Audit of Internal Control Over Financial Reporting that is Integrated with an Audit of Financial Statements," provides a guide for auditors when performing integrated audits. by visiting PCAOB website
How should the auditor determine which controls to test?
How might the auditor use evidence obtained in the audit of the financial statements when concluding on the effectiveness of internal control over financial reporting?
-The auditor should perform an audit of management's assessment of the effectiveness of internal control over financial reporting ("the audit of internal control over financial reporting") that is integrated with an audit of the financial statements.
-Effective internal control over financial reporting provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes. If one or more material weaknesses exist, the company's internal control over financial reporting cannot be considered effective.
-The auditor's objective in an audit of internal control over financial reporting is to express an opinion on the effectiveness of the company's internal control over financial reporting. Because a company's internal control cannot be considered effective if one or more material weaknesses exist, to form a basis for expressing an opinion, the auditor must plan and perform the audit to obtain appropriate evidence that is sufficient to obtain reasonable assurance about whether material weaknesses exist as of the date specified in management's assessment. A material weakness in internal control over financial reporting may exist even when financial statements are not materially misstated.
The audit of internal control over financial reporting should be integrated with the audit of the financial statements. The objectives of the audits are not identical, however, and the auditor must plan and perform the work to achieve the objectives of both audits.
- In an integrated audit of internal control over financial reporting and the financial statements, the auditor should design his or her testing of controls to accomplish the objectives of both audits simultaneously -
# Selection of Controls for Testing
-The auditor should use a top-down approach to the audit of internal control over financial reporting to select the controls to test. A top-down approach begins at the financial statement level and with the auditor's understanding of the overall risks to internal control over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions. This approach directs the auditor's attention to accounts, disclosures, and assertions that present a reasonable possibility of material misstatement to the financial statements and related disclosures. The auditor then verifies his or her understanding of the risks in the company's processes and selects for testing those controls that sufficiently address the assessed risk of misstatement to each relevant assertion.
-The auditor must test those entity-level controls that are important to the auditor's conclusion about whether the company has effective internal control over financial reporting. The auditor's evaluation of entity-level controls can result in increasing or decreasing the testing that the auditor otherwise would have performed on other controls.
-The auditor should test those controls that are important to the auditor's conclusion about whether the company's controls sufficiently address the assessed risk of misstatement to each relevant assertion.
-There might be more than one control that addresses the assessed risk of misstatement to a particular relevant assertion; conversely, one control might address the assessed risk of misstatement to more than one relevant assertion. It is neither necessary to test all controls related to a relevant assertion nor necessary to test redundant controls, unless redundancy is itself a control objective.
-The decision as to whether a control should be selected for testing depends on which controls, individually or in combination, sufficiently address the assessed risk of misstatement to a given relevant assertion rather than on how the control is labeled (e.g., entity-level control, transaction-level control, control activity, monitoring control, preventive control, detective control).
# Evidence & Conclusion
- For each control selected for testing, the evidence necessary to persuade the auditor that the control is effective depends upon the risk associated with the control. The risk associated with a control consists of the risk that the control might not be effective and, if not effective, the risk that a material weakness would result. As the risk associated with the control being tested increases, the evidence that the auditor should obtain also increases.
-Although the auditor must obtain evidence about the effectiveness of controls for each relevant assertion, the auditor is not responsible for obtaining sufficient evidence to support an opinion about the effectiveness of each individual control. Rather, the auditor's objective is to express an opinion on the company's internal control over financial reporting overall. This allows the auditor to vary the evidence obtained regarding the effectiveness of individual controls selected for testing based on the risk associated with the individual control.
-The auditor must evaluate the evidence obtained and should analyze and assess the severity of each control deficiency that comes to his or her attention to determine whether the deficiencies, individually or in combination, are material weaknesses as of the date of management's assessment. In planning and performing the audit, however, the auditor is not required to search for deficiencies that, individually or in combination, are less severe than a material weakness.
-The severity of a deficiency depends on -
-The severity of a deficiency does not depend on whether a misstatement actually has occurred but rather on whether there is a reasonable possibility that the company's controls will fail to prevent or detect a misstatement.
-After evaluating the evidence, the auditor should form an opinion on the effectiveness of internal control over financial reporting by evaluating evidence obtained from all sources, including the auditor's testing of controls, misstatements detected during the financial statement audit, and any identified control deficiencies. If one or more material weaknesses exist, the company's internal control over financial reporting cannot be considered effective.