Auditing Standard No. 2
An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements
Additional Performance Requirements and Directions; Extent-of-Testing Examples
Tests to be Performed When a Company Has Multiple Locations or Business Units
B1. To determine the locations or business units for performing audit procedures, the auditor should evaluate their relative financial significance and the risk of material misstatement arising from them. In making this evaluation, the auditor should identify the locations or business units that are individually important, evaluate their documentation of controls, and test controls over significant accounts and disclosures. For locations or business units that contain specific risks that, by themselves, could create a material misstatement, the auditor should evaluate their documentation of controls and test controls over the specific risks.
B2. The auditor should determine the other locations or business units that, when aggregated, represent a group with a level of financial significance that could create a material misstatement in the financial statements. For that group, the auditor should determine whether there are company-level controls in place. If so, the auditor should evaluate the documentation and test such company-level controls. If not, the auditor should perform tests of controls at some of the locations or business units.
B3. No further work is necessary on the remaining locations or businesses, provided that they are not able to create, either individually or in the aggregate, a material misstatement in the financial statements.
Locations or Business Units That Are Financially Significant
B4. Because of the importance of financially significant locations or business units, the auditor should evaluate management's documentation of and perform tests of controls over all relevant assertions related to significant accounts and disclosures at each financially significant location or business unit, as discussed in paragraphs 83 through 105. Generally, a relatively small number of locations or business units will encompass a large portion of a company's operations and financial position, making them financially significant.
B5. In determining the nature, timing, and extent of testing at the individual locations or business units, the auditor should evaluate each entity's involvement, if any, with a central processing or shared service environment.
Locations or Business Units That Involve Specific Risks
B6. Although a location or business unit might not be individually financially significant, it might present specific risks that, by themselves, could create a material misstatement in the company's financial statements. The auditor should test the controls over the specific risks that could create a material misstatement in the company's financial statements.
The auditor need not test controls over all relevant assertions related to all significant accounts at these locations or business units. For example, a business unit responsible for foreign exchange trading could expose the company to the risk of material misstatement, even though the relative financial significance of such transactions is low.
Locations or Business Units That Are Significant Only When Aggregated with Other Locations and Business Units
B7. In determining the nature, timing, and extent of testing, the auditor should determine whether management has documented and placed in operation company-level controls (See paragraph 53) over individually unimportant locations and business units that, when aggregated with other locations or business units, might have a high level of financial significance. A high level of financial significance could create a greater than remote risk of material misstatement of the financial statements.
B8. For the purposes of this evaluation, company-level controls are controls management has in place to provide assurance that appropriate controls exist throughout the organization, including at individual locations or business units.
B9. The auditor should perform tests of company-level controls to determine whether such controls are operating effectively. The auditor might conclude that he or she cannot evaluate the operating effectiveness of such controls without visiting some or all of the locations or business units.
B10. If management does not have company-level controls operating at these locations and business units, the auditor should determine the nature, timing, and extent of procedures to be performed at each location, business unit, or combination of locations and business units. When determining the locations or business units to visit and the controls to test, the auditor should evaluate the following factors:
B11. Testing company-level controls is not a substitute for the auditor's testing of controls over a large portion of the company's operations or financial position. If the auditor cannot test a large portion of the company's operations and financial position by selecting a relatively small number of locations or business units, he or she should expand the number of locations or business units selected to evaluate internal control over financial reporting.
Locations and Business Units That Do Not Require Testing
B12. No testing is required for locations or business units that individually, and when aggregated with others, could not result in a material misstatement to the financial statements.
Multi-Location Testing Considerations Flowchart
B13. Illustration B-1 depicts how to apply the directions in this section to a hypothetical company with 150 locations or business units, along with the auditor's testing considerations for those locations or business units.
Illustration B-1
* Numbers represent number of locations affected.
** See paragraph B7.
Special Situations
B14. The scope of the evaluation of the company's internal control over financial reporting should include entities that are acquired on or before the date of management's assessment and operations that are accounted for as discontinued operations on the date of management's assessment. The auditor should consider this multiple locations discussion in determining whether it will be necessary to test controls at these entities or operations.
B15. For equity method investments, the evaluation of the company's internal control over financial reporting should include controls over the reporting in accordance with generally accepted accounting principles, in the company's financial statements, of the company's portion of the investees' income or loss, the investment balance, adjustments to the income or loss and investment balance, and related disclosures. The evaluation ordinarily would not extend to controls at the equity method investee.
B16. In situations in which the SEC allows management to limit its assessment of internal control over financial reporting by excluding certain entities, the auditor may limit the audit in the same manner and report without reference to the limitation in scope.
However, the auditor should evaluate the reasonableness of management's conclusion that the situation meets the criteria of the SEC's allowed exclusion and the appropriateness of any required disclosure related to such a limitation. If the auditor believes that management's disclosure about the limitation requires modification, the auditor should follow the same communication responsibilities as described in paragraphs 204 and 205. If management and the audit committee do not respond appropriately, in addition to fulfilling those responsibilities, the auditor should modify his or her report on the audit of internal control over financial reporting to include an explanatory paragraph describing the reasons why the auditor believes management's disclosure should be modified.
B17. For example, for entities that are consolidated or proportionately consolidated, the evaluation of the company's internal control over financial reporting should include controls over significant accounts and processes that exist at the consolidated or proportionately consolidated entity. In some instances, however, such as for some variable interest entities as defined in Financial Accounting Standards Board Interpretation No. 46, Consolidation of Variable Interest Entities, management might not be able to obtain the information necessary to make an assessment because it does not have the ability to control the entity. If management is allowed to limit its assessment by excluding such entities, 1/ the auditor may limit the audit in the same manner and report without reference to the limitation in scope.
In this case, the evaluation of the company's internal control over financial reporting should include evaluation of controls over the reporting in accordance with generally accepted accounting principles, in the company's financial statements, of the company's portion of the entity's income or loss, the investment balance, adjustments to the income or loss and investment balances, and related disclosures. However, the auditor should evaluate the reasonableness of management's conclusion that it does not have the ability to obtain the necessary information as well as the appropriateness of any required disclosure related to such a limitation.
Use of Service Organizations
B18. AU sec. 324, Service Organizations, applies to the audit of financial statements of a company that obtains services from another organization that are part of its information system. The auditor may apply the relevant concepts described in AU sec. 324 to the audit of internal control over financial reporting. Further, although AU sec. 324 was designed to address auditor-to-auditor communications as part of the audit of financial statements, it also is appropriate for management to apply the relevant concepts described in that standard to its assessment of internal control over financial reporting.
B19. Paragraph .03 of AU sec. 324 describes the situation in which a service organization's services are part of a company's information system. If the service organization's services are part of a company's information system, as described therein, then they are part of the information and communication component of the company's internal control over financial reporting.
When the service organization's services are part of the company's internal control over financial reporting, management should consider the activities of the service organization in making its assessment of internal control over financial reporting, and the auditor should consider the activities of the service organization in determining the evidence required to support his or her opinion.
B20. Paragraphs .07 through .16 in AU sec. 324 describe the procedures that management and the auditor should perform with respect to the activities performed by the service organization. The procedures include:
B21. Evidence that the controls that are relevant to management's assessment and the auditor's opinion are operating effectively may be obtained by following the procedures described in paragraph .12 of AU sec. 324. These procedures include:
Note: The service auditor's report referred to above means a report with the service auditor's opinion on the service organization's description of the design of its controls, the tests of controls, and results of those tests performed by the service auditor, and the service auditor's opinion on whether the controls tested were operating effectively during the specified period (in other words, "reports on controls placed in operation and tests of operating effectiveness" described in paragraph .24b of AU sec. 324). A service auditor's report that does not include tests of controls, results of the tests, and the service auditor's opinion on operating effectiveness (in other words, "reports on controls placed in operation" described in paragraph .24a of AU sec. 324) does not provide evidence of operating effectiveness. Furthermore, if the evidence regarding operating effectiveness of controls comes from an agreed-upon procedures report rather than a service auditor's report issued pursuant to AU sec. 324, management and the auditor should evaluate whether the agreed-upon procedures report provides sufficient evidence in the same manner described in the following paragraph.
B22. If a service auditor's report on controls placed in operation and tests of operating effectiveness is available, management and the auditor may evaluate whether this report provides sufficient evidence to support the assessment and opinion, respectively. In evaluating whether such a service auditor's report provides sufficient evidence, management and the auditor should consider the following factors:
Note: These factors are similar to factors the auditor would consider in determining whether the report provides sufficient evidence to support the auditor's assessed level of control risk in an audit of the financial statements as described in paragraph .16 of AU sec. 324.
B23. If the service auditor's report on controls placed in operation and tests of operating effectiveness contains a qualification that the stated control objectives might be achieved only if the company applies controls contemplated in the design of the system by the service organization, the auditor should evaluate whether the company is applying the necessary procedures. For example, completeness of processing payroll transactions might depend on the company's validation that all payroll records sent to the service organization were processed by checking a control total.
B24. In determining whether the service auditor's report provides sufficient evidence to support management's assessment and the auditor's opinion, management and the auditor should make inquiries concerning the service auditor's reputation, competence, and independence. Appropriate sources of information concerning the professional reputation of the service auditor are discussed in paragraph .10a of AU sec. 543, Part of Audit Performed by Other Independent Auditors.
B25. When a significant period of time has elapsed between the time period covered by the tests of controls in the service auditor's report and the date of management's assessment, additional procedures should be performed.
The auditor should inquire of management to determine whether management has identified any changes in the service organization's controls subsequent to the period covered by the service auditor's report (such as changes communicated to management from the service organization, changes in personnel at the service organization with whom management interacts, changes in reports or other data received from the service organization, changes in contracts or service level agreements with the service organization, or errors identified in the service organization's processing). If management has identified such changes, the auditor should determine whether management has performed procedures to evaluate the effect of such changes on the effectiveness of the company's internal control over financial reporting. The auditor also should consider whether the results of other procedures he or she performed indicate that there have been changes in the controls at the service organization that management has not identified.
B26. The auditor should determine whether to obtain additional evidence about the operating effectiveness of controls at the service organization based on the procedures performed by management or the auditor and the results of those procedures and on an evaluation of the following factors. As these factors increase in significance, the need for the auditor to obtain additional evidence increases.
B27. If the auditor concludes that additional evidence about the operating effectiveness of controls at the service organization is required, the auditor's additional procedures may include:
B28. Based on the evidence obtained, management and the auditor should determine whether they have obtained sufficient evidence to obtain the reasonable assurance necessary for their assessment and opinion, respectively.
B29. The auditor should not refer to the service auditor's report when expressing an opinion on internal control over financial reporting.
Examples of Extent-of-Testing Decisions
B30. As discussed throughout this standard, determining the effectiveness of a company's internal control over financial reporting includes evaluating the design and operating effectiveness of controls over all relevant assertions related to all significant accounts and disclosures in the financial statements. Paragraphs 88 through 107 provide the auditor with directions about the nature, timing, and extent of testing of the design and operating effectiveness of internal control over financial reporting.
B31. Examples B-1 through B-4 illustrate how to apply this information in various situations. These examples are for illustrative purposes only.
Example B-1 - Daily Programmed Application Control and Daily Information Technology-Dependent Manual Control
The auditor has determined that cash and accounts receivable are significant accounts to the audit of XYZ Company's internal control over financial reporting. Based on discussions with company personnel and review of company documentation, the auditor learned that the company had the following procedures in place to account for cash received in the lockbox:
To determine whether misstatements in cash (existence assertion) and accounts receivable (existence, valuation, and completeness) would be prevented or detected on a timely basis, the auditor decided to test the controls provided by the system in the daily reconciliation of lock box receipts to customer accounts, as well as the control over reviewing and resolving unapplied cash in the Unapplied Cash Exception Report.
Nature, Timing, and Extent of Procedures. To test the programmed application control, the auditor:
In addition, the auditor had evaluated and tested general computer controls, including program changes (for example, confirmation that no unauthorized changes are undertaken) and logical access (for example, data file access to the file downloaded from the banks and user access to the cash and accounts receivable modules) and concluded that they were operating effectively. To determine whether such programmed controls were operating effectively, the auditor performed a walkthrough in the month of July. The computer controls operate in a systematic manner; therefore, the auditor concluded that it was sufficient to perform a walkthrough for only the one item. During the walkthrough, the auditor performed and documented the following items:
To test the detective control of review and follow up on the Daily Unapplied Cash Exception Report, the auditor:
Because the tests of controls were performed at an interim date, the auditor had to determine whether there were any significant changes in the controls from interim to year-end. Therefore, the auditor asked company personnel about the procedures in place at year-end. Such procedures had not changed from the interim period; therefore, the auditor observed that the controls were still in place by scanning Daily Unapplied Cash Exception Reports to determine the control was performed on a timely basis during the period from September to year-end. Based on the auditor's procedures, the auditor concluded that the employee was clearing exceptions in a timely manner and that the control was operating effectively as of year-end.
Example B-2 - Monthly Manual Reconciliation
The auditor determined that accounts receivable is a significant account to the audit of XYZ Company's internal control over financial reporting. Through discussions with company personnel and review of company documentation, the auditor learned that company personnel reconcile the accounts receivable subsidiary ledger to the general ledger on a monthly basis. To determine whether misstatements in accounts receivable (existence, valuation, and completeness) would be detected on a timely basis, the auditor decided to test the control provided by the monthly reconciliation process.
Nature, Timing, and Extent of Procedures. The auditor tested the company's reconciliation control by selecting a sample of reconciliations based upon the number of accounts, the dollar value of the accounts, and the volume of transactions affecting the account. Because the auditor considered all other receivable accounts immaterial, and because such accounts had only minimal transactions flowing through them, the auditor decided to test only the reconciliation for the trade accounts receivable account.
The auditor elected to perform the tests of controls over the reconciliation process in conjunction with the auditor's substantive procedures over the accounts receivable confirmation procedures, which were performed in July. To test the reconciliation process, the auditor:
Based on the auditor's procedures, the auditor concluded that the reconciliation control was operating effectively as of year-end.
Example B-3 - Daily Manual Preventive Control
The auditor determined that cash and accounts payable were significant accounts to the audit of the company's internal control over financial reporting. Through discussions with company personnel, the auditor learned that company personnel make a cash disbursement only after they have matched the vendor invoice to the receiver and purchase order. To determine whether misstatements in cash (existence) and accounts payable (existence, valuation, and completeness) would be prevented on a timely basis, the auditor tested the control over making a cash disbursement only after matching the invoice with the receiver and purchase.
Nature, Timing, and Extent of Procedures. On a haphazard basis, the auditor selected 25 disbursements from the cash disbursement registers from January through September. In this example, the auditor deemed a test of 25 cash disbursement transactions an appropriate sample size because the auditor was testing a manual control performed as part of the routine processing of cash disbursement transactions through the system. Furthermore, the auditor expected no errors based on the results of company-level tests performed earlier. [If, however, the auditor had encountered a control exception, the auditor would have attempted to identify the root cause of the exception and tested an additional number of items. If another control exception had been noted, the auditor would have decided that this control was not effective. As a result, the auditor would have decided to increase the extent of substantive procedures to be performed in connection with the financial statement audit of the cash and accounts payable accounts.]
Because the auditor performed the tests of controls at an interim date, the auditor updated the testing through the end of the year (initial tests are through September to December) by asking the accounts payable clerk whether the control was still in place and operating effectively. The auditor confirmed that understanding by performing a walkthrough of one transaction in December. Based on the auditor's procedures, the auditor concluded that the control over making a cash disbursement only after matching the invoice with the receiver and purchase was operating effectively as of year-end.
Example B-4 - Programmed Prevent Control and Weekly Information Technology-Dependent Manual Detective Control
The auditor determined that cash, accounts payable, and inventory were significant accounts to the audit of the company's internal control over financial reporting. Through discussions with company personnel, the auditor learned that the company's computer system performs a three-way match of the receiver, purchase order, and invoice. If there are any exceptions, the system produces a list of unmatched items that employees review and follow up on weekly. In this case, the computer match is a programmed application control, and the review and follow-up of the unmatched items report is a detective control. To determine whether misstatements in cash (existence) and accounts payable/inventory (existence, valuation, and completeness) would be prevented or detected on a timely basis, the auditor decided to test the programmed application control of matching the receiver, purchase order, and invoice as well as the review and follow-up control over unmatched items.
Nature, Timing, and Extent of Procedures. To test the programmed application control, the auditor:
In addition, the auditor had evaluated and tested general computer controls, including program changes (for example, confirmation that no unauthorized changes are undertaken to the functionality and that changes to reports are appropriately authorized, tested, and approved before being applied) and logical access (for example, user access to the inventory and accounts payable modules and access to the area on the system where report code is maintained), and concluded that they were operating effectively. (Since the computer is deemed to operate in a systematic manner, the auditor concluded that it was sufficient to perform a walkthrough for only the one item.) To determine whether the programmed control was operating effectively, the auditor performed a walkthrough in the month of July. As a result of the walkthrough, the auditor performed and documented the following items:
To test the detect control of review and follow up on the Unmatched Items Report, the auditor performed the following procedures in the month of July for the period January to July:
To determine that the company had not made significant changes in their controls from interim to year-end, the auditor discussed with company personnel the procedures in place for making such changes. Since the procedures had not changed from interim to year-end, the auditor observed that the controls were still in place by scanning the weekly Unmatched Items Reports to determine that the control was performed on a timely basis during the interim to year-end period. Based on the auditor's procedures, the auditor concluded that the employee was clearing exceptions in a timely manner and that the control was operating effectively as of year-end.
1/ It is our understanding that the SEC Staff may conclude that management can limit the scope of its assessment if it does not have the authority to affect, and therefore cannot assess, the controls in place over certain amounts. This would relate to entities that are consolidated or proportionately consolidated when the issuer does not have sufficient control over the entity to assess and affect controls. If management's report on its assessment of the effectiveness of internal control over financial reporting is limited in that manner, the SEC staff may permit the company to disclose this fact as well as information about the magnitude of the amounts included in the financial statements from entities whose controls cannot be assessed. This disclosure would be required in each filing, but outside of management's report on its assessment of the effectiveness of internal control over financial reporting.