|
|
 |
|
Sarbanes Oxley Act -
Auditing Standards |
|
Public
Company Accounting Oversight
Board
Bylaws
and Rules – Standards – AS2
Auditing
Standard No. 2: An Audit of Internal Control
Over Financial Reporting Performed in
Conjunction With an Audit of Financial
Statements
Effect of Tests of
Controls on Substantive
Procedures
152.
Regardless of the assessed level of control risk
or the assessed risk of
material
misstatement
in connection with the audit of the financial
statements, the auditor should
perform
substantive procedures for all relevant
assertions related to all
significant
accounts
and disclosures. Performing procedures to
express an opinion on internal
control
over financial reporting does not diminish this
requirement.
153.
The substantive procedures that the auditor
should perform consist of tests
of
details
of transactions and balances and analytical
procedures. Before using the
results
obtained
from substantive analytical procedures, the
auditor should either test the
design
and operating effectiveness of controls over
financial information used in
the
substantive
analytical procedures or perform other
procedures to support the
completeness
and accuracy of the underlying information. For
significant risks of
material
misstatement, it is unlikely that audit evidence
obtained from substantive
analytical
procedures alone will be
sufficient.
154.
When designing substantive analytical
procedures, the auditor also
should
evaluate
the risk of management override of controls. As
part of this process, the
auditor
should evaluate whether such an override might
have allowed adjustments
outside
of the normal period-end financial reporting
process to have been made to
the
financial
statements. Such adjustments might have resulted
in artificial changes to the
financial
statement relationships being analyzed, causing
the auditor to draw erroneous
conclusions.
For this reason, substantive analytical
procedures alone are not well
suited
to detecting fraud.
155.
The auditor's substantive procedures must
include reconciling the
financial
statements
to the accounting records. The auditor's
substantive procedures also
should
include
examining material adjustments made during the
course of preparing the
financial
statements. Also, other auditing standards
require auditors to perform
specific
tests
of details in the financial statement audit. For
instance, AU sec. 316,
Consideration of
Fraud in a Financial Statement
Audit, requires the
auditor to perform
certain
tests of details to further address the risk of
management override, whether or
not
a specific risk of fraud has been identified.
Paragraph .34 of AU Sec. 330,
The
Confirmation
Process, states that there
is a presumption that the auditor will request
the
confirmation
of accounts receivable. Similarly, paragraph .01
of AU Sec. 331,
Inventories, states that
observation of inventories is a generally
accepted auditing
procedure
and that the auditor who issues an opinion
without this procedure "has the
burden
of justifying the opinion
expressed."
156.
If, during the audit of internal control over
financial reporting, the auditor
identifies
a
control deficiency, he or she should determine
the effect on the nature, timing,
and
extent
of substantive procedures to be performed to
reduce the risk of material
misstatement
of the financial statements to an appropriately
low level.
Effect of Substantive
Procedures on the Auditor's Conclusions About
the
Operating
Effectiveness of
Controls
157.
In an audit of internal control over financial
reporting, the auditor should
evaluate
the
effect of the findings of all substantive
auditing procedures performed in the audit
of
financial
statements on the effectiveness of internal
control over financial
reporting.
This
evaluation should include, but not be limited
to:
•
The auditor's risk evaluations in connection
with the selection and
application
of substantive procedures, especially those
related to fraud
(See
paragraph 26);
•
Findings with respect to illegal acts and
related party transactions;
•
Indications of management bias in making
accounting estimates and in
selecting
accounting principles; and
•
Misstatements detected by substantive
procedures. The extent of such
misstatements
might alter the auditor's judgment about the
effectiveness
of
controls.
158.
However, the absence of misstatements detected
by substantive procedures
does
not provide evidence that controls related to
the assertion being tested are
effective.
Documentation
Requirements
159.
In addition to the documentation requirements in
AU sec. 339, Audit
Documentation, the auditor should
document:
•
The understanding obtained and the evaluation of
the design of each of
the
five components of the company's internal
control over financial
reporting;
•
The process used to determine significant
accounts and disclosures and
major
classes of transactions, including the
determination of the locations
or
business units at which to perform
testing;
•
The identification of the points at which
misstatements related to
relevant
financial
statement assertions could occur within
significant accounts and
disclosures
and major classes of
transactions;
•
The extent to which the auditor relied upon work
performed by others as
well
as the auditor's assessment of their competence
and objectivity;
•
The evaluation of any deficiencies noted as a
result of the auditor's
testing;
and
•
Other findings that could result in a
modification to the auditor's
report.
160.
For a company that has effective internal
control over financial reporting,
the
auditor
ordinarily will be able to perform sufficient
testing of controls to be able to
assess
control
risk for all relevant assertions related to
significant accounts and disclosures at
a
low
level. If, however, the auditor assesses control
risk as other than low for
certain
assertions
or significant accounts, the auditor should
document the reasons for that
conclusion.
Examples of when it is appropriate to assess
control risk as other than low
include:
•
When a control over a relevant assertion related
to a significant account or
disclosure
was superseded late in the year and only the new
control was
tested
for operating effectiveness.
•
When a material weakness existed during the
period under audit and was
corrected
by the end of the period.
161.
The auditor also should document the effect of a
conclusion that control risk is
other
than low for any relevant assertions related to
any significant accounts in
connection
with the audit of the financial statements on
his or her opinion on the audit
of
internal
control over financial
reporting.
|
|
| | |
