The purpose of this memo is to summarize selected paragraphs of AS5 to form an understanding of how the top down approach is applied to an audit of internal controls. It is also to explain the difference between a material weakness and a significant deficiency by providing a list of indicators of material weaknesses, as well as an explanation of how both a material weakness and a significant deficiency will be communicated to the audit committee and on the auditor’s report.
Top Down Approach
The purpose of using the top down approach for an audit of internal controls is to allow the auditor to take a systematic approach to identify risks and select which controls to test. The top down approach begins with the auditor forming a general understanding of the entity and the industry in which it operates. This is accomplished by looking at the company’s financial statements, and acquiring general business knowledge.
The auditor then looks at the entity-level controls of the company to ensure that sufficient policies and procedures are implemented to recognize misstatements, due to error or fraud, in a timely manner so that material misstatements do not affect the financial statements. The two most important types of entity-level controls are those related to the control environment, and those over the period-end financial reporting process. Controls over the control environment should assess how management promotes ethical values and integrity, as well as whether or not the Board of Directors or the audit committee has assumed the responsibility of the accuracy and completeness of the financial statements and internal controls. Controls over the period-end financial reporting process should assess the methods used to enter information to the general ledger, how much IT is used in the financial reporting process, types of adjusting and consolidation entries, and the involvement of management, Board of Directors, and the audit committee in the period-ending financial reporting process.
Other entity-level controls that must be taken into account include controls over management override, the company’s risk assessment process, centralized processing controls, controls that monitor operations, and controls that monitor other controls. It is important to understand that entity-level controls vary both in nature and precision. Some entity-level controls only indirectly affect the likelihood of detecting or preventing material misstatements, whereas others are specifically designed to monitor the effectiveness of the other controls. The more precise the control, the less tests the auditor must perform on those controls.
Next, the auditor identifies any significant accounts and disclosures, and their relevant assertions. Relevant assertions are basically risky financial statement assertions. Financial statement assertions show that a transaction has occurred, is complete, is valued correctly, has transferred ownership to the company, and is properly presented on the financial statements. A relevant assertion, therefore, would be any of these financial statement assertions that are exceptionally vulnerable to having a misstatement and could cause the financial statements to be materially misstated. Significant accounts and disclosures that require more attention are those that are larger in size, are more susceptible to misstatements, are very complex, contain a larger volume of transactions during the period, have realized losses during the period, involve a high likelihood of related party transactions within the account, or there has been a significant change in the accounting methods used from last year. It is beneficial for the auditor to go through the financial statements, and for each account and disclosure brainstorm all the ways it could have been misstated to identify as many risky areas as possible. Risk factors, as well as significant accounts and disclosures, and their relevant assertions will be the same for both the audit of internal controls as well as the financial statement audit. When auditing an enterprise with multiple business entities, the auditor should use the consolidated financial statements to identify significant accounts and disclosures.
The next step is for the auditor to understand likely sources of misstatement. In order to do this, the auditor should achieve a series of objectives. These objectives include the auditor being able to show where there are vulnerabilities in a company’s internal controls that could result in material misstatements to the financial statements, and what controls management has implemented to reduce these risks. The best way for the auditor to achieve these objectives is by performing walkthroughs. A walkthrough is when the auditor follows a transaction from its origination until it reaches the financial records, and makes sure that all of the control procedures were conducted properly. It is important that the auditor conducts these types of procedures him or herself and takes careful notes about what type of information technology is used, as well as what personnel is involved in each processing procedure.
The final step in the top down approach is to select which controls to test. The auditor should test each control that is the most important in determining whether or not a particular risk has been sufficiently addressed. If two controls address the same risk, it may not be necessary to test both controls. Also, it may not be necessary to address two risks separately if one control sufficiently addresses both of them. Together, the tests of these internal controls will provide the auditor with a conclusion about the effectiveness of the internal controls over financial reporting.
Material Weakness or Significant Deficiency
The difference between a material weakness and a significant deficiency is simply that a significant deficiency is less severe. A significant deficiency is, however, still risky enough for the auditor to let management know so that they may have a chance to get rid of the problem. If management does not sufficiently address the problem within one year, the deficiency becomes a material weakness. All material weaknesses must be communicated to both management and the audit committee as well as mentioned in the auditor’s report on internal controls over financial reporting. A material weakness is a problem with the internal controls over financial reporting that will most likely result in an important error on the financial statements that would alter creditors and investors opinions about the company.
Indicators of Material Weaknesses
Auditing Standard five mentions four important indicators of material weaknesses to help the auditor determine what deficiencies are considered material weaknesses. The first indicator of material weakness is if there is any evidence that shows there may be fraud present. The second occurs when management alters the financial statements to fix a material misstatement that they found. The third is when the auditor finds a material misstatement and informs management about the problem. The fourth is an assessment of the audit committee. If the audit committee is doing a poor job acting as oversight over the financial reporting process of the company, there may be an increased likelihood of a material weakness. If any or all of these indicators are present for a given deficiency, the auditor should compare the facts with what a reasonable professional would consider to be in accordance with GAAP. If this is determined not to be true, the auditor must consider this deficiency a material weakness and disclose it on the auditor’s report of internal controls over financial reporting.
Communicating to the Audit Committee and on the Auditor’s report
The auditor is required to report any and all deficiencies found to management in writing and tell the audit committee about this communication. If the deficiency has already been revealed to management through different means, the auditor does not need to repeat this communication. If a material weakness is discovered, the auditor must communicate it to management and the audit committee first, and then disclose it in the auditor’s report. If a deficiency is determined to be significant, the audit committee, as well as management, must be informed in writing. The auditor is not responsible to report control deficiencies he or she is not aware of, nor is he or she responsible to provide assurance that all deficiencies have been discovered.
The top down approach is a systematic method of assessing risk that an auditor uses to locate specific areas of risk in a company’s internal controls over financial reporting, and select the best tests to make sure these risks are sufficiently addressed. The top down approach requires the auditors to start by understanding a company and its industry, then moving down to the company’s entity-level controls, then to significant accounts and disclosures and their relevant assertions, then double check that the auditor has a complete understanding of the risks, and then finally select the controls that are necessary to test to make sure that all risks have been addressed. The main difference between a material weakness and a significant deficiency is that a significant deficiency is less severe. Also, although both must be communicated, in writing, to both management and the audit committee, only a material weakness must be disclosed in the auditor’s report.