Page 195 - COSO Guidance Book
P. 195

Auditing Standard No. 2201: Levels of


            controls



            Auditing Standard (AS) No. 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated
            with An Audit of Financial Statements, promulgated by the PCAOB, is relevant for audits of issuers. Its
            guidance is also useful to management of issuer entities. AS No. 2201 discusses a top-down approach
            to the audit of internal control over financial reporting to select the controls to test. A top-down approach
            begins at the financial statement level and with the auditor’s understanding of the overall risks to internal
            control over financial reporting. The auditor then focuses on entity-level controls and works down to
            significant accounts and disclosures and their relevant assertions. This approach directs the auditor’s
            attention to accounts, disclosures, and assertions that present a reasonable possibility of material
                                                                          4
            misstatement to the financial statements and related disclosures .



            Entity-level controls

            Entity-level controls are pervasive and, like the COSO control environment, affect the other components of
            internal control. Per AS No. 2201, these entity-level controls include the following:

              Controls related to the control environment
              Controls over management override
              The company’s risk assessment process
              Centralized processing and controls, including shared-service environments
              Controls to monitor results of operations
              Controls to monitor other controls, including activities of the internal audit function, the audit
               committee, and self-assessment programs
              The period-end financial reporting process
              Policies that address significant business control and risk management practices

            Regarding entity-level controls, auditors must test those that are important to the auditor’s conclusion
            about whether the company has effective internal control over financial reporting. The auditor’s
            evaluation of entity-level controls can result in increasing or decreasing the testing that the auditor
            otherwise would have performed on other controls.




            Account- or process-level controls

            AS No. 2201 also notes that the auditor should identify significant accounts and disclosures and their
            relevant assertions. Relevant assertions are those financial statement assertions that have a reasonable
            possibility of containing a misstatement, thus causing the financial statements to be materially


            4
              The PCAOB standards were reorganized; the guidance contained in AS No. 2201 was previously contained in
            AS No. 5.


            © 2020 Association of International Certified Professional Accountants. All rights reserved.    2-7
   190   191   192   193   194   195   196   197   198   199   200