Appendix B: Special Topics

Auditing Standard No. 5

An Audit of Internal Control Over Financial Reporting that is Integrated with an Audit of Financial Statements

APPENDIX B - Special Topics

Integration of Audits

B1.      Tests of Controls in an Audit of Internal Control. The objective of the tests of controls in an audit of internal control over financial reporting is to obtain evidence about the effectiveness of controls to support the auditor's opinion on the company's internal control over financial reporting. The auditor's opinion relates to the effectiveness of the company's internal control over financial reporting as of a point in time and taken as a whole .

B2.      To express an opinion on internal control over financial reporting as of a point in time, the auditor should obtain evidence that internal control over financial reporting has operated effectively for a sufficient period of time, which may be less than the entire period (ordinarily one year) covered by the company's financial statements. To express an opinion on internal control over financial reporting taken as a whole, the auditor must obtain evidence about the effectiveness of selected controls over all relevant assertions. This requires that the auditor test the design and operating effectiveness of controls he or she ordinarily would not test if expressing an opinion only on the financial statements.

B3.      When concluding on the effectiveness of internal control over financial reporting for purposes of expressing an opinion on internal control over financial reporting, the auditor should incorporate the results of any additional tests of controls performed to achieve the objective related to expressing an opinion on the financial statements, as discussed in the following section.

B4.      Tests of Controls in an Audit of Financial Statements. To express an opinion on the financial statements, the auditor ordinarily performs tests of controls and substantive procedures. The objective of the tests of controls the auditor performs for this purpose is to assess control risk. To assess control risk for specific financial statement assertions at less than the maximum, the auditor is required to obtain evidence that the relevant controls operated effectively during the entire period upon which the auditor plans to place reliance on those controls. However, the auditor is not required to assess control risk at less than the maximum for all relevant assertions and, for a variety of reasons, the auditor may choose not to do so.

B5.      When concluding on the effectiveness of controls for the purpose of assessing control risk, the auditor also should evaluate the results of any additional tests of controls performed to achieve the objective related to expressing an opinion on the company's internal control over financial reporting, as discussed in paragraph B2. Consideration of these results may require the auditor to alter the nature, timing, and extent of substantive procedures and to plan and perform further tests of controls, particularly in response to identified control deficiencies.

B6.      Effect of Tests of Controls on Substantive Procedures. If, during the audit of internal control over financial reporting, the auditor identifies a deficiency, he or she should determine the effect of the deficiency, if any, on the nature, timing, and extent of substantive procedures to be performed to reduce audit risk in the audit of the financial statements to an appropriately low level.

B7.      Regardless of the assessed level of control risk or the assessed risk of material misstatement in connection with the audit of the financial statements, the auditor should perform substantive procedures for all relevant assertions. Performing procedures to express an opinion on internal control over financial reporting does not diminish this requirement.

B8.      Effect of Substantive Procedures on the Auditor's Conclusions About the Operating Effectiveness of Controls. In an audit of internal control over financial reporting, the auditor should evaluate the effect of the findings of the substantive auditing procedures performed in the audit of financial statements on the effectiveness of internal control over financial reporting. This evaluation should include, at a minimum -

  • The auditor's risk assessments in connection with the selection and application of substantive procedures, especially those related to fraud.
  • Findings with respect to illegal acts and related party transactions.
  • Indications of management bias in making accounting estimates and in selecting accounting principles.
  • Misstatements detected by substantive procedures. The extent of such misstatements might alter the auditor's judgment about the effectiveness of controls.

B9.      To obtain evidence about whether a selected control is effective, the control must be tested directly; the effectiveness of a control cannot be inferred from the absence of misstatements detected by substantive procedures. The absence of misstatements detected by substantive procedures, however, should inform the auditor's risk assessments in determining the testing necessary to conclude on the effectiveness of a control.

Multiple Locations Scoping Decisions

B10.    In determining the locations or business units at which to perform tests of controls, the auditor should assess the risk of material misstatement to the financial statements associated with the location or business unit and correlate the amount of audit attention devoted to the location or business unit with the degree of risk.

Note: The auditor may eliminate from further consideration locations or business units that, individually or when aggregated with others, do not present a reasonable possibility of material misstatement to the company's consolidated financial statements.

B11.    In assessing and responding to risk, the auditor should test controls over specific risks that present a reasonable possibility of material misstatement to the company's consolidated financial statements. In lower-risk locations or business units, the auditor first might evaluate whether testing entity-level controls, including controls in place to provide assurance that appropriate controls exist throughout the organization, provides the auditor with sufficient evidence.

B12.    In determining the locations or business units at which to perform tests of controls, the auditor may take into account work performed by others on behalf of management. For example, if the internal auditors' planned procedures include relevant audit work at various locations, the auditor may coordinate work with the internal auditors and reduce the number of locations or business units at which the auditor would otherwise need to perform auditing procedures.

B13.    The direction in paragraph 61 regarding special considerations for subsequent years' audits means that the auditor should vary the nature, timing, and extent of testing of controls at locations or business units from year to year.

B14.     Special Situations. The scope of the audit should include entities that are acquired on or before the date of management's assessment and operations that are accounted for as discontinued operations on the date of management's assessment. The direction in this multiple-locations discussion describes how to determine whether it is necessary to test controls at these entities or operations.

B15.    For equity method investments, the scope of the audit should include controls over the reporting in accordance with generally accepted accounting principles, in the company's financial statements, of the company's portion of the investees' income or loss, the investment balance, adjustments to the income or loss and investment balance, and related disclosures. The audit ordinarily would not extend to controls at the equity method investee.

B16.    In situations in which the SEC allows management to limit its assessment of internal control over financial reporting by excluding certain entities, the auditor may limit the audit in the same manner. In these situations, the auditor's opinion would not be affected by a scope limitation. However, the auditor should include, either in an additional explanatory paragraph or as part of the scope paragraph in his or her report, a disclosure similar to management's regarding the exclusion of an entity from the scope of both management's assessment and the auditor's audit of internal control over financial reporting. Additionally, the auditor should evaluate the reasonableness of management's conclusion that the situation meets the criteria of the SEC's allowed exclusion and the appropriateness of any required disclosure related to such a limitation. If the auditor believes that management's disclosure about the limitation requires modification, the auditor should follow the same communication responsibilities that are described in paragraphs .29 through .32 of AU sec. 722, Interim Financial Information. If management and the audit committee do not respond appropriately, in addition to fulfilling those responsibilities, the auditor should modify his or her report on the audit of internal control over financial reporting to include an explanatory paragraph describing the reasons why the auditor believes management's disclosure requires modification.

Use of Service Organizations

B17.    AU sec. 324, Service Organizations, applies to the audit of financial statements of a company that obtains services from another organization that are part of the company's information system. The auditor may apply the relevant concepts described in AU sec. 324 to the audit of internal control over financial reporting.

B18.    AU sec. 324.03 describes the situation in which a service organization's services are part of a company's information system. If the service organization's services are part of a company's information system, as described therein, then they are part of the information and communication component of the company's internal control over financial reporting. When the service organization's services are part of the company's internal control over financial reporting, the auditor should include the activities of the service organization when determining the evidence required to support his or her opinion.

B19.    AU sec. 324.07 through .16 describe the procedures that the auditor should perform with respect to the activities performed by the service organization. The procedures include -

  1. Obtaining an understanding of the controls at the service organization that are relevant to the entity's internal control and the controls at the user organization over the activities of the service organization, and
  2. Obtaining evidence that the controls that are relevant to the auditor's opinion are operating effectively.

B20.    Evidence that the controls that are relevant to the auditor's opinion are operating effectively may be obtained by following the procedures described in AU sec. 324.12. These procedures include -

  1. Obtaining a service auditor's report on controls placed in operation and tests of operating effectiveness, or a report on the application of agreed-upon procedures that describes relevant tests of controls.

    Note: The service auditor's report referred to above means a report with the service auditor's opinion on the service organization's description of the design of its controls, the tests of controls, and results of those tests performed by the service auditor, and the service auditor's opinion on whether the controls tested were operating effectively during the specified period (in other words, "reports on controls placed in operation and tests of operating effectiveness" described in AU sec. 324.24b). A service auditor's report that does not include tests of controls, results of the tests, and the service auditor's opinion on operating effectiveness (in other words, "reports on controls placed in operation" described in AU sec. 324.24a) does not provide evidence of operating effectiveness. Furthermore, if the evidence regarding operating effectiveness of controls comes from an agreed-upon procedures report rather than a service auditor's report issued pursuant to AU sec. 324, the auditor should evaluate whether the agreed-upon procedures report provides sufficient evidence in the same manner described in the following paragraph.

  2. Performing tests of the user organization's controls over the activities of the service organization (e.g., testing the user organization's independent re-performance of selected items processed by the service organization or testing the user organization's reconciliation of output reports with source documents).
  3. Performing tests of controls at the service organization.

B21.    If a service auditor's report on controls placed in operation and tests of operating effectiveness is available, the auditor may evaluate whether this report provides sufficient evidence to support his or her opinion. In evaluating whether such a service auditor's report provides sufficient evidence, the auditor should assess the following factors -

  • The time period covered by the tests of controls and its relation to the as-of date of management's assessment,
  • The scope of the examination and applications covered, the controls tested, and the way in which tested controls relate to the company's controls, and
  • The results of those tests of controls and the service auditor's opinion on the operating effectiveness of the controls.

Note: These factors are similar to factors the auditor would consider in determining whether the report provides sufficient evidence to support the auditor's assessed level of control risk in an audit of the financial statements, as described in AU sec. 324.16.

B22.    If the service auditor's report on controls placed in operation and tests of operating effectiveness contains a qualification that the stated control objectives might be achieved only if the company applies controls contemplated in the design of the system by the service organization, the auditor should evaluate whether the company is applying the necessary procedures.

B23.    In determining whether the service auditor's report provides sufficient evidence to support the auditor's opinion, the auditor should make inquiries concerning the service auditor's reputation, competence, and independence. Appropriate sources of information concerning the professional reputation of the service auditor are discussed in paragraph .10a of AU sec. 543, Part of Audit Performed by Other Independent Auditors.

B24.    When a significant period of time has elapsed between the time period covered by the tests of controls in the service auditor's report and the date specified in management's assessment, additional procedures should be performed. The auditor should inquire of management to determine whether management has identified any changes in the service organization's controls subsequent to the period covered by the service auditor's report (such as changes communicated to management from the service organization, changes in personnel at the service organization with whom management interacts, changes in reports or other data received from the service organization, changes in contracts or service level agreements with the service organization, or errors identified in the service organization's processing). If management has identified such changes, the auditor should evaluate the effect of such changes on the effectiveness of the company's internal control over financial reporting. The auditor also should evaluate whether the results of other procedures he or she performed indicate that there have been changes in the controls at the service organization.

B25.    The auditor should determine whether to obtain additional evidence about the operating effectiveness of controls at the service organization based on the procedures performed by management or the auditor and the results of those procedures and on an evaluation of the following risk factors. As risk increases, the need for the auditor to obtain additional evidence increases.

  • The elapsed time between the time period covered by the tests of controls in the service auditor's report and the date specified in management's assessment,
  • The significance of the activities of the service organization,
  • Whether there are errors that have been identified in the service organization's processing, and
  • The nature and significance of any changes in the service organization's controls identified by management or the auditor.

B26.    If the auditor concludes that additional evidence about the operating effectiveness of controls at the service organization is required, the auditor's additional procedures might include -

  • Evaluating procedures performed by management and the results of those procedures.
  • Contacting the service organization, through the user organization, to obtain specific information.
  • Requesting that a service auditor be engaged to perform procedures that will supply the necessary information.
  • Visiting the service organization and performing such procedures.

B27.    The auditor should not refer to the service auditor's report when expressing an opinion on internal control over financial reporting.

Benchmarking of Automated Controls

B28.    Entirely automated application controls are generally not subject to breakdowns due to human failure. This feature allows the auditor to use a "benchmarking" strategy.

B29.    If general controls over program changes, access to programs, and computer operations are effective and continue to be tested, and if the auditor verifies that the automated application control has not changed since the auditor established a baseline (i.e., last tested the application control), the auditor may conclude that the automated application control continues to be effective without repeating the prior year's specific tests of the operation of the automated application control. The nature and extent of the evidence that the auditor should obtain to verify that the control has not changed may vary depending on the circumstances, including depending on the strength of the company's program change controls.

B30.    The consistent and effective functioning of the automated application controls may be dependent upon the related files, tables, data, and parameters. For example, an automated application for calculating interest income might be dependent on the continued integrity of a rate table used by the automated calculation.

B31.    To determine whether to use a benchmarking strategy, the auditor should assess the following risk factors. As these factors indicate lower risk, the control being evaluated might be well-suited for benchmarking. As these factors indicate increased risk, the control being evaluated is less suited for benchmarking. These factors are -

  • The extent to which the application control can be matched to a defined program within an application.
  • The extent to which the application is stable (i.e., there are few changes from period to period).
  • The availability and reliability of a report of the compilation dates of the programs placed in production. (This information may be used as evidence that controls within the program have not changed.)

B32.    Benchmarking automated application controls can be especially effective for companies using purchased software when the possibility of program changes is remote - e.g., when the vendor does not allow access or modification to the source code.

B33.    After a period of time, the length of which depends upon the circumstances, the baseline of the operation of an automated application control should be reestablished. To determine when to reestablish a baseline, the auditor should evaluate the following factors -

  • The effectiveness of the IT control environment, including controls over application and system software acquisition and maintenance, access controls and computer operations.
  • The auditor's understanding of the nature of changes, if any, on the specific programs that contain the controls.
  • The nature and timing of other related tests.
  • The consequences of errors associated with the application control that was benchmarked.
  • Whether the control is sensitive to other business factors that may have changed. For example, an automated control may have been designed with the assumption that only positive amounts will exist in a file. Such a control would no longer be effective if negative amounts (credits) begin to be posted to the account.