PCAOB Staff Audit Practice Alert No. 11 – Part 2
Risk Assessment and the Audit of Internal Control
As mentioned in part 1 of this series, Staff Audit Practice Alert No. 11 was issued in light of significant observations made by the PCAOB staff. The key observations related to risk assessment and the audit of internal control are as follows:
- Improper application of the top-down approach and undue emphasis on testing management review and other detective-type controls
- Failure to test controls for all relevant assertions
- Failure to understand the likely sources of potential misstatement as part of selecting controls to test
A proper risk assessment is fundamental to an audit of internal controls over financial reporting. The risk assessment must identify the risks that could lead to a material misstatement, along with how those risks can occur. After this analysis, controls that address those risks must be identified and tested.
For example, if the overstatement of revenue is identified as a risk, consideration must be given to how a revenue overstatement could occur and to the internal controls in place to address the risk. Without this knowledge, the selection of internal controls to test for design and operating effectiveness will be difficult, which may lead to the evaluation of controls that are not correlated to the risks identified in the risk assessment.
Our next blog in this series regarding the PCAOB Staff Audit Practice Alert No. 11 will cover Obtaining an Understanding of Internal Controls. We will then look at selecting controls to test.