The purpose of this memo is to summarize the top down approach, point the difference between material weakness and significant deficiency, state the written communications between the auditor and the audit committee, and represent the needed elements in the auditing report.
The top-down approach is to breakdown the system, level by level, to analyze the details of basic element. According to AS5, auditors first use the financial statements as the original source and then move to some important accounts for detailed information in order to figure out the reasonable relationship among those accounts and figures and eventually select a control to test.
First, as an auditor, you must have a full picture of the whole organization's internal control. It will give you the original and overview, not detailed, of information on whether the system over financial reporting works effectively or not. Then as the auditor you can revise your testing at the first place.
Different natures or background of entities have different control systems. Some may focus on one specific level and some may not. If an entity doesn't use the specific and effective control, we need to test more control systems and avoid cross affects.
When analyzing the whole entity control, which includes control environment, risk assessment, control activities, information and communication and monitoring, the auditor has to pay attention to some elements such as the control environment, management override and the financial reporting process. As to control environment, the more effective management's philosophy and operating style shows in internal control over financial reporting, the less risk in internal controls; the more top managers show honest and royalty, the more employees present faith to the company; the more responsible audit committee understands, the more confidence in the internal controls. considering financial reporting process is vital to both financial statement and internal control over financial statements, auditor must know the details on how accountants create general ledger or periodically reports(quarterly, semi, annually, annually), what method they use to prepare some entries, such as depreciation expense, accounts receivable, accounts payable and interest payable, whether the subsidiary performance is included and the nature and the changes of the audit committee, the board of directors. After the first step, auditors have the basic, foundation information of the internal controls.
If auditors just look at thoe numbers in the statements, auditors will find nothing but some perfect balanced figures for the organization, which need to be audited, provide the financial statements by itself. The true story, however, is always behind those numbers. So we need move to the second step to find further detail information about whether the organization cooked the books to make some fictitious transactions and revenues.
Second, auditors dig detail accounts information. Since, Internal controls aims to provide a reasonable, not the perfect, assurance for the management, which means it may cause some small misstatements. In order to explain those complicated uncontrollable situation, the company will write down some notes in the financial statements. What auditors need to do is to find whether those particular cases actually happened, released to the public, had related effects to the final results and eventually ended. Also, auditors should point out the total financial statements including the subsidiary's financial statements if the company has one and then make his opinions in a more reasonable basis by considering more different financial conditions. Then auditors evaluate the reasonable relationship between the accounts and evaluate what the related risk it will occur. Whether the account calculated under a reasonable size or volume, represented in a doubtful base, changed former accounting method and accounted properly and accurately are the basic standards for ranking the risk.
Furthermore, auditors not only need to find those common risks but also have an open mind to those potential risks which cause fraud statements. Moreover, different potential risks need different controls in order to work more effectively. In order to obtain better understanding of those potential risks or factors which causes misstatements, auditors should have a clear logic flow of the relationship between those significant important accounts and the related assertions, point the controls which management keep away those misstatements risks and comprehend the whole management process on the basis of controls. Auditors, for the sake of performing more effectively and efficiently in understanding those potential misstatements, usually use walkthrough strategy. They track one random transaction through the entire control systems to find whether it shows in the financial records accurately. Auditors directly face employees and ask them questions about the management process or controls. Employees have more insight about the company, so they sometimes can provide detailed and true current information to the auditors, which will save auditors time in figure out some important but neglected problems. Due to the requirements, auditors can't be both the supervisor and the performer who processes the control.
Last, auditor should choose controls to test. After all the information has collected, auditors will gain an insight view of what accounts or risks is vital to the company and test it. Regard to several related risk controls, the most efficient control which shows the most relevant should be chosen to test, instead of testing all or several of them. Also, test those controls affects auditors opinion.
According to AS5, material weakness, a deficiency or combined deficiencies, is reasonable possible cause misstatement of financial statements without prevented or detected, which is more serious than the significant deficiency in internal control over financial reporting. But auditors can't neglect those significant deficiencies. Auditors use detailed information and assurance as standards to differentiate severity. When a deficiency, or combined deficiencies, affects releasing a reasonable assurance of the transaction, it is treated as material weakness. Otherwise, it is not treated as material weakness. A material weakness includes: define fraud on the basis of CFO's, CEO's and others' who take responsibility in reporting process own opinion or combined opinions; change the former financial statements in order to correct the current misstatements; find undetected misstatement by auditor currently; audit committee ignores the external financial and internal control over financial reporting in vain.
After finishing all the audit work and before issuing the auditor report, audit must communicate audit committee and management through written. The written communication happens between auditor and the audit committee when some significant deficiencies or material misstatements was detected by the auditor or between the auditor and the board of director when the company has inefficient and ineffective in internal or external controls or between auditor and management when auditor found any deficiencies. And auditors don't need to provide an efficient and effective internal control to prevent deficiencies but the auditor committee needs to inform the auditor if he find some deficiencies in its systems. Since the definition between a deficiency and a material weakness are based on auditors' subjective opinions, auditors can't state no deficiencies were detected. Auditors may have access to gain confidential information during auditing, however, they can't use what they obtained to against the company or tell others even what the company does is illegal, except required by the government. In other words, though there is an illegal act but it does not affect internal control over financial report, auditor issues a qualified opinion.
After written communication, auditors must issue a report, which must include write 'independent' in the title of the report, state management should keep maintaining and improving the internal control system, define management's report on internal control, state auditor's opinion, follow the definition of internal control in AS5 A5, state the process of auditing comply with PCAOB standards, state effective internal control over financial reporting in all aspects under the standards of PCAOB, illustrate the process of auditing (understanding, assessing, evaluating, designing and performing), state auditor's opinion on a reasonable base, create an paragraph to state that the controls may be ineffective or the process will be improper in the future or changing conditions, point auditor's opinion based on criteria showing the company use effective internal controls by the given time, write or print auditor's firm, in which city and state(country, if is a non US auditor) issues the report and date of the report.
I will be very glad if you have time to further discuss the AS5 with me.
