AS 2201: An Audit of Internal Control over Financial Reporting That Is Integrated with An Audit of Financial Statements


This auditing standard guides the auditor in performing an audit of management's assessment of the
effectiveness of internal control over financial reporting that is integrated with an audit of the
financial statements. The auditor should plan the examination of internal control by evaluating
whether the following matters are important to the entity's financial statements and internal
control and, if so, how they may affect the auditor's procedures. These matters, which may assist
the auditor in planning the examination, are: knowledge of the entity's internal control obtained
during other engagements performed by the auditor or, if applicable, during a review of a
predecessor auditor's working papers; matters relating to the entity's business, including its
organization, operating characteristics, and capital structure; the extent of recent changes, if
any, in the entity, its operations, or its internal control; legal or regulatory matters of which
the entity is aware; preliminary judgments about the effectiveness of internal control; knowledge
about risks related to the entity evaluated as part of the auditor's client acceptance and
retention evaluation; the relative complexity of the entity's operations; etc. The auditor has to
focus on entity-level controls and identify significant accounts, disclosures, and their relevant
assertions. The auditor then selects those controls that sufficiently address the assessed risk of
misstatement to each relevant assertion for testing. To accomplish this task, it is necessary that
internal control systems be documented adequately and that relevant internal controls be
identified and tested. The complexity of the organization, business unit, or process plays a major
role in risk assessment. The audit of internal control is more clearly scalable for smaller, less
complex companies. Thus, the standard contains direction to auditors on scaling the audit based on
a company's size and complexity.
For the audit of internal control, the auditor should take into account the results of his or her fraud
risk assessment. The auditor should evaluate whether the company's controls sufficiently address
identified risks of material misstatement due to fraud and controls intended to address the risk of
management override of other controls. Controls that might address these risks include. If the
auditor identifies deficiencies in controls designed to prevent or detect fraud during the audit of
internal control over financial reporting, the auditor should take into account those deficiencies
when developing his or her response to risks of material misstatement during the financial
statement audit.
The general inspection report notes that inspections staff have identified situations in which firms
used the work of others, most often internal audit, who performed tests of controls without
establishing a sufficient basis for using that work. For example, in some instances, the extent to
which firms used the work of internal audit in higher risk areas involving significant judgment,
such as aspects of revenue and the valuation of complex, hard-to-value investment securities,
was inappropriate. Also, in some instances, firms failed to evaluate the design of internal audit's
control testing procedures, including the scoping and the identification of important controls.
A top-down approach begins at the financial statement level and with the auditor's understanding
of the overall risks to internal control over financial reporting. The auditor then focuses on
entity-level controls and works down to significant accounts and disclosures and their relevant
assertions. This approach directs the auditor's attention to accounts, disclosures, and assertions
that present a reasonable possibility of material misstatement to the financial statements and
related disclosures. The auditor then verifies his or her understanding of the risks in the
company's processes and selects for testing those controls that sufficiently address the assessed
risk of misstatement to each relevant assertion.
Entity-level controls, like other internal controls over financial reporting, have procedural
aspects designed to help determine their effectiveness. The outputs of the procedures, after being
reviewed and tested for adherence to the control concepts, provide the basis for mitigating
business risks. This overall system of risk identification and control adaptation ensures a company
can achieve its strategic business objectives while acting within the ethical, legal, and regulatory
boundaries established for its industry and organization type. The top-down approach begins
with the auditor's understanding of the overall risks to internal control over financial reporting.
Next, the auditor focuses on entity-level controls and identifies significant accounts, disclosures,
and their relevant assertions. The auditor then selects those controls that sufficiently address the
assessed risk of misstatement to each relevant assertion for testing. To accomplish this task, it is
necessary that internal control systems be documented adequately and that relevant internal
controls be identified and tested.
In selecting controls to test and understanding the likely sources of misstatement, the auditor should
understand the flow of transactions and how information technology affects the flow of the
transaction, and identify the steps management has taken to address potential misstatement.
Because of the great deal of judgment involved in these activities, the auditor should perform the
steps personally or closely supervise those who provide assistance in the audit. The most
effective way to achieve the steps to understanding the likely sources of misstatement is by
performing walkthroughs. A walkthrough helps the auditor follow a transaction from origination through the
company's process and to the final source document. In performing a walkthrough, the auditor
should question the company's personnel about their understanding of the flow of information.
The auditor's conclusion about whether the company on. Controls adequately convey the chance
of misstatement are the controls that should be tested. More than one control may be needed to
address possible risks within a relevant assertion. The decision on which controls to test also
depends on whether controls can independently or in combination be used to judge the risk of
potential misstatement.
The auditor evaluates management's assessment process and obtains sufficient evidence about
whether the company's internal control is designed and operating effectively. This evaluation
provides the auditor with a basis for expressing an opinion on the company's internal control
over financial reporting. The auditor's report will be appropriately modified if the auditor
concludes that management's assessment process is inadequate or if management's report is
inappropriate. Design effectiveness involves evaluating whether internal control is suitably
designed to prevent or detect material misstatement on a timely basis. Controls will not be
designed effectively if there are missing controls, or if implemented controls do not meet the
appropriate control objective. Operating effectiveness involves evaluating whether internal
control is operating as designed.

In a subsequent-year audit, the auditor should incorporate knowledge from past audits of the entity's
controls into the decision-making process for determining the nature, timing, and extent of testing
needed. After taking into account all risk factors, the auditor may be able to reduce testing in
the subsequent year. The auditor should vary the nature, timing, and extent of controls testing from
year to year to introduce unpredictability into testing and respond to changes in circumstances.
Thus, the auditor could test controls during different interim periods, change the number and
types of tests performed, or change the combination of procedures used.
Control deficiencies that are regarded as indicators of material weaknesses in internal control
are: identification of fraud of any magnitude on the part of senior management; restatement of
previously issued financial statements to reflect the correction of a material misstatement, which
includes misstatements due to error or fraud; identification by the auditor of a material
misstatement in the financial statements for the period under audit in circumstances that indicate
that the misstatement would not have been detected by the entity's internal control; and
ineffective oversight of the entity's financial reporting and internal control by those charged
with governance.
The auditor is required to form an opinion on the financial statements based on an evaluation of the
audit evidence obtained, including evidence obtained about comparative financial statements or
comparative financial information, and express clearly that opinion on the financial statements
through a written report that also describes the basis for that opinion.
A written representation is a written statement by management provided to the auditor to confirm
certain matters or to support other audit evidence. Written representations in this context do not
include financial statements, the assertions therein, or supporting books and records. The auditor
should request management to provide written representations concerning fraud, laws and
regulations, uncorrected misstatements, litigation and claims, estimates, related party
transactions, and subsequent events. Reporting of internal control over financial reporting should
follow the pattern and must include the line items provided in the auditing standard.