AS 2300 and the Audit of Internal Control
Gain insight into the auditor's methodical approach to an ICFR audit under AS 2300, from initial scoping to the final assessment of control effectiveness.
The Public Company Accounting Oversight Board (PCAOB) provides standards for auditing a public company’s internal control over financial reporting (ICFR). This audit evaluates the effectiveness of controls a company has in place to ensure its financial statements are reliable. For public companies, this audit is mandatory and performed alongside the traditional audit of the financial statements. The process provides investors with an opinion on the company’s control environment.
This process is known as an integrated audit, combining the audit of financial statements with the audit of ICFR. The objective is to form two opinions: one on the financial statements and another on the effectiveness of ICFR. The two audits are interwoven, and findings from one can directly influence the other. For instance, a weakness in internal controls could heighten the risk of material misstatement, prompting the auditor to perform more extensive testing on specific account balances.
Internal Control Over Financial Reporting (ICFR) is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes. It comprises policies and procedures for maintaining records that accurately reflect company transactions. These controls also ensure transactions are recorded as necessary to permit the preparation of financial statements in accordance with generally accepted accounting principles.
Management’s assessment and the auditor’s evaluation of ICFR are based on a suitable control framework. The most widely used in the United States is the “Internal Control — Integrated Framework” from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). This framework provides a basis for companies to design, implement, and assess their internal controls.
Planning an ICFR audit uses a “top-down approach,” where the auditor begins with a high-level view and narrows the focus to important areas. The process starts at the financial statement level by considering company-wide risks and entity-level controls. These are controls with a pervasive effect on the company, such as the control environment and the period-end financial reporting process.
From this perspective, the auditor identifies significant accounts, disclosures, and their relevant assertions. A relevant assertion is a management representation within the financial statements, such as the “existence” of a cash balance. The auditor uses risk assessment procedures to determine the likelihood of a misstatement and identify controls that would prevent or detect it.
This risk-based approach ensures that the audit effort is concentrated on the areas of highest risk. Factors influencing this risk assessment include the complexity of transactions, the degree of judgment involved in valuing an account, and the susceptibility of an asset to loss or fraud. The outcome of this planning process is a detailed audit plan that specifies which controls will be selected for testing.
Once the audit plan is established, the auditor executes procedures to test the selected controls. This involves evaluating two aspects of each control: its design effectiveness and its operating effectiveness. A test of design effectiveness determines if the control is capable of preventing or detecting material misstatements. An auditor might evaluate flowcharts, narratives, and policy manuals to make this determination.
Testing for operating effectiveness assesses if the control is functioning as designed and if the person performing it is qualified. This involves gathering evidence about how the control was applied, the consistency of its application, and by whom it was applied during the audit period.
Auditors use several procedures to test operating effectiveness:
During testing, auditors may identify control deficiencies, which are categorized by severity. The least severe is a control deficiency, which exists when a control’s design or operation does not allow for the timely prevention or detection of misstatements by employees in their normal duties.
A more serious issue is a significant deficiency, which is a control deficiency, or combination of them, that is less severe than a material weakness yet important enough to merit attention by those overseeing financial reporting. An example is a lack of segregation of duties in a process that poses a notable risk.
The most severe category is a material weakness. This is a deficiency, or combination of deficiencies, in ICFR where there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis.
The auditor must evaluate each deficiency found, both individually and in the aggregate. A collection of minor control deficiencies could, when considered together, amount to a significant deficiency or a material weakness. The final determination of whether any material weaknesses exist is the basis for the auditor’s opinion on the effectiveness of the company’s ICFR.
The culmination of the audit of internal control is the auditor’s report, a formal communication to stakeholders on the effectiveness of the company’s ICFR. The report defines internal control over financial reporting, states the audit was conducted in accordance with PCAOB standards, and describes the inherent limitations of any internal control system, which can provide only reasonable assurance.
An unqualified opinion is issued when the auditor concludes the company maintained effective ICFR in all material respects. Conversely, if the auditor identifies one or more material weaknesses, they must issue an adverse opinion. An adverse opinion states that the company’s ICFR was not effective.
An auditor may issue a disclaimer of opinion when unable to obtain sufficient appropriate evidence to form an opinion, which is a scope limitation. The report outlines the basis for the opinion, and if an adverse opinion is issued, it includes a description of the identified material weakness.