PCAOB Staff Audit Practice Alert No. 11 – Part 4
Selecting Controls to Test and Testing Management Review Controls
In our ongoing series covering the PCAOB Alert No. 11, this blog covers the issues of selecting controls to test and testing management review controls.
The Alert notes that, in some instances, it appears that auditors, in implementing a top-down approach, placed undue emphasis on testing management review controls and other detective controls without considering whether they adequately addressed the assessed risks of material misstatement of the significant account or disclosure. As such, auditors may have not tested controls for all the relevant assertions of the significant accounts and disclosures.
Auditors should take the necessary steps to perform procedures to obtain evidence about how a management review control is designed and operates to prevent or detect misstatements. Merely verifying that a review was signed off by the appropriate management provides virtually no evidence by itself about the control’s effectiveness.
When evaluating management review controls, keep the following in mind:
- Ensure the control is properly designed;
- Obtain or prepare document to provide evidence a review was done; and
- Re-perform the review and drill-down to supporting evidence
Our next blog concerning the PCAOB Staff Audit Practice Alert No. 11 will cover information technology considerations, including system-generated data and reports.