What is the auditor’s responsibility for obtaining an understanding of internal control? How does that responsibility differ for audits of public and nonpublic companies? Include in your discussion the Sarbanes-Oxley Act.
The auditor's responsibility in an audit of internal control over financial reporting is to express an opinion on the effectiveness of the company's internal control over financial reporting. Because a company's internal control cannot be considered effective if one or more material weaknesses exist, to form a basis for expressing an opinion, the auditor must plan and perform the audit to obtain appropriate evidence that is sufficient to obtain reasonable assurance about whether material weaknesses exist as of the date specified in management's assessment. A material weakness in internal control over financial reporting may exist even when financial statements are not materially misstated.
In the US, public companies are required by Sarbanes–Oxley Section 404 ("SOX") to have management and the external auditor report on the adequacy of the company's internal control on financial reporting ("ICFR"). This is a costly and time-consuming requirement, as documenting and testing important financial manual and automated controls requires enormous effort. So for public companies in the US you have no choice (setting aside certain exceptions, such as the JOBS Act, which is not relevant to this answer).
Auditors use an audit risk model to assess the overall risk of an engagement. During planning, auditors look at the inherent and control risks associated with an audit. When the auditor's assessment of inherent and control risk is high (due to lack of control testing, high-risk transactions, or lack of controls), the auditor needs to test more items (pull larger samples or lower scopes to cover transactions/accounts with smaller dollar amounts) to be confident that the financial statements are free of material error. If the auditor tests controls and the controls are operating and designed effectively, then they can raise the scope and lower the number of items they sample to feel confident that the financial statements are materially correct.
Simple analysis is performed at this point. If control testing results in a savings of time, due to a reduction in substantive testing, then that will be chosen. If the auditor feels like it would take too much time to document and test controls, or if they are confident that controls will fail, then the auditor will choose to substantively test balances without looking at controls.
Another view for public vs. private companies is that there is no difference between an auditor's consideration of internal controls on an audit engagement for a nonpublic vs. public entity. Once you decide to test controls, the process of identifying controls relevant to the audit, determining an audit strategy, performing a walkthrough and control testing is essentially the same. The facts and circumstances are generally client/transaction-class/location specific, but the assessment process is generally the same. In short, the auditor asks the same questions and adjusts their strategy based on the answers. Public vs. private does not much matter once the decision has been made to test controls.