An audit of internal control begins by using a top-down approach. The top down approach starts with a companies financial statements, and the auditor gaining understanding of the risks related to internal control over financial reporting. Once the auditor has this background knowledge the next step is to look at entity-level controls and move downward to significant accounts, disclosures, and assertions that may indicate a material misstatement in the financial statements and disclosures. Once this is completed the auditor then confirms their understanding of the company and the risk associated with its processes. Lastly the auditor chooses which controls to test.
Its is the auditor’s responsibility to test entity-level controls that are relevant to the auditor’s final opinion on effectiveness of the company’s internal controls. The evaluation of these controls determines how intensely they are tested.
There are three different types of entity-level controls, which differ in their relationship and importance. The first type of entity-level control is one that controls the environment. This type of control is indirectly related to the likelihood that a misstatement would be detected or prevented in a timely manner. This type of control may also have an affect on the other controls the auditor chooses to test.
Controls that monitor the effectiveness of the other controls is the second type of control. These controls are structured to identify breakdowns in lower level controls. By themselves these controls do not adequately assess risk of misstatements. If these controls are working properly they may allow the auditor to cut down on the amount of testing done to other controls.
The third level of entity controls is designed to adequately prevent or detect misstatements on a timely basis. If these controls are effectively in place and working properly the auditor doesn’t need to test any other controls relating to that particular risk.
Entity-level controls consist of controls related to the control environment: the auditor must determine if management’s philosophy and operating style create an effective internal control over financial reporting, if integrity and ethical values are present, and if the Board or audit committee understands and participates in oversight responsibilities over financial reporting and internal controls.
Also included in entity-level controls are controls over: management override abilities, the company’s risk assessment, and monitoring results of the company’s operations. There are also controls in place over: internal audit activities, the audit committee, and self-assessment programs.
Lastly entity-level controls include controls over the process of period-end financial reporting and policies that address significant business controls and risk management practices. Due to the direct relation of the process of period-end financial reporting, and what the company reports the auditor must assess this entity-level control carefully. This process is made up of the procedures that: enter transaction totals into the general ledger; determine the selection and application of accounting polices; initiate, authorize, record and process journal entries into the general ledger; are used to make normal and abnormal adjustments to quarter and yearly financial statements; and prepare annual and quarterly financial statements and disclosures.
In order to properly assess this section of entity-controls and auditor should evaluate inputs, procedures performed, and outputs that the company has used to create their annual and quarter financial statements. The auditor should also evaluate the involvement of IT in the period-end financial reporting process, along with the individuals from management who are directly involved. Locations related to period-end financial reporting, types of adjusting and consolidating entries, and the nature and extent of oversight by managers, the board of directors and the audit committee, should also be evaluated by the auditor to determine the strength of the controls.
Auditors should also identify important accounts, disclosures, and relevant assertions that have a good possibility of containing a material misstatement. The financial statement assertions and auditor should identify are: existence, occurrence, completeness, valuation, allocation, rights and obligations, and Presentation and disclosure.
In order to identify important accounts, disclosures and assertions an auditor should evaluate the risk factors related to line items on financial statement and included disclosures. Risk factors are: size and composition; likelihood of misstatement because of errors or fraud; volume of activity, complexity, or uniformity of individual transactions; nature of the account or disclosure, complexity of the account or disclosure, exposure to loss in the account, likelihood of material liabilities due to activities in the account or a disclosure; related party transactions in a account; and changes in the account or disclosures from the previous period.
Along with understanding the risk factors associated with financial statement line items auditors should also aim for these objectives: understand the flow of a company’s transactions, how they are initiated, authorized, processed, and recorded; identify areas in the company’s processes where material misstatement is most likely; identify controls management has in place to prevent material misstatement; and identify controls over prevention and detection of unauthorized possession, use and disposal of the company’s assets with a potential result of causing a material misstatement on the financial statements.
While performing these activities it is important that the auditor stay independent of management. It is also important that the auditor understand how IT affects the company’s transactions, and the risk associated with it. These activities may be best understood while performing walkthroughs and interacting and asking questions of personnel.
After the auditor has completed all the steps and understands the company’s operations and high-risk areas, they must select which controls to test. This can be done my selecting controls that are important to the auditors opinion about the sufficiently of the controls in place to address the risk of material misstatement. There may be multiple controls that pertain to a risk, or one control may address multiple risks. It is not necessary to test all or redundant controls. The decision of which controls to test depends on how well the risk of misstatement can be tested.
A material weakness is a deficiency, or combination of deficiencies in internal control over a company’s financial reporting to the extent that it is “reasonably possible ” or “Probable” that a material misstatement will not be detected or prevented. A material weakness could result in misstated annual or quarterly financial statements. The difference between material weakness and significant deficiency is that a material weakness is more severe than a significant deficiency. A significant deficiency is important enough to pay attention to by those who over see the company’s financial reporting, but is not as likely to result in a material misstatement.
Indicators of material weakness over financial reporting are: the identification of fraud, material or not, committed by senior management; a restatement of recently issued financial statement to correct a material misstatement; identification of material misstatement of financial statement in the current period by the auditor, which would likely not have been detected by the company’s internal controls; ineffective oversight by the audit committee of the company’s external reporting and internal controls.
While examining the severity of one or many deficiencies the auditor should decide on a level of assurance that would ensure transactions are recorded as needed to prepare the financial statements in accordance with GAAP. If the auditor determines that the deficiency or deficiencies causes a lack of reasonable assurance that the financial statements can be in accordance with GAAP, then the auditor should treat it as an indicator of material weakness.
Once a thorough audit has been completed the findings of all material weaknesses found during the audit must be communicated in writing to the management and audit committee. This communication should be made before to the auditors report on internal control over financial reporting. If the conclusion of the audit includes that the oversight of the company’s internal control over financial reporting and financial reporting is ineffective it must be communicated to the board of directors in a written report. At this time the auditor should also communicate any significant deficiencies to the audit committee in writing.
Management should also receive a written report at the conclusion of the audit indicating any internal control weakness over financial reporting. This report should be made known to the audit committee at the time of issuance.
It is also important that when reporting their finding, the auditor doesn’t issue a report indicating that no deficiencies or weaknesses were noted during the audit due to the fact that not all controls were tested for material weaknesses.
Communicating the findings of an audit and reporting them differ, because an audit report has required elements that are not present in the communication of the findings. The auditors report on internal control must include these elements: a title that has the word independent; a statement about managements responsibilities for maintaining effective internal control over financial reporting; an identification of managements report on internal control; the auditors responsibility to give an opinion on the company’s internal control over financial statements based on the audit; and a definition of internal control. The audit report must also include the statements with the following elements: the audit was conducted in accordance with the PCAOB; the standards of the PCAOB require the auditor plan and perform the audit with reasonable assurance of effective internal control in all material respects; that an audit includes obtaining and understanding internal control, assessing the risk that a material weakness exist, testing and evaluating internal control based upon likely risk, and performing other procedures the auditor considered needed in the circumstances; the belief the auditor has that the audit provides a basis for their opinion; that internal control may not prevent or detect material misstatement, and that future periods are subject to risk due to changing conditions. The audit report should also include the auditor’s opinion of effective internal control in all material respects as of the specified date, based on control criteria. Along with a manual or printed signature of the auditor’s firm, city, state, and date of the audit report.