Internal auditors may have noticed an increase in external audit's documentation and testing requirements on the design and effectiveness of internal controls. The increase may relate to a December 2012 U.S. Public Company Accounting Oversight Board (PCAOB) report, Observations From 2010 Inspections of Domestic Annually Inspected Firms Regarding Deficiencies in Audits of Internal Control Over Financial Reporting, which highlights deficiencies in internal control audits such as the completeness and accuracy of the data used in performing the review. As the PCAOB has stated, a signature alone is not evidence that a control occurred. Rather, sufficient evidence supporting internal control audits often is gained through an internal control walk-through.
As internal auditors often gather evidence about the design and effectiveness of internal controls, they may benefit from revisiting the procedures for performing walk-throughs as noted by the PCAOB in its Auditing Standard No. 5 (AS5), An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements, as well as suggested best practices in implementing the standards.
Internal auditors often perform walk-throughs to help understand and document the flow of transactions from initiation through recording and disclosure in an organization's financial statements. The walk-through is a useful tool for identifying areas where potential misstatements may occur — whether by error or intentional manipulation — and for testing the control's overall design. In determining which controls to examine during an audit of internal control over financial reporting, AS5 requires use of a top-down, risk-based approach to focus audits on the areas most likely to result in a material misstatement.
In applying the top-down approach, internal auditors should begin with determining risks at the financial statement level. Next, auditors must gain an understanding of the organization's entity-level controls, such as tone at the top and personnel competence, to determine the impact on the organization's risk of material misstatement. Auditors then should determine the specific financial statement accounts and disclosures, as well as relevant assertions that represent material risk of financial misstatement. Auditors may find that focusing on common business processes — such as revenue, purchasing, and accounting — and their relationship to the accounts and disclosures with high risk of misstatements helps identify risks. The degree of risk identified considers both quantitative and qualitative risk factors such as the existence of related-party transactions, accounts subject to a high degree of judgment, and accounts subject to management override or highly complex transactions.
An auditor begins the walk-through at the initiation of a transaction and traces it through authorization and processing to recording and disclosing in the financial statements. The auditor may use a combination of inquiry, observation, reperformance, or inspection techniques to evaluate the control design and effectiveness using the same documents and computer information systems employed by the organization. In addition, the auditor should verify the completeness and accuracy of the data the organization used in performing the control. At all points throughout the process, the auditor should consider what could go wrong, including the risk of intentional misstatement and fraud.
During the walk-through, the auditor will want to ask all personnel interviewed about any instances where normal procedures were not followed, including management override and unusual related-party transactions, as well as any known instances of fraud. These inquiries should take place in a private location, if possible. During the interviews, asking open-ended questions may be more effective than basic yes or no questions read from a checklist. Above all, the auditor should maintain a high degree of professional skepticism and be cognizant of any deflective questions from personnel or observations of deceit during the interviews.
When the auditor identifies points in the process where misstatements could be material, he or she should evaluate whether there are compensating controls, such as a management review control, to prevent such a misstatement. The auditor also may recommend design improvements or additional review controls to mitigate the risk of misstatement. In understanding the ability of a review control (e.g., bank reconciliations) to detect and correct a misstatement, the auditor should assess the competence of the individual performing that control, the trigger point for deeper analysis (i.e., precision at which the control operates), how timely the control is performed, and the disposition of follow-up questions triggered by the control.
The auditor also may want to test the operating effectiveness of the control during the walk-through by verifying the control is operating as designed and the personnel performing the control are capable. The amount of evidence required to determine the operating effectiveness must be based on the degree of risk associated with the control. AS5 requires additional evidence beyond inquiry alone — such as inspection, observation, and reperformance — to test a control's operating effectiveness. A higher degree of associated risk will require more audit evidence to conclude operating effectiveness.
Walk-through procedures performed near year-end provide more reliable evidence than those performed on an interim basis. Therefore, roll-forward evidence often is necessary if the evidence is gathered at an interim date. The amount of additional evidence is a matter of professional judgment, but auditors should consider the amount of time from the interim testing date, the effectiveness of the control at the interim testing date, any changes in the control since the testing date, and the risk associated with the control.
The auditor then should evaluate deficiencies identified during the walk-through procedures to consider whether the deficiency would result in a material weakness. AS5 considers a material weakness as a deficiency (or combination of deficiencies) that results in a reasonable
possibility that a material financial statement misstatement may occur and will not be detected or prevented timely. A misstatement does not need to actually have occurred to evaluate a deficiency as a material weakness.
Assuring Financial Statement Quality
In today's complex business environment, internal controls are critical to assuring financial statement quality. The PCAOB wants identifying material weaknesses in internal control to be an early warning sign to the capital markets rather than being reported after a material problem already has occurred. Therefore, using walk-throughs to identify and remedy weaknesses in internal control is critical, and internal auditors are uniquely positioned to play a key role in the process.