By James Hamilton, J.D., LL.M.
While auditors generally applied the new standard for internal control reporting to focus on the areas presenting more significant audit risk, a PCAOB report found deficiencies in some engagement teams' implementation of certain aspects of the standard. The report is based on PCAOB inspections that examined portions of approximately 250 audits of internal control over financial reporting by the eight largest domestic registered firms in 2007 and 2008. AS No. 5 became effective for audits for fiscal years ending on or after Nov. 15, 2007, and replaced AS No. 2. The period covered by the report was a transition period for both auditors and preparers of financial statements.
The organizing principle of AS5 is the top-down concept, under which the auditor focuses on entity-level controls and works downward, planning the audit so that the testing of lower level controls is influenced by the strengths and weaknesses of those above. Board inspectors found that the auditors' work in the area could have been more effective.
For example, some auditors did not evaluate entity level controls beyond those associated with the control environment and the period-end financial reporting process. Some auditors identified entity-level controls that appeared to be designed to operate with a high degree of precision, said the report, but failed to obtain sufficient audit evidence of their operating effectiveness. There also were instances where the auditors identified and tested entity-level controls and found them to be designed and operating with a high degree of precision, but did not alter their tests of process-level controls in response to that assessment.
More broadly, on selecting the controls to test, some auditors did not consider the assessed level of risk, or the controls selected were not designed to address the risk of misstatement to the relevant assertions. Board inspectors also observed situations where auditors failed to test a relevant control appropriately or, in some cases, at all. In other instances, auditors tested certain controls without testing the system-generated data on which the tested controls depended.
Inspectors also observed instances where the evidence gathered by the auditor was insufficient to support a conclusion that the controls were operating effectively, yet the audit team relied on the supposed effectiveness of those controls to reduce the scope of other audit procedures.
Under AS No. 5, auditors must also evaluate the severity of each control deficiency that comes to their attention to determine whether the deficiencies individually, or in combination, are material weaknesses as of the date of management's assessment. Board inspectors found that some auditors inappropriately based their conclusions about the severity of control deficiencies solely on the materiality of the identified errors in the financial statements. Also, some auditors failed to consider relevant risk factors when evaluating the severity of identified control deficiencies.
AS No. 5 provides that auditors may use the work of others to reduce their own work, but the extent to which the auditor does so should depend on the risk associated with the controls being tested, as well as on the competence and objectivity of the others. Board inspectors found that, in some instances, the extent of the auditor's use of the work of others to reduce the auditor's own work was greater than was appropriate under AS No. 5 considering the level of risk associated with the control being tested, such as in the area of controls over journal entries. It was also found that some auditors performed few or no procedures to assess the competence of the others relative to the task being performed, or they did not adequately assess the objectivity of the others, particularly where the work was performed by company personnel other than internal auditors.
.