|
|
 |
|
Sarbanes Oxley Act -
Auditing Standards |
|
Public
Company Accounting Oversight
Board
Bylaws
and Rules – Standards – AS2
Auditing
Standard No. 2: An Audit of Internal Control
Over Financial Reporting Performed in
Conjunction With an Audit of Financial
Statements
135.
Several factors affect the magnitude of the
misstatement that could result from
a
deficiency
or deficiencies in controls. The factors
include, but are not limited to,
the
following:
•
The financial statement amounts or total of
transactions exposed to the
deficiency.
•
The volume of activity in the account balance or
class of transactions
exposed
to the deficiency that has occurred in the
current period or that is
expected
in future periods.
136.
In evaluating the magnitude of the potential
misstatement, the auditor
should
recognize
that the maximum amount that an account balance
or total of transactions
can
be overstated is generally the recorded amount.
However, the recorded amount is
not
a limitation on the amount of potential
understatement. The auditor also
should
recognize
that the risk of misstatement might be different
for the maximum possible
misstatement
than for lesser possible
amounts.
137.
When evaluating the significance of a deficiency
in internal control over
financial
reporting,
the auditor also should determine the level of
detail and degree of assurance
that
would satisfy prudent officials in the conduct
of their own affairs that they
have
reasonable
assurance that transactions are recorded as
necessary to permit the
preparation
of financial statements in conformity with
generally accepted accounting
principles.
If
the auditor determines that the deficiency would
prevent prudent officials
in
the conduct of their own affairs from concluding
that they have reasonable
assurance,17/
then the auditor should deem the deficiency to
be at least a significant
deficiency.
Having determined in this manner that a
deficiency represents a
significant
deficiency,
the auditor must further evaluate the deficiency
to determine whether
individually,
or in combination with other deficiencies, the
deficiency is a material
weakness.
Note:
Paragraphs 9 and 10 provide the definitions of
significant deficiency and
material
weakness, respectively.
17/
See SEC Staff Accounting Bulletin Topic 1M2,
Immaterial Misstatements
That Are
Intentional, for further
discussion about the level of detail and degree
of
assurance
that would satisfy prudent officials in the
conduct of their own
affairs.
138.
Inadequate documentation of the design of
controls and the absence of
sufficient
documented
evidence to support management's assessment of
the operating
effectiveness
of internal control over financial reporting are
control deficiencies. As with
other
control deficiencies, the auditor should
evaluate these deficiencies as to
their
significance.
139.
The interaction of qualitative considerations
that affect internal control
over
financial
reporting with quantitative considerations
ordinarily results in deficiencies in
the
following
areas being at least significant deficiencies in
internal control over financial
reporting:
•
Controls over the selection and application of
accounting policies that are
in
conformity with generally accepted accounting
principles;
•
Antifraud programs and
controls;
•
Controls over non-routine and non-systematic
transactions; and
•
Controls over the period-end financial reporting
process, including controls
over
procedures used to enter transaction totals into
the general ledger;
initiate,
authorize, record, and process journal entries
into the general
ledger;
and record recurring and nonrecurring
adjustments to the financial
statements
140.
Each of the following circumstances should be
regarded as at least a
significant
deficiency
and as a strong indicator that a material
weakness in internal control
over
financial
reporting exists:
•
Restatement of previously issued financial
statements to reflect the
correction
of a misstatement.
Note:
The correction of a misstatement includes
misstatements due to
error
or fraud; it does not include restatements to
reflect a change in
accounting
principle to comply with a new accounting
principle or a
voluntary
change from one generally accepted accounting
principle to
another
generally accepted accounting
principle.
•
Identification by the auditor of a material
misstatement in financial
statements
in the current period that was not initially
identified by the
company's
internal control over financial reporting. (This
is a strong
indicator
of a material weakness even if management
subsequently
corrects
the misstatement.)
•
Oversight of the company's external financial
reporting and internal control
over
financial reporting by the company's audit
committee is ineffective.
(Paragraphs
55 through 59 present factors to evaluate when
determining
whether
the audit committee is
ineffective.)
•
The internal audit function or the risk
assessment function is ineffective
at
a
company for which such a function needs to be
effective for the
company
to have an effective monitoring or risk
assessment component,
such
as for very large or highly complex
companies.
Note:
The evaluation of the internal audit or risk
assessment functions is
similar
to the evaluation of the audit committee, as
described in
paragraphs
55 through 59, that is, the evaluation is made
within the
context
of the monitoring and risk assessment
components. The auditor is
not
required to make a separate evaluation of the
effectiveness and
performance
of these functions. Instead, the auditor should
base his or
her
evaluation on evidence obtained as part of
evaluating the monitoring
and
risk assessment components of internal control
over financial
reporting.
•
For complex entities in highly regulated
industries, an ineffective
regulatory
compliance function. This relates solely to
those aspects of the
ineffective
regulatory compliance function in which
associated violations of
laws
and regulations could have a material effect on
the reliability of
financial
reporting.
•
Identification of fraud of any magnitude on the
part of senior management.
Note:
The auditor is required to plan and perform
procedures to obtain
reasonable
assurance that material misstatement caused by
fraud is
detected
by the auditor. However, for the purposes of
evaluating and
reporting
deficiencies in internal control over financial
reporting, the
auditor
should evaluate fraud of any magnitude
(including fraud resulting
in
immaterial misstatements) on the part of senior
management of which
he
or she is aware.
Furthermore,
for the purposes of this
circumstance,
"senior
management" includes the principal executive and
financial
officers
signing the company's certifications as required
under Section 302
of
the Act as well as any other member of
management who play a
significant
role in the company's financial reporting
process.
•
Significant deficiencies that have been
communicated to management and
the
audit committee remain uncorrected after some
reasonable period of
time.
•
An ineffective control
environment.
141.
Appendix D provides examples of significant
deficiencies and material
weaknesses.
|
|
| | |
