This article provides a comprehensive overview of Auditing Standard (AS) 2201, “An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements.” This standard, issued by the Public Company Accounting Oversight Board (PCAOB), guides auditors in evaluating a company’s internal control over financial reporting (ICFR). Understanding AS 2201 is crucial for ensuring the reliability of financial reporting.
Planning and Performing an Audit Under AS 2201
AS 2201 outlines a risk-based, top-down approach to auditing ICFR. This involves:
1. Risk Assessment and Scaling the Audit
- Risk Assessment: Auditors must assess the risk of material misstatement due to error or fraud, focusing on areas with the highest risk. This includes considering factors such as the company’s industry, operations, and recent changes. The complexity of the organization influences the auditor’s risk assessment and determines the necessary procedures. Scaling the audit involves adjusting the procedures to the size and complexity of the company. A smaller, less complex company might achieve its control objectives differently than a larger, more complex one.
- Fraud Risk Assessment: AS 2201 emphasizes the importance of addressing fraud risks, including management override of controls. Auditors must evaluate controls over significant unusual transactions, journal entries, related party transactions, and management estimates.
2. Using a Top-Down Approach
- Entity-Level Controls: Auditors must test entity-level controls, which are broad controls that impact the overall control environment. These include controls related to the control environment, management override, risk assessment, and the period-end financial reporting process.
- Significant Accounts and Disclosures: Auditors identify significant accounts and disclosures and their relevant assertions (existence, completeness, valuation, rights and obligations, presentation and disclosure). This involves understanding the flow of transactions and identifying potential points of misstatement. Walkthroughs are often used to gain this understanding.
- Selecting Controls to Test: Based on the risk assessment, auditors select controls that sufficiently address the risk of misstatement for each relevant assertion. It’s not necessary to test all controls or redundant controls.
Testing and Evaluating Controls
- Testing Design Effectiveness: Auditors determine if controls, if operated as designed, would prevent or detect material misstatements.
- Testing Operating Effectiveness: Auditors evaluate whether controls are operating as designed and whether personnel performing the control have the necessary authority and competence. The nature, timing, and extent of testing depend on the risk associated with the control. Inquiry, observation, inspection of documentation, and re-performance are common testing procedures.
Evaluating Deficiencies and Forming an Opinion
- Control Deficiencies: Auditors must evaluate control deficiencies and determine their severity. Deficiencies are categorized as material weaknesses, significant deficiencies, or less severe deficiencies.
- Forming an Opinion: The auditor forms an opinion on the effectiveness of ICFR based on the evidence gathered. The opinion can be unqualified (effective), adverse (ineffective), or a disclaimer of opinion (unable to obtain sufficient evidence). The auditor must communicate all material weaknesses and significant deficiencies to management and the audit committee.
Subsequent Events and Reporting
Auditors must consider subsequent events that could impact the effectiveness of ICFR. AS 2201 also addresses special reporting situations, such as scope limitations and the use of service organizations. The auditor’s report on ICFR includes an opinion, basis for opinion, definition and limitations of ICFR, and signature, location, and date. The report can be issued separately or combined with the financial statement audit report.
Conclusion
AS 2201 provides a crucial framework for auditing ICFR. By following this standard, auditors contribute to the reliability of financial reporting and provide valuable assurance to stakeholders. This overview provides a foundational understanding of the key elements of AS 2201. For a comprehensive understanding, refer to the full text of the standard on the PCAOB website.
