Wiley Practitioner's Guide to GAAS 2020. Joanne M. Flood

communicate to those charged with governance and management deficiencies in internal control that the auditor has identified during the audit and that, in the auditor’s professional judgment, are of sufficient importance to merit their respective attentions.

      (AU-C Section 265.06)

      REQUIREMENTS

      Determining Whether Deficiencies in Internal Control Have Been Identified

      The auditors must determine whether, on the basis of the audit work performed, they have identified one or more deficiencies in internal control. (AU-C 265.08)

      Determination of Deficiency Severity

      The auditor must evaluate identified control deficiencies to determine whether they are—individually or in the aggregate—significant deficiencies or material weaknesses. (See “Definitions of Terms” section earlier in this chapter for definitions of those terms.) (AU-C 265.09) When evaluating the severity of control deficiencies, the auditor should consider both the possibility and the magnitude of the misstatement that could result from the deficiency.

      The magnitude of a misstatement can be impacted by such factors as the amount or transaction volume that is exposed to the deficiency. When evaluating the magnitude of a potential misstatement, the recorded amount is considered the maximum amount by which an account balance or total of transactions can be overstated. However, understatements could cause a larger misstatement. (AU-C 265.A6–.A7)

      The auditor must also consider whether there is a reasonable possibility that the entity’s controls will fail to prevent, or detect and correct, a misstatement. Notice that the determination of severity of a deficiency does not depend on whether the misstatement actually occurred. (AU-C 265.A5)

      Possibility of the misstatement. The possibility of a misstatement is a continuous spectrum that ranges from “remote” to “reasonably possible” to “probable.” The following diagram illustrates this range, with “probable” as somewhat less than 100% certainty and “remote” as greater than a 0% chance, while “reasonably possible” is when the chance is more than remote.

      The reasonable possibility that one or more deficiencies will result in a financial statement misstatement is affected by risk factors. Risk factors include the following:

       The nature of the financial statement, transaction types, account balances, disclosures, and assertions

       The susceptibility of assets or liabilities to loss or fraud

       The cause and frequency of the exceptions detected as a result of the deficiency

       The extent of judgment required to determine amounts, as well as the level of subjectivity and complexity in these decisions

       The interaction of controls with each other

       The interaction of deficiencies with each other

       The future consequences of the deficiency

       The importance of the controls to the financial reporting process

      (AU-C 265.A8)

      One can evaluate whether a deficiency presents a reasonable possibility of misstatement without quantifying a specific range for the probability of occurrence. It is quite possible that the probability of a small misstatement will exceed the probability of a large misstatement. (AU-C 265.A9)

      Magnitude of the misstatement. The magnitude of a misstatement also is a continuous spectrum with two key thresholds, “inconsequential” to “material,” as illustrated in the following diagram.

      The combination of possibility and magnitude. The evaluation of control deficiencies requires the auditor to consider both the possibility and the magnitude of the misstatement. Combining the previous two diagrams illustrates this concept.

      When a control deficiency exists, there is a chance that the internal control system will fail to either prevent or detect a misstatement. This diagram illustrates that if the possibility of the misstatement being included in the financial statements is greater than remote and the magnitude of the misstatement is greater than inconsequential, then the deficiency is at least a significant deficiency. If the magnitude of the potential misstatement is greater than material, then a material weakness exists.

      Indicators of Material Weakness

      The following are indicators of material weaknesses in internal controls:

       Fraud by senior management, even if immaterial

       Restatement of previously issued financial statements to reflect the correction of a material misstatement due to error or fraud

       Identification of a material misstatement that would not have been detected and corrected by the entity’s internal controls

       Ineffective oversight of financial reporting and internal controls

      (AU-C 265.A11)

      Communication of Internal Control Related Matters

      Significant deficiencies and material weaknesses must be communicated in writing to management and those charged with governance as a part of each audit. [AU-C 265.11–.12(a)] In this context, the appropriate level of management is one that has the responsibility and authority to take action to correct the deficiency. This is normally the CEO or CFO. For other deficiencies, it may be appropriate to communicate with personnel directly involved in the affected areas with the authority to take action. (AU-C 265.A21)

      The auditor may communicate matters in writing or orally that he or she does not consider to be significant deficiencies but which nonetheless may be of benefit to the entity. If the communication is oral, it should be documented. [AU-C 265.12(b)] The auditor is not required to communicate such matters if they have been communicated by the auditor in a prior period or by others, such as internal auditors. (AU-C 265.A26)

      If significant deficiencies and material weaknesses were not remediated following previous audits, this communication should repeat the description or reference the prior communications. While management may have made a conscious decision to accept the risk of a control deficiency, the auditor must still communicate the issue regardless of management’s decision. (AU-C 265.A20)

      To avoid potential misunderstanding or misuse, the auditor should not issue a written communication that no significant deficiencies were identified during the audit. (AU-C 265.16) The auditor may issue a written communication