In the wake of the PCAOB’s adoption of a new auditing standard on internal control over financial reporting, the Board’s chief auditor, Thomas Ray, has examined AS5 and offered some important advice on this new principles-based standard. In remarks at the annual SEC and Financial Reporting Institute Conference, he said that the focus on fraud is an integral part of the identification and testing of entity-level controls (popularly known as company-level controls) under the new standard. In the chief auditor’s view, the area of entity-level controls is ripe for further innovation and development He also believes that the increased focus on principles in the new standard will permit the auditor to more easily and appropriately tailor the audit to a company's specific facts and circumstances.
According to the chief auditor, AS5’s top-down approach directs the auditor's attention to accounts, disclosures, and assertions that present a reasonable possibility of material misstatement to the financial statements. The risk of material misstatement, therefore, is an explicit focus of the approach.
Furthermore, this top-down approach describes the auditor's sequential thought process in identifying risks and the controls to test, not necessarily the order in which the auditor will perform the procedures. This thought process, emphasized Mr. Ray, is most important in identifying those controls that should be tested. The auditor is free to perform the testing in the order that makes most sense given the specific facts and circumstances of the company.
AS 5 drops the requirement that the auditor identify significant processes and major classes of transactions.
Rather, as a part of selecting the controls to test, the auditor should understand the flow of transactions related to the relevant assertions, including how those transactions are processed, and recorded. Thus, while these concepts of major classes of transactions and significant processes will continue to remain important and useful to auditors, observed the Board officer, to focus the auditor on them as an end in itself might have entailed work unrelated to risks of material misstatement. and reduced the ability of the auditor to tailor the work to the specific circumstances of the engagement. .