Auditing Standards

Public Company Accounting Oversight Board

Auditing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements

42. Management’s Documentation. When determining whether management’s
documentation provides reasonable support for its assessment, the auditor should
evaluate whether such documentation includes the following:
 
• The design of controls over all relevant assertions related to all significant
accounts and disclosures in the financial statements. The documentation
should include the five components of internal control over financial
reporting as discussed in paragraph 49, including the control environment
and company-level controls as described in paragraph 53;
 
• Information about how significant transactions are initiated, authorized,
recorded, processed and reported;
 
• Sufficient information about the flow of transactions to identify the points at
which material misstatements due to error or fraud could occur;
 
• Controls designed to prevent or detect fraud, including who performs the
controls and the related segregation of duties;
 
• Controls over the period-end financial reporting process;

• Controls over safeguarding of assets (See paragraphs C1 through C6); and
 
• The results of management’s testing and evaluation.
 
43. Documentation might take many forms, such as paper, electronic files, or other
media, and can include a variety of information, including policy manuals, process
models, flowcharts, job descriptions, documents, and forms. The form and extent of
documentation will vary depending on the size, nature, and complexity of the company.
 
44. Documentation of the design of controls over relevant assertions related to
significant accounts and disclosures is evidence that controls related to management’s
assessment of the effectiveness of internal control over financial reporting, including
changes to those controls, have been identified, are capable of being communicated to
those responsible for their performance, and are capable of being monitored by the
company. Such documentation also provides the foundation for appropriate
communication concerning responsibilities for performing controls and for the
company’s evaluation of and monitoring of the effective operation of controls.
 
45. Inadequate documentation of the design of controls over relevant assertions
related to significant accounts and disclosures is a deficiency in the company’s internal
control over financial reporting. As discussed in paragraph 138, the auditor should
evaluate this documentation deficiency. The auditor might conclude that the deficiency
is only a deficiency, or that the deficiency represents a significant deficiency or a
material weakness. In evaluating the deficiency as to its significance, the auditor should
determine whether management can demonstrate the monitoring component of internal
control over financial reporting.
 
46. Inadequate documentation also could cause the auditor to conclude that there is
a limitation on the scope of the engagement.
 
Obtaining an Understanding of Internal Control Over Financial Reporting
 
47. The auditor should obtain an understanding of the design of specific controls by
applying procedures that include:
 
• Making inquiries of appropriate management, supervisory, and staff
personnel;
 
• Inspecting company documents;
 
• Observing the application of specific controls; and
 
• Tracing transactions through the information system relevant to financial
reporting.
 
48. The auditor could also apply additional procedures to obtain an understanding of
the design of specific controls.
 
49. The auditor must obtain an understanding of the design of controls related to
each component of internal control over financial reporting, as discussed below.
 
• Control Environment. Because of the pervasive effect of the control
environment on the reliability of financial reporting, the auditor’s
preliminary judgment about its effectiveness often influences the nature,
timing, and extent of the tests of operating effectiveness considered
necessary. Weaknesses in the control environment should cause the
auditor to alter the nature, timing, or extent of tests of operating
effectiveness that otherwise should have been performed in the absence
of the weaknesses.
 
• Risk Assessment. When obtaining an understanding of the company’s
risk assessment process, the auditor should evaluate whether
management has identified the risks of material misstatement in the
significant accounts and disclosures and related assertions of the financial
statements and has implemented controls to prevent or detect errors or
fraud that could result in material misstatements. For example, the risk
assessment process should address how management considers the
possibility of unrecorded transactions or identifies and analyzes significant
estimates recorded in the financial statements. Risks relevant to reliable
financial reporting also relate to specific events or transactions.
 
• Control Activities. The auditor’s understanding of control activities relates
to the controls that management has implemented to prevent or detect
errors or fraud that could result in material misstatement in the accounts
and disclosures and related assertions of the financial statements. For the
purposes of evaluating the effectiveness of internal control over financial
reporting, the auditor’s understanding of control activities encompasses a
broader range of accounts and disclosures than what is normally obtained
for the financial statement audit.
 
• Information and Communication. The auditor’s understanding of
management’s information and communication involves understanding the
same systems and processes that he or she addresses in an audit of
financial statements. In addition, this understanding includes a greater
emphasis on comprehending the safeguarding controls and the processes
for authorization of transactions and the maintenance of records, as well
as the period-end financial reporting process (discussed further beginning
at paragraph 76).
 
• Monitoring. The auditor’s understanding of management’s monitoring of
controls extends to and includes its monitoring of all controls, including
control activities, which management has identified and designed to
prevent or detect material misstatement in the accounts and disclosures
and related assertions of the financial statements.
 
50. Some controls (such as company-level controls, described in paragraph 53)
might have a pervasive effect on the achievement of many overall objectives of the
control criteria. For example, information technology general controls over program
development, program changes, computer operations, and access to programs and
data help ensure that specific controls over the processing of transactions are operating
effectively. In contrast, other controls are designed to achieve specific objectives of the
control criteria. For example, management generally establishes specific controls, such
as accounting for all shipping documents, to ensure that all valid sales are recorded.
 
51. The auditor should focus on combinations of controls, in addition to specific
controls in isolation, in assessing whether the objectives of the control criteria have
been achieved. The absence or inadequacy of a specific control designed to achieve
the objectives of a specific criterion might not be a deficiency if other controls
specifically address the same criterion. Further, when one or more controls achieve the
objectives of a specific criterion, the auditor might not need to evaluate other controls
designed to achieve those same objectives.