The PCAOB wants auditors to use the top down approach while auditing a company's internal controls system which starts off with a general understanding of total risk to internal controls over financial reporting. It allows the auditor to identify entity level controls which include controls over management override, company's risk assessment process, controls associated to the control environment, controls to monitor the operation results, centralized processing and controls, controls to monitor other controls, and controls over period ending and policies that show major practices of business control and risk management. The auditor must decide the levels of risk associated which of these entities and if and where additional testing is needed to allow an effective conclusion on internal controls.
All enittiy level controls differ from client to client and the auditor must understand how they could allow financial statement errors either directly or indirectly by affecting other controls.
* Controls monitor controls - must test effectiveness and if effective they can reduce testing on the controls being monitored by the system.
Control environment is one of the most important controls to internal control over financial reporting and the auditor must assess the style, philosophy, ethics and integrity, of management to determine if their actions are effective over the internal controls. The auditor must also assess if the Board and audit committees understands and takes action of their responsibilities.
In evaluating the period- end financial reporting process which is also very important the auditor should check the inputs, outputs, procedures, who participated, involved locations, and the amount of information technology used in producing the company's financial statements, as well as reviewing the oversight process by management, the board, and the audit committee. To do this the auditors must use procedures on making sure the above were done correctly to reduce risk including entering totals from transactions into the general ledger, evaluating who has authorization to initiate, record journal entries and recurring and nonrecurring adjustments. There also should be procedures on the application of accounting policies and prepping procedures of financial statements and disclosures.
To identify significant disclosures and accounts, the auditor should evaluate the qualitative and quantitative factors of risk and likely sources of misstatement related to the financial statements by asking themselves “what could go wrong?”. Then they must decide what their relevant assertions are to check for misstatement for example completeness, rights and obligations, the presentation and disclosure, existence of the occurrence, and valuation or allocation of transactions. These assertions should be the same throughout the audit of internal controls and financial reporting. Auditors must understand that different controls may be needed for different risks and if the company has more than one location the assertions should come from the consolidated finical statements.
The auditor should personally perform the following or pay close attention to the others who provide direct assistance to the auditor when they are using their judgment to understand how transactions are initiated, authorized, processed, and recorded related to the relevant assertions. This includes identifying areas where a misstatement could be material, and the controls management has created to protect those areas as well as the timely detection of unauthorized use or disposition of company's assets. The best way to accomplish this is to perform frequent walkthroughs and questioning of the employees which requires a combo of surveillance, inquiry, assessment of document and re-performance of controls by following a transaction from its origin through the company's process to the financial statements. The auditor must also consider the risks and effects of information technology on internal controls over financial reporting which is part of the top down approach.
In choosing which controls to examine the auditor should investigate the controls that are the most essential to their conclusion. The decision depends on which controls competently address the risk of misstatement to a certain relevant assertion. They do not need to test redundant controls or all the controls if there are multiple controls that hold risk of misstatement for one relevant assertion.
A deficiency in internal control exists when the controls operation or design doesn't allow employees or management to detect misstatements on a timely basis during their normal course of business. A deficiency can occur in design or operation, a design by either having a missing control or existing one is not properly designed, and by operation when its designed properly but does not operate as designed.
A material weakness is a deficiency or group of deficncies in internal control over financial reporting
There are multiple indicators of material Weakness in internal controls over financial reporting such as finding fraud done by senior management whether material or not, restatement of financial statements previously issued, an auditor finding material misstatement during current period that would not have showed up in company's internal controls, and by poor oversight by the audit committee. The auditor should decide the level of detail to look into deficiencies and extent of assurance needed to claim there is reasonable assurance the transaction follow GAAP and are recorded correctly to prepare the financial statements. If the extent of the deficiencies are too significant then this indicates a material weakness.
It is the auditors job to communicate certain material misstatements and deficiencies to certain groups such as the board, audit committee and management and the communication must all be in writing. For example all material weakness identified by an audit must be told to the audit committee and management before the audit report on internal control over financial reporting is issued. Also if the auditor decides the oversight by the audit committee of external financial reporting and internal controls are ineffective then they must conclude that to the board of Directors. All deficiencies in internal control over financial reporting identified must be reported to management and the auditor must inform the audit committee of that communication as well as all significant deficiencies must also be communicated to the audit committee. The auditor does not need to repeat past deficiencies that have already been communicated unless significant. An auditor does not need to check for nor report deficiencies that do not relate to internal controls and nor should they issue a report stating “no such deficiencies were noted during the audit”. Also if fraud is found while observing internal controls they must conclude their responsibilities under AU sec 316 and 317.
The audit report of internal control over financial reporting must include specific definitions, statements, and writing. The requirements are as follows the title must have the word independent in it, state the findings on managements report on internal controls, and a definition of internal control over financial reporting. The statement that management is in charge of maintaining effective internal controls and testing their effectiveness as well as the auditors statement of opinion on the company's internal controls based on the audit. There must be a statement of the requirements of an auditor by the PCAOB to plan and perform the audit to obtain reasonable assurance in all material respects and the statement that the audit was conducted in accordance to the PCAOB standards. A statement showing the audit assessed risk of a material weakness and their testing and evaluating procedures as well as their understanding of internal controls. The auditor must also state they believe the audit offers a reasonable foundation for their opinion, and their opinion in all material respects of the effectiveness of the company's internal controls and a paragraph on the inherent limitations. Lastly there must be a signature of the audit firm, and the date and location of where and when the audit report was issued.