Auditing Standard number 5, as outlined by the Public Company Accounting Oversight Board, creates guidelines regarding the manner in which an auditor should approach an audit of a company’s management’s assessment of that company’s internal controls over financial reporting, as well as an audit of that company’s financial statements. Of particular note are the Standard’s outlines of the top-down approach in which an auditor is expected to work his or her way down in testing controls from the most broad level to the most specific, and the Standard’s definitions of material weaknesses and significant deficiencies. Understanding these concepts is key to understanding the Standard, and thus, essential in performing audits on internal controls over financial reporting and on financial statements.
Using a top down approach to choose which controls to test regarding an audit of internal control over financial reporting calls for the auditor to begin with the most broad controls, and make his or her way down to the most detailed and specific controls. It is important for the auditor to test these internal controls, as many companies may attempt to ignore certain regulations, or in some cases, not correctly understand or employ them. Internal controls on the financial statement level are the first to undergo scrutiny, followed by entity-level controls, and then significant accounts and disclosures as well as their relevant assertions. The top down approach is utilized to allow for the auditor’s focus on potential mistreatments of accounts disclosures, and assertions.
The top down approach begins with examining the financial statement level, understanding the risks to internal control over financial reporting, and evaluating whether these controls are satisfactory. Once the controls on the financial statement level are tested, the auditor may move to identify and examine entity-level controls. Entity level controls are narrower and more complex than controls on the financial statement level, and include a number of different controls such as controls over management override, risk assessment processes, and controls over financial reporting processes, among others. The auditor must scrutinize the procedures used for each entity level control and determine whether there may be issues with these control procedures. For example, the auditor must examine the procedures used by the company to produce its annual and quarterly financial statements.
After an auditor scrutinizes the internal controls on the entity level, he or she should switch focus to significant accounts and their disclosures, as well as their relevant assertions, which include any assertions made by the company’s management that have a reasonable possibility of having a misstatement that may cause a material misstatement in the company’s financial statements. The auditor is expected to identify the relevant accounts, and then assess the risk factors connected with these accounts. A good deal of the identification process involves the auditor’s understanding of what could cause potential misstatements. As such, the auditor is expected to perform walkthroughs, in which he or she closely follows a particular transaction through the company’s complete process. Walkthroughs are also suggested to be performed in combination with other methods of scrutiny, such as observation and questioning during their process. In selecting which controls to test, it is important for the auditor to consider which ones will have a potential risk of misstatement, and have a significant effect on the auditor’s conclusion of such.
Material Weakness vs. Significant Deficiency
In understanding the difference between a material weakness and a significant deficiency, it is important to first understand what a deficiency is. Deficiencies can exist in both design and operation, and they disallow employees from preventing, or in some cases, identifying financial misstatements. Material weaknesses exist when there is a reasonable possibility that a misstatement will occur as a result of one or more deficiencies. A significant deficiency, although less severe than a material weakness, occurs when a deficiency in internal control over financial reporting is worth looking at as a potential cause of future misstatement.
There are many indicators of material weakness outlined by the Standard that help to serve an auditor in identifying such weaknesses. These indicators include the identification of fraud practices by senior management, restatements of financial statements that appear to correct misstatement, misstatement of current financial statements, and ineffective oversight of internal controls by the company’s audit committee.
In addition, the auditor is expected to take steps in reporting material weaknesses as well as significant deficiencies in a company’s internal controls over financial reporting. Both material weaknesses and significant deficiencies must be communicated to the audit committee in writing; however, while all material weaknesses must be identified, the auditor is not obligated to report any significant deficiencies that he or she is not aware of. Moreover, both material weaknesses and significant deficiencies must be reported to management of the company being audited, with less importance given to significant deficiencies than to material weaknesses in the write-up.
The guidelines created by Auditing Standard number 5 help to establish a standard by which auditors must abide, and helps them through the process of auditing a company’s internal controls over financial reporting and that company’s financial statements. The top down approach creates a systematic process by which auditors can zero in on potential mistreatments of accounts disclosures, and assertions. Understanding material weaknesses and significant deficiencies is imperative in the process of identifying and reporting such mistreatments and misstatements.