Risk Assessment Key to SEC-PCAOB Top-Down Approach to Internal Controls
The top-down approach to internal controls favored by the new SEC-PCAOB regime relies heavily on risk assessment, with the Board’s new Auditing Standard No. 5 requiring risk assessment at each of the decision points in a top-down approach. In fact, risk assessment underlies the entire audit process mandated by the new standard, including the determination of significant accounts and disclosures and relevant assertions, the selection of controls to test, and the determination of the evidence necessary for a given control.
AS5 defines relevant assertions as those financial statement assertions that have a reasonable possibility of containing a misstatement that would cause the financial statements to be materially misstated.
In the Board’s view, focusing auditor attention on the areas of greatest risk is likely to produce a more effective audit and substantially decrease the opportunity for a material weakness to go undetected. The proper use of risk assessment also enhances audit efficiency because the auditor does not spend time testing controls that, even if deficient, would not present a reasonable possibility of material misstatements in the financial statements.
Moreover, a direct relationship exists between the degree of risk that a material weakness could exist in a particular area of the company's internal controls and the amount of audit attention that should be devoted to that area. In addition, the risk that a company's internal controls will fail to prevent or detect misstatement caused by fraud usually is higher than the risk of failure to prevent or detect error. Auditors should focus more of their attention on the areas of highest risk.
Under the top-down approach embodied in AS5, the auditor is required to test those controls that address the assessed risk of misstatement to each relevant assertion. These are the most important controls to test.
When using a top-down approach, the auditor identifies the controls to test by starting at the top, that is, at the financial statement and the entity-level controls. A top-down approach begins at the financial statement level and with the auditor's understanding of the overall risks to internal controls. Note that the top-down approach describes the auditor's sequential thought process in identifying risks and the controls to test, not necessarily the order in which the auditor will perform the auditing procedures.
The auditor next focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions. This approach directs the auditor's attention to accounts, disclosures, and assertions that present a reasonable possibility of material misstatement to the financial statements. Auditors must then verify their understanding of the risks in the company's processes and select for testing those controls that sufficiently address the assessed risk of misstatement to each relevant assertion.