An Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements

Transcription

1 ASB Meeting July 30 August 1, 2013 Agenda Item 3B AT Section 501 An Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements Source: SSAE No. 15. This mapping document demonstrates how the material in extant AT section 501, An Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements, has been reflected in proposed Chapter 1, Concepts Common to All Attestation Engagements, Chapter 2, Examination Engagements, and Chapter 7, An Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements, of Statements on Standards for Attestation Engagements (SSAEs). This document shows how the extant requirements in AT section 501 have been treated in the SSAE Chapters as requirements (R), as application materials (A), or (N) not included. Exact wording of requirements and application guidance may have been redrafted in the clarity format to be more concise and less prescriptive. Explanations are provided where appropriate. AT Section 501, An Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements Applicability.01 This section establishes requirements and provides guidance that applies when a practitioner fn 1 is engaged to perform an examination of the design and operating effectiveness of an entity s internal control over financial reporting (examination of internal control) fn 2 that is integrated with an audit of financial statements (integrated audit). fn 3 New paragraph reference 7.1 Disposition of Requirements and Explanation Prepared by: Maria Manasses (June 2013) Page 1 of 67

2 .02 Ordinarily, the auditor will be engaged to examine the effectiveness of the entity s internal control over financial reporting (hereinafter referred to as internal control) as of the end of the entity s fiscal year; however, management may select a different date. If the auditor is engaged to examine the effectiveness of an entity s internal control at a date different from the end of the entity s fiscal year, the examination should, nevertheless, be integrated with a financial statement audit (see paragraphs.18.19)..03 An auditor may be engaged to examine the effectiveness of an entity s internal control for a period of time. In that circumstance, the guidance in this section should be modified accordingly, and the examination of internal control should be integrated with an audit of financial statements that covers the same period of time..04 This section does not provide guidance for the following: a. Engagements to examine the suitability of design of an entity s internal control. Such engagements may be developed and performed under section 101, Attest Engagements fn 4 b. Engagements to examine controls over the effectiveness and efficiency of operations. Such engagements may be developed and performed under section 101. c. Engagements to examine controls over compliance with laws and regulations. See section 601, Compliance Attestation. d. Engagements to report on controls at a service organization. See section 801, Reporting on Controls at a Service Organization. e. Engagements to perform agreed-upon procedures on controls. See section 201, Agreed-Upon Procedures Engagements. [Revised, August 2011, to reflect conforming changes necessary due to the issuance of SSAE No. 16.].05 The auditor may be requested to perform certain nonattest services related to the entity s internal control in addition to the examination of internal control. The auditor should determine whether to perform such nonattest services after considering relevant 7.A18 A Moved to application guidance that is linked to the requirement in 7.9(c) R , 7.A13 R, A Overarching requirement to be independent is included in Agenda Item 3B Page 2 of 67

3 ethical requirements..06 An auditor should not accept an engagement to review an entity s internal control or a written assertion thereon. chapter 1. This paragraph as moved to application guidance, reiterating the requirement in chapter R The requirement is included in chapter 3, Review Engagements. Definitions and Underlying Concepts.07 For purposes of this section, the terms listed below are defined as follows: Control objective. The aim or purpose of specified controls. Control objectives ordinarily address the risks that the controls are intended to mitigate. In the context of internal control, a control objective generally relates to a relevant assertion for a significant account or disclosure and addresses the risk that the controls in a specific area will not provide reasonable assurance that a misstatement or omission in that relevant assertion is prevented, or detected and corrected on a timely basis. Deficiency. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. Detective control. A control that has the objective of detecting and correcting errors or fraud that has already occurred that could result in a misstatement of the 7.7 Agenda Item 3B Page 3 of 67

4 financial statements. Financial statements and related disclosures. An entity s financial statements and notes to the financial statements as presented in accordance with the applicable financial reporting framework. fn 5 References to financial statements and related disclosures do not extend to the preparation of other financial information presented outside an entity s basic financial statements and notes. Internal control over financial reporting. fn 6 A process effected by those charged with governance, fn 7 management, and other personnel, designed to provide reasonable assurance regarding the preparation of reliable financial statements in accordance with the applicable financial reporting framework and includes those policies and procedures that fn 8 i. pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the entity; ii. provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with the applicable financial reporting framework, and that receipts and expenditures of the entity are being made only in accordance with authorizations of management and those charged with governance; and iii. provide reasonable assurance regarding prevention, or timely detection and correction of unauthorized acquisition, use, or disposition of the entity's assets that could have a material effect on the financial statements. Internal control has inherent limitations. Internal control is a process that involves human diligence and compliance and is subject to lapses in judgment and breakdowns resulting from human failures. Internal control also can be circumvented by collusion or improper management override. Because of such limitations, there is a risk that material misstatements will not be prevented, or detected and corrected on a timely basis by internal control. However, these inherent limitations are known aspects of the financial reporting process. Management's assertion. Management s conclusion about the effectiveness of Agenda Item 3B Page 4 of 67

5 the entity s internal control that is included in management s report on internal control. Material weakness. A deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility fn 9 that a material misstatement of the entity s financial statements will not be prevented, or detected and corrected on a timely basis. Preventive control. A control that has the objective of preventing errors or fraud that could result in a misstatement of the financial statements. Relevant assertion. A financial statement assertion fn 10 that has a reasonable possibility of containing a misstatement or misstatements that would cause the financial statements to be materially misstated. The determination of whether an assertion is a relevant assertion is made without regard to the effect of controls. Significant account or disclosure. An account balance or disclosure that has a reasonable possibility that it could contain a misstatement that, individually or when aggregated with others, has a material effect on the financial statements, considering the risks of both overstatement and understatement. The determination of whether an account balance or disclosure is a significant account or disclosure is made without regard to the effect of controls. Significant deficiency. A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance..08 Effective internal control provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes. If one or more material weaknesses exist, the entity s internal control cannot be considered effective..09 The auditor s objective in an examination of internal control is to form an opinion on the effectiveness of the entity s internal control. Because an entity s internal control cannot be considered effective if one or more material weaknesses exist, to form a basis 7.A4 7.6, 7.A3, 7.A5 N Included as the objective of the auditor. Agenda Item 3B Page 5 of 67

6 for expressing an opinion, the auditor should plan and perform the examination to obtain sufficient appropriate evidence to obtain reasonable assurance fn 11 about whether material weaknesses exist as of the date specified in management's assertion. A material weakness in internal control may exist even when financial statements are not materially misstated. The auditor is not required to search for deficiencies that, individually or in combination, are less severe than a material weakness..10 An auditor engaged to perform an examination of internal control should comply with the general, fieldwork, and reporting standards in section 101, and the specific performance and reporting requirements set forth in this section. In this section, the subject matter is the effectiveness of internal control, and the responsible party usually is management of the entity. Accordingly, the term management is used in this section to refer to the responsible party. 1.12, 2.4, 7.2, 7.8 R No longer necessary. Requirements are included in chapters 1 and 2. Paragraph 7.2 references these chapters..11 The auditor should use the same suitable and available control criteria fn 12 to perform his or her examination of internal control as management uses for its evaluation of the effectiveness of the entity s internal control..12 An auditor may perform an examination of internal control only if the following conditions are met: a. Management accepts responsibility for the effectiveness of the entity's internal control. b. Management evaluates the effectiveness of the entity's internal control using suitable and available criteria. c. Management supports its assertion about the effectiveness of the entity s internal control with sufficient appropriate evidence (see discussion beginning at paragraph.14) R 7.9 R , d. Management provides its assertion about the effectiveness of the entity s internal 7.9 Agenda Item 3B Page 6 of 67

7 control in a report that accompanies the auditor s report (see paragraph.95)..13 Management s refusal to furnish a written assertion should cause the auditor to withdraw from the engagement. However, if law or regulation does not allow the auditor to withdraw from the engagement and management refuses to furnish a written assertion, fn 13 the auditor should disclaim an opinion on internal control R Evidence Supporting Management s Assertion.14 Management is responsible for identifying and documenting the controls and the control objectives that they were designed to achieve. Such documentation serves as a basis for management s assertion. Documentation of the design of controls, including changes to those controls, is evidence that controls upon which management s assertion is based are identified. capable of being communicated to those responsible for their performance. capable of being monitored and evaluated by the entity..15 Management s documentation may take various forms, for example, entity policy manuals, accounting manuals, narrative memoranda, flowcharts, decision tables, procedural write-ups, or completed questionnaires. No one, particular form of documentation is prescribed, and the extent of documentation may vary depending upon the size and complexity of the entity and the entity s monitoring activities..16 Management s monitoring activities also may provide evidence of the design and operating effectiveness of internal control in support of management s assertion. Monitoring of controls is a process to assess the effectiveness of internal control performance over time. It involves assessing the effectiveness of controls on a timely basis, identifying and reporting deficiencies to appropriate individuals within the organization, and taking necessary corrective actions. Management accomplishes monitoring of controls through ongoing activities, separate evaluations, or a combination 7.A14 7.A15 7.A16 Agenda Item 3B Page 7 of 67

8 of the two..17 Ongoing monitoring activities are often built into the normal recurring activities of an entity and include regular management and supervisory activities. The greater the degree and effectiveness of ongoing monitoring, the less need for separate evaluations. Usually, some combination of ongoing monitoring and separate evaluations will ensure that internal control maintains its effectiveness over time. 7.A17 Integrating the Examination With the Financial Statement Audit.18 The examination of internal control should be integrated with an audit of financial statements. Although the objectives of the engagements are not the same, the auditor should plan and perform the integrated audit to achieve the objectives of both engagements simultaneously. The auditor should design tests of controls to obtain sufficient appropriate evidence to support the auditor's opinion on internal control as of the period-end; and to obtain sufficient appropriate evidence to support the auditor's control risk assessments for purposes of the audit of financial statements..19 The date specified in management s assertion (the as-of date of the examination) should correspond to the balance sheet date (or period ending date) of the period covered by the financial statements (see paragraph.02)..20 Obtaining sufficient appropriate evidence to support the operating effectiveness of controls for purposes of the financial statement audit ordinarily allows the auditor to modify the substantive procedures that otherwise would have been necessary to opine on the financial statements. (Integration is described further beginning at paragraph.159.).21 In some circumstances, particularly in some audits of smaller, less complex entities, the auditor might choose not to test the operating effectiveness of controls for purposes of the audit of the financial statements. In such circumstances, the auditor's tests of the operating effectiveness of controls would be performed principally for the purpose of 7.12 R, N The first requirement is redundant with the applicability of this standard and the remainder of this requirement. 7.9 R 7.A , 7.A22 R Agenda Item 3B Page 8 of 67

9 supporting his or her opinion on whether the entity's internal control is effective as of period-end. The auditor should consider the results of the financial statement auditing procedures in determining his or her risk assessments and the testing necessary to conclude on the operating effectiveness of a control. Planning the Examination.22 The auditor should plan the examination of internal control. Evaluating whether the following matters are important to the entity s financial statements and internal control and, if so, how they may affect the auditor's procedures, may assist the auditor in planning the examination: Knowledge of the entity s internal control obtained during other engagements performed by the auditor or, if applicable, during a review of a predecessor auditor s working papers Matters affecting the industry in which the entity operates, such as financial reporting practices, economic conditions, laws and regulations, and technological changes Matters relating to the entity's business, including its organization, operating characteristics, and capital structure The extent of recent changes, if any, in the entity, its operations, or its internal control The auditor's preliminary judgments about materiality, risk, and other factors relating to the determination of material weaknesses Deficiencies previously communicated to those charged with governance or management Legal or regulatory matters of which the entity is aware The type and extent of available evidence related to the effectiveness of the entity's internal control 7.15, 7.A23 R Agenda Item 3B Page 9 of 67

10 Preliminary judgments about the effectiveness of internal control Public information about the entity relevant to the evaluation of the likelihood of material financial statement misstatements and the effectiveness of the entity's internal control Knowledge about risks related to the entity evaluated as part of the auditor's client acceptance and retention evaluation The relative complexity of the entity's operations Role of Risk Assessment.23 Risk assessment underlies the entire examination process described by this section, including the determination of significant accounts and disclosures and relevant assertions, the selection of controls to test, and the determination of the evidence necessary to conclude on the effectiveness of a given control. When performing an examination of internal control that is integrated with an audit of financial statements, the fn 14 same risk assessment process supports both engagements..24 The auditor should focus more attention on the areas of highest risk. A direct relationship exists between the degree of risk that a material weakness could exist in a particular area of the entity s internal control and the amount of attention that would be devoted to that area. In addition, an entity s internal control is less likely to prevent, or detect and correct a misstatement caused by fraud than a misstatement caused by error. It is not necessary to test controls that, even if deficient, would not present a reasonable possibility of material misstatement to the financial statements. 7.A , 7.A25 R Scaling the Examination.25 The size and complexity of the entity, its business processes, and business units may affect the way in which the entity achieves many of its control objectives. Many smaller entities have less complex operations. Additionally, some larger, complex entities may have less complex units or processes. Factors that might indicate less complex operations 7.A26 Agenda Item 3B Page 10 of 67

11 include fewer business lines; less complex business processes and financial reporting systems; more centralized accounting functions; extensive involvement by senior management in the day-to-day activities of the business; and fewer levels of management, each with a wide span of control. Accordingly, a smaller, less complex entity, or even a larger, less complex entity might achieve its control objectives differently from a more complex entity..26 The size and complexity of the organization, its business processes, and business units also may affect the auditor's risk assessment and the determination of the necessary procedures and the controls necessary to address those risks. Scaling is most effective as a natural extension of the risk-based approach and applicable to examinations of all entities. 7.A27 Addressing the Risk of Fraud.27 When planning and performing the examination of internal control, the auditor should incorporate the results of the fraud risk assessment performed in the financial statement audit. As part of identifying and testing entity-level controls, as discussed beginning at paragraph.37, and selecting other controls to test, as discussed beginning at paragraph.54, the auditor should evaluate whether the entity s controls sufficiently address identified risks of material misstatement due to fraud fn 15 and the risk of management override of other controls. Controls that might address these risks include controls over significant, unusual transactions, particularly those that result in late or unusual journal entries; controls over journal entries and adjustments made in the period-end financial reporting process; controls over related party transactions; controls related to significant management estimates; and controls that mitigate incentives for, and pressures on, management to falsify or inappropriately manage financial results. 7.17, 7.A28 Agenda Item 3B Page 11 of 67

12 .28 If the auditor identifies deficiencies in controls designed to prevent, or detect and correct misstatements caused by fraud during the examination of internal control, he or she should take into account those deficiencies when developing his or her response to risks of material misstatement during the financial statement audit, as provided in paragraphs of AU-C section 240, Consideration of Fraud in a Financial Statement Audit. [Revised, December 2012, to reflect conforming changes necessary due to the issuance of SAS Nos ] 7.A29 A This is a financial statement audit requirement. Moved to application guidance and referenced the appropriate AU-C paragraphs. Using the Work of Others.29 The auditor should evaluate the extent to which he or she will use the work of others to reduce the work the auditor might otherwise perform himself or herself..30 AU-C section 610, The Auditor s Consideration of the Internal Audit Function in an Audit of Financial Statements, applies in an integrated audit. For purposes of the examination of internal control, however, the auditor may use the work performed by, or receive direct assistance from, internal auditors, entity personnel (in addition to internal auditors), and third parties working under the direction of management or those charged with governance that provide evidence about the effectiveness of internal control. In an integrated audit, the auditor also may use this work to obtain evidence supporting the assessment of control risk for purposes of the financial statement audit. [Revised, December 2012, to reflect conforming changes necessary due to the issuance of SAS Nos ].31 The auditor should obtain an understanding of the work of others sufficient to identify those activities related to the effectiveness of internal control that are relevant to planning the examination of internal control. The extent of the procedures necessary to obtain this understanding will vary, depending on the nature of those activities..32 The auditor should assess the competence and objectivity of the persons whose work the auditor plans to use to determine the extent to which the auditor may use their work. The higher the degree of competence and objectivity, the greater use the auditor may A , 7.A R Modified to align with Proposed SAS, Using the Work of Internal Auditors Agenda Item 3B Page 12 of 67

13 make of the work. The auditor should apply paragraphs of AU-C section 610 to assess the competence and objectivity of internal auditors. The auditor should apply the principles underlying those paragraphs to assess the competence and objectivity of persons other than internal auditors whose work the auditor plans to use. [Revised, December 2012, to reflect conforming changes necessary due to the issuance of SAS Nos ].33 For purposes of using the work of others, competence means the attainment and maintenance of a level of understanding, knowledge, and skills that enables that person to perform ably the tasks assigned to them, and objectivity means the ability to perform those tasks impartially and with intellectual honesty. To assess competence, the auditor should evaluate factors about the person's qualifications and ability to perform the work that the auditor plans to use. To assess objectivity, the auditor should evaluate whether factors are present that either inhibit or promote a person's ability to perform with the necessary degree of objectivity the work that the auditor plans to use. The effect of the work of others on the auditor s work also depends on the relationship between the risk associated with a control and the competence and objectivity of those who performed the work. As the risk associated with a control decreases, the necessary level of competence and objectivity decreases as well. In higher risk areas (for example, controls that address specific fraud risks), use of the work of others would be limited, if it could be used at all..34 The extent to which the auditor may use the work of others also depends, in part, on the risk associated with the control being tested (see paragraph.62). As the risk associated with a control increases, the need for the auditor to perform his or her own work on the control increases. Materiality.35 In planning and performing the examination of internal control, the auditor should use the same materiality used in planning and performing the audit of the entity s fn 16 financial statements. 7.21, 7.A32, 7.A33 7.A R Agenda Item 3B Page 13 of 67

14 Using a Top-Down Approach.36 The auditor should use a top-down approach fn 17 to the examination of internal control to select the controls to test. A top-down approach involves beginning at the financial statement level; using the auditor's understanding of the overall risks to internal control; focusing on entity-level controls; working down to significant accounts and disclosures and their relevant assertions; directing attention to accounts, disclosures, and assertions that present a reasonable possibility of material misstatement to the financial statements and related disclosures; verifying the auditor s understanding of the risks in the entity s processes; and selecting controls for testing that sufficiently address the assessed risk of material misstatement to each relevant assertion. 7.23, 7.A37 R Identifying Entity-Level Controls.37 The auditor should test those entity-level controls that are important to his or her conclusion about whether the entity has effective internal control. The auditor's evaluation of entity-level controls can result in increasing or decreasing the testing that he or she otherwise would have performed on other controls. 7.24, 7.A38 Agenda Item 3B Page 14 of 67

15 .38 Entity-level controls include controls related to the control environment; controls over management override; the entity's risk assessment process; fn 18 centralized processing and controls, including shared service environments; controls to monitor results of operations; controls to monitor other controls, including activities of the internal audit function, those charged with governance, and self-assessment programs; controls over the period-end financial reporting process; and programs and controls that address significant business control and risk management practices. 7.A39 Agenda Item 3B Page 15 of 67

16 .39 Entity-level controls vary in nature and precision: Some entity-level controls, such as certain control environment controls, have an important but indirect effect on the likelihood that a misstatement will be prevented, or detected and corrected on a timely basis. These controls might affect the other controls that the auditor selects for testing and the nature, timing, and extent of procedures the auditor performs on other controls. Some entity-level controls monitor the effectiveness of other controls. Such controls might be designed to identify possible breakdowns in lower level controls, but not at a level of precision that would, by themselves, sufficiently address the assessed risk that material misstatements to a relevant assertion will be prevented, or detected and corrected on a timely basis. These controls, when operating effectively, might allow the auditor to reduce the testing of other controls. Some entity-level controls might be designed to operate at a level of precision that would adequately prevent, or detect and correct on a timely basis misstatements to one or more relevant assertions. If an entity-level control sufficiently addresses the assessed risk of material misstatement, the auditor need not test additional controls relating to that risk. 7.A40 Control Environment Agenda Item 3B Page 16 of 67

17 .40 Because of its importance to effective internal control, the auditor should evaluate the control environment at the entity. When evaluating the control environment, the auditor should apply paragraphs.a71.a80 of AU-C section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. As part of evaluating the control environment, the auditor should assess whether management's philosophy and operating style promote effective internal control; whether sound integrity and ethical values, particularly of top management, are developed and understood; and whether those charged with governance understand and exercise oversight responsibility over financial reporting and internal control. [Revised, December 2012, to reflect conforming changes necessary due to the issuance of SAS Nos ] 7.25, 7.26 R Period-End Financial Reporting Process.41 Because of its importance to financial reporting and to the integrated audit, the auditor should evaluate the period-end financial reporting process. fn 19 The period-end financial reporting process includes the following: Procedures used to enter transaction totals into the general ledger Procedures related to the selection and application of accounting policies Procedures used to initiate, authorize, record, and process journal entries in the general ledger Procedures used to record recurring and nonrecurring adjustments to the financial statements Procedures for preparing financial statements and related disclosures 7.27 R Agenda Item 3B Page 17 of 67

18 .42 As part of evaluating the period-end financial reporting process, the auditor should assess the inputs, procedures performed, and outputs of the processes the entity uses to produce its financial statements; the extent of IT involvement in the period-end financial reporting process; who participates from management; the locations involved in the period-end financial reporting process; the types of adjusting and consolidating entries; and the nature and extent of the oversight of the process by management and those charged with governance R Identifying Significant Accounts and Disclosures and Their Relevant Assertions Agenda Item 3B Page 18 of 67

19 .43 The auditor should identify significant accounts and disclosures and their relevant assertions. To identify significant accounts and disclosures and their relevant assertions, the auditor should evaluate the qualitative and quantitative risk factors related to the financial statement line items and disclosures. Risk factors relevant to the identification of significant accounts and disclosures and their relevant assertions include size and composition of the account; susceptibility to misstatement due to errors or fraud; volume of activity, complexity, and homogeneity of the individual transactions processed through the account or reflected in the disclosure; nature of the account, class of transactions, or disclosure; accounting and reporting complexities associated with the account, class of transactions, or disclosure; exposure to losses in the account; possibility of significant contingent liabilities arising from the activities reflected in the account or disclosure; existence of related party transactions in the account; and changes from the prior period in the account, class of transactions, or disclosure characteristics..44 As part of identifying significant accounts and disclosures and their relevant assertions, the auditor also should determine the likely sources of potential misstatements that would cause the financial statements to be materially misstated. The auditor might determine the likely sources of potential misstatements by asking himself or herself "what could go wrong?" within a given significant account or disclosure..45 The risk factors that the auditor should evaluate in the identification of significant accounts and disclosures and their relevant assertions are the same in the examination of internal control as in the audit of the financial statements; accordingly, significant 7.29, 7.A , 7.A46 R 7.A44 A The requirement to evaluate risk factors is included in paragraph.43. Agenda Item 3B Page 19 of 67

20 accounts and disclosures and their relevant assertions are the same in an integrated audit. fn 20 Reworded as application guidance..46 The components of a potential significant account or disclosure might be subject to significantly different risks. If so, different controls might be necessary to adequately address those risks..47 When an entity has multiple locations or business units, the auditor should identify significant accounts and disclosures and their relevant assertions based on the consolidated financial statements. 7.A R Understanding Likely Sources of Misstatement.48 To further understand the likely sources of potential misstatements, and as a part of selecting the controls to test, the auditor should achieve the following objectives: Understand the flow of transactions related to the relevant assertions, including how these transactions are initiated, authorized, processed, and recorded Identify the points within the entity s processes at which a misstatement, including a misstatement due to fraud, could arise that, individually or in combination with other misstatements, would be material (for example, points at which information is initiated, transferred, or otherwise modified) Identify the controls that management has implemented to address these potential misstatements Identify the controls that management has implemented over the prevention, or timely detection and correction of unauthorized acquisition, use, or disposition of the entity s assets that could result in a material misstatement of the financial statements 7.32 R Agenda Item 3B Page 20 of 67

21 .49 Because of the degree of judgment required, the auditor should either perform the procedures that achieve the objectives in paragraph.48 himself or herself or supervise the work of others who provide direct assistance to the auditor, as described in AU-C section 610. [Revised, December 2012, to reflect conforming changes necessary due to the issuance of SAS Nos ].50 The auditor also should understand how IT affects the entity s flow of transactions. The auditor should apply paragraphs.a54.a60 of AU-C section 315, which discuss the effect of IT on internal control and the risks to assess. [Revised, December 2012, to reflect conforming changes necessary due to the issuance of SAS Nos ].51 The identification of risks and controls within IT is not a separate evaluation. Instead, it is an integral part of the top-down approach used to identify likely sources of misstatement and the controls to test, as well as to assess risk and allocate audit effort R 7.34, 7.A51 R, A Modified to remove reference to application guidance in a financial statement audit within a requirement for an internal control examination. 7.A51 Performing Walkthroughs.52 Performing walkthroughs will frequently be the most effective way of achieving the objectives in paragraph.48. A walkthrough involves following a transaction from origination through the entity s processes, including information systems, until it is reflected in the entity s financial records, using the same documents and IT that entity personnel use. Walkthrough procedures may include a combination of inquiry, observation, inspection of relevant documentation, recalculation, and control reperformance..53 A walkthrough includes questioning the entity s personnel about their understanding of what is required by the entity s prescribed procedures and controls at the points at which important processing procedures occur. These probing questions, combined with the other walkthrough procedures, allow the auditor to gain a sufficient understanding of the process and to be able to identify important points at which a necessary control is 7.A49 7.A50 Agenda Item 3B Page 21 of 67

22 missing or not designed effectively. Additionally, probing questions that go beyond a narrow focus on the single transaction used as the basis for the walkthrough may provide an understanding of the different types of significant transactions handled by the process. Selecting Controls to Test.54 The auditor should test those controls that are important to the auditor's conclusion about whether the entity s controls sufficiently address the assessed risk of material misstatement to each relevant assertion..55 There might be more than one control that addresses the assessed risk of material misstatement to a particular relevant assertion; conversely, one control might address the assessed risk of material misstatement to more than one relevant assertion. It may not be necessary to test all controls related to a relevant assertion nor necessary to test redundant controls, unless redundancy is, itself, a control objective..56 The decision concerning whether a control would be selected for testing depends on which controls, individually or in combination, sufficiently address the assessed risk of material misstatement to a given relevant assertion rather than on how the control is labeled (for example, entity-level control, transaction-level control, control activity, monitoring control, preventive control, or detective control) R 7.A52 7.A53 Testing Controls Evaluating Design Effectiveness.57 The auditor should evaluate the design effectiveness of controls by determining whether the entity s controls, if they are applied as prescribed by persons possessing the necessary authority and competence to perform the control effectively, satisfy the entity s control objectives, and can effectively prevent, or detect and correct misstatements caused by errors or fraud that could result in material misstatements in the financial statements R Agenda Item 3B Page 22 of 67

23 58 A smaller, less complex entity might achieve its control objectives in a different manner from a larger, more complex organization. For example, a smaller, less complex entity might have fewer employees in the accounting function, limiting opportunities to segregate duties and leading the entity to implement alternative controls to achieve its control objectives. In such circumstances, the auditor should evaluate whether those alternative controls are effective..59 Procedures performed to evaluate design effectiveness may include a mix of inquiry of appropriate personnel, observation of the entity s operations, and inspection of relevant documentation. Walkthroughs that include these procedures ordinarily are sufficient to evaluate design effectiveness. Testing Operating Effectiveness 7.A55, 7.A56 7.A54 A Duplicative requirement. Modified to refer to the overarching requirement in paragraph The auditor should test the operating effectiveness of a control by determining whether the control is operating as designed and whether the person performing the control possesses the necessary authority and competence to perform the control fn 21 effectively..61 Procedures performed to test operating effectiveness may include a mix of inquiry of appropriate personnel, observation of the entity s operations, inspection of relevant documentation, recalculation, and reperformance of the control R 7.A57 Relationship of Risk to the Evidence to Be Obtained.62 For each control selected for testing, the evidence necessary to persuade the auditor that the control is effective depends upon the risk associated with the control. The risk associated with a control consists of the risk that the control might not be effective and, if not effective, the risk that a material weakness exists. As the risk associated with the control being tested increases, the evidence that the auditor should obtain also increases. 7.38, 7.A59 R.63 Although the auditor should obtain evidence about the effectiveness of controls for 7.39, 7.A63 R Agenda Item 3B Page 23 of 67

24 each relevant assertion, he or she is not responsible for obtaining sufficient appropriate evidence to support an opinion about the effectiveness of each individual control. Rather, the auditor's objective is to express an opinion on the entity s internal control overall. This allows the auditor to vary the evidence obtained regarding the effectiveness of individual controls selected for testing based on the risk associated with the individual control..64 Factors that affect the risk associated with a control may include the nature and materiality of misstatements that the control is intended to prevent, or detect and correct; the inherent risk associated with the related account(s) and assertion(s); whether there have been changes in the volume or nature of transactions that might adversely affect control design or operating effectiveness; whether the account has a history of errors; the effectiveness of entity-level controls, especially controls that monitor other controls; the nature of the control and the frequency with which it operates; the degree to which the control relies on the effectiveness of other controls (for example, the control environment or IT general controls); the competence of the personnel who perform the control or monitor its performance and whether there have been changes in key personnel who perform the control or monitor its performance; whether the control relies on performance by an individual or is automated (that is, an automated control would generally be expected to be lower risk if relevant IT general controls are effective); fn 22 and the complexity of the control and the significance of the judgments that fn 23 would be made in connection with its operation. 7.A60 Agenda Item 3B Page 24 of 67

25 .65 When the auditor identifies control deviations, he or she should determine the effect of the deviations on his or her assessment of the risk associated with the control being tested and the evidence to be obtained, as well as on the operating effectiveness of the control..66 Because effective internal control cannot and does not provide absolute assurance of achieving the entity s control objectives, an individual control does not necessarily have to operate without any deviation to be considered effective..67 The evidence provided by the auditor's tests of the effectiveness of controls depends upon the mix of the nature, timing, and extent of the auditor's procedures. Further, for an individual control, different combinations of the nature, timing, and extent of testing may provide sufficient appropriate evidence in relation to the risk associated with the control..68 Walkthroughs may include a combination of inquiry of appropriate personnel, observation of the entity s operations, inspection of relevant documentation, recalculation, and reperformance of the control and might provide sufficient appropriate evidence of operating effectiveness, depending on the risk associated with the control being tested, the specific procedures performed as part of the walkthrough, and the results of those procedures R 7.A66 7.A64 7.A65 Nature of Tests of Controls.69 Some types of tests, by their nature, produce greater evidence of the effectiveness of controls than other tests. The following tests that the auditor might perform are presented in order of the evidence that they ordinarily would produce, from least to most: inquiry, observation, inspection of relevant documentation, recalculation, and reperformance of a control. Inquiry alone, however, does not provide sufficient appropriate evidence to support a conclusion about the effectiveness of a control..70 The nature of the tests of effectiveness that will provide sufficient appropriate evidence depends, to a large degree, on the nature of the control to be tested, including 7.A67 7.A68 Agenda Item 3B Page 25 of 67

26 whether the operation of the control results in documentary evidence of its operation. Documentary evidence of the operation of some controls, such as management's philosophy and operating style, might not exist..71 A smaller, less complex entity or unit might have less formal documentation regarding the operation of its controls. In those situations, testing controls through inquiry combined with other procedures, such as observation of activities, inspection of less formal documentation, recalculation, or reperformance of certain controls, might provide sufficient appropriate evidence about whether the control is effective. 7.A69 Timing and Extent of Tests of Controls.72 Testing controls over a longer period of time provides more evidence of the effectiveness of controls than testing over a shorter period of time. Further, testing performed closer to the date of management's assertion provides more evidence than testing performed earlier in the year. The auditor should balance performing the tests of controls closer to the as-of date with the need to test controls over a sufficient period of time to obtain sufficient appropriate evidence of operating effectiveness..73 Prior to the date specified in management's assertion, management might implement changes to the entity s controls to make them more effective or efficient or to address deficiencies. If the auditor determines that the new controls achieve the related objectives of the control criteria and have been in effect for a sufficient period to permit the auditor to assess their design and operating effectiveness by performing tests of controls, he or she will not need to test the design and operating effectiveness of the superseded controls for purposes of expressing an opinion on internal control. If the operating effectiveness of the superseded controls is important to the auditor's control risk assessment in the financial statement audit, the auditor should test the design and operating effectiveness of those superseded controls, as appropriate. (Integration is discussed beginning at paragraph.159.) 7.41, 7.A70 R 7.42, 7.A72.74 The more extensively a control is tested, the greater the evidence obtained from that 7.A71 Agenda Item 3B Page 26 of 67

27 test. Rollforward Procedures.75 When the auditor reports on the effectiveness of controls as of a specific date and obtains evidence about the operating effectiveness of controls at an interim date, he or she should determine what additional evidence concerning the operation of the controls for the remaining period is necessary..76 The additional evidence that is necessary to update the results of testing from an fn 24 interim date to the entity s period-end depends on the following factors: The specific control tested prior to the as-of date, including the risks associated with the control, the nature of the control, and the results of those tests The sufficiency of the evidence of operating effectiveness obtained at an interim date The length of the remaining period The possibility that there have been any significant changes in internal control subsequent to the interim date 7.43 R 7.A73 Special Considerations for Subsequent Years' Examinations.77 In subsequent years' examinations, the auditor should incorporate knowledge obtained during past examinations he or she performed of the entity s internal control into the decision making process for determining the nature, timing, and extent of testing necessary. This decision making process is described in paragraphs R Agenda Item 3B Page 27 of 67

28 .78 Factors that affect the risk associated with a control in subsequent years' examinations include those in paragraph.64 and the following: The nature, timing, and extent of procedures performed in previous examinations The results of the previous years' testing of the control Whether there have been changes in the control or the process in which it operates since the previous examination.79 After taking into account the risk factors identified in paragraphs.64 and.78, the additional information available in subsequent years' examinations might permit the auditor to assess the risk as lower than in the initial year. This, in turn, might permit the auditor to reduce testing in subsequent years..80 The auditor also may use a benchmarking strategy for automated application controls in subsequent years' examinations. Benchmarking is described further beginning at paragraph In addition, the auditor should vary the nature, timing, and extent of testing of controls from period to period to introduce unpredictability into the testing and respond to changes in circumstances. For this reason, the auditor might test controls at a different interim period, increase or reduce the number and types of tests performed, or change the combination of procedures used. 7.A75 7.A76 7.A , 7.A78 Evaluating Identified Deficiencies.82 The auditor should evaluate the severity of each deficiency to determine whether the deficiency, individually or in combination, is a material weakness as of the date of management's assertion R Agenda Item 3B Page 28 of 67