The top-down approach is a process for controls testing of internal control over financial reporting. It follows three steps. First, top-down approach starts at the financial statement level with the auditor's understanding about financial reports. Then the auditor focuses on entity-level controls to find significant accounts and disclosure the weakness. The last step is verifying the auditors' understanding of risks of the process in company in order to test the controls that address the assessed risk. The whole approach direct audit's attention on accounts disclosures and assertions that likely misstated.
As the beginning step of top-down approach, the test of entity-level controls is important in top-down approach since it can inform the auditor whether the company has effective internal controls over financial reporting. There are several ways to identify entity-level controls. One is vary them in different functions. For instance, some controls have an important but indirect effect to show the misstatement. They might affect other control that auditor selected to test. Some other controls monitor the effectiveness of other controls and they are used to identify the breakdowns in lower level controls. Some entity-level controls are designed to operate at a level of precision to prevent or detect misstatements on time basis. The second way to identify entity-level control is to verify the connections in controls: controls related to the control environment, and controls over management override. In order to evaluating the control environment, the auditor needs to make sure there are no doubt on three parts including the effectiveness of management's philosophy or operating style on internal control over financial reporting; the understanding of integrity and ethical values of top management; the understanding of exercises oversight responsibility over financial reporting and internal controls of board or audit committee.
Relevant assertions have a possibility of containing a misstatement which may cause the misstatement of financial statement. They include existence or occurrence, completeness, valuation or allocation, rights and obligations, presentation and disclosures. In order to identify significant accounts and disclosures and their relevant assertions, the audit was required to evaluate the qualitative and quantitative risk factors relate to the financial statement line items and disclosures. The risk factors include size and composition of account, susceptibility to misstatement due to errors or fraud, volume of activity, complexity and homogeneity of the individual transaction, nature of the account, exposure to loses in the account, possibility of liabilities arising from the activities reflected in the disclosure, existence of related party transactions in the disclosure and changes from the pre-period in disclosure. The audit also needs to determine the source of potential misstatements. The risk factors are the same in the audit of internal control over financial reporting as in the audit of the financial statements. When the company has many locations, the audit should identify significant account based on consolidated financial statements.
In order to better understand the likely sources of misstatement, the auditor needs to know the flow of transactions related to the relevant assertion, including the process of how transaction are initiated, authorized, processed and recorded. Performing walkthroughs are the most effective way to find the likely sources of potential misstatements. It allows the audit follows tractions from original through the company's process, using the same documents and information technology. It includes a combination of inquiry, observation, inspection of relevant documentation and re-performance of controls.
At the last step, the audit should test those controls to see whether the company's controls are sufficient address the assessed risk of misstatement. It is unnecessary to neither test all controls nor test redundant controls, unless the repeating test is the objective of a control.
Material Weakness vs Significant Deficiency
Significant deficiency is defined as a control deficiency, or combination of control deficiencies, such that there is a reasonable possibility that a significant misstatement of the company's annual or interim financial statements will not be prevented or detected material weakness is kind of deficiency.
Material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis. There are several indicators of material weaknesses, including the identification of fraud, restatement of previously issued financial statements, identification of the misstatement have not been detected by company's internal control, ineffective oversight of the company's external financial reporting.
The audit must communicate to management and the audit committee all material weaknesses identified during the audit in writing form. The written communication should be made previously to the issuance of the auditor's report in internal control over financial reporting. If the audit conclude the company's audit committee is ineffective, the auditor must communicated in writing to the board of directors. The audit should consider whether there are any deficiencies that have been identified as significant deficiencies; they need to communicate this deficiency in writing to the audit committee.
In the audit report in internal control there are several elements required: a title with the word independent, a statement that showing the management is responsible for maintaining effective internal control over financial reporting, an identification of management's report on internal control, a statement that audit was conducted with seastrands of PCAOB, the auditor plan under the standards of PCAOB, a statement the audit obtaining an understanding of internal control over financial reporting, assessing the risk, a statement that auditor believe the audit provides a reasonable basis of the opinion, a paragraph stating financial reporting may not prevent or detect misstatements, the auditor's opinion on whether this company should remain, the manual or printed signature of auditor's firm, the city and state from the auditor's report issued, the date of the audit report.