Evaluating Internal Control over Financial Reporting
A subjective approach to stratify identified risks, ensure adequate
financial statement assertion coverage, and reduce compliance costs
via risk-focused testing
INTRODUCTION
Last year’s passage of Auditing Standard No. 5 (AS 5) seems to have been the Public
Company Accounting Oversight Board’s (PCAOB) attempt to swing the Sarbanes-Oxley
regulatory pendulum back from the process-oriented, control-centric, “kitchen
sink” approach to one that allowed companies to make intelligent choices around
properly mitigating their financial reporting risks via a top-down risk-based
assessment. This in theory should have significantly lowered the amount of work to
be done and the costs to be incurred. Furthermore, Auditing Standard 5 also
encouraged auditors to rely on the work of others (i.e. documenting and testing key
controls) when evaluating the system of internal control, which should have reduced
the overall costs of SOX compliance even further. Unfortunately, in practice, these
savings have not been fully realized.
In point of fact, external auditors often duplicate their clients’ internally-generated
work or perform testing of controls deemed non-key because of management’s
inability to clearly and succinctly demonstrate how their own efforts addressed the
organization’s financial reporting risks for the relevant assertions of significant
accounts and disclosures. If management is unable to do so, then external auditors
have no other choice than to exercise their own judgment in determining what work
must be done to arrive at an opinion regarding the adequacy of internal control.
Their judgment would include selecting the controls required to achieve financial
assertion coverage as well as the nature (inquiry/observation, examination, or
re-performance), timing (reporting periods from which samples will be selected),
and extent (sample s