Auditing internal control under PCAOB and U.S. GAAS Standards

What happens when you hear the phrase “internal control over financial reporting”? Do you think “not this again?” Do you maybe scream? Let out a heavy sigh? When I hear the phrase, it takes me back to my first year as a public company auditor. I don’t like to age myself, but my first year as an auditor was the first year of implementing the rules and requirements of the Sarbanes-Oxley Act. I lived and breathed internal controls every day of my life (for a long time)! I realize the rules and requirements have come a long way in 20 years, but you know what has remained the same? High deficiency rates as they relate to auditing internal control over financial reporting (ICFR).

Internal control is a process, effected by a company’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance (this definition is from COSO’s Internal Control – Integrated Framework). A company is responsible for establishing and maintaining effective internal control, and we (as auditors) are responsible for understanding a company’s internal control (and sometimes, opining on the company’s system of internal control).

The full extent of our internal control responsibilities, as auditors, is often misunderstood, which is why deficiency rates remain so high. But, I have some exciting news for you! We recently released a four-course collection as it pertains to the essential requirements of auditing internal control (for both PCAOB and U.S. GAAS audits)! You can check out the full course collection here. Also note that the first two courses listed below are based on the revised guidance within SAS 145, Understanding the Entity and Its Environment and Assessing the Risk of Material Misstatement. We’ve separately bundled these two courses into their own course collection if you only want to focus on the new requirements of SAS 145.

 

Here is a summary of each individual course in our four-course Internal Control: The Essentials Collection:

Understanding the entity, including its system of internal controls

If you screw up your risk assessment procedures and, by default, your understanding of the entity, including its system of internal control, your audit is doomed from the start.

In this CPE-eligible (1.5 CPE), eLearning course, you will learn about the required risk assessment procedures necessary to obtain an understanding of the entity and its environment, including its system of internal control. We’ll walk through the 2013 COSO framework and the five components of internal control, including the principles representing the fundamental concepts associated with each component. Finally, you’ll learn how to identify relevant (or key) controls, why they are important, and what the auditing standards require you to do with them.

By the end of this course, you should be able to:

  • Recall the required risk assessment procedures and what we hope to learn from performing them
  • Identify the components within an entity's system of internal control
  • Identify relevant controls that address the risks of material misstatement

Evaluating the design and implementation of identified controls

“Walkthroughs? Why are we talking about walkthroughs? I’m doing a substantive audit!” Unfortunately, this is the thinking of many engagement teams, especially those who are not performing a PCAOB audit. However, as you’ll learn in this course, auditors are required to evaluate the design and implementation of identified controls for any audit and the way we document our procedures is, you guessed it, a walkthrough!

In this CPE-eligible (1.5 CPE) eLearning course, you will learn about the various controls within the control activities component of an entity’s system of internal control. We then discuss how to identify those relevant or key controls because, for these identified controls, we are required to evaluate the design and implementation (D&I) by performing risk assessment procedures. Finally, we learn about walkthroughs, specifically what they are, the key elements, and how they are documented by auditors.

By the end of this course, you should be able to:

  • Recall types of controls in the control activities component within an entity's system of internal control
  • Identify relevant controls for which the auditor is required to evaluate their design and determine implementation, and what this means from an auditing perspective
  • Recall the key concepts of a walkthrough

Testing the operating effectiveness of identified controls

Picture this: You have decided to take a controls reliance approach on your audit engagement, and you have determined that the identified (relevant) controls have been effectively designed and implemented. So, what’s next? Well, now it’s time to test the operating effectiveness of those identified controls. But what exactly does that mean?

In this CPE-eligible (1.0 CPE), eLearning course, you will learn about important considerations as they relate to testing the operating effectiveness of an identified control, which is a crucial step in obtaining relevant audit evidence and responding to identified risks. This course will discuss how the nature, timing, and extent of testing are required to be designed and performed, and then you will have the chance to work through an example scenario of testing a specific identified control.

By the end of this course, you should be able to:

  • Distinguish between the nature, timing, and extent of testing identified controls
  • Recognize an auditor's responsibilities for testing the operating effectiveness of identified controls

Evaluating control deficiencies and communicating with management

What happens if your engagement team discovers some sort of “issue” or “discrepancy” when testing the operating effectiveness of identified controls? There are many factors to consider, such as the severity of the finding, which will require professional judgment.

In this CPE-eligible (1.0 CPE), eLearning course, you will learn how to differentiate between a control deviation and a control deficiency. Additionally, the course will discuss the various types of deficiencies, and how to evaluate each type of control deficiency. Lastly, an auditor’s requirements for communicating deficiencies to management will also be covered.

By the end of this course, you should be able to:

  • Recall the various types of control deficiencies and the related requirements to evaluate each type
  • Recognize an auditor’s responsibilities for communicating control deficiencies to management

For those of you that perform an integrated audit (where you must opine on ICFR), I would be remiss if I didn’t include information on the following course that is also available:

Considerations for an integrated audit under AS 2201

Given the increasing pervasiveness of technology, internal controls over financial reporting (ICFR) are becoming critical to the success of an audit, whether ensuring the completeness and accuracy of information or helping reduce the nature, timing, and extent of substantive procedures. While many audits already use an integrated approach, public company audits performed under PCAOB standards have incremental requirements when testing internal controls and issuing an auditor’s report on ICFR.

In this CPE-eligible (1.5 CPE) eLearning course, you will learn about specific PCAOB requirements when auditing internal control over financial reporting when it is integrated with a financial statement audit.

By the end of this course, you should be able to:

  • Recall various specifics as they relate to the PCAOB and ICFR
  • Identify AS 2201 requirements as they relate to audit planning procedures and testing controls
  • Recall PCAOB specific concerns and considerations when evaluating results and issuing an ICFR audit opinion

About GAAP Dynamics  

We’re a DIFFERENT type of accounting training firm. We don’t think of training as a “tick the box” exercise, but rather an opportunity to empower your people to help them make the right decisions at the right time. Whether it’s U.S. GAAP training, IFRS training, or audit training, we’ve helped thousands of professionals since 2001. Our clients include some of the largest accounting firms and companies in the world. As lifelong learners, we believe training is important. As CPAs, we believe great training is vital to doing your job well and maintaining the public trust. We want to help you understand complex accounting matters and we believe you deserve the best training in the world, regardless of whether you work for a large, multinational company or a small, regional accounting firm. We passionately create high-quality training that we would want to take. This means it is accurate, relevant, engaging, visually appealing, and fun. That’s our brand promise. Want to learn more about how GAAP Dynamics can help you? Let’s talk!

Disclaimer  

This post is published to spread the love of GAAP and provided for informational purposes only. Although we are CPAs and have made every effort to ensure the factual accuracy of the post as of the date it was published, we are not responsible for your ultimate compliance with accounting or auditing standards and you agree not to hold us responsible for such. In addition, we take no responsibility for updating old posts, but may do so from time to time.
