
AUDIT MANUAL EXCERPT: REPORTING ON INTERNAL CONTROL GUIDELINES

Audit Policy for Identifying Significant Accounts and Locations, and Evaluating Control Deficiencies

Audit Policy for Identifying Significant Accounts and Locations

Identifying Significant Accounts and Assertions
For purposes of scoping the audit of internal controls over financial reporting, we consider overall materiality[1] when identifying significant accounts from a quantitative standpoint. Generally, financial statement line items and/or accounts that exceed overall materiality should be considered for designation as significant accounts for both the audits of internal control over financial reporting (ICFR) and the financial statements. Further disaggregation of each financial statement line item may be necessary to determine which component account balances are significant or, alternatively, insignificant. For example, “other assets” may include several component account balances, some of which are individually significant and others that are not individually significant. The more an account exceeds overall materiality, the greater the likelihood it should be considered a significant account.
To identify significant accounts and disclosures and their relevant assertions, we consider the following risk factors:

Size and composition of the account;

Susceptibility to misstatement due to errors or fraud;

Volume of activity, complexity, and homogeneity of the individual transactions processed through the account or reflected in the disclosure;

Nature of the account or disclosure;

Accounting and reporting complexities associated with the account or disclosure;

Exposures to losses in the account;

Possibility of significant contingent liabilities arising from the activities reflected in the account or disclosure;

Existence of related party transactions in the account; and

Changes from the prior period in account or disclosure characteristics.
Some accounts that are quantitatively significant may not require testing for qualitative reasons. Accounts that have low susceptibility to error or fraud, have a low volume of activity, and that are not complex in nature, may not require testing—especially if the area has been thoroughly tested in the recent past. For example, while fixed assets in a service organization may be a large account, it may have very little change from year to year and may present low inherent and fraud risk. For such an account we may rotate our testing and/or rely more on the work of others to evaluate the related controls.

(Willis & Adams, CPAs)
[1] Refer to the Willis & Adams Audit Manual for the firm’s policy on materiality.
Copyright © 2017 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Identifying Significant Units or Locations
A business unit or location can be defined as any of the following: country, plant, sales region, legal entity, reporting unit, business unit, or segment.
We use a risk-based approach to determine which locations should be considered significant. Scoping for an integrated audit should typically begin with the identification of significant accounts and their relevant assertions, based on the consolidated financial statements. In determining the sufficiency of evidence we need to obtain about ICFR for a significant account, we consider both quantitative and qualitative factors. Specifically, we would consider the qualitative risk factors discussed above in determining the amount of evidence we should obtain for a relevant assertion of a significant account. As the risk associated with a significant account decreases, we need to obtain evidence over ICFR from a lower portion of the account. Similarly, as the risk increases, we need to obtain evidence over ICFR from a greater portion of the account.
Determining the business units/locations for audit testing requires us to evaluate factors such as the relative financial significance of the business unit/location and the risk of material misstatement arising from the business unit/location. An illustration of our multi-location testing considerations is provided in the flowchart below.
As noted in the flowchart, in making this determination we should categorize business units/locations into the following categories:
1. Individually important.
2. Contain specific risks that by themselves could create a material misstatement in the consolidated financial statements.
3. Units/locations that should not be able, individually or in the aggregate, to create a material misstatement in the financial statements (those at which we will perform no or very limited testing).
4. When aggregated, could represent a level of financial significance that could create a material misstatement in the consolidated financial statements.
In identifying business units/locations at which to perform testing (item 1 above), we expect that a large portion of our audit assurance will be derived from testing individually important business units/locations (see coverage guidance below).

Determining Individually Important Units/Locations

Individually important business units/locations are those that are financially significant to the entity as a whole. From a quantitative perspective we determine individually significant accounts by selecting business units/locations that exceed either of the following metrics:
Unit/Location’s Net Income Greater than 10% of Total Consolidated Net Income
or
Unit/Location’s Assets Greater than 10% of total assets

The quantitative measures for these metrics cannot exceed 10%; however, in some cases to achieve necessary coverage a team may use lower percentages.

At individually important locations, we should obtain evidence about the effectiveness of controls (either by performing tests of controls ourselves or by using the work of others) for all relevant assertions related to all significant accounts or disclosures at the location, unless at that location, the significant account or disclosure is less than overall materiality.
Multi-location Testing Consideration Flowchart

(Flowchart boxes; each question has a Yes branch and a No branch.)
Is the location or business unit individually important?
Evaluate documentation and test significant controls at each location or business unit.
Are there specific significant risks?
Evaluate and test controls over specific risks.
Are there locations or business units that are not important even when aggregated with others?
No further action required for such units.
Are there documented company-level controls over this group?
Evaluate documentation and test company-level controls over this group.
Some testing of controls at individual locations or business units is required.

Determining Units/Locations That Have Specific Risks

Even after considering the quantitative factors above, the engagement team will need to use significant judgment when determining the individually important business unit’s/location’s qualitative or specific risks. A location or business unit might present specific risks that, by themselves, could create a material misstatement in the company’s financial statements, even though the unit might not be individually financially significant. For example, a business unit responsible for foreign exchange trading could expose the company to the risk of material misstatement, even though the relative financial significance of individual transactions is low.
A detailed consideration of inherent and fraud risks of material misstatement should be made for those locations that were not initially selected as an individually important location. A high degree of auditor judgment must be applied by the engagement leader in assessing whether certain locations have specific risks that make them important.
For those locations identified as having specific risks, the engagement team should evaluate and obtain evidence about the effectiveness of controls (either by performing tests of controls ourselves or by using the work of others) over only the specific risks that could create a material misstatement in the company’s financial statements.

Determining Immaterial Units/Locations

Immaterial business units or locations are those business units or locations that are incapable of creating a material misstatement, either individually or in the aggregate, in the financial statements. The aggregate of these immaterial locations should generally be less than 5 to 10% of the quantitative metrics noted above (i.e., 5 to 10% of total net income or assets). No testing is required with respect to these business units or locations that individually, and when aggregated with others, could not lead to a material misstatement in the financial statements (assuming no specific risks are identified).

Determining Units/Locations Considered Important When Aggregated With Others

This grouping of business units/locations is basically the “catch all” for the remaining business units/locations that were not specifically identified as either “individually important,” “specific risk,” or “immaterial.” This grouping includes those locations which, when aggregated with others, could represent a level of financial significance that could create a material misstatement in the financial statements.
For these locations we should determine whether management has documented and placed in operation entity-level controls. Entity-level controls are controls management has in place to monitor the operations and to oversee the control environment and risk assessment process at these business units or locations. If the company has entity-level controls over these locations, we should perform tests of entity-level controls to determine whether such controls are operating effectively. If the company does not have entity-level controls operating throughout the organization, we should determine the nature, timing, and extent of additional tests of control activities over relevant assertions for significant accounts to be performed at each business unit/location or at a combination of business units/locations.

Determining the Coverage Achieved from Units/Locations Selected

Under AS5, we are not required to achieve a minimum level of coverage (i.e., “large portion” of coverage); however, we need to obtain sufficient competent evidence to support our opinion on ICFR. We expect that much of our audit comfort will be derived from the testing of individually important business units/locations. As a benchmark to determine whether we have obtained enough coverage of control activity testing, we look at both coverage of financial metrics by individually important and specific risk business units/locations as well as coverage of significant accounts.
As a general rule of thumb, between our testing of controls over relevant assertions for significant accounts performed at individually important and specific risk locations and evidence obtained from entity-level controls for other locations or other extended procedures, we should typically obtain evidence related to approximately 90 to 95% of consolidated assets and revenue.

The general goal of coverage related to our financial metrics (i.e., total revenue and assets) is shown below:

| Coverage of Total Revenue and Assets | Testing Plan | Location |
| --- | --- | --- |
| 55-70% | Detailed evaluation and tests of controls over significant (or specific risk) accounts and disclosures at the location and testing of entity-level controls. | Individually important locations and specific risk locations |
| 20-35% | Evaluate/test entity-level controls, if applicable, or perform detailed evaluation and tests of controls over significant accounts and disclosures at some locations if adequate entity-level controls do not exist. | Locations considered important when aggregated with others |
| < 5 to 10% | No testing required. | Immaterial locations |

We generally will consider whether or not the coverage obtained from the individually important business units/locations and business units/locations with specific risks provides coverage over 55 to 70% of the company’s total net income and assets. If our individually important and specific risk locations do not cover at least 55% of both total revenues and assets, we may decide to:
· Lower the percentage used in our criteria to select individually important locations, or
· Add selected locations to obtain the necessary coverage of these metrics.

The coverage percentages are generally considered minimums and in many instances we expect to exceed these minimums. Once we determine that a location is individually important based on our metrics, we will typically include that location for testing even if we have already achieved 70% coverage with other locations. For example, if a company has 4 locations that each represents 20% of total net income then we will achieve at least 80% coverage. It would not be appropriate to test only 3 of the 4 locations even though we could achieve 60% coverage with 3 locations because the 4th location likely represents a reasonable possibility of material misstatement.
There may be some rare instances where we obtain lower coverage for individually important and specific risk locations than suggested by the table above. In instances where teams are contemplating such an approach, we expect the engagement partner to consult with our firm’s risk management office.

Calculate Coverage for Each Significant Account

Once we have calculated coverage for the total revenue and assets metrics, the next step in the process is a “cross-check” designed to determine whether sufficient aggregate evidence is obtained for each significant account through testing at individually important and specific risk locations.
Generally, if the coverage obtained for any significant account is less than 50% of the total consolidated balance of the significant account, additional locations need to be selected for testing of controls over relevant assertions for that account. When additional coverage is needed to test at least 50% of a significant account, we should carefully consider whether any specific risks exist with respect to the account and add the specific risk location(s) as well as other locations for that particular significant account to increase coverage to at least 50%.

Audit Policy for Evaluating Control Deficiencies

Evaluating Control Deficiencies

Auditing Standard (AS) 5 requires that all control deficiencies be evaluated and included individually and in combination with other deficiencies to be either:
· Internal control deficiencies that do not rise to the level of significant deficiencies,
· Significant deficiencies, or
· Material weaknesses.

AS 5 defines these categories as control deficiency, significant deficiency, and material weakness, and the three categories are not mutually exclusive. Control deficiencies encompass all deficiencies, including significant deficiencies and material weaknesses. Thus, we first identify control deficiencies and then consider, individually and in the aggregate, by significant account balance, disclosure, relevant assertion or component of internal control (i.e., the COSO components) to determine whether they result in a significant deficiency or material weakness.
Multiple control deficiencies that affect the same financial statement account or disclosure increase the likelihood of misstatement and may, in combination, constitute a material weakness, even though such deficiencies may individually be less severe. AS 5 requires that we evaluate the significance of a deficiency in internal control by determining:
· the likelihood (reasonably possible, probable, or remote) that the deficiency, individually or in combination with other deficiencies, could result in a misstatement of an account balance or disclosure, and
· the magnitude (not material or significant, not material but significant, or material) of the potential misstatement resulting from the deficiency.

The terms “reasonably possible” and “probable” as used in the definitions of significant deficiency and material weakness are to be interpreted using the guidance in Financial Accounting Standards Board Statement, ASC Topic 450, Contingencies. Willis & Adams has interpreted reasonably possible to mean more than a 5% likelihood.
A misstatement is not “significant” if a prudent official (i.e., a well-informed, competent and objective individual) would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when aggregated with other misstatements, would clearly be immaterial to the financial statements. Willis & Adams has interpreted “not significant” to mean anything less than 10% of overall materiality.
In evaluating deficiencies we typically first consider likelihood and then magnitude because under the PCAOB definitions, only control deficiencies that are reasonably possible or probable to result in a misstatement in the financial statements can rise to the level of a significant deficiency or a material weakness. The joint consideration of likelihood and magnitude becomes more important as the potential magnitude of misstatements becomes higher. For example, where any misstatement from the failure of a control is likely to be material, the judgment as to whether a misstatement from the deficiency is reasonably possible or probable becomes critical.
Whether a control deficiency is determined to be a significant deficiency or a material weakness does not depend on the size of detected misstatements related to the deficiency. Rather, we must evaluate the potential likelihood and potential magnitude of a misstatement resulting from the deficiency. If we find effective compensating (i.e., complementary or redundant) controls that achieve the same control objective, we may conclude that there is a control deficiency or no deficiency at all. We should gather evidence of the operating effectiveness of compensating controls.
The following chart illustrates the interplay between the likelihood of misstatement and the potential magnitude of misstatement.

| Potential Amount | Likelihood: Remote | Likelihood: Reasonably Possible or Probable |
| --- | --- | --- |
| Material amount | Internal control deficiency but not significant deficiency | Material weakness |
| Significant (i.e., more than 10% of overall materiality) but less than a material amount | Internal control deficiency but not significant deficiency | Significant deficiency but not material weakness |
| Not material or significant amount (i.e., less than 10% of overall materiality) | Internal control deficiency but not significant deficiency | Internal control deficiency but not significant deficiency |

AS 5 (¶69) lists certain deficiencies that are indicators of material weakness in ICFR. We should carefully consider this list as we evaluate deficiencies. There may be rare situations where indicators of a material weakness do not result in a control deficiency. For example, if a company had to restate previously issued financial statements we would need to carefully understand the cause of the restatement. If the company had a reasonable position for the application of generally accepted accounting principles and its controls for making such a determination were properly designed and effective, we may conclude that the restatement did not result from a control deficiency.
When evaluating and classifying process/transaction-level control deficiencies, we use the decision tree that follows.

Decision Tree for Evaluating Process/Transaction-Level Control Deficiencies

This decision tree is to be used to evaluate the classification of control deficiencies from the following sources:
· Design effectiveness evaluation
· Operating effectiveness testing
· Deficiencies that resulted in a financial statement misstatement detected by management or the auditor in performing substantive test work

(Decision tree boxes; each box has a Yes branch and a No branch, leading to one of three outcomes: Deficiency, Significant Deficiency, or Material Weakness.)
Box 1. Does the deficiency relate directly to the achievement of one or more financial statement assertions?
Box 2. Is the likelihood of a misstatement resulting from the deficiency (or combination of deficiencies) at least reasonably possible?
Box 3. Is the magnitude of the potential deficiency material to either the interim or annual financial statements?
Box 4. Is the deficiency (or combination of deficiencies) important enough to merit attention by those responsible for oversight of the company’s financial reporting?
Box 5. Do compensating controls exist and operate effectively at a level of precision sufficient to prevent or detect a misstatement that could be material to interim or annual financial statements?
Box 6. Would a well-informed, competent and objective individual (i.e., prudent official) conclude the deficiency is a material weakness?

Guidance for using the Decision Tree

Box 1
Consider whether the deficiency identified relates directly to the achievement of financial statement assertions. Some controls relate only indirectly (e.g., entity-level controls “ELCs” related to the control environment, information technology general controls). Evaluating the severity of deficiencies in controls that contribute only indirectly to the achievement of financial statement assertions should take into account the likelihood and significance of other control deficiencies that may occur or that have occurred as a result of the indirect control’s deficiency.

Box 2
Determine if it is reasonably possible that the control or combination of controls will fail to prevent or detect a misstatement of an account balance. At this point, we are only concerned with the likelihood of a misstatement of any size (i.e., we do not limit our evaluation to the likelihood of a material misstatement; the materiality evaluation is performed separately). Certain risk factors affect whether there is a reasonable possibility that a deficiency, or combination of deficiencies, will result in a misstatement of an account balance or disclosure. AS5 (¶65) provides examples, which include, but are not limited to:
· The nature of the financial statement accounts, disclosures, and assertions involved.
· The susceptibility of the related assets or liability to loss or fraud; that is, greater susceptibility increases risk.
· The subjectivity, complexity, or extent of judgment required to determine the amount involved; that is, greater subjectivity, complexity, or judgment, like that related to an accounting estimate, increases risk.
· The interaction or relationship with other controls, including whether they are interdependent or redundant.
· The interaction of deficiencies.
· The possible future consequences of the deficiency.

Box 3
When evaluating deficiencies, factors that affect the potential magnitude in controls include, but are not limited to, the following (AS5 ¶66):
· Financial statement amounts or total of transactions exposed to the deficiency.
· Volume of activity in the account balance or class of transactions exposed to the deficiency that has occurred in the current period or that is expected in the future.

Evaluation of the magnitude of a deficiency includes the impact of actual and/or potential misstatements on both annual and interim financial statements. In considering potential magnitude, it may be useful to consider a “gross exposure,” or in other words, the total dollars exposed to the identified deficiency. For example, if the total dollars exposed is less than materiality, then the deficiency would not likely rise to the level of a material weakness. After considering the “gross exposure,” it may be useful to consider the “likely exposure” based on the results of the testing performed. For example, if a sampling technique indicates an upper exception limit of 12 percent, then 12 percent of the “gross exposure” would be an estimate of the “likely exposure.” In considering materiality, we consider both quantitative and qualitative considerations as outlined in SEC’s Staff Accounting Bulletin 99.

Box 4
The evaluation of whether a deficiency is important enough to merit the attention of those responsible for oversight of the company’s financial reporting requires the use of professional judgment and is dependent on the facts and circumstances. When evaluating the significance of a deficiency in internal control over financial reporting, the auditor determines the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles. If the auditor determines that the deficiency would prevent prudent officials in the conduct of their own affairs from concluding that they have reasonable assurance, then the auditor should deem the deficiency to be at least a significant deficiency. Having determined in this manner that a deficiency represents a significant deficiency, the auditor must further evaluate the deficiency to determine whether individually, or in combination with other deficiencies, the deficiency is a material weakness.

Box 5
We should evaluate compensating controls to determine if there is a reasonable possibility that a material misstatement will go undetected. We must obtain evidence that the compensating controls are operating effectively. Effective compensating controls will operate at a level of precision that would result in the prevention or detection of a material misstatement, thereby mitigating or reducing the magnitude of the potential misstatements resulting from the identified control deficiency. Compensating controls that operate at a level of precision that would result in the prevention or detection of a material misstatement of the annual or interim financial statements may support a conclusion that the deficiency is not a significant deficiency or a material weakness.

Box 6
The evaluation of the severity of a control deficiency, or combination of control deficiencies, involves the consideration of whether a well-informed, competent and objective individual (i.e., prudent official) would conclude that the control deficiency represents a material weakness because the risk of material misstatement is unacceptably high.
