Sarbanes Oxley Act - Auditing Standards

Public Company Accounting Oversight Board

Bylaws and Rules – Standards – AS2

Auditing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements

98. Timing of Tests of Controls. The auditor must perform tests of controls over a
period of time that is adequate to determine whether, as of the date specified in
management's report, the controls necessary for achieving the objectives of the control
criteria are operating effectively. The period of time over which the auditor performs
tests of controls varies with the nature of the controls being tested and with the
frequency with which specific controls operate and specific policies are applied. Some
controls operate continuously (for example, controls over sales), while others operate
only at certain times (for example, controls over the preparation of monthly or quarterly
financial statements and controls over physical inventory counts).
 
99. The auditor's testing of the operating effectiveness of such controls should occur
at the time the controls are operating. Controls "as of" a specific date encompass
controls that are relevant to the company's internal control over financial reporting "as
of" that specific date, even though such controls might not operate until after that
specific date. For example, some controls over the period-end financial reporting
process normally operate only after the "as of" date. Therefore, if controls over the
December 31, 20X4 period-end financial reporting process operate in January 20X5,
the auditor should test the control operating in January 20X5 to have sufficient evidence
of operating effectiveness "as of" December 31, 20X4.
 
100. When the auditor reports on the effectiveness of controls "as of" a specific date
and obtains evidence about the operating effectiveness of controls at an interim date,
he or she should determine what additional evidence to obtain concerning the operation
of the control for the remaining period. In making that determination, the auditor should
evaluate:
 
• The specific controls tested prior to the "as of" date and the results of
those tests;
 
• The degree to which evidence about the operating effectiveness of those
controls was obtained;
 
• The length of the remaining period; and
 
• The possibility that there have been any significant changes in internal
control over financial reporting subsequent to the interim date.
 
101. For controls over significant nonroutine transactions, controls over accounts or
processes with a high degree of subjectivity or judgment in measurement, or controls
over the recording of period-end adjustments, the auditor should perform tests of
controls closer to or at the "as of" date rather than at an interim date. However, the
auditor should balance performing the tests of controls closer to the "as of" date with the
need to obtain sufficient evidence of operating effectiveness.
 
102. Prior to the date specified in management's report, management might
implement changes to the company's controls to make them more effective or efficient
or to address control deficiencies. In that case, the auditor might not need to evaluate
controls that have been superseded. For example, if the auditor determines that the
new controls achieve the related objectives of the control criteria and have been in
effect for a sufficient period to permit the auditor to assess their design and operating
effectiveness by performing tests of controls,15/ he or she will not need to evaluate the
design and operating effectiveness of the superseded controls for purposes of
expressing an opinion on internal control over financial reporting.
 
15/ Paragraph 179 provides reporting directions in these circumstances when
the auditor has not been able to obtain evidence that the new controls were
appropriately designed or have been operating effectively for a sufficient period of time.
 
103. As discussed in paragraph 207, however, the auditor must communicate all
identified significant deficiencies and material weaknesses in controls to the audit
committee in writing. In addition, the auditor should evaluate how the design and
operating effectiveness of the superseded controls relates to the auditor's reliance on
controls for financial statement audit purposes.
 
104. Extent of Tests of Controls. Each year the auditor must obtain sufficient
evidence about whether the company's internal control over financial reporting,
including the controls for all internal control components, is operating effectively. This
means that each year the auditor must obtain evidence about the effectiveness of
controls for all relevant assertions related to all significant accounts and disclosures in
the financial statements. The auditor also should vary from year to year the nature,
timing, and extent of testing of controls to introduce unpredictability into the testing and
respond to changes in circumstances. For example, each year the auditor might test
the controls at a different interim period; increase or reduce the number and types of
tests performed; or change the combination of procedures used.
 
105. In determining the extent of procedures to perform, the auditor should design the
procedures to provide a high level of assurance that the control being tested is
operating effectively. In making this determination, the auditor should assess the
following factors:
 
• Nature of the control. The auditor should subject manual controls to more
extensive testing than automated controls. In some circumstances,
testing a single operation of an automated control may be sufficient to
obtain a high level of assurance that the control operated effectively,
provided that information technology general controls also are operating
effectively.
 
For manual controls, sufficient evidence about the operating
effectiveness of the controls is obtained by evaluating multiple operations
of the control and the results of each operation. The auditor also should
assess the complexity of the controls, the significance of the judgments
that must be made in connection with their operation, and the level of
competence of the person performing the controls that is necessary for the
control to operate effectively. As the complexity and level of judgment
increase or the level of competence of the person performing the control
decreases, the extent of the auditor's testing should increase.
 
• Frequency of operation. Generally, the more frequently a manual control
operates, the more operations of the control the auditor should test. For
example, for a manual control that operates in connection with each
transaction, the auditor should test multiple operations of the control over
a sufficient period of time to obtain a high level of assurance that the
control operated effectively. For controls that operate less frequently,
such as monthly account reconciliations and controls over the period-end
financial reporting process, the auditor may test significantly fewer
operations of the control. However, the auditor's evaluation of each
operation of controls operating less frequently is likely to be more
extensive.
 
For example, when evaluating the operation of a monthly
exception report, the auditor should evaluate whether the judgments made
with regard to the disposition of the exceptions were appropriate and
adequately supported.
 
Note: When sampling is appropriate and the population of controls to be
tested is large, increasing the population size does not proportionately
increase the required sample size.
 
• Importance of the control. Controls that are relatively more important
should be tested more extensively. For example, some controls may
address multiple financial statement assertions, and certain period-end
detective controls might be considered more important than related
preventive controls. The auditor should test more operations of such
controls or, if such controls operate infrequently, the auditor should
evaluate each operation of the control more extensively.
 
106. Use of Professional Skepticism when Evaluating the Results of Testing. The
auditor must conduct the audit of internal control over financial reporting and the audit of
the financial statements with professional skepticism, which is an attitude that includes a
questioning mind and a critical assessment of audit evidence. For example, even
though a control is performed by the same employee whom the auditor believes
performed the control effectively in prior periods, the control may not be operating
effectively during the current period because the employee could have become
complacent, distracted, or otherwise not be effectively carrying out his or her
responsibilities.
 
Also, regardless of any past experience with the entity or the auditor's
beliefs about management's honesty and integrity, the auditor should recognize the
possibility that a material misstatement due to fraud could be present. Furthermore,
professional skepticism requires the auditor to consider whether evidence obtained
suggests that a material misstatement due to fraud has occurred. In exercising
professional skepticism in gathering and evaluating evidence, the auditor must not be
satisfied with less-than-persuasive evidence because of a belief that management is
honest.
 
107. When the auditor identifies exceptions to the company's prescribed control
procedures, he or she should determine, using professional skepticism, the effect of the
exception on the nature and extent of additional testing that may be appropriate or
necessary and on the operating effectiveness of the control being tested. A conclusion
that an identified exception does not represent a control deficiency is appropriate only if
evidence beyond what the auditor had initially planned and beyond inquiry supports that
conclusion.

 

 

© 2006 Copyright George Lekatis Inc. © Sarbanes Oxley Training and Resources