|
|
 |
|
Sarbanes Oxley Act -
Auditing Standards |
|
Public
Company Accounting Oversight
Board
Bylaws
and Rules – Standards – AS2
Auditing
Standard No. 2: An Audit of Internal Control
Over Financial Reporting Performed in
Conjunction With an Audit of Financial
Statements
Using the Work of
Others
108.
In all audits of internal control over financial
reporting, the auditor must
perform
enough
of the testing himself or herself so that the
auditor's own work provides the
principal
evidence for the auditor's opinion. The auditor
may, however, use the work of
others
to alter the nature, timing, or extent of the
work he or she otherwise would
have
performed.
For
these purposes, the work of others includes
relevant work performed by
internal
auditors, company personnel (in addition to
internal auditors), and third
parties
working
under the direction of management or the audit
committee that provides
information
about the effectiveness of internal control over
financial reporting.
Note:
Because the amount of work related to obtaining
sufficient evidence to
support
an opinion about the effectiveness of controls
is not susceptible to
precise
measurement, the auditor's judgment about
whether he or she has
obtained
the principal evidence for the opinion will be
qualitative as well as
quantitative.
For example, the auditor might give more weight
to work he or she
performed
on pervasive controls and in areas such as the
control environment
than
on other controls, such as controls over
low-risk, routine transactions.
109.
The auditor should evaluate whether to use the
work performed by others in the
audit
of internal control over financial reporting. To
determine the extent to which
the
auditor
may use the work of others to alter the nature,
timing, or extent of the work
the
auditor
would have otherwise performed, in addition to
obtaining the principal
evidence
for
his or her opinion, the auditor
should:
a.
Evaluate the nature of the controls subjected to
the work of others (See
paragraphs
112 through 116);
b.
Evaluate the competence and objectivity of the
individuals who performed
the
work (See paragraphs 117 through 122);
and
c.
Test some of the work performed by others to
evaluate the quality and
effectiveness
of their work (See paragraphs 123 through
125).
Note:
AU sec. 322, The Auditor's Consideration of the
Internal Audit Function in
an Audit of Financial
Statements, applies to using
the work of internal auditors
in
an
audit of the financial statements. The auditor
may apply the relevant concepts
described
in that section to using the work of others in
the audit of internal control
over
financial reporting.
110.
The auditor must obtain sufficient evidence to
support his or her opinion.
Judgments
about the sufficiency of evidence obtained and
other factors affecting the
auditor's
opinion, such as the significance of identified
control deficiencies, should be
those
of the auditor. Evidence obtained through the
auditor's direct personal
knowledge,
observation, reperformance, and inspection is
generally more persuasive
than
information obtained indirectly from others,
such as from internal auditors,
other
company
personnel, or third parties working under the
direction of management.
111.
The requirement that the auditor's own work must
provide the principal evidence
for
the auditor's opinion is one of the boundaries
within which the auditor determines
the
work
he or she must perform himself or herself in the
audit of internal control over
financial
reporting.
Paragraphs
112 through 125 provide more specific and
definitive
direction
on how the auditor makes this determination, but
the directions allow the
auditor
significant flexibility to use his or her
judgment to determine the work
necessary
to
obtain the principal evidence and to determine
when the auditor can use the work
of
others
rather than perform the work himself or herself.
Regardless of the auditor's
determination
of the work that he or she must perform himself
or herself, the auditor's
responsibility
to report on the effectiveness of internal
control over financial
reporting
rests
solely with the auditor; this responsibility
cannot be shared with the other
individuals
whose work the auditor uses. Therefore, when the
auditor uses the work of
others,
the auditor is responsible for the results of
their work.
112.
Evaluating the Nature of the Controls Subjected
to the Work of Others. The
auditor
should evaluate the following factors when
evaluating the nature of the
controls
subjected
to the work of others. As these factors increase
in significance, the need for
the
auditor to perform his or her own work on those
controls increases. As these
factors
decrease
in significance, the need for the auditor to
perform his or her own work on
those
controls decreases.
•
The materiality of the accounts and disclosures
that the control addresses
and
the risk of material
misstatement.
•
The degree of judgment required to evaluate the
operating effectiveness
of
the control (that is, the degree to which the
evaluation of the
effectiveness
of the control requires evaluation of subjective
factors rather
than
objective testing).
•
The pervasiveness of the
control.
•
The level of judgment or estimation required in
the account or disclosure.
•
The potential for management override of the
control.
113.
Because of the nature of the controls in the
control environment, the
auditor
should
not use the work of others to reduce the amount
of work he or she performs on
controls
in the control environment. The auditor should,
however, consider the results
of
work performed in this area by others because it
might indicate the need for the
auditor
to increase his or her work.
114.
The control environment encompasses the
following factors:16/
•
Integrity and ethical values;
•
Commitment to competence;
•
Board of directors or audit committee
participation;
•
Management's philosophy and operating
style;
•
Organizational structure;
•
Assignment of authority and responsibility;
and
•
Human resource policies and
procedures.
16/
See the COSO report and paragraph .110 of AU
sec. 319, Internal Control
in a Financial
Statement Audit, for additional
information about the factors included
in
the
control environment.
115.
Controls that are part of the control
environment include, but are not limited
to,
controls
specifically established to prevent and detect
fraud that is at least
reasonably
possible
to result in material misstatement of the
financial statements.
Note:
The term "reasonably possible" has the same
meaning as in FAS No. 5.
See
the first note to paragraph 9 for further
discussion.
116.
The auditor should perform the walkthroughs (as
discussed beginning at
paragraph
79) himself or herself because of the degree of
judgment required in
performing
this work. However, to provide additional
evidence, the auditor may also
review
the work of others who have performed and
documented walkthroughs. In
evaluating
whether his or her own evidence provides the
principal evidence, the
auditor's
work on the control environment and in
performing walkthroughs constitutes
an
important
part of the auditor's own work.
117.
Evaluating the Competence and Objectivity of
Others. The extent to which the
auditor
may use the work of others depends on the degree
of competence and
objectivity
of the individuals performing the work. The
higher the degree of competence
and
objectivity, the greater use the auditor may
make of the work; conversely, the
lower
the
degree of competence and objectivity, the less
use the auditor may make of the
work.
Further, the auditor should not use the work of
individuals who have a low
degree
of
objectivity, regardless of their level of
competence. Likewise, the auditor should
not
use
the work of individuals who have a low level of
competence regardless of their
degree
of objectivity.
|
|
.
| | |
