Jamie Acker

/in /by

Jamie Acker

ORDER A PLAGIARISM FREE PAPER NOW

Don't use plagiarized sources. Get Your Custom Essay on
Jamie Acker
Just from $15/Page
Order Essay

CASE 5.6 Sarbox Scooter, Inc.
Scoping and Evaluation Judgments in the Audit of Internal Control over Financial Reporting

MARK S. BEASLEY • FRANK A. BUCKLESS • STEVEN M. GLOVER • DOUGLAS F. PRAWITT

LEARNING OBJECTIVES

After completing and discussing this case you should be able to

[1] Understand the complexities of auditing internal control over financial reporting in an integrated audit required by PCAOB Auditing Standard No. 5

[2] Identify significant accounts for an integrated audit

[3] Identify significant locations or business units for an integrated audit

[4] Apply an evaluation methodology to determine the likelihood and magnitude of control deficiencies

[5] Appreciate the judgment needed to evaluate control deficiencies

INTRODUCTION

Section 404 of the Sarbanes-Oxley Act of 2002 requires public companies to report on the effectiveness of their internal control over financial reporting. Section 404 also requires companies to hire an auditor to perform an “integrated audit” involving both a traditional financial statement audit and an audit of internal control over financial reporting. PCAOB Audit Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements (AS5), provides guidance for the audit of internal control and requires the auditor to obtain sufficient competent1 evidence about the effectiveness of controls for all relevant assertions related to all significant accounts in the financial statements. Before an auditor can identify which controls to test, some important audit decisions need to be made. Some of these decisions are listed below.

■ Identify Significant Accounts. Significance is determined by applying quantitative and qualitative measures of materiality to the consolidated financial statements.

■ Identify Relevant Financial Statement Assertions. For each significant account, relevant assertions are identified by considering the assertions that have a meaningful bearing on whether the account is fairly stated. Relevant assertions are those assertions (one or more) related to significant accounts that, if inaccurate, present a reasonable possibility of containing a misstatement or misstatements that would cause the financial statements to be materially misstated.

■ Identify Significant Processes and Major Classes of Transactions. The auditor must understand relevant processing procedures involved in the flow of transactions for significant accounts. The controls auditors will test reside within the significant transaction processes (e.g., sales and collection cycle, period-end financial reporting process).

1 PCAOB Auditing Standards refer to sufficient “competent” evidence, while AICPA Auditing Standards refer to sufficient “appropriate” evidence.

The case was prepared by Mark S. Beasley, Ph.D. and Frank A. Buckless, Ph.D. of North Carolina State University and Steven M. Glover, Ph.D. and Douglas F. Prawitt, Ph.D. of Brigham Young University, as a basis for class discussion. Sarbox is a fictitious company. All characters and names represented are fictitious; any similarity to existing companies or persons is purely coincidental.

Once significant accounts, relevant assertions, and significant processes have been identified, the auditor identifies the controls to test. Determining the location where testing will occur is not always a simple decision. Significant accounts at the consolidated company level are an aggregation of the accounts at the company’s various business units, which may be geographically dispersed across several locations. For example, consolidated accounts receivable is the aggregation of the accounts receivable balances at each of the company’s individual business units (i.e., locations, divisions, or subsidiaries). Thus, another important logistical decision the auditor must make for each significant account is to determine which business units to visit in order to test the controls pertaining to the account.

AS5 does not require the auditor to visit all of a company’s business units or locations. Rather, AS5 requires the auditor to gather sufficient competent evidence for each significant account at the consolidated level in order to support his or her opinion regarding management’s assertion about the effectiveness of internal control over financial reporting. To illustrate, suppose a company has ten different business units, each of which has accounts receivable. Assuming accounts receivable is deemed to be a significant account at the consolidated company level, the auditor might appropriately decide to test controls over accounts receivable at the company’s six largest locations, representing 75 percent of the total consolidated receivables balance.

Part A of this case asks you to identify significant accounts and to determine which locations you would visit to perform tests of controls for Sarbox Scooter, Inc., a hypothetical manufacturer of scooters and mini-motorcycles. Completing the requirements of Part A will require you to exercise judgment to determine which accounts would be considered significant.

Part B of this case, which can be completed independently of Part A, asks you to evaluate the likelihood and magnitude of control deficiencies as defined and required by AS5. When a deficiency is deemed to be a material weakness, the auditor issues an adverse opinion with respect to the effectiveness of a company’s controls over financial reporting. Approximately 17 percent of the first wave of companies required to comply with Section 404 (known as “accelerated filers”) received an adverse audit opinion in early 2005 due to material weaknesses. That number has dropped to less than 5 percent in recent years.

BACKGROUND

Sarbox Scooter, Inc. manufactures and distributes pocket bikes and scooters internationally. Sarbox Scooter has operations in the U.S., Mexico, and Europe. Pocket bikes (also known as “minimotos,” “mini GP’s” or “pocket rockets”) are miniature GP “Grand Prix” racing motorcycles. Approximately one-fourth the size of a regular motorcycle, pocket bikes are accurate in detail and proportion to world-class GP bikes. Common features include the following: small two-stroke gas engines (between 40 – 50 cubic centimeters in size), front/rear disc brakes, racing tires, a sturdy light weight aluminum or aluminum alloy frame, and the look and feel of a real GP racing motorcycle. Pocket bikes are built for racing and intended for use on speedways, go-kart tracks, or closed parking lots. Pocket bike racing is very popular in Europe and Japan and is becoming increasingly popular in the U.S.

Traditional scooters have been a kid favorite for many years. However, the craze for motorized scooters took off in the early 2000’s and is spreading worldwide. While Sarbox Scooters carries a line of traditional non-motorized scooters, the company specializes in gas and electric powered scooters.

Sarbox Scooter was founded in 2005 and is headquartered in Basking Bridge, New Jersey. The company is one of the leading manufacturers of pocket bikes and motorized scooters. Sarbox Scooter’s vision is to be the world’s premier pocket bike and motorized scooter manufacturer and distributor. In line with this vision, Sarbox Scooter is striving to increase brand share by 1% each year for the next five years, to 30% of the market for motorized scooters. However, competition in the industry is intense and is based on price, quality, and aesthetics. In the last year, several competitors with strong brand recognition (e.g., Schwinn) have demonstrated renewed interest in the motorized scooter market with expensive ad campaigns.

Sarbox Scooter’s customer base consists primarily of dealerships both domestically and internationally. Sales to the dealerships account for approximately 90% of Sarbox Scooter’s annual sales. The remaining 10% of sales come from bulk orders sold directly to rental agencies and vacation resorts.

Sarbox Scooter’s business units are divided by geographical region into the U.S., Mexico and Europe. The U.S. region is further sub-divided into five business units: Northeast, Southeast, Central, Southwest and Northwest. The international business units have individual finance directors who report to Warwick Schawb (CFO) at the Basking Bridge headquarters. The Mexico Finance Director recently resigned following deep scrutiny from Sarbox Scooter’s internal audit team of his control, monitoring, and reporting practices. All of the individual business units have sales directors and manufacturing plant managers.

Sarbox Scooter’s computer systems are located within data centers at each regional business unit. All financial statement consolidations and “roll ups” from the business units are performed at headquarters. The company was able to synchronize revenue recording and reporting for all of its business units on the same accounting software systems for the first time in 2012.

The company continued to progress in the areas of corporate governance and social responsibility by strengthening the Board of Directors via the addition of a highly respected business leader, Morris Graybeard, Chairman and Chief Executive Officer of the Rubio Company. Sarbox Scooter has also bolstered its internal audit function by hiring Jenna Jaynes, formerly the head of internal audit at a large international food distributor.

You are an auditor with Sarbox Scooter’s external audit firm, Delmoss Watergrant LLP. Sarbox Scooter has been an audit client since it went public in 2007. Because Sarbox Scooter’s corporate shares are publicly traded, the audit will be an integrated audit in accordance with AS5, including both an audit of internal control over financial reporting and a financial statement audit. Section 404 of the Sarbanes-Oxley Act of 2002 and related rulings of the Securities and Exchange Commission (SEC) require management to assess and evaluate the effectiveness of its internal control over financial reporting. Management must identify significant accounts and locations for testing. While management will provide the auditors with documentation of its risk assessment, controls, and testing, auditing standards require the auditor to independently evaluate the design and operating effectiveness of controls for each of the components of internal control that relate to relevant assertions for all significant accounts and disclosures in the financial statements. Furthermore, the auditors must independently identify each significant process over each major class of transactions and test controls at enough significant locations to obtain sufficient competent evidence regarding the effectiveness of internal controls over financial reporting. In forming your judgments, you will consider the background information above, Sarbox Scooter’s financial statements, and Delmoss Watergrant’s audit policies.

REQUIRED – PART A

[1] According to AS5:

[a] What should the auditor consider when determining whether an account should be considered significant?

[b] What qualitative factors might cause an account that is otherwise relatively small quantitatively to be considered significant?

[c] What qualitative factors might cause an account that is greater than materiality to be considered not significant?

[2] Referring to Delmoss Watergrant’s policy for identifying significant accounts (see Appendix A) as well as Sarbox Scooter’s consolidated balance sheet and income statement, answer the following questions:

[a] Determine a planning materiality threshold to use to identify significant accounts for Sarbox Scooter. Please show your work and justify judgments.

[b] At a consolidated financial statement level, are there accounts on Sarbox Scooter’s financial statements that are greater than planning materiality that should not be considered significant? Please justify your response.

[c] Identify two accounts, at the consolidated level, that are not quantitatively significant, but that should be deemed significant due to qualitative factors. Provide the qualitative factors you considered.

[d] Which Sarbox Scooter business units (geographic locations), if any, would not be considered quantitatively significant? Which business units (locations) have specific risks that would render the unit significant regardless of its quantitative size?

[e] If you had to eliminate or scope out one entire business unit (geographic location), which unit would it be? Please justify your response and include both quantitative and qualitative reasons for doing so.

[3] Auditing standards require the identification and testing of entity-level controls. What are examples of entity-level controls? What are the auditor’s responsibilities with respect to evaluating and testing a client’s period-end financial reporting process?

REQUIRED – PART B (CAN BE COMPLETED INDEPENDENTLY OF PART A)

[1] What are the definitions of a control deficiency, significant deficiency, and material weakness as contained in AS5? Which, if any, of these deficiency categories must the external auditor include in the audit report?

[2] Referring to Delmoss Watergrant’s policy for evaluating control deficiencies (see Appendix B), determine if the following three deficiencies represent a control deficiency, a significant deficiency, or a material weakness. Please consider each case separately and justify your answers.

[a] Sarbox’s revenue recognition policy requires that all non routine sales (i.e. sales to clients other than dealerships) receive authorization from management in order to verify proper pricing and terms of sale. However, after examining a sample of non routine sales records you find that this control is not closely adhered to and that sales representatives offered discounts or altered sales terms that were not properly recorded in Sarbox’s records. As a result, in instances when the control is not followed the recorded sales prices tend to be too high and/or terms are not correctly reflected in the sales invoice and the customers complain. In some situations, customers have cancelled orders due to the over-billing or changed sales terms. Non routine sales represent about 10% of Sarbox’s sales revenue. From your sample testing of the authorization control, you find that the control doesn’t operate 4% of the time, with an upper bound of 9% (i.e., based on your sample, you can be 95% confident that the exception rate does not exceed 9%).

[b] While examining Sarbox’s period-end financial reporting process, you discover that revenue has been recognized on orders that were received and completed, but not yet shipped to the customer. No specific goods were set aside for these orders; however, there is sufficient inventory on hand to fill them. Also, you observe that some orders were shipped before being recorded as sales, so that your best estimate of total revenue cutoff error at year-end was approximately $2.3 million.

[c] Sarbox Scooter requires that all credit sales to new customers or to customers with a current balance over their pre-approved credit limit be approved by the credit manager prior to shipment. However, during peak seasons this policy is not strictly followed in order to accommodate the need of both the company and its customers to have orders processed rapidly. Because of these findings, you estimate that the allowance for doubtful accounts is materially understated. While the client does not dispute that the authorization control was not operating effectively during peak seasons, the client has pointed out compensating controls that it feels should reduce the magnitude of the deficiency below a material weakness. The first compensating control is that an accounts receivable aging schedule is reviewed each quarter by management and accounts that are older than 180 days are written-off. Also, management distributes a list of companies that default or fail to pay on time to all sales staff on a monthly basis to prohibit such companies from making additional purchases on credit.

PROFESSIONAL JUDGMENT QUESTION

It is recommended that you read the Professional Judgment Introduction found at the beginning of this book prior to responding to the following question.

[3] How might the overconfidence tendency affect management’s assessment of the likelihood and magnitude of potential misstatement from an observed control deficiency? If the auditor believes that management’s assessment is biased by overconfidence, how might the auditor help management recalibrate their assessment?

 

 

 

Appendix A: Excerpts from the Audit Policy of Delmoss Watergrant LLP to Identify Significant Accounts and Locations (For use with Part A of the case)

Identifying Significant Accounts and Assertions

For purposes of scoping the audit of internal controls over financial reporting, we consider planning materiality1 when identifying significant accounts from a quantitative standpoint. Generally, financial statement line items and/or accounts that exceed planning materiality should be considered for designation as significant accounts for both the audits of internal control over financial reporting (ICFR) and the financial statements. Further disaggregation of each financial statement line item may be necessary to determine which component account balances are significant or, alternatively, insignificant. For example, “other assets” may include several component account balances, some of which are individually significant and others that are not individually significant. The more an account exceeds planning materiality, the greater the likelihood it should be considered a significant account, even when the qualitative risk factors are low. However, an account that exceeds planning materiality is not automatically a significant account as qualitative factors may also be considered. Qualitative factors may also lead us to consider an account or disclosure less than planning materiality to be significant.

Qualitatively, we deem accounts to be significant if they are impacted by inherent and fraud risks that have a reasonable possibility of resulting in a material misstatement, either on an individual or an aggregate basis. Relevant qualitative factors include the following:

  • Susceptibility of loss due to errors or fraud;
  • Volume of activity, complexity, and homogeneity of the individual transactions processed through the account;
  • Nature of the account;
  • Accounting and reporting complexities associated with the account;
  • Exposures to losses represented by the account;
  • Likelihood of significant contingent liabilities arising from the activities represented by the account;
  • Existence of related party transactions in the account, and
  • Changes in account characteristics from the prior period.

For example, accounts that may not be quantitatively significant at any point in time, but include significant activity (e.g., cash, work in process, suspense accounts) should be considered significant accounts.

Similarly, some accounts that are quantitatively significant may not require testing for qualitative reasons. Accounts that have low susceptibility to error or fraud, have a low volume of activity, and that are not complex in nature, may not require testing—especially if the area has been thoroughly tested in the recent past. For example, while fixed assets in a service organization may be a large account, it may have very little change from year to year and may present low inherent and fraud risk. For such an account we may rotate our testing and/or rely more on the work of others to evaluate the related controls.

In addition, the qualitative factors of separate account components should be considered when determining which components of an account should be tested. For example, the petty cash component of the cash account rarely poses more than a remote risk that the financial statements are materially misstated.

1 Delmoss Watergrant’s policy on materiality indicates that from a quantitative perspective planning materiality will generally fall in the range of 3-5% of pretax earnings or 1-2% of sales, whichever is less so long as both bases are an accurate reflection of the company’s size, past performance, and complexity (i.e., when income is near zero or negative, it is not typically considered representative).

After identifying significant accounts we should consider relevant assertions. Relevant assertions are those that present risks that result in a reasonable possibility of a material misstatement and as a result, only controls over those assertions need be tested to assess ICFR. For example, if we determine payroll expense is a significant account, we may determine that only the completeness and valuation assertions present risks that result in a reasonable possibility of materiality misstatement, and as a result we would obtain evidence of design and operating effectiveness of ICFR from walkthroughs and tests of controls associated with these two assertions.

As part of identifying significant accounts and their relevant assertions, we should determine the likely sources of potential misstatements that would cause the financial statements to be materially misstated. We might determine the likely sources of potential misstatements by asking ourselves “what could go wrong?” within a given significant account or disclosure.

Identifying Significant Business Units or Locations

Determining the business units/locations for audit testing requires us to evaluate factors such as the relative financial significance of the business unit/location and the risk of material misstatement arising from the business unit/location. In making this determination we should categorize business units/locations into the following categories:

  1. Individually important.
  2. Contain specific risks that by themselves could create a material misstatement in the consolidated financial statements.
  3. Business units/locations that should not be able, individually or in the aggregate, to create a material misstatement in the financial statements (those at which we will perform no or very limited testing).
  4. When aggregated, could represent a level of financial significance that could create a material misstatement in the consolidated financial statements.

In identifying business units/locations at which to perform testing (item 1 above), we expect that a large portion of our audit assurance will be derived from testing individually important business units/locations.

Determining Individually Important Business Units/Locations

Individually important business units/locations are those that are financially significant to the entity as a whole. From a quantitative perspective we determine individually significant accounts by selecting business units/locations that exceed either of the following metrics:


Business Unit/Location’s
Net Income Greater than 10% of
Total Consolidated Net Income

  OR  

Business Unit/Location’s
Assets Greater than 10% of
Total Consolidated Assets

 

Determining Business Units/Locations That Have Specific Risks

Even after considering the quantitative factors above, the engagement team will need to use significant judgment when determining the individually important business unit’s/location’s qualitative or specific risks. A location or business unit might present specific risks that, by themselves, could create a material misstatement in the company’s financial statements, even though the unit might not be individually financially significant. For example, a business unit responsible for foreign exchange trading could expose the company to the risk of material misstatement, even though the relative financial significance of individual transactions is low.

A detailed consideration of inherent and fraud risks of material misstatement should be made for those locations that were not initially selected as an individually important location. A high degree of auditor judgment must be applied by the engagement leader in assessing whether certain locations have specific risks that make them important. The engagement team would normally only obtain evidence about the effectiveness of controls over specific risks that could lead to material misstatements.

Appendix B: Excerpts from the Audit Policy of Delmoss Watergrant LLP on Evaluating Control Deficiencies (For use with Part B of the case)

Evaluating Control Deficiencies

Auditing Standard 5 (AS5) requires that all control deficiencies be evaluated and included individually and in combination with other deficiencies to be either:

  • Internal control deficiencies that do not rise to the level of significant deficiencies,
  • Significant deficiencies, or
  • Material weaknesses.

AS5 defines these categories as control deficiency, significant deficiency, and material weakness, and the three categories are not mutually exclusive. Control deficiencies encompass all deficiencies, including those evaluated as significant deficiencies and material weaknesses. Thus, we first identify control deficiencies and then consider, individually and in the aggregate, by significant account balance, disclosure, relevant assertion or component of internal control (i.e., the COSO components) to determine whether they result in significant deficiencies or material weaknesses. Multiple control deficiencies that affect the same financial statement account or disclosure increase the likelihood of misstatement and may, in combination, constitute a material weakness, even though such deficiencies may individually be less severe.

AS5 requires that we evaluate the significance of a deficiency in internal control by determining:

  • the likelihood(reasonable possibility or probable, or remote) that the deficiency, individually or in combination with other deficiencies, could result in a misstatement of an account balance or disclosure, and
  • the magnitude(not material or significant, not material but significant, or material) of the potential misstatement resulting from the deficiency or deficiencies.

The term “reasonable possibility” and “probable” as used in the definitions of significant deficiency and material weakness are to be interpreted using the guidance in Financial Accounting Standards Board Statement No. 5, Accounting for Contingencies. Delmoss Watergrant has interpreted reasonable possibility to mean more than a 5% likelihood.

A misstatement is not “significant” if a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when aggregated with other misstatements, would clearly be immaterial to the financial statements. Delmoss Watergrant has interpreted “not significant” to mean anything less than 10% of planning materiality.

In evaluating deficiencies we typically first consider likelihood and then magnitude because under the PCAOB definitions, only control deficiencies with at least a “reasonable possibility” likelihood can rise to the level of a significant deficiency or a material weakness.

The joint consideration of likelihood and magnitude becomes more important as the potential magnitude of misstatements becomes higher. For example, where any misstatement from the failure of a control is likely to be material, judgments as to whether the deficiency has a reasonable possibility or probable likelihood of misstatement becomes critical. Whether a control deficiency is determined to be a significant deficiency or a material weakness does not depend on the size of detected misstatements related to the deficiency. Rather, we must evaluate the potential likelihood and potential magnitude of a misstatement resulting from the deficiency.

If we find effective complementary or redundant controls that achieve the same control objective we may conclude that there is a control deficiency or no deficiency at all. We should gather evidence of the operating effectiveness of complementary or redundant controls.

The following chart illustrates the interplay between the likelihood of misstatement and the potential magnitude of misstatement.

Potential Amount Likelihood
Remote Reasonable Possibility or Probable
Material amount Internal control deficiency but not significant deficiency Material weakness
Significant (i.e., more than 10% of overall materiality) but less than a material amount Internal control deficiency but not significant deficiency Significant deficiency but not material weakness
Not material or significant amount (i.e., less than 10% of overall materiality) Internal control deficiency but not significant deficiency Internal control deficiency but not significant deficiency

AS5 paragraph 69 lists certain deficiencies that are indicators of material weakness in internal control over financial reporting. We should carefully consider this list as we evaluate deficiencies. There may be rare situations where indicators of a material weakness do not result in a control deficiency. For example, if a company had to restate previously issued financial statements we would need to carefully understand the cause of the restatement. If the company had a reasonable position for the application of generally accepted accounting principles and its controls for making such a determination were properly designed and effective, we may conclude that the restatement did not result from a control deficiency.

When evaluating and classifying process/transaction-level control deficiencies, we use the decision tree that follows. The decision tree assumes the auditor has determined that an exception discovered in testing represents a control deficiency.

Decision Tree for Evaluating Process/Transaction-Level Control Deficiencies

The decision tree is used to evaluate the classification of control deficiencies from the following sources:

  • Design effectiveness evaluation,
  • Operating effectiveness testing,
  • Deficiencies that resulted in a financial statement misstatement detected by management or the auditor in performing substantive test work.

Guidance for using the Decision Tree (see diagram on previous page)

Box 1 Consider whether the deficiency identified relates directly to the achievement of financial statement assertions. Some controls relate only indirectly (e.g., entity-level controls related to the control environment, information technology general controls). Evaluating the severity of deficiencies in controls that contribute only indirectly to the achievement of financial statement assertions should take into account the likelihood and significance of other control deficiencies that may occur or have occurred as a result of the indirect control’s deficiency.
Box 2 Determine if it is reasonably possible that the failure of the control or combination of controls will fail to prevent or detect a misstatement of an account balance. At this point, we are only concerned with the likelihood of a misstatement, regardless of size (i.e., we do not limit our evaluation to the likelihood of a material misstatement—the magnitude evaluation is performed separately).
Certain risk factors affect whether there is a reasonable possibility that a deficiency, or combination of deficiencies, will result in a misstatement of an account balance or disclosure. AS5.65 provides examples, which include, but are not limited to:

• The nature of the financial statement accounts, disclosures, and assertions involved.

• The susceptibility of the related assets or liability to loss or fraud; that is, greater susceptibility increases risk.

• The subjectivity, complexity, or extent of judgment required to determine the amount involved; that is, greater subjectivity, complexity, or judgment, like that related to an accounting estimate, increases risk.

• The interaction or relationship with other controls, including whether they are interdependent or redundant.

• The interaction of deficiencies.

• The possible future consequences of the deficiency.
Box 3 When evaluating deficiencies, factors that affect the potential magnitude in controls include, but are not limited to, the following (AS5.66):

• Financial statement amounts or total of transactions exposed to the deficiency

• Volume of activity in the account balance or class of transactions exposed to the deficiency that has occurred in the current period or that is expected in the future.
Evaluation of the magnitude of a deficiency includes the impact of actual and/or potential misstatements on both annual and interim financial statements. In considering potential magnitude, it may be useful to consider a “gross exposure,” or in other words the total dollars exposed to the identified deficiency. For example if the total dollars exposed is less than materiality, then the deficiency would not likely rise to the level of a material weakness. After considering the “gross exposure,” it may be useful to consider the “likely exposure” based on the results of the testing performed. For example, if a sampling technique indicates an upper exception limit of 12 percent, then 12 percent of the “gross exposure” would be an estimate of the “likely exposure.”
In considering materiality, we consider both quantitative and qualitative considerations as outlined in SEC’s Staff Accounting Bulletin 99.
Box 4 If we find effective complementary or redundant controls that achieve the same control objective we would only have a control deficiency or no deficiency at all. If there are no effective complementary or redundant controls, we should evaluate compensating controls to determine if there is a reasonable possibility that a material misstatement will go undetected. We must obtain evidence that the compensating controls are operating effectively. Effective compensating controls will operate at a level of precision that would result in the prevention or detection of a material misstatement, thereby mitigating or reducing the magnitude of the potential misstatements resulting from the identified control deficiency. Compensating controls that operate at a level of precision that would result in the prevention or detection of a material misstatement of the annual or interim financial statements may support a conclusion that the deficiency is not a significant deficiency or a material weakness.
Box 5 The evaluation of whether a deficiency is important enough to merit the attention of those responsible for oversight of the company’s financial reporting requires the use of professional judgment and is dependent on the facts and circumstances.
When evaluating the significance of a deficiency in internal control over financial reporting, the auditor determines the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles. If the auditor determines that the deficiency would prevent prudent officials in the conduct of their own affairs from concluding that they have reasonable assurance, then the auditor should deem the deficiency to be at least a significant deficiency. Having determined in this manner that a deficiency represents a significant deficiency, the auditor must further evaluate the deficiency to determine whether individually, or in combination with other deficiencies, the deficiency is a material weakness.
Box 6 The evaluation of the severity of a control deficiency, or combination of control deficiencies, involves the consideration of whether a well-informed, competent and objective individual (i.e., prudent official) would conclude that the control deficiency represents a material weakness because the risk of material misstatement is unacceptably high.