Sarbanes Oxley Act - Auditing Standards

Public Company Accounting Oversight Board

Bylaws and Rules – Standards – AS2

Auditing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements

83. Identifying Controls to Test. The auditor should obtain evidence about the
effectiveness of controls (either by performing tests of controls himself or herself, or by
using the work of others) (14) for all relevant assertions related to all significant accounts
and disclosures in the financial statements. After identifying significant accounts,
relevant assertions, and significant processes, the auditor should evaluate the following
to identify the controls to be tested:
 
• Points at which errors or fraud could occur;
 
• The nature of the controls implemented by management;
 
• The significance of each control in achieving the objectives of the control
criteria and whether more than one control achieves a particular objective
or whether more than one control is necessary to achieve a particular
objective; and
 
• The risk that the controls might not be operating effectively. Factors that
affect whether the control might not be operating effectively include the
following:
 
– Whether there have been changes in the volume or nature of
transactions that might adversely affect control design or operating
effectiveness;
 
– Whether there have been changes in the design of controls;
 
– The degree to which the control relies on the effectiveness of other
controls (for example, the control environment or information
technology general controls);
 
– Whether there have been changes in key personnel who perform
the control or monitor its performance;
 
– Whether the control relies on performance by an individual or is
automated; and
 
– The complexity of the control.
 
(14) See paragraphs 108 through 126 for additional direction on using the work
of others.
 
84. The auditor should clearly link individual controls with the significant accounts
and assertions to which they relate.
 
85. The auditor should evaluate whether to test preventive controls, detective
controls, or a combination of both for individual relevant assertions related to individual
significant accounts. For instance, when performing tests of preventive and detective
controls, the auditor might conclude that a deficient preventive control could be
compensated for by an effective detective control and, therefore, not result in a
significant deficiency or material weakness.
 
For example, a monthly reconciliation control procedure, which is a detective control,
might detect an out-of-balance situation resulting from an unauthorized transaction
being initiated due to an ineffective authorization procedure, which is a preventive control.
 
When determining whether the detective control is effective, the auditor should evaluate
whether the detective control is sufficient to achieve the control objective to which the preventive control relates.
 
Note: Because effective internal control over financial reporting often includes a
combination of preventive and detective controls, the auditor ordinarily will test a
combination of both.
 
86. The auditor should apply tests of controls to those controls that are important to
achieving each control objective. It is neither necessary to test all controls nor is it
necessary to test redundant controls (that is, controls that duplicate other controls that
achieve the same objective and already have been tested), unless redundancy is itself a
control objective, as in the case of certain computer controls.
 
87. Appendix B, paragraphs B1 through B17, provide additional direction to the
auditor in determining which controls to test when a company has multiple locations or
business units. In these circumstances, the auditor should determine significant
accounts and their relevant assertions, significant processes, and major classes of
transactions based on those that are relevant and significant to the consolidated
financial statements. Having made those determinations in relation to the consolidated
financial statements, the auditor should then apply the directions in Appendix B.
 
Testing and Evaluating Design Effectiveness
 
88. Internal control over financial reporting is effectively designed when the controls
complied with would be expected to prevent or detect errors or fraud that could result in
material misstatements in the financial statements. The auditor should determine
whether the company has controls to meet the objectives of the control criteria by:
• Identifying the company's control objectives in each area;
 
• Identifying the controls that satisfy each objective; and
 
• Determining whether the controls, if operating properly, can effectively
prevent or detect errors or fraud that could result in material
misstatements in the financial statements.
 
89. Procedures the auditor performs to test and evaluate design effectiveness
include inquiry, observation, walkthroughs, inspection of relevant documentation, and a
specific evaluation of whether the controls are likely to prevent or detect errors or fraud
that could result in misstatements if they are operated as prescribed by appropriately
qualified persons.
 
90. The procedures that the auditor performs in evaluating management's
assessment process and obtaining an understanding of internal control over financial
reporting also provide the auditor with evidence about the design effectiveness of
internal control over financial reporting.
 
91. The procedures the auditor performs to test and evaluate design effectiveness
also might provide evidence about operating effectiveness.
 
Testing and Evaluating Operating Effectiveness
 
92. An auditor should evaluate the operating effectiveness of a control by
determining whether the control is operating as designed and whether the person
performing the control possesses the necessary authority and qualifications to perform
the control effectively.
 
93. Nature of Tests of Controls. Tests of controls over operating effectiveness
should include a mix of inquiries of appropriate personnel, inspection of relevant
documentation, observation of the company's operations, and reperformance of the
application of the control. For example, the auditor might observe the procedures for
opening the mail and processing cash receipts to test the operating effectiveness of
controls over cash receipts. Because an observation is pertinent only at the point in
time at which it is made, the auditor should supplement the observation with inquiries of
company personnel and inspection of documentation about the operation of such
controls at other times. These inquiries might be made concurrently with performing
walkthroughs.
 
94. Inquiry is a procedure that consists of seeking information, both financial and
nonfinancial, of knowledgeable persons throughout the company. Inquiry is used
extensively throughout the audit and often is complementary to performing other
procedures. Inquiries may range from formal written inquiries to informal oral inquiries.
 
95. Evaluating responses to inquiries is an integral part of the inquiry procedure.
Examples of information that inquiries might provide include the skill and competency of
those performing the control, the relative sensitivity of the control to prevent or detect
errors or fraud, and the frequency with which the control operates to prevent or detect
errors or fraud. Responses to inquiries might provide the auditor with information not
previously possessed or with corroborative evidence. Alternatively, responses might
provide information that differs significantly from other information the auditor obtains
(for example, information regarding the possibility of management override of controls).
 
In some cases, responses to inquiries provide a basis for the auditor to modify or
perform additional procedures.
 
96. Because inquiry alone does not provide sufficient evidence to support the
operating effectiveness of a control, the auditor should perform additional tests of
controls. For example, if the company implements a control activity whereby its sales
manager reviews and investigates a report of invoices with unusually high or low gross
margins, inquiry of the sales manager as to whether he or she investigates
discrepancies would be inadequate. To obtain sufficient evidence about the operating
effectiveness of the control, the auditor should corroborate the sales manager's
responses by performing other procedures, such as inspecting reports or other
documentation used in or generated by the performance of the control, and evaluate
whether appropriate actions were taken regarding discrepancies.
 
97. The nature of the control also influences the nature of the tests of controls the
auditor can perform. For example, the auditor might examine documents regarding
controls for which documentary evidence exists. However, documentary evidence
regarding some aspects of the control environment, such as management's philosophy
and operating style, might not exist.
 
In circumstances in which documentary evidence of controls or the performance of controls
does not exist and is not expected to exist, the auditor's tests of controls would consist of
inquiries of appropriate personnel and observation of company activities.
 
As another example, a signature on a voucher package to indicate that the signer approved
it does not necessarily mean that the person carefully reviewed the package before signing.
 
The package may have been signed based on only a cursory review (or without any review).
As a result, the quality of the evidence regarding the effective operation of the control might
not be sufficiently persuasive. If that is the case, the auditor should reperform the control
(for example, checking prices, extensions, and additions) as part of the test of the control.
 
In addition, the auditor might inquire of the person responsible for approving voucher packages
what he or she looks for when approving packages and how many errors have been
found within voucher packages. The auditor also might inquire of supervisors whether
they have any knowledge of errors that the person responsible for approving the
voucher packages failed to detect.

 

 

© 2006 Copyright George Lekatis Inc. © Sarbanes Oxley Training and Resources