|
|
 |
|
Sarbanes Oxley Act -
Auditing Standards |
|
Public
Company Accounting Oversight
Board
Bylaws
and Rules – Standards – AS2
Auditing
Standard No. 2: An Audit of Internal Control
Over Financial Reporting Performed in
Conjunction With an Audit of Financial
Statements
126. The following
examples illustrate how to apply the directions
discussed in this
section:
• Controls over
the period-end financial reporting process. Many
of the
controls over the
period-end financial reporting process address
significant
risks of
misstatement of the accounts and disclosures in
the annual and
quarterly
financial statements, may require significant
judgment to
evaluate their
operating effectiveness, may have a higher
potential for
management
override, and may affect accounts that require a
high level of
judgment or
estimation.
Therefore, the
auditor could determine
that,
based on the
nature of controls over the period-end financial
reporting
process, he or she
would need to perform more of the tests of
those
controls himself
or herself. Further, because of the nature of
the controls,
the auditor should
use the work of others only if the degree of
competence
and objectivity of
the individuals performing the work is high;
therefore, the
auditor might use
the work of internal auditors to some extent but
not the
work of others
within the company.
• Information
technology general controls. Information
technology general
controls are part
of the control activities component of internal
control;
therefore, the
nature of the controls might permit the auditor
to use the
work of others.
For example,
program change controls over
routine
maintenance
changes may have a highly pervasive effect, yet
involve a
low degree of
judgment in evaluating their operating
effectiveness, can be
subjected to
objective testing, and have a low potential for
management
override.
Therefore, the
auditor could determine that, based on the
nature
of these program
change controls, the auditor could use the work
of others
to a moderate
extent so long as the degree of competence and
objectivity
of the individuals
performing the test is at an appropriate level.
On the other hand,
controls to detect attempts to override controls
that prevent
unauthorized
journal entries from being posted may have a
highly
pervasive effect,
may involve a high degree of judgment in
evaluating their
operating
effectiveness, may involve a subjective
evaluation, and may
have a reasonable
possibility for management override.
Therefore, the
auditor could determine that, based on the
nature of these controls
over
systems access, he
or she would need to perform more of the tests
of
those controls
himself or herself. Further, because of the
nature of the
controls, the
auditor should use the work of others only if
the degree of
competence and
objectivity of the individuals performing the
tests is high.
• Management
self-assessment of controls. As described in
paragraph 40,
management may
test the operating effectiveness of controls
using a self
assessment
process. Because such an assessment is made by
the same
personnel who are
responsible for performing the control, the
individuals
performing the
self-assessment do not have sufficient
objectivity as it
relates to the
subject matter. Therefore, the auditor should
not use their
work.
• Controls over
the calculation of depreciation of fixed assets.
Controls over
the calculation of
depreciation of fixed assets are usually not
pervasive,
involve a low
degree of judgment in evaluating their
operating
effectiveness, and
can be subjected to objective testing. If
these
conditions
describe the controls over the calculation of
depreciation of
fixed assets and
if there is a low potential for management
override, the
auditor could
determine that, based on the nature of these
controls, the
auditor could use
the work of others to a large extent (perhaps
entirely) so
long as the degree
of competence and objectivity of the
individuals
performing the
test is at an appropriate
level.
• Alternating
tests of controls. Many of the controls over
accounts payable,
including controls
over cash disbursements, are usually not
pervasive,
involve a low
degree of judgment in evaluating their
operating
effectiveness, can
be subjected to objective testing, and have a
low
potential for
management override. When these conditions
describe the
controls over
accounts payable, the auditor could determine
that, based
on the nature of
these controls, he or she could use the work of
others to a
large extent
(perhaps entirely) so long as the degree of
competence and
objectivity of the
individuals performing the test is at an
appropriate level.
However, if the
company recently implemented a major
information
technology change
that significantly affected controls over
cash
disbursements, the
auditor might decide to use the work of others
to a
lesser extent in
the audit immediately following the information
technology
change and then
return, in subsequent years, to using the work
of others
to a large extent
in this area. As another example, the auditor
might use
the work of others
for testing controls over the depreciation of
fixed assets
(as described in
the point above) for several years' audits but
decide one
year to perform
some extent of the work himself or herself to
gain an
understanding of
these controls beyond that provided by
performing a
walkthrough.
Forming an Opinion on
the Effectiveness of Internal Control Over
Financial
Reporting
127. When forming
an opinion on internal control over financial
reporting, the auditor
should evaluate
all evidence obtained from all sources,
including:
• The adequacy of
the assessment performed by management and
the
results of the
auditor's evaluation of the design and tests of
operating
effectiveness of
controls;
• The negative
results of substantive procedures performed
during the
financial
statement audit (for example, recorded and
unrecorded
adjustments
identified as a result of the performance of the
auditing
procedures);
and
• Any identified
control deficiencies.
128. As part of
this evaluation, the auditor should review all
reports issued during the
year by internal
audit (or similar functions, such as loan review
in a financial institution)
that address
controls related to internal control over
financial reporting and evaluate
any
control
deficiencies identified in those reports. This
review should include
reports
issued by internal
audit as a result of operational audits or
specific reviews of key
processes if those
reports address controls related to internal
control over financial
reporting.
129. Issuing an
Unqualified Opinion. The auditor may issue an
unqualified opinion
only when there
are no identified material weaknesses and when
there have been no
restrictions on
the scope of the auditor's work. The existence
of a material weakness
requires the
auditor to express an adverse opinion on the
effectiveness of internal
control over
financial reporting (See paragraph 175), while a
scope limitation requires
the auditor to
express a qualified opinion or a disclaimer of
opinion, depending on the
significance of
the limitation in scope (See paragraph
178).
130. Evaluating
Deficiencies in Internal Control Over Financial
Reporting. The auditor
must evaluate
identified control deficiencies and determine
whether the deficiencies,
individually or in
combination, are significant deficiencies or
material weaknesses. The
evaluation of the
significance of a deficiency should include both
quantitative and
qualitative
factors.
131. The auditor
should evaluate the significance of a deficiency
in internal control
over financial
reporting initially by determining the
following:
• The likelihood
that a deficiency, or a combination of
deficiencies, could
result in a
misstatement of an account balance or
disclosure; and
• The magnitude of
the potential misstatement resulting from the
deficiency
or
deficiencies.
132. The
significance of a deficiency in internal control
over financial reporting
depends on the
potential for a misstatement, not on whether a
misstatement actually
has
occurred.
133. Several
factors affect the likelihood that a deficiency,
or a combination of
deficiencies,
could result in a misstatement of an account
balance or disclosure. The
factors include,
but are not limited to, the
following:
• The nature of
the financial statement accounts, disclosures,
and
assertions
involved; for example, suspense accounts and
related party
transactions
involve greater risk.
• The
susceptibility of the related assets or
liability to loss or fraud; that
is,
greater
susceptibility increases
risk.
• The
subjectivity, complexity, or extent of judgment
required to determine
the amount
involved; that is, greater subjectivity,
complexity, or judgment,
like that related
to an accounting estimate, increases
risk.
• The cause and
frequency of known or detected exceptions for
the
operating
effectiveness of a control; for example, a
control with an
observed
non-negligible deviation rate is a
deficiency.
• The interaction
or relationship of the control with other
controls; that is, the
interdependence or
redundancy of the control.
• The interaction
of the deficiencies; for example, when
evaluating a
combination of two
or more deficiencies, whether the deficiencies
could
affect the same
financial statement accounts and
assertions.
• The possible
future consequences of the
deficiency.
134. When
evaluating the likelihood that a deficiency or
combination of deficiencies
could result in a
misstatement, the auditor should evaluate how
the controls interact with
other controls.
There are controls, such as information
technology general controls,
on
which other
controls depend. Some controls function together
as a group of controls.
Other controls
overlap, in the sense that these other controls
achieve the same
objective.
|
|
| | |
