Auditing Internal Control over Financial Reporting
What happens when you hear the phrase “internal control over financial reporting”? Do you think “not this again”? Do you maybe scream? Let out a heavy sigh? When I hear the phrase, it takes me back to my first year as a public company auditor. I don’t like to age myself, but my first year as an auditor was the first year of implementing the rules and requirements of the Sarbanes-Oxley Act. I lived and breathed internal controls everyday of my life (for a long time)!
The rules and requirements have come a long way since I first started my career, but you know what has remained the same? High deficiency rates as it relates to auditing internal control over financial reporting (ICFR).
Internal control over financial reporting: Overview
Internal control is a process, impacted by a company’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance (this definition is from COSO’s Internal Control – Integrated Framework). A company is responsible for establishing and maintaining effective internal control. We (as auditors) are responsible for understanding a company’s internal control (and sometimes, opining on the company’s system of internal control).
The full extent of our internal control responsibilities, as auditors, is often misunderstood, which is why deficiency rates remain so high. But, I have some exciting news for you! We recently released a four-course collection as it pertains to the essential requirements of auditing internal control (for both PCAOB and U.S. GAAS audits)!
Note that the first two courses in our collected (discussed below) are based on the revised guidance within SAS 145, Understanding the Entity and Its Environment and Assessing the Risk of Material Misstatement. We’ve separately bundled these two courses into its own course collection if you only want to focus on the new requirements of SAS 145.
Here is a summary of each individual course in our four-course Internal Control: The Essentials Collection:
Understanding the entity, including its system of internal control
If you mess up your risk assessment procedures and, by default, your understanding of the entity, including its system of internal control, your audit is doomed from the start.
In this CPE-eligible (1.5 CPE), eLearning course, you will learn about the required risk assessment procedures necessary to obtain an understanding of the entity and its environment, including its system of internal control. We’ll walk through the 2013 COSO framework and the five components of internal control, including the principles representing the fundamental concepts associated with each component. Finally, you’ll learn how to identify relevant (or key) controls, why they are important, and what the auditing standards require you to do with them.
Evaluating the design and implementation of identified controls
“Walkthroughs? Why are we talking about walkthroughs? I’m doing a substantive audit!” Unfortunately, this is the thinking of many engagement teams, especially those who are not performing a PCAOB audit. However, as you’ll learn in this course, auditors are required to evaluate the design and implementation of identified controls for any audit and the way we document our procedures is, you guessed it, a walkthrough!
In this CPE-eligible (1.5 CPE) eLearning course, you will learn about the various controls within the control activities component of an entity’s system of internal control. We then discuss how to identify those relevant or key controls because, for these identified controls, we are required to evaluate the design and implementation (D&I) by performing risk assessment procedures. Finally, we learn about walkthroughs, specifically what they are, the key elements, and how they are documented by auditors.
Testing the operating effectiveness of identified controls
Picture this: You have decided to take a controls reliance approach on your audit engagement, and you have determined that the identified (relevant) controls have been effectively designed and implemented. So, what’s next? Well, now it’s time to test the operating effectiveness of those identified controls. But what exactly does that mean?
In this CPE-eligible (1.0 CPE), eLearning course, you will learn about important considerations as it relates to testing the operating effectiveness of an identified control, which is a crucial step in obtaining relevant audit evidence and responding to identified risks. This course will discuss how the nature, timing, and extent of testing is required to be designed and performed, and then you will have the chance to work through an example scenario of testing a specific identified control.
Evaluating control deficiencies and communicating with management
What happens if your engagement team discovers some sort of “issue” or “discrepancy” when testing the operating effectiveness of identified controls? There are many factors to consider, such as the severity of the finding, which will require professional judgment.
In this CPE-eligible (1.0 CPE), eLearning course, you will learn how to differentiate between a control deviation and a control deficiency. Additionally, the course will discuss the various types of deficiencies, and how to evaluate each type of control deficiency. Lastly, an auditor’s requirements for communicating deficiencies to management will also be covered.
For those of you that perform an integrated audit (where you must opine on ICFR), I would be remiss if I didn’t include information on the following course that is also available:
Considerations for an integrated audit under AS 2201
Given the increasing pervasiveness of technology, internal controls over financial reporting (ICFR) are becoming critical to the success of an audit, whether ensuring the completeness and accuracy of information or helping reduce the nature, timing, and extent of substantive procedures. While many audits already use an integrated approach, public company audits performed under PCAOB standards have incremental requirements when testing internal controls and issuing an auditor’s report on ICFR.
In this CPE-eligible (1.5 CPE) eLearning course, you will learn about specific PCAOB requirements when auditing internal control over financial reporting when it is integrated with a financial statement audit.
About GAAP Dynamics
We’re a DIFFERENT type of accounting training firm. We view training as an opportunity to empower professionals to make informed decisions at the right time. Whether it’s U.S. GAAP, IFRS, or audit training, we’ve trained thousands of professionals since 2001, including at some of the world’s largest firms. Our promise: Accurate, relevant, engaging, and fun training. Want to know how GAAP Dynamics can help you? Let’s talk!
Disclaimer
This post is for informational purposes only and should not be relied upon as official accounting guidance. While we’ve ensured accuracy as of the publishing date, standards evolve. Please consult a professional for specific advice.
