Our consulting blog features hot topics such as risk management, regulatory compliance,   financial reporting, cybersecurity and more.

PCAOB Staff Audit Practice Alert No. 11 – Part 4

Selecting Controls to Test and Testing Management Review Controls 

In our ongoing series covering the PCAOB Alert No. 11, this blog covers the issues of selecting controls to test and testing management review controls.

The Alert notes that, in some instances, it appears that auditors, in implementing a top-down approach, placed undue emphasis on testing management review controls and other detective controls without considering whether they adequately addressed the assessed risks of material misstatement of the significant account or disclosure.  As such, auditors may have not tested controls for all the relevant assertions of the significant accounts and disclosures.

Auditors should take the necessary steps to perform procedures to obtain evidence about how a management review control is designed and operates to prevent or detect misstatements.  Merely verifying that a review was signed off by the appropriate management provides virtually no evidence by itself about the control’s effectiveness.

When evaluating management review controls, keep the following in mind:

  • Ensure the control is properly designed;
  • Obtain or prepare document to provide evidence a review was done; and
  • Re-perform the review and drill-down to supporting evidence

Our next blog concerning the PCAOB Staff Audit Practice Alert No. 11 will cover information technology considerations, including system-generated data and reports.

Alan Frank is a Partner specializing in Process, Risk, and Technology Solutions (PRTS). His focus is internal audit and compliance. He provides consulting, internal audit, governance, risk, and compliance services to a variety of industries, and serves as the PRTS internal audit services leader.

Contact Alan

* Required