|
Public
Company Accounting Oversight
Board
Bylaws and Rules – Standards – AS2
Auditing Standard No. 2: An Audit of Internal
Control Over Financial Reporting Performed in
Conjunction With an Audit of Financial
Statements
52. Identifying
Company-Level Controls. Controls that
exist at the company-level
often have a pervasive impact on controls at
the process, transaction, or application
level. For that reason, as a practical
consideration, it may be appropriate for the
auditor
to test and evaluate the design effectiveness
of company-level controls first, because
the results of that work might affect the way
the auditor evaluates the other aspects of
internal control over financial reporting.
53. Company-level controls are controls such
as the following:
• Controls within the control environment,
including tone at the top, the
assignment of authority and responsibility,
consistent policies and
procedures, and company-wide programs, such as
codes of conduct and
fraud prevention, that apply to all locations
and business units (See
paragraphs 113 through 115 for further
discussion);
• Management's risk assessment process;
• Centralized processing and controls,
including shared service environments;
• Controls to monitor results of operations;
• Controls to monitor other controls,
including activities of the internal audit
function, the audit committee, and
self-assessment programs;
• The period-end financial reporting process;
and
• Board-approved policies that address
significant business control and risk
management practices.
Note: The controls listed above are not
intended to be a complete list of
company-level controls nor is a company
required to have all the controls in the
list to support its assessment of effective
company-level controls. However,
ineffective company-level controls are a
deficiency that will affect the scope of
work performed, particularly when a company
has multiple locations or business
units, as described in Appendix B.
54. Testing company-level controls alone is
not sufficient for the purpose of
expressing an opinion on the effectiveness of
a company's internal control over financial
reporting.
55.
Evaluating the Effectiveness of the Audit
Committee's Oversight of the
Company's
External Financial Reporting and Internal
Control Over Financial Reporting.
The company's audit committee plays an
important role within the control environment
and monitoring components of internal control
over financial reporting. Within the
control environment, the existence of an
effective audit committee helps to set a
positive
tone at the top. Within the monitoring
component, an effective audit committee
challenges the company's activities in the
financial arena.
Note: Although the audit committee plays an
important role within the control
environment and monitoring components of
internal control over financial
reporting, management is responsible for
maintaining effective internal control
over financial reporting. This standard does
not suggest that this responsibility
has been transferred to the audit committee.
Note: If no such committee exists with respect
to the company, all references to
the audit committee in this standard apply to
the entire board of directors of the
company. (8) The auditor should be aware that
companies whose securities are
not listed on a national securities exchange
or an automated inter-dealer
quotation system of a national securities
association (such as the New York
Stock Exchange, American Stock Exchange, or
NASDAQ) may not be required
to have independent directors for their audit
committees.
In this case, the auditor should not consider
the lack of independent directors at these
companies indicative, by itself, of a control
deficiency. Likewise, the independence
requirements of Securities Exchange Act Rule
10A-3 (9) are not applicable to the
listing of non-equity securities of a
consolidated or at least 50 percent
beneficially
owned subsidiary of a listed issuer that is
subject to the requirements of
Securities Exchange Act Rule 10A-3(c)(2). (10)
Therefore, the auditor should interpret
references to the audit committee in this
standard,
as applied to a subsidiary registrant, as
being consistent with the provisions of
Securities
Exchange Act Rule 10A-3(c)(2). (11)
Furthermore, for subsidiary registrants,
communications required by this standard to be
directed to the audit committee should be made
to the same committee or equivalent body
that pre-approves the retention of the auditor
by or on behalf of the subsidiary registrant
pursuant
to Rule 2-01(c)(7) of Regulation S-X (12)
(which might be, for example, the audit
committee of the subsidiary registrant, the
full board of the subsidiary registrant,
or the audit committee of the subsidiary
registrant's parent).
In all cases, the auditor should interpret the
terms "board of directors" and "audit
committee"
in this standard as being consistent with
provisions for the use of those terms as
defined in relevant SEC rules.
(8) See 15 U.S.C. 78c(a)58 and 15 U.S.C.
7201(a)(3).
(9) See 17 C.F.R. 240.10A-3.
(10) See 17 C.F.R. 240.10A-3(c)(2).
(11) See 17 C.F.R. 240.10A-3(c)(2).
(12) See 17 C.F.R. 210.2-01(c)(7).
56. The company's board of directors is
responsible for evaluating the performance
and effectiveness of the audit committee; this
standard does not suggest that the
auditor is responsible for performing a
separate and distinct evaluation of the audit
committee. However, because of the role of the
audit committee within the control
environment and monitoring components of
internal control over financial reporting, the
auditor should assess the effectiveness of the
audit committee as part of understanding
and evaluating those components.
57. The aspects of the audit committee's
effectiveness that are important may vary
considerably with the circumstances. The
auditor focuses on factors related to the
effectiveness of the audit committee's
oversight of the company's external financial
reporting and internal control over financial
reporting, such as the independence of the
audit committee members from management and
the clarity with which the audit
committee's responsibilities are articulated
(for example, in the audit committee's
charter) and how well the audit committee and
management understand those
responsibilities.
The auditor might also consider the audit
committee's involvement and
interaction with the independent auditor and
with internal auditors, as well as interaction
with key members of financial management,
including the chief financial officer and
chief accounting officer.
58. The auditor might also evaluate whether
the right questions are raised and
pursued with management and the auditor,
including questions that indicate an
understanding of the critical accounting
policies and judgmental accounting estimates,
and the responsiveness to issues raised by the
auditor.
59. Ineffective oversight by the audit
committee of the company's external financial
reporting and internal control over financial
reporting should be regarded as at least a
significant deficiency and is a strong
indicator that a material weakness in internal
control over financial reporting exists.
60. Identifying Significant Accounts. The
auditor should identify significant accounts
and disclosures, first at the
financial-statement level and then at the
account or
disclosure-component level. Determining
specific controls to test begins by
identifying
significant accounts and disclosures within
the financial statements. When identifying
significant accounts, the auditor should
evaluate both quantitative and qualitative
factors.
61. An account is significant if there is more
than a remote likelihood that the account
could contain misstatements that individually,
or when aggregated with others, could
have a material effect on the financial
statements, considering the risks of both
overstatement and understatement. Other
accounts may be significant on a qualitative
basis based on the expectations of a
reasonable user. For example, investors might
be
interested in a particular financial statement
account even though it is not quantitatively
large because it represents an important
performance measure.
Note: For purposes of determining significant
accounts, the assessment as to
likelihood should be made without giving any
consideration to the effectiveness
of internal control over financial reporting.
62. Components of an account balance subject
to differing risks (inherent and
control) or different controls should be
considered separately as potential significant
accounts. For instance, inventory accounts
often consist of raw materials (purchasing
process), work in process (manufacturing
process), finished goods (distribution
process), and an allowance for obsolescence.
63. In some cases, separate components of an
account might be a significant
account because of the company's
organizational structure. For example, for a
company that has a number of separate business
units, each with different
management and accounting processes, the
accounts at each separate business unit
are considered individually as potential
significant accounts.
|
