I am writing to summarize to you some of the new processes of the updated Auditing Standard 5(AS5) released by the Public Company Accounting Oversight Board on June 12, 2007. I will discuss of the top down approach of auditing internal controls, as well as the difference between a material weakness and a significant deficiency as described in AS5.
The top down approach to auditing internal controls begins with the auditor identifying the risks to internal control. As the method is named for, the auditor begins at the top with entity level controls and then works their way down. Entity level controls appear among the work done by the board of directors, top management, and the audit committee. Some of the entity level controls include environmental control, management override, and controls over period end financial reporting. AS5 also states that the nature and precision of entity level controls can vary. Examples of which are, environmental controls have an indirect impact on material misstatements; controls that monitor the effectiveness of other controls; and very precise controls that can adequately detect misstatements. Depending on what level of risk the auditor finds at the entity level control, they may need to increase or decrease the number of tests done to detect material misstatements. As part of this initial step the auditor must assess the overall control environment of the company. In order to do this the auditor must assess not only managements operating style and philosophies to make sure they are conducive to effective and accurate financial reporting system, that ethical values and integrity expectations have been developed and understood, and that the board of directors and the audit committee are aware and committed to their responsibilities to oversee financial reporting and internal controls. The final step in the entity level control assessment is to examine period end financial reporting process. The auditor must evaluate the process from the procedures for entering and recoding transactions and account information into the general ledger, to the procedures used to prepare the quarterly and yearend financial statements and disclosures. In this assessment it is important to note who is preparing or involved in the preparation, where the financial statements are being prepared, the types of adjusting and consolidating entries used, the extent to which information technology systems and used, and confirm the nature and extent of oversight process by board of directors and audit committee.
Second, the auditor must go through and identify the significant account, disclosures, and relevant assertions that should be top priority to exam. The auditor must determine where to look for material misstatements. Relevant assertions are identified as those assertions that have a reasonable possibility of containing misstatement and would therefore cause a material misstatement in the financial statements. Such relevant assertions are occurrence, completeness, evaluation, rights and obligations, and disclosure. Identifying risks in accounts and relative assertions requires both quantitative and qualitative risk factors and might include such things as the following: size of the account, composition of the account, account susceptibility to misstatement due to error or fraud, nature of account, changes in the prior period to account, and accounting or reporting complexities of the account. It is also important to note that some potential accounts might require different controls to manage differing risks.
Next, the auditor must understand the sources that a most likely to provide material misstatements. In order to do this there are certain objectives that the auditor must achieve. The auditor must understand the flow of transactions within the company and segregation of duties, verify the points within the company that the auditor has already identified as potentially risky, and identify what controls and preventions management already has in place. One of the best ways to achieve the objectives is by performing a walkthrough. A walkthrough will allow the auditor to follow a single transaction from its point of origin through the company's processes. The auditor can then understand the processes of significant transactions better, and have the opportunity talk with employees at each step.
Finally, the auditor must decide which controls will be tested, and how many tests are necessary. AS5 states that the auditor should test any controls that are important to the auditor's conclusion about the company's overall control over risk management. It is not necessary for the auditor to test controls that address the same assertion, or controls that are redundant. In fact, many controls can address the same issue. Choosing which controls to test should be based on which controls address the assessed risk of material misstatement.
In addition to the top down approached described by AS5, I will provide the described differences between a material weakness and significant deficiency. A material weakness is defined as a deficiency or combination of deficiencies in internal controls where there is a reasonable possibility that a material misstatement in the company's financial reports that will not be detected. Whereas a significant deficiency is defined as a similar deficiency in internal controls that is, however, less severe than a material weakness but is still important enough to require the attention of the audit committee and any others responsible for overseeing the company's financial reporting.
AS5 provides the following list of indicators of a material weakness: identification of fraud from senior management, restatement of previously issued financial statements to show corrections of material misstatements, material misstatements from the current period identified by the auditor that would not have been otherwise detected by company's internal control, and ineffective oversight by the audit committee of the company's financial reporting.
All material weaknesses and significant deficiencies must be communicated in writing by the auditor. The written report must be provided to the audit committee and to management before the auditor's option is issued. Significant deficiencies should be communicated to management as they are discovered throughout the audit, and the audit committee should be notified when such communication has taken place. Even if no significant deficiencies are found by the auditor, it is important for the auditor not to report that there are no deficiencies as they are not provided strong assurance to support that. Finally, the auditor must mention in the audit report of the existence of material weaknesses in internal controls.
