Additional Performance Requirements  
SEC & PCAOB > PCAOB > Auditing Standard No. 2 > Additional Performance Requirements and Directions

Source:
PCAOB Release 2004-001
March 9, 2004

APPENDIX B
Additional Performance Requirements and Directions; Extent-of-Testing Examples
Tests to be Performed When a Company Has Multiple Locations or Business Units

B1. To determine the locations or business units for performing audit procedures, the auditor should evaluate their relative financial significance and the risk of material misstatement arising from them. In making this evaluation, the auditor should identify the locations or business units that are individually important, evaluate their documentation of controls, and test controls over significant accounts and disclosures. For locations or business units that contain specific risks that, by themselves, could create a material misstatement, the auditor should evaluate their documentation of controls and test controls over the specific risks.

B2. The auditor should determine the other locations or business units that, when aggregated, represent a group with a level of financial significance that could create a material misstatement in the financial statements. For that group, the auditor should determine whether there are company-level controls in place. If so, the auditor should evaluate the documentation and test such company-level controls. If not, the auditor should perform tests of controls at some of the locations or business units.

B3. No further work is necessary on the remaining locations or businesses, provided that they are not able to create, either individually or in the aggregate, a material misstatement in the financial statements.

Locations or Business Units That Are Financially Significant

B4. Because of the importance of financially significant locations or business units, the auditor should evaluate management's documentation of and perform tests of controls over all relevant assertions related to significant accounts and disclosures at each financially significant location or business unit, as discussed in paragraphs 83 through 105. Generally, a relatively small number of locations or business units will encompass a large portion of a company's operations and financial position, making them financially significant.

RELEASE
PCAOB Release 2004-001
March 9, 2004
Page A–113 – Standard

B5. In determining the nature, timing, and extent of testing at the individual locations or business units, the auditor should evaluate each entity's involvement, if any, with a central processing or shared service environment.

Locations or Business Units That Involve Specific Risks B6. Although a location or business unit might not be individually financially significant, it might present specific risks that, by themselves, could create a material misstatement in the company's financial statements. The auditor should test the controls over the specific risks that could create a material misstatement in the company's financial statements. The auditor need not test controls over all relevant assertions related to all significant accounts at these locations or business units. For example, a business unit responsible for foreign exchange trading could expose the company to the risk of material misstatement, even though the relative financial significance of such transactions is low.

Locations or Business Units That Are Significant Only When Aggregated with Other Locations and Business Units

B7. In determining the nature, timing, and extent of testing, the auditor should determine whether management has documented and placed in operation companylevel controls (See paragraph 53) over individually unimportant locations and business units that, when aggregated with other locations or business units, might have a high level of financial significance. A high level of financial significance could create a greater than remote risk of material misstatement of the financial statements.

B8. For the purposes of this evaluation, company-level controls are controls management has in place to provide assurance that appropriate controls exist throughout the organization, including at individual locations or business units.

B9. The auditor should perform tests of company-level controls to determine whether such controls are operating effectively. The auditor might conclude that he or she cannot evaluate the operating effectiveness of such controls without visiting some or all of the locations or business units.

B10. If management does not have company-level controls operating at these locations and business units, the auditor should determine the nature, timing, and extent of procedures to be performed at each location, business unit, or combination of

RELEASE
PCAOB Release 2004-001
March 9, 2004
Page A–114

Standard locations and business units. When determining the locations or business units to visit and the controls to test, the auditor should evaluate the following factors:

• The relative financial significance of each location or business unit.
• The risk of material misstatement arising from each location or business unit.
• The similarity of business operations and internal control over financial reporting at the various locations or business units.
• The degree of centralization of processes and financial reporting applications.
• The effectiveness of the control environment, particularly management's direct control over the exercise of authority delegated to others and its ability to effectively supervise activities at the various locations or business units. An ineffective control environment over the locations or business units might constitute a material weakness.
• The nature and amount of transactions executed and related assets at the various locations or business units.
• The potential for material unrecognized obligations to exist at a location or business unit and the degree to which the location or business unit could create an obligation on the part of the company.
• Management's risk assessment process and analysis for excluding a location or business unit from its assessment of internal control over financial reporting.

B11. Testing company-level controls is not a substitute for the auditor's testing of controls over a large portion of the company's operations or financial position. If the auditor cannot test a large portion of the company's operations and financial position by selecting a relatively small number of locations or business units, he or she should expand the number of locations or business units selected to evaluate internal control over financial reporting.
Note: The evaluation of whether controls over a large portion of the company's operations or financial position have been tested should be made at the overall level, not at the individual significant account level.

RELEASE
PCAOB Release 2004-001
March 9, 2004
Page A–115

Standard Locations and Business Units That Do Not Require Testing

B12. No testing is required for locations or business units that individually, and when aggregated with others, could not result in a material misstatement to the financial statements.

Multi-Location Testing Considerations Flowchart

B13. Illustration B-1 depicts how to apply the directions in this section to a hypothetical company with 150 locations or business units, along with the auditor's testing considerations for those locations or business units.



Special Situations
B14. The scope of the evaluation of the company's internal control over financial reporting should include entities that are acquired on or before the date of management's assessment and operations that are accounted for as discontinued operations on the date of management's assessment. The auditor should consider this multiple locations discussion in determining whether it will be necessary to test controls at these entities or operations.

RELEASE
PCAOB Release 2004-001
March 9, 2004
Page A–117 – Standard

B15. For equity method investments, the evaluation of the company's internal controlover financial reporting should include controls over the reporting in accordance with generally accepted accounting principles, in the company's financial statements, of the company's portion of the investees' income or loss, the investment balance, adjustments to the income or loss and investment balance, and related disclosures. The evaluation ordinarily would not extend to controls at the equity method investee.
B16. In situations in which the SEC allows management to limit its assessment of internal control over financial reporting by excluding certain entities, the auditor may limit the audit in the same manner and report without reference to the limitation in scope. However, the auditor should evaluate the reasonableness of management's conclusion that the situation meets the criteria of the SEC's allowed exclusion and the appropriateness of any required disclosure related to such a limitation. If the auditor believes that management's disclosure about the limitation requires modification, the auditor should follow the same communication responsibilities as described in paragraphs 204 and 205. If management and the audit committee do not respond appropriately, in addition to fulfilling those responsibilities, the auditor should modify his or her report on the audit of internal control over financial reporting to include an explanatory paragraph describing the reasons why the auditor believes management's disclosure should be modified.

B17. For example, for entities that are consolidated or proportionately consolidated,the evaluation of the company's internal control over financial reporting should include controls over significant accounts and processes that exist at the consolidated or proportionately consolidated entity. In some instances, however, such as for some variable interest entities as defined in Financial Accounting Standards Board Interpretation No. 46, Consolidation of Variable Interest Entities, management might not be able to obtain the information necessary to make an assessment because it does not have the ability to control the entity. If management is allowed to limit its assessment by excluding such entities,1/ the auditor may limit the audit in the same manner and report It is our understanding that the SEC Staff may conclude that management can limit the scope of its assessment if it does not have the authority to affect, and therefore cannot assess, the controls in place over certain amounts. This would relate to entities that are consolidated or proportionately consolidated when the issuer does not have sufficient control over the entity to assess and affect controls. If management's report on its assessment of the effectiveness of internal control over financial reporting is limited in that manner, the SEC staff may permit the company to without reference to the limitation in scope. In this case, the evaluation of the company's internal control over financial reporting should include evaluation of controls over the reporting in accordance with generally accepted accounting principles, in the company's financial statements, of the company's portion of the entity's income or loss, the investment balance, adjustments to the income or loss and investment balances, and related disclosures. However, the auditor should evaluate the reasonableness of management's conclusion that it does not have the ability to obtain the necessary information as well as the appropriateness of any required disclosure related to such a limitation.



1