|
 |
|
Sarbanes Oxley Act -
Auditing Standards |
|
Public
Company Accounting Oversight
Board
Bylaws
and Rules – Standards – AS2
Auditing
Standard No. 2: An Audit of Internal Control
Over Financial Reporting Performed in
Conjunction With an Audit of Financial
Statements
APPENDIX
B
Additional
Performance Requirements and
Directions;
Extent-of-Testing
Examples
Tests to be Performed
When a Company Has
Multiple
Locations or Business
Units
B1.
To determine the locations or business units for
performing audit procedures,
the
auditor
should evaluate their relative financial
significance and the risk of
material
misstatement
arising from them. In making this evaluation,
the auditor should identify
the
locations or business units that are
individually important, evaluate
their
documentation
of controls, and test controls over significant
accounts and disclosures.
For
locations or business units that contain
specific risks that, by themselves,
could
create
a material misstatement, the auditor should
evaluate their documentation of
controls
and test controls over the specific
risks.
B2.
The auditor should determine the other locations
or business units that, when
aggregated,
represent a group with a level of financial
significance that could create
a
material
misstatement in the financial statements. For
that group, the auditor should
determine
whether there are company-level controls in
place. If so, the auditor
should
evaluate
the documentation and test such company-level
controls. If not, the auditor
should
perform tests of controls at some of the
locations or business units.
B3.
No further work is necessary on the remaining
locations or businesses,
provided
that
they are not able to create, either individually
or in the aggregate, a material
misstatement
in the financial statements.
Locations or Business
Units That Are Financially
Significant
B4.
Because of the importance of financially
significant locations or business
units,
the
auditor should evaluate management's
documentation of and perform tests
of
controls
over all relevant assertions related to
significant accounts and disclosures
at
each
financially significant location or business
unit, as discussed in paragraphs
83
through
105. Generally, a relatively small number of
locations or business units
will
encompass
a large portion of a company's operations and
financial position, making
them
financially significant.
B5.
In determining the nature, timing, and extent of
testing at the individual
locations
or
business units, the auditor should evaluate each
entity's involvement, if any, with
a
central
processing or shared service
environment.
Locations or Business
Units That Involve Specific
Risks
B6.
Although a location or business unit might not
be individually financially
significant,
it might present specific risks that, by
themselves, could create a
material
misstatement
in the company's financial statements. The
auditor should test the
controls
over the specific risks that could create a
material misstatement in the
company's
financial statements. The auditor need not test
controls over all relevant
assertions
related to all significant accounts at these
locations or business units.
For
example,
a business unit responsible for foreign exchange
trading could expose the
company
to the risk of material misstatement, even
though the relative financial
significance
of such transactions is low.
Locations or Business
Units That Are Significant Only When Aggregated
with
Other Locations and
Business Units
B7.
In determining the nature, timing, and extent of
testing, the auditor should
determine
whether management has documented and placed in
operation companylevel
controls
(See paragraph 53) over individually unimportant
locations and business
units
that, when aggregated with other locations or
business units, might have a
high
level
of financial significance. A high level of
financial significance could create
a
greater
than remote risk of material misstatement of the
financial statements.
B8.
For the purposes of this evaluation,
company-level controls are
controls
management
has in place to provide assurance that
appropriate controls exist
throughout
the organization, including at individual
locations or business units.
B9.
The auditor should perform tests of
company-level controls to determine
whether
such
controls are operating effectively. The auditor
might conclude that he or she
cannot
evaluate the operating effectiveness of such
controls without visiting some or
all
of
the locations or business
units.
B10.
If management does not have company-level
controls operating at these
locations
and business units, the auditor should determine
the nature, timing, and extent
of
procedures to be performed at each location,
business unit, or combination
of
locations
and business units. When determining the
locations or business units to
visit
and
the controls to test, the auditor should
evaluate the following factors:
•
The relative financial significance of each
location or business unit.
•
The risk of material misstatement arising from
each location or business unit.
•
The similarity of business operations and
internal control over financial
reporting
at
the various locations or business
units.
•
The degree of centralization of processes and
financial reporting
applications.
•
The effectiveness of the control environment,
particularly management's
direct
control
over the exercise of authority delegated to
others and its ability to
effectively
supervise activities at the various locations or
business units. An
ineffective
control environment over the locations or
business units might
constitute
a material weakness.
•
The nature and amount of transactions executed
and related assets at the
various
locations or business units.
•
The potential for material unrecognized
obligations to exist at a location
or
business
unit and the degree to which the location or
business unit could create
an
obligation on the part of the
company.
•
Management's risk assessment process and
analysis for excluding a location
or
business
unit from its assessment of internal control
over financial reporting.
B11.
Testing company-level controls is not a
substitute for the auditor's testing
of
controls
over a large portion of the company's operations
or financial position. If the
auditor
cannot test a large portion of the company's
operations and financial position
by
selecting
a relatively small number of locations or
business units, he or she
should
expand
the number of locations or business units
selected to evaluate internal
control
over
financial reporting.
Note:
The evaluation of whether controls over a large
portion of the company's
operations
or financial position have been tested should be
made at the overall
level,
not at the individual significant account
level.
|
|
| | |
