Read the book Wiley Practitioner's Guide to GAAS 2020 - Joanne M. Flood - Page 237
Lessons from SOX 404
In the years immediately following the effective dates of Section 404 of the Sarbanes-Oxley Act (SOX 404), many auditors adopted an evaluation approach that started by identifying all (or nearly all) of the company’s controls and then documenting and testing each of these to determine whether internal control as a whole was effective. As can be imagined, this approach was extremely time-consuming and costly. Moreover, this “bottom-up” approach was unnecessary to achieve the overall objective of management’s evaluation.
In 2007, the SEC revised its rules and described a “risk-based, top-down” approach to understanding internal control. Auditors of nonpublic companies are not required to use this approach. However, applying its basic principles will provide an effective and efficient approach to meeting the requirements of Section 315.
In general, the key steps in this approach include the following:
1 Ask “what can go wrong?” in the preparation of the financial statements. The auditor should use knowledge of the client, external events and circumstances, and the application of GAAP to identify risks that the entity’s financial statements could be misstated. Once they are identified, the auditor should assess the relative magnitude of these risks.
2 Identify controls that address the “what can go wrongs.” The entity should have controls in place to mitigate those misstatement risks that are of some significance. The auditor will focus attention on those controls whose failure is most likely to result in a material misstatement. To make this determination, the auditor will consider both:
- The likelihood that the control will fail, and
- If it did fail, the significance of the misstatement that would result.
For example, an entity may have controls over its bank balances (e.g., month-end bank reconciliations) and its petty cash on hand. Auditors will focus on the controls over the company’s bank balances, because the risks related to the control failure of the reconciliation are greater than the risks related to the petty cash. That is, if the bank reconciliations fail, the misstatement of the financial statements could be material; if petty cash was misstated, the misstatement would not be material.
3 Obtain an understanding of relevant controls from the “top” down. This process of identifying controls should begin at the “top,” with the broadest, most pervasive controls, and then proceed “downward” to more direct, specific controls.