|
 |
|
Sarbanes Oxley Act -
Auditing Standards |
|
Public
Company Accounting Oversight
Board
Bylaws
and Rules – Standards – AS2
Auditing
Standard No. 2: An Audit of Internal Control
Over Financial Reporting Performed in
Conjunction With an Audit of Financial
Statements
36.
Due Professional Care.
The
auditor must exercise due professional care in
an audit of internal control over
financial
reporting. One important tenet of due
professional care is exercising
professional
skepticism.
In
an audit of internal control over financial
reporting, exercising professional
skepticism
involves
essentially the same considerations as in an
audit of financial statements, that is,
it
includes a critical assessment of the work that
management has performed in
evaluating
and
testing controls.
37.
Fieldwork and Reporting Standards. This standard
establishes the fieldwork and
reporting
standards applicable to an audit of internal
control over financial
reporting.
38.
The concept of materiality, as discussed in
paragraphs 22 and 23, underlies
the
application
of the general and fieldwork
standards.
Planning the
Engagement
39.
The audit of internal control over financial
reporting should be properly
planned
and
assistants, if any, are to be properly
supervised. When planning the audit
of
internal
control over financial reporting, the auditor
should evaluate how the
following
matters
will affect the auditor's
procedures:
•
Knowledge of the company's internal control over
financial reporting
obtained
during other engagements.
•
Matters affecting the industry in which the
company operates, such as
financial
reporting practices, economic conditions, laws
and regulations,
and
technological changes.
•
Matters relating to the company's business,
including its organization,
operating
characteristics, capital structure, and
distribution methods.
•
The extent of recent changes, if any, in the
company, its operations, or its
internal
control over financial
reporting.
•
Management's process for assessing the
effectiveness of the company's
internal
control over financial reporting based upon
control criteria.
•
Preliminary judgments about materiality, risk,
and other factors relating to
the
determination of material
weaknesses.
•
Control deficiencies previously communicated to
the audit committee or
management.
•
Legal or regulatory matters of which the company
is aware.
•
The type and extent of available evidence
related to the effectiveness of
the
company's internal control over financial
reporting.
•
Preliminary judgments about the effectiveness of
internal control over
financial
reporting.
•
The number of significant business locations or
units, including
management's
documentation and monitoring of controls over
such
locations
or business units. (Appendix B, paragraphs B1
through B17,
discusses
factors the auditor should evaluate to determine
the locations at
which
to perform auditing
procedures.)
Evaluating
Management's Assessment
Process
40.
The auditor must obtain an understanding of, and
evaluate, management's
process
for assessing the effectiveness of the company's
internal control over financial
reporting.
When obtaining the understanding, the auditor
should determine whether
management
has addressed the following
elements:
•
Determining which controls should be tested,
including controls over all
relevant
assertions related to all significant accounts
and disclosures in
the
financial statements. Generally, such controls
include:
–
Controls over initiating, authorizing,
recording, processing, and
reporting
significant accounts and disclosures and
related
assertions
embodied in the financial
statements.
–
Controls over the selection and application of
accounting policies
that
are in conformity with generally accepted
accounting principles.
–
Antifraud programs and
controls.
–
Controls, including information technology
general controls, on
which
other controls are dependent.
–
Controls over significant nonroutine and
nonsystematic
transactions,
such as accounts involving judgments and
estimates.
–
Company level controls (as described in
paragraph 53), including:
–
The control environment and
–
Controls over the period-end financial reporting
process,
including
controls over procedures used to enter
transaction
totals
into the general ledger; to initiate, authorize,
record,
and
process journal entries in the general ledger;
and to
record
recurring and nonrecurring adjustments to
the
financial
statements (for example,
consolidating
adjustments,
report combinations, and
reclassifications).
Note:
References to the period-end financial
reporting
process
in this standard refer to the preparation of
both
annual
and quarterly financial
statements.
•
Evaluating the likelihood that failure of the
control could result in a
misstatement,
the magnitude of such a misstatement, and the
degree to
which
other controls, if effective, achieve the same
control objectives.
•
Determining the locations or business units to
include in the evaluation for
a
company with multiple locations or business
units (See paragraphs B1
through
B17).
•
Evaluating the design effectiveness of
controls.
•
Evaluating the operating effectiveness of
controls based on procedures
sufficient
to assess their operating effectiveness.
Examples of such
procedures
include testing of the controls by internal
audit, testing of
controls
by others under the direction of management,
using a service
organization's
reports (See paragraphs B18 through B29),
inspection of
evidence
of the application of controls, or testing by
means of a selfassessment
process,
some of which might occur as part of
management's
ongoing
monitoring activities. Inquiry alone is not
adequate to complete
this
evaluation. To evaluate the effectiveness of the
company's internal
control
over financial reporting, management must have
evaluated
controls
over all relevant assertions related to all
significant accounts and
disclosures.
•
Determining the deficiencies in internal control
over financial reporting that
are
of such a magnitude and likelihood of occurrence
that they constitute
significant
deficiencies or material
weaknesses.
•
Communicating findings to the auditor and to
others, if applicable.
•
Evaluating whether findings are reasonable and
support management's
assessment.
41.
As part of the understanding and evaluation of
management's process, the
auditor
should obtain an understanding of the results of
procedures performed by
others.
Others include internal audit and third parties
working under the direction of
management,
including other auditors and accounting
professionals engaged to
perform
procedures
as a basis for management's assessment.
Inquiry
of management and others is the beginning point
for obtaining an understanding
of
internal control over financial reporting, but
inquiry alone is not adequate for reaching
a
conclusion on any aspect of internal control
over financial reporting
effectiveness.
Note:
Management cannot use the auditor's procedures
as part of the basis for
its
assessment of the effectiveness of internal
control over financial
reporting.
|
|
.
| | |
