I am going to summarize to you the parts of Auditing Standard No. 5 that deal with the top down approach to an audit of internal control, and what a material weakness is versus a significant deficiency. The purpose of this memo is to explain and summarize these two parts of Auditing Standard No. 5 so that you can better understand what each does.
The top down approach describes the auditor's process of identifying risks in order to select which controls they will test to assure a successful audit of internal control over financial reporting. The top down approach has four basic, but important, steps that attempt to properly identify risks. The four basic steps are identifying entity-level controls, identifying significant disclosures and accounts and their claims, understanding likely sources of misstatement, and selecting controls to test.
In the first step, the auditor tests entity-level controls that will be important for the auditor to make a conclusion that can increase or decrease the tests on controls, which will take place later in the audit. Entity-level controls can affect whether a misstatement will be discovered in a timely manner, as well as affecting the effectiveness in lower-level controls. Four major entity-level controls include the company's risk assessment process, controls to monitor results of operations, controls related to the control environment, and policies that address significant business control practices. An auditor must also assess the control environment to evaluate management's operating style of promoting effective internal control and ethical values with significant emphasis on top management. Another entity-level control the auditor is supposed to evaluate is the period end financial reporting process. This is done in order to check procedures such as transactions in the general ledger and preparing quarterly financial statements and the discloses that go with them. The last control deals with understanding who the process of period end financial reporting, as well as who participates in reporting and the extent of oversight by management.
The second step is to identify noteworthy accounts and disclosures and their applicable assertions. Applicable assertions are assertions in the financial statements that could contain a misstatement that could materially misstate the financial statements. Assertions can include completeness, valuation, and presentation. Also, the auditor must evaluate qualitative and quantitative risk factors that include the size and composition of accounts, the complexities coupled with reporting some accounts, and the existence of related party transactions. The auditor should also determine sources of potential misstatement that could cause materially misstated financial statements. One helpful aspect is that the risk factors that are identified and evaluated for an audit of internal control over financial reporting is the same for an audit of financial statements. Lastly, if a company has multiple locations for their business and its activities, then the auditor should identify the applicable assertions that go with the consolidated financial statements.
The third step for the auditor is to understand sources that have the possibility of being misstatements. Objectives that the auditor should follow include understanding how transactions are authorized, processed, and recorded. Furthermore the objective is to find misstatements that added together could cause a material misstatement. Additionally, they need to understand how management tries to fix problems that arise and how management has implemented a timely detection so a material misstatement can be fixed in a timely manner. The previous steps listed above are difficult to do unless properly trained, so the auditor should do them or supervise their help closely. The auditor is required to be fluent with IT because it processes the flow of transactions for the clients. To check the flow of transactions, one of the best ways is to perform a walkthrough as transactions are entered and processed throughout a client's systems all the way until they end up on the financial statements. During the walk through the auditor should question the client's employees multiple times in order to understand and learn more knowledge about the client and their systems. Talking to a client's employees is a great way to learn beyond the transaction the auditor is processing because questions can lead to unexpected answers that go beyond what the auditor originally thought.
The last step is for the auditor to select controls to test. The auditor needs to test controls that are going to have the highest significance on the auditor's conclusion. This should bring into question whether or not the company's internal controls affectively avoided the risk of misstatement. It's important to note that it may take more than one test in order to address the risk of a particular misstatement for the particular assertion.
The second part of Auditing Standard No.5 that I am going to explain is the deference in significant deficiency versus a material weakness. Beyond explaining the general differences, I will list the indicators of a material weakness, as well as explain how a material weakness and significant deficiency are communicated to an audit committee versus the audit report.
According to Auditing Standard No.5 a deficiency exists when a control is ineffective for management or employees to avoid or discover misstatements on a timely bases. A deficiency happens when a control does not do its task, and a deficiency in operation is when a control does not do its operation or the person administering the control has no authority to do so. After understanding a deficiency, you can now understand that a significant deficiency is a single or combination of deficiencies that is not as severe as a material weakness, yet severe enough to give attention to.
A material weakness compared to a significant deficiency is similar in that it is a deficiency or combination of deficiencies that add up to a reasonable possibility that a material misstatement will show up on the clients financial statements or will be undetected on a timely basis. Some of the indicators of a material weakness of the internal control over financial reporting include the identification of fraud whether its small or big, restatement of past financial statement in order to correct their misstatements, ineffective oversight of controls, and identifying a misstatement on the financial statements. When an auditor determines how bad a deficiency or multiple deficiencies are it's then the auditors job to evaluate the level of assurance that is needed to reasonable assurance that transaction are recorded properly on the financial statements. If the auditor finds that the deficiency could stop officials in conduct of their own affairs because transaction could stop them from reporting correct amounts on their financial statements, then the auditor should say the deficiency is a material weakness or an indicator of one.
In communicating the material weaknesses the auditor should write about the weaknesses to management before the auditor's report is finalized. If the conclusion finds the controls ineffective the board of directors should be notified in writing. Similarly, the significant deficiencies should be communicated to the audit committee and management, but the deficiencies that were reported by others, such as the internal auditors, do not need to be repeated in the writing. Also, the auditor should not say that no deficiencies were found during the audit. In the case of finding fraud or illegal acts the auditor should follow AU sec. 316.
In summing up Auditing Standards No.5 and the top down approach you should clearly understand how to identify controls, significant accounts, and sources of misstatement better. Similarly, you should understand some key differences of a material weakness and a significant deficiency and how they are reported.
