inherent limitations and that projections of any evaluation of effectiveness to future periods are subject to the risks that controls may become insufficient or the level of compliance with policies may falter;
The auditor's opinion on whether the company maintained, in all material respects, effective internal controls over financial reporting as of the specified date.
In addition to these statements, the auditor's report should also include a title that includes the word independent, a manual or printed signature of the auditor's firm, the date of the audit report and the city and state (or city and country for non-U.S. auditors) from which the auditor's report has been issued.
As one can see, communication with the audit committee by the auditor serves to provide the committee with information that may help it fulfill its oversight role of the entity's financial accounting, reporting, and disclosure process, even before the financial statements are disclosed. By informing the committee of important areas of concern, they can take the necessary steps to improve their internal controls and the accuracy of their financial statements before they are issued. As more of a final product, the audit report serves to render an opinion to financial statement users on the reported financial statements after the audit committee has had the chance to address some of the issues communicated to them by the auditor. The audit report, then, will give the final say to the users for assurance, hopefully after having given the company a chance to improve their controls with the help of the auditor's communication throughout the audit process.
