Joanne M. Flood - Wiley Practitioner's Guide to GAAS 2020

3 Obtain the entity’s forms and documents, such as the following:Purchase requisitionsPurchase ordersSales authorizationsSales ordersSales invoicesProduction ordersProduction requisitionsReceiptsChecksPayroll cardsSales returns and creditsPurchase returns and credits

4 Examine work area that will be allocated to the auditor.

5 Walk through the accounting area:Observe work conditions.Meet employees.Determine employee functions.

During the visit to the client’s facility, the auditor should do the following:

1 Meet with management.

2 Walk through a production cycle and note the following:Initiation of orderRequisition of materialsMovement of productionCompletion of productionStorage of completed productShipment to customer

3 Document flow of production.

4 Note conditions of facility and equipment.

5 Visit materials stockroom, observe condition of the inventory, and review the following:Inventory recordsReceiving reportsInventory reports

For a continuing client, information about the business is obtained from the following:

1 Client’s permanent file

2 Prior year’s audit documentation

3 Prior year’s audit team

4 Client’s current year budgets

5 Client’s current year interim financial statements

6 Members who had professional assignments with the client during the year; these assignments include the following:Review of interim financial statementsIncome tax planningSystems and other consulting services

7 Discussions with client management

The in-charge auditor and the staff member who will supervise the audit should visit the client before beginning the audit to determine the following:

1 Change in product line

2 Addition or deletion of factories, offices, warehouses, or showrooms

3 Addition of new administrative departments

4 Acquisition of subsidiaries

5 Existence of new or continuing related parties

6 Changes in production or distribution methods

7 Changes in sources of financing

8 Changes in internal control

9 Acquisition of new office equipment, such as computers

10 Changes in key personnel

11 New long-term commitments, such as:LeasesEmployment contracts

12 Adoption of employee compensation and benefit plans

Section 315 does not provide any definitive guidance on how auditors can most effectively and efficiently comply with the requirement to evaluate control design on every engagement. However, auditors of nonpublic companies would be well served to apply the lessons learned by auditors of public companies who have been required to audit their clients’ internal controls ever since the Sarbanes-Oxley Act became effective.

In the years immediately following the effective dates of Section 404 of the Sarbanes-Oxley Act (SOX 404), many auditors adopted an evaluation approach that started by identifying all (or nearly all) of the company’s controls and then documenting and testing each of these to determine whether internal control as a whole was effective. As can be imagined, this approach was extremely time-consuming and costly. Moreover, this “bottom-up” approach was unnecessary to achieve the overall objective of management’s evaluation.

In 2007, the SEC revised its rules and described a “risk-based, top-down” approach to understanding internal control. Auditors of nonpublic companies are not required to use this approach. However, applying its basic principles will provide an effective and efficient approach to meeting the requirements of Section 315.

In general, the key steps in this approach include the following:

1 Ask “what can go wrong?” in the preparation of the financial statements. The auditor should use knowledge of the client, external events and circumstances, and the application of GAAP to identify risks that the entity’s financial statements could be misstated. Once they are identified, the auditor should assess the relative magnitude of these risks.

2 Identify controls that address the “what can go wrongs.” The entity should have controls in place to mitigate those misstatement risks that are of some significance. The auditor will focus attention on those controls whose failure is most likely to result in a material misstatement. To make this determination, the auditor will consider both:The likelihood that the control will fail, andIf it did fail, the significance of the misstatement that would result.For example, an entity may have controls over its bank balances (e.g., month-end bank reconciliations) and its petty cash on hand. Auditors will focus on the controls over the company’s bank balances, because the risks related to the control failure of the reconciliation are greater than the risks related to the petty cash. That is, if the bank reconciliations fail, the misstatement of the financial statements could be material; if petty cash was misstated, the misstatement would not be material.

3 Obtain an understanding of relevant controls from the “top” down. This process of identifying controls should begin at the “top,” with the broadest, most pervasive controls, and then proceed “downward” to more direct, specific controls.

The consideration of the risk of material misstatement is crucial when planning and performing an evaluation of internal control. It is this consideration that helps direct the auditor’s focus to the most critical areas of the company’s internal control system. In a similar fashion, beginning at the “top” of the system and working “down” will help drive efficiency and direct the focus of the evaluation of internal control design.

But where is the “top” of an internal control system? And once the auditor is there, what direction is “down”? To answer these questions requires an understanding of three key principles of internal control design:

1 Within any organization, controls operate at two distinct levels: the broad, general entity level and the more focused and specific activity level.

2 Controls are designed to mitigate risks. Some controls address risks directly, whereas other controls address the same risks indirectly.

3 At the activity level, controls can be designed to either:Prevent errors from entering the financial information system, orDetect and correct errors that have already entered the system.

Entity-level controls sit at the “top” of the internal control structure. For example, these controls might include the company’s hiring and training policies and the firewall protecting its network. There are relatively few entity-level controls. This is because, by their nature, entity-level controls have a broad (though indirect) effect on the company’s financial reporting risks (as indicated by the relative size of the entity). For example, a firewall might cover the company’s inventory system, billing and receivables, and general ledger system all at once.

Entity-level controls have a very indirect effect on the financial statements. For example, the quality of the company’s training can improve job performance and reduce the risk of misstatement, but training alone is not sufficient to prevent or detect an error.

At the lowest level of the pyramid are the company’s most specific, narrowly focused activity- level controls. For example, an edit check to ensure that a date is formatted mm/dd/yyyy is an activity-level control. This control is specifically directed to one field on a single data entry form. The control is designed to prevent an error from entering the information, and it is typical for controls at this level of the pyramid to be preventive controls, designed to be performed on every transaction.