1、外 文 翻 译外文题目 Auditing Internal Control Over Financial Reporting外文出处 Auditing Internal Control Over Financial Reporting University of Hawaii at Hilo 2004(12):100-107 外文作者 James E. Hunton 原文: Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 2 , AnAudit of Internal Control Over Fi
2、nancial Reporting Performed in Conjunction With an Audit of Financial Statements, (AS-2) addresses the work that is required to audit internal control over financial reporting and the relationship of that audit to the audit of the financial statements.Since the issuance of AS-2, auditors and other p
3、arties have raised questions on a variety of issues about the implications of AS-2. To answer those questions, on June 23, 2004, the Office of the Chief Auditor of the PCAOB issued guidance in the form of questions and answers on issues related to the implementation of AS-2. Refer to the September 3
4、0, 2004, and October 15, 2004, GAAS Update Service issues for coverage of the topics previously addressed by the PCAOB staff in its June release, which relate to the following areas: auditor independence;scope and extent of testing; evaluating deficiencies; multi-location issues; using work of other
5、s;and service organizations. In response to additional implementation questions that continue to be raised, on October 6, 2004, the PCAOB staff updated its June release, Auditing Internal Control Over Financial Reporting, on frequently asked questions. The updated PCAOB release issued in October 200
6、4 provides additional interpretive and implementation guidance on issues relating to scope and extent of testing, evaluating deficiencies, and service organizations. PCAOB staff questions and answers represent the staffs opinions on issues related to the implementation of the standards of the PCAOB.
7、 They are intended to provide guidance to auditors on implementing the PCAOBs standards. However, they are neither rules of the PCAOB nor have they been approved by the PCAOB. Scope and Extent of TestingQ. Does the scope of internal control over financial reporting as it relates to compliance with l
8、aws and regulations under AS-2 encompass controls over a broader array of circumstances than those described in AU Section 317, Illegal Acts by Clients? A. Yes. AU Section 317, Illegal Acts by Clients, provides that the auditor consider the laws and regulations that have a direct and material effect
9、 on the determination of financial statement amounts. However, paragraph 15 of AS-2 does not use the phrase “direct and material effect on the determination of financial statement amounts.” Rather, paragraph 15 of AS-2 provides that operations and compliance with laws and regulations directly relate
10、d to the presentation of and required disclosures in financial statements are encompassed in internal control over financial reporting. This provision in AS-2 includes: (1) the “direct and material” effects described in AU Section 317, such as compliance with tax laws that affect accruals and the am
11、ount recognized as expense in the accounting period; and (2)other circumstances that would be classified under AU Section 317 as having only indirect effects on the financial statements In the PCAOB staffs view, internal control over financial reporting encompasses controls over the identification,
12、measurement, and reporting of all material actual loss events that have occurred, including controls over the monitoring and risk assessment of areas in which such actual loss events are reasonably possible. The staff guidance illustrates this point by indicating that, for example, a waste disposal
13、companys internal control over financial reporting ordinarily would encompass controls for identifying and measuring environmental liabilities for existing and newly acquired landfills, even if there is no governmental investigation or enforcement proceeding underway. The PCAOB staff believes that i
14、ts interpretation is consistent with the Securities and Exchange Commission (SEC) staffs views regarding managements responsibilities for assessing internal control over financial reporting. According to the SEC staff, while it may be possible to connect the violation of any law, rule, or regulation
15、 to the financial statements by observing that if the violation is significant enough it will have a material effect on the registrants financial statements, the SEC staff does not believe that compliance with all laws fits within the definition. The SECs financial reporting requirements and the Int
16、ernal Revenue Code are examples of regulations that are directly related to the preparation of the financial statements. Conversely, rules requiring disclosure as to the existence of a code of ethics or disclosure as to the existence of an audit committee financial expert are examples of rules promu
17、lgated under the Sarbanes-Oxley Act of 2002 (SOA) that are not directly related to the preparation of financial statementsEvaluating Deficiencies What is the effect on the auditors evaluation of managements assessment of internal control and the auditors report in circumstances under which managemen
18、ts assessment and the auditors audit procedures do not include certain controls that should have been encompassed because neither management nor the auditor has the ability to evaluate those controls?A. There may be circumstances in which there are restrictions on the scope of the auditors engagemen
19、t to audit internal control over financial reporting. For example, both management and the auditor may be unable to obtain evidence of operating effectiveness of controls at a service organization used by the company because a type 2 Statement on Auditing Standards (SAS) No. 70, Service Organization
20、s, (SAS-70) report that is deemed to be necessary under the circumstances is not available. If neither management nor the auditor is able toperform tests of controls at the service organization (e.g., because management does not have a contractual right to do so), a scope limitation exists. An SEC s
21、taff interpretation states that, subject to limited exceptions, management cannot issue a report on internal control with a scope limitation. Under paragraph 20 of AS-2, in order for the auditor to satisfactorily complete an audit of internal control over financial reporting, management must fulfill
22、 several responsibilities, including evaluating the effectiveness of the companys internal control over financial reporting and supporting its evaluation with sufficient evidence. Therefore, if management is unable to assess certain controls over financial reporting that should have been included in
23、 its assessment, a control deficiency exists. If the transaction or events subject to controls that management is unable to assess are material to the companys financial statements, the auditor ordinarily would determine that this control deficiency represents a material weakness. In addition,the au
24、ditor would need to determine whether management, under the circumstances, had failed to fulfill its responsibilities to evaluate the effectiveness of the companys internal control over financial reporting and support its evaluation with sufficient evidence. If the auditor determines that management
25、 has not fulfilled its responsibilities, the auditor is required to disclaim an opinion. Also, to the extent that management has willfully decided not to fulfill its responsibilities, the auditor may have additional responsibilities under AU Section 317 and under Section 10A of the Securities Exchan
26、ge Act of 1934. In making the determination of whether management has fulfilled its responsibilities to evaluate the effectiveness of the companys internal control over financial reporting, the PCAOB staff indicates that the auditor could evaluate factors, such as the following: The date of the cont
27、ract or other transaction documents that could have provided management with the ability to assess controls or otherwise to obtain evidence of the operating effectiveness of relevant controls; The relative ease or difficulty with which management could renegotiate the contract or transaction documen
28、ts and the extent to which management has attempted to do so; and Whether management is able to assess the controls, or obtain evidence of operating effectiveness of relevant controls, in the absence of having access to the controls. The PCAOB staff provides the following examples of how to apply th
29、e aforementioned guidance: Inability to obtain evidence of the operating effectiveness of controls at the service organization.When the transactions or events subject to the internal controls at the service organization are material to the companys financial statements, and management is unable to o
30、btain evidence about their operating effectiveness, the auditor ordinarily would determine that a material weakness exists. However, for example, if the servicing contract with the service organization was executed in 2001 (i.e., well before the existence of the SOA) and management already has negot
31、iated with the service organization to provide a suitable type 2 SAS-70 report next year, the auditor might determine that management had fulfilled its responsibilities under AS-2. Accordingly, the auditor might be able to complete the audit of internal control over financial reporting. On the other
32、 hand, the auditor ordinarily would determine that management had not fulfilled its responsibilities under AS-2 in the following circumstances: (1) if management recently renewed its contract with the service organization but did not negotiate either an agreement about obtaining a suitable type 2 SA
33、S-70 report or permission to test controls at the service organization; or (2) if the contract with the service organization is long-dated and management has not attempted to negotiate to obtain the necessary evidence of operating effectiveness of controls. Accordingly, in these circumstances, the a
34、uditor would be required to disclaim an opinion and would need to evaluate his or her additional responsibilities under AU Section 317 and under Section 10A of the Securities Exchange Act of 1934. Consolidation of variable interest entities. The SEC allows management to limit its assessment of inter
35、nal control over financial reporting by excluding certain entities that are subject to consolidation under FASB Interpretation No. 46, Consolidation of Variable Interest Entitiesan Interpretation of ARB No. 51 (FIN-46). For example, management is permitted to exclude from the scope of its assessment
36、 the controls of an entity in existence prior to December 15, 2003, that is consolidated pursuant to FIN-46, for which the company does not have the right or authority to assess the controls and also lacks the ability to make that assessment. In such situations, according to AS-2, the auditor may li
37、mit the audit of internal control over financial reporting in the same manner and report without reference to the scope limitation. On the other hand, if management is unable to assess the controls of an entity consolidated pursuant to FIN-46 that came into existence subsequent to December 15, 2003,
38、 the auditor would conclude that a control deficiency exists; accordingly, if the consolidated variable interest entity is material to the companys financial statements, the auditor ordinarily would conclude that this represents a material weakness in internal control over financial reporting. Also,
39、 the auditor needs to determine whether management has fulfilled its responsibilities as described in paragraph 20 of AS-2. If the auditor determines that management has not fulfilled its responsibilities, the auditor is required to disclaim an opinion. Also, to the extent that management has willfu
40、lly decided not to fulfill its responsibilities, the auditor may have additional responsibilities under AU Section 317 and under Section 10A of the Securities Exchange Act of 1934. Service Organizations By virtue of the requirement in AS-2 for the auditor to perform at least one walkthrough for each
41、 major class of transactions, if a service organizations services involve the processing of a major class of transactions, should the auditor perform walkthroughs at the service organization? AS-2 requires the auditor to perform at least one walkthrough for each major class of transactions. In a wal
42、kthrough, the auditor traces all types of company transactions and events: (1) from origination; (2) through the companys accounting, information, and financial reporting system; and (3) to their inclusion and disclosure in the companys financial statements. Because of the importance of walkthroughs
43、 and the fact that they accomplish several objectives, AS-2 specifically requires the auditor to: Perform walkthroughs in each annual audit of internal control over financial reporting; Perform the walkthroughs directly himself or herself (i.e., the auditor is precluded from delegating the performan
44、ce of walkthroughs to others, e.g., to management or to the internal auditors); and Perform at least one walkthrough for each major class of transactions. If the processing of a major class of transactions involves the services of a service organization, the PCAOB staff advises that auditors would n
45、ot have to perform walkthroughs at the service organization, as long as they were able to obtain sufficient evidence to achieve the objectives of the walkthrough by other means, for example through a service auditors report. In evaluating if the service auditors report provides evidence sufficient t
46、o achieve the objectives of a walkthrough, the PCAOB guidance indicates that auditors should follow the directions in paragraphs B21 to B24 of AS-2, which indicate: The auditor may obtain evidence about whether controls that are relevant to managements assessment and the auditors opinion are operati
47、ng effectively by performing procedures, such as the following: Performing tests of the user organizations controls over the activities of the service organization (e.g., testing the user organizations independent performance of selected items processed by the service organization or testing the use
48、r organizations reconciliation of output reports with source documents). Performing tests of controls at the service organization. Obtaining a service auditors report on controls placed in operation and tests of operating effectiveness, or a report on the application of agreed-upon procedures that d
49、escribes relevant tests of controls. If a service auditors report on controls placed in operation and tests of operating effectiveness is available, management and the auditor may evaluate whether this report provides sufficient evidence to support the assessment and opinion, respectively.In evaluating whether such a service audito