PCAOB Staff Audit Practice Alert No. 11 – Part 2

January 06, 2014

By Alan Frank, CPA 

Risk Assessment and the Audit of Internal Control

As mentioned in part 1 of this series, the Staff Audit Practice Alert No. 11 was issued in light of significant observations made by the PCAOB staff. The key observations related to risk assessment and the audit of internal control are as follows:

  • Improper application of the top down approach and undue emphasis on testing management review and other detective type controls
  • Failure to test controls for all relevant assertions
  • Failure to understand the likely sources of potential misstatement as part of selecting controls to test

A proper risk assessment is fundamental to an audit of internal controls over financial reporting.  The identification of risks that could lead to a material misstatement along with how those risks can occur must be part of the risk assessment.  After this analysis, controls that address those risks must be identified and tested. 

For example, if the overstatement of revenue is identified as a risk, consideration must be given as to how a revenue overstatement could occur and the internal controls in place to address the risk.  Without this knowledge the selection of internal controls to test for design and operating effectiveness will be difficult, which may lead to the evaluation of controls that are not correlated to the risks identified in the risk assessment. 

Our next blog in this series regarding the PCAOB Staff Audit Practice Alert No. 11 will cover Obtaining an Understanding of Internal Controls. We will then look at selecting controls to test.

About Alan Frank

Alan Frank is a Partner specializing in Process, Risk, and Technology Solutions (PRTS). His focus is internal audit and compliance. He provides consulting, internal audit, governance, risk, and compliance services to a variety of industries, and serves as the PRTS internal audit services leader.