Objective of the
Auditor
The objective of the auditor is to appropriately communicate
to those charged with governance and management significant deficiencies in
internal control that the auditor has identified during the audit and that, in
the auditor’s professional judgment, is of sufficient importance to merit attention
by governance and management persons.
Definitions
Deficiency in
internal control—a deficiency in internal control exists when the design or
operation of a control does not allow management or employees, in the normal
course of performing their assigned functions, to prevent, or detect and
correct, misstatements on a timely basis.
A deficiency in design exists when a control necessary to
meet the control objective is missing or an existing control is not properly
designed so that, even if the control operates as designed, the control
objective would not be met.
A deficiency in operation exists when a properly designed
control does not operate as designed or when the person performing the control
does not possess the necessary authority or competence to perform the control
effectively.
Material weakness—a
deficiency or a combination of deficiencies, in internal control, such that
there is a reasonable possibility that a material misstatement of the entity’s
financial statements will not be prevented, or detected and corrected, on a
timely basis.
Significant
deficiency--a deficiency, or a combination of deficiencies, in internal
control that is less severe than a material weakness yet important enough to
merit attention by those charged with governance.
Illustrative Letters
This SAS contains illustrative written communications which
can be downloaded from www.aicpa.org :
·
Exhibit A: Illustrative Written Communication
·
Exhibit B: Illustrative No Material Weakness
Communication
·
Exhibit C: Examples of Circumstances That May Be
Deficiencies, Significant Deficiencies, or Material Weaknesses
Practical Note:
Internal control is always relevant to the nature, size
and complexity of a reporting entity.
Therefore, so should be the contents of the internal control
communication letter. Smaller entities
will ordinarily have more informal control activities performed by one or a few
individuals. For smaller entities, key
controls performed at the entity level will ordinarily have the most pervasive
effects for preventing errors or fraud from occurring and going undetected.
Evaluating Control
Deficiencies
Consideration of the
magnitude of a potential deficiency and whether there is a reasonable
possibility that controls will not prevent, detect or correct it is
necessary to determine its severity.
The magnitude of
a deficiency is related to financial statement amounts or totals of
transactions considering both volume and activity.
A reasonable
possibility of preventing, detecting or correcting a potential misstatement
is affected by risk factors that could cause a misstatement of an account
balance. Those risk factors include:
- Nature of accounts, transactions classes and relevant assertions involved—the risk inherent in the information can be significant or not.
- Susceptibility of loss or fraud of related asset or liability—ease of misappropriation or misstatement will affect risk.
- Ability to determine the amount involved—the subjectivity, complexity or amount of judgment required may increase risk.
- Offsetting controls—they may or may not prevent, detect or correct misstatements.
- Relationship to other deficiencies—the number of deficiencies could increase the risk of misstatement.
- Future effects of the deficiency—probable changes in size of the entity, volume of transactions, increases or decreases in personnel and other factors may increase or decrease risk.
Deficiencies
affecting the same account, transaction, disclosure, assertion or
component of internal controls should be considered together to determine
significant deficiencies or material weaknesses. Offsetting or compensating controls may limit
the severity of a deficiency, but tests of controls or more extensive systems
walk-through procedures must be performed to evaluate their operating
effectiveness.
Following is a list
of situations that may result in control deficiencies, significant deficiencies,
or material weaknesses:
·
Inadequate
or insufficient design of internal control over:
o
Financial
statement preparation.
o
Significant
transactions or account balances.
o
The
control environment.
o
Segregation
of duties among personnel.
o
Information
processing.
o
Hiring
qualified personnel.
·
Properly
designed controls that are not operated properly for:
o
A
significant transaction, process or account.
o
Producing
complete and accurate reports.
o
Safeguarding
assets.
o
Reconciliation
of subsidiary ledgers.
o
Preventing
management override of controls.
Some deficiencies
that are commonly considered at least significant deficiencies and must be separately
identified in the letter:
·
The
absence of anti-fraud programs.
·
No
controls over non-routine transactions are operating.
·
No
controls over the use of accounting principles.
·
No
controls over general ledger accounting activities and the financial
reporting process.
Certain
circumstances are always indicative of material weaknesses, which must be
separately identified in the letter:
- Any fraud by senior management, regardless of amount.
- Prior period restatements due to error or fraud.
- An auditor’s identification of a material misstatement that was not detected by controls. These usually will result in proposed journal entries.
- Ineffective governance over financial reporting and internal control.
If the circumstance
is determined not to be a material weakness, the auditor must consider what
“prudent officials” would conclude in the same circumstances. In a seminar on fraud in Miami, participants were asked what standard they use to determine if a fraud occurred. A participant responded his standard was the Miami Herald (local newspaper) standard! In
other words, what a newspaper reporter might define as fraud could differ from audit
standards. What a prudent official might
define as a material weakness could be different than an auditor’s definition!
Part 2 will discuss other issues from AU-C Section 265.
My exclusive presentation of webcasts on CPE
Credit.com and self-study courses covering various applications of auditing
standards can be accessed by clicking the appropriate box on the left side of
my home page, www.cpafirmsupport.com.
Registered users on my website receive a 20% discount on CPE materials
presented by myself and numerous other authors on a variety of professional
topics.
My assistance in CPA firm quality control
consulting, audit planning and peer review preparation can be obtained by
sending an email using the “Contact Us” tab on my home page.
No comments:
Post a Comment