Sarbanes Oxley Act - Auditing Standards
Public Company Accounting Oversight Board
Bylaws and Rules – Standards – AS2
Auditing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements
Requirement for Written Representations
142. In an audit of internal control over financial reporting, the auditor should obtain written representations from management:
a. Acknowledging management's responsibility for establishing and maintaining effective internal control over financial reporting;
b. Stating that management has performed an assessment of the effectiveness of the company's internal control over financial reporting and specifying the control criteria;
c. Stating that management did not use the auditor's procedures performed during the audits of internal control over financial reporting or the financial statements as part of the basis for management's assessment of the effectiveness of internal control over financial reporting;
d. Stating management's conclusion about the effectiveness of the company's internal control over financial reporting based on the control criteria as of a specified date;
e. Stating that management has disclosed to the auditor all deficiencies in the design or operation of internal control over financial reporting identified as part of management's assessment, including separately disclosing to the auditor all such deficiencies that it believes to be significant deficiencies or material weaknesses in internal control over financial reporting;
f. Describing any material fraud and any other fraud that, although not material, involves senior management or management or other employees who have a significant role in the company's internal control over financial reporting;
g. Stating whether control deficiencies identified and communicated to the audit committee during previous engagements pursuant to paragraph 207 have been resolved, and specifically identifying any that have not; and
h. Stating whether there were, subsequent to the date being reported on, any changes in internal control over financial reporting or other factors that might significantly affect internal control over financial reporting, including any corrective actions taken by management with regard to significant deficiencies and material weaknesses.
143. The failure to obtain written representations from management, including management's refusal to furnish them, constitutes a limitation on the scope of the audit sufficient to preclude an unqualified opinion. As discussed further in paragraph 178, when management limits the scope of the audit, the auditor should either withdraw from the engagement or disclaim an opinion. Further, the auditor should evaluate the effects of management's refusal on his or her ability to rely on other representations, including, if applicable, representations obtained in an audit of the company's financial statements.
144. AU sec. 333, Management Representations, explains matters such as who should sign the letter, the period to be covered by the letter, and when to obtain an updating letter.
Relationship of an Audit of Internal Control over Financial Reporting to an Audit of Financial Statements
145. The audit of internal control over financial reporting should be integrated with the audit of the financial statements. The objectives of the procedures for the audits are not identical, however, and the auditor must plan and perform the work to achieve the objectives of both audits.
146. The understanding of internal control over financial reporting the auditor obtains and the procedures the auditor performs for purposes of expressing an opinion on management's assessment are interrelated with the internal control over financial reporting understanding the auditor obtains and procedures the auditor performs to assess control risk for purposes of expressing an opinion on the financial statements. As a result, it is efficient for the auditor to coordinate obtaining the understanding and performing the procedures.
Tests of Controls in an Audit of Internal Control Over Financial Reporting
147. The objective of the tests of controls in an audit of internal control over financial reporting is to obtain evidence about the effectiveness of controls to support the auditor's opinion on whether management's assessment of the effectiveness of the company's internal control over financial reporting is fairly stated. The auditor's opinion relates to the effectiveness of the company's internal control over financial reporting as of a point in time and taken as a whole.
148. To express an opinion on internal control over financial reporting effectiveness as of a point in time, the auditor should obtain evidence that internal control over financial reporting has operated effectively for a sufficient period of time, which may be less than the entire period (ordinarily one year) covered by the company's financial statements. To express an opinion on internal control over financial reporting effectiveness taken as a whole, the auditor must obtain evidence about the effectiveness of controls over all relevant assertions related to all significant accounts and disclosures in the financial statements. This requires that the auditor test the design and operating effectiveness of controls he or she ordinarily would not test if expressing an opinion only on the financial statements.
149. When concluding on the effectiveness of internal control over financial reporting for purposes of expressing an opinion on management's assessment, the auditor should incorporate the results of any additional tests of controls performed to achieve the objective related to expressing an opinion on the financial statements, as discussed in the following section.
Tests of Controls in an Audit of Financial Statements
150. To express an opinion on the financial statements, the auditor ordinarily performs tests of controls and substantive procedures. The objective of the tests of controls the auditor performs for this purpose is to assess control risk. To assess control risk for specific financial statement assertions at less than the maximum, the auditor is required to obtain evidence that the relevant controls operated effectively during the entire period upon which the auditor plans to place reliance on those controls. However, the auditor is not required to assess control risk at less than the maximum for all relevant assertions and, for a variety of reasons, the auditor may choose not to do so.18/
18/ See paragraph 160 for additional documentation requirements when the auditor assesses control risk as other than low.
151. When concluding on the effectiveness of controls for the purpose of assessing control risk, the auditor also should evaluate the results of any additional tests of controls performed to achieve the objective related to expressing an opinion on management's assessment, as discussed in paragraphs 147 through 149. Consideration of these results may require the auditor to alter the nature, timing, and extent of substantive procedures and to plan and perform further tests of controls, particularly in response to identified control deficiencies.