Public Company Accounting Oversight Board
Bylaws and Rules – Standards – AS2
Auditing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements
42. Management's Documentation. When determining whether management's documentation provides reasonable support for its assessment, the auditor should evaluate whether such documentation includes the following:
• The design of controls over all relevant assertions related to all significant accounts and disclosures in the financial statements. The documentation should include the five components of internal control over financial reporting as discussed in paragraph 49, including the control environment and company-level controls as described in paragraph 53;
• Information about how significant transactions are initiated, authorized, recorded, processed and reported;
• Sufficient information about the flow of transactions to identify the points at which material misstatements due to error or fraud could occur;
• Controls designed to prevent or detect fraud, including who performs the controls and the related segregation of duties;
• Controls over the period-end financial reporting process;
• Controls over safeguarding of assets (See paragraphs C1 through C6); and
• The results of management's testing and evaluation.
43. Documentation might take many forms, such as paper, electronic files, or other media, and can include a variety of information, including policy manuals, process models, flowcharts, job descriptions, documents, and forms. The form and extent of documentation will vary depending on the size, nature, and complexity of the company.
44. Documentation of the design of controls over relevant assertions related to significant accounts and disclosures is evidence that controls related to management's assessment of the effectiveness of internal control over financial reporting, including changes to those controls, have been identified, are capable of being communicated to those responsible for their performance, and are capable of being monitored by the company. Such documentation also provides the foundation for appropriate communication concerning responsibilities for performing controls and for the company's evaluation of and monitoring of the effective operation of controls.
45. Inadequate documentation of the design of controls over relevant assertions related to significant accounts and disclosures is a deficiency in the company's internal control over financial reporting. As discussed in paragraph 138, the auditor should evaluate this documentation deficiency. The auditor might conclude that the deficiency is only a deficiency, or that the deficiency represents a significant deficiency or a material weakness. In evaluating the deficiency as to its significance, the auditor should determine whether management can demonstrate the monitoring component of internal control over financial reporting.
46. Inadequate documentation also could cause the auditor to conclude that there is a limitation on the scope of the engagement.
Obtaining an Understanding of Internal Control Over Financial Reporting
47. The auditor should obtain an understanding of the design of specific controls by applying procedures that include:
• Making inquiries of appropriate management, supervisory, and staff personnel;
• Inspecting company documents;
• Observing the application of specific controls; and
• Tracing transactions through the information system relevant to financial reporting.
48. The auditor could also apply additional procedures to obtain an understanding of the design of specific controls.
49. The auditor must obtain an understanding of the design of controls related to each component of internal control over financial reporting, as discussed below.
• Control Environment. Because of the pervasive effect of the control environment on the reliability of financial reporting, the auditor's preliminary judgment about its effectiveness often influences the nature, timing, and extent of the tests of operating effectiveness considered necessary. Weaknesses in the control environment should cause the auditor to alter the nature, timing, or extent of tests of operating effectiveness that otherwise should have been performed in the absence of the weaknesses.
• Risk Assessment. When obtaining an understanding of the company's risk assessment process, the auditor should evaluate whether management has identified the risks of material misstatement in the significant accounts and disclosures and related assertions of the financial statements and has implemented controls to prevent or detect errors or fraud that could result in material misstatements. For example, the risk assessment process should address how management considers the possibility of unrecorded transactions or identifies and analyzes significant estimates recorded in the financial statements. Risks relevant to reliable financial reporting also relate to specific events or transactions.
• Control Activities. The auditor's understanding of control activities relates to the controls that management has implemented to prevent or detect errors or fraud that could result in material misstatement in the accounts and disclosures and related assertions of the financial statements. For the purposes of evaluating the effectiveness of internal control over financial reporting, the auditor's understanding of control activities encompasses a broader range of accounts and disclosures than what is normally obtained for the financial statement audit.
• Information and Communication. The auditor's understanding of management's information and communication involves understanding the same systems and processes that he or she addresses in an audit of financial statements. In addition, this understanding includes a greater emphasis on comprehending the safeguarding controls and the processes for authorization of transactions and the maintenance of records, as well as the period-end financial reporting process (discussed further beginning at paragraph 76).
• Monitoring. The auditor's understanding of management's monitoring of controls extends to and includes its monitoring of all controls, including control activities, which management has identified and designed to prevent or detect material misstatement in the accounts and disclosures and related assertions of the financial statements.
50. Some controls (such as company-level controls, described in paragraph 53) might have a pervasive effect on the achievement of many overall objectives of the control criteria. For example, information technology general controls over program development, program changes, computer operations, and access to programs and data help ensure that specific controls over the processing of transactions are operating effectively. In contrast, other controls are designed to achieve specific objectives of the control criteria. For example, management generally establishes specific controls, such as accounting for all shipping documents, to ensure that all valid sales are recorded.
51. The auditor should focus on combinations of controls, in addition to specific controls in isolation, in assessing whether the objectives of the control criteria have been achieved. The absence or inadequacy of a specific control designed to achieve the objectives of a specific criterion might not be a deficiency if other controls specifically address the same criterion. Further, when one or more controls achieve the objectives of a specific criterion, the auditor might not need to evaluate other controls designed to achieve those same objectives.