The purpose of using the top down approach for an audit of internal controls is to allow the auditor to take a systematic approach to identify risks and select which controls to test. The top down approach begins with the auditor forming a general understanding of the entity and the industry in which it operates. This is accomplished by looking at the company’s financial statements, and acquiring general business knowledge.
The auditor then looks at the entity-level controls of the company to ensure that sufficient policies and procedures are implemented to recognize misstatements, due to error or fraud, in a timely manner so that material misstatements do not affect the financial statements. The two most important types of entity-level controls are those related to the control environment, and those over the period-end financial reporting process. Controls over the control environment should assess how management promotes ethical values and integrity, as well as whether or not the Board of Directors or the audit committee has assumed responsibility for the accuracy and completeness of the financial statements and internal controls. Controls over the period-end financial reporting process should assess the methods used to enter information into the general ledger, how much IT is used in the financial reporting process, types of adjusting and consolidation entries, and the involvement of management, Board of Directors, and the audit committee in the period-end financial reporting process.
Other entity-level controls that must be taken into account include controls over management override, the company’s risk assessment process, centralized processing controls, controls that monitor operations, and controls that monitor other controls. It is important to understand that entity-level controls vary both in nature and precision. Some entity-level controls only indirectly affect the likelihood of detecting or preventing material misstatements, whereas others are specifically designed to monitor the effectiveness of the other controls. The more precise the control, the fewer tests the auditor must perform on those controls.
Next, the auditor identifies any significant accounts and disclosures, and their relevant assertions. Relevant assertions are basically risky financial statement assertions. Financial statement assertions show that a transaction has occurred, is complete, is valued correctly, has transferred ownership to the company, and is properly presented on the financial statements. A relevant assertion, therefore, would be any of these financial statement assertions that are exceptionally vulnerable to having a misstatement and could cause the financial statements to be materially misstated. Significant accounts and disclosures that require more attention are those that are larger in size, are more susceptible to misstatements, are very complex, contain a larger volume of transactions during the period, have realized losses during the period, involve a high likelihood of related party transactions within the account, or have had a significant change in the accounting methods used from last year. It is beneficial for the auditor to go through the financial statements and, for each account and disclosure, brainstorm all the ways it could have been misstated to identify as many risky areas as possible. Risk factors, as well as significant accounts and disclosures and their relevant assertions, will be the same for both the audit of internal controls and the financial statement audit. When auditing an enterprise with multiple business entities, the auditor should use the consolidated financial statements to identify significant accounts and disclosures.
The next step is for the auditor to understand likely sources of misstatement. In order to do this, the auditor should achieve a series of objectives. These objectives include the auditor being able to show where there are vulnerabilities in a company’s internal controls that could result in material misstatements to the financial statements, and what controls management has implemented to reduce these risks. The best way for the auditor to achieve these objectives is by performing walkthroughs. A walkthrough is when the auditor follows a transaction from its origination until it reaches the financial records, and makes sure that all of the control procedures were conducted properly. It is important that the auditor conducts these types of procedures himself or herself and takes careful notes about what type of information technology is used, as well as which personnel are involved in each processing procedure.
The final step in the top down approach is to select which controls to test. The auditor should test each control that is the most important in determining whether or not a particular risk has been sufficiently addressed. If two controls address the same risk, it may not be necessary to test both controls. Also, it may not be necessary to address two risks separately if one control sufficiently addresses both of them. Together, the tests of these internal controls will provide the auditor with a conclusion about the effectiveness of the internal controls over financial reporting.
To conclude, the top down approach is a systematic method of assessing risk that an auditor uses to locate specific areas of risk in a company’s internal controls over financial reporting, and select the best tests to make sure these risks are sufficiently addressed. The top down approach requires the auditor to start by understanding a company and its industry, then move down to the company’s entity-level controls, then to significant accounts and disclosures and their relevant assertions, then double check that he or she has a complete understanding of the risks, and then finally select the controls that are necessary to test to make sure that all risks have been addressed.