Evaluating Management's Assessment  

Source:
PCAOB Release 2004-001
March 9, 2004
Page A–21 – Standard

Evaluating Management's Assessment Process

40. The auditor must obtain an understanding of, and evaluate, management's process for assessing the effectiveness of the company's internal control over financial reporting. When obtaining the understanding, the auditor should determine whether management has addressed the following elements:

• Determining which controls should be tested, including controls over all relevant assertions related to all significant accounts and disclosures in the financial statements. Generally, such controls include:

– Controls over initiating, authorizing, recording, processing, and reporting significant accounts and disclosures and related assertions embodied in the financial statements.
– Controls over the selection and application of accounting policies that are in conformity with generally accepted accounting principles.
– Antifraud programs and controls.
– Controls, including information technology general controls, on which other controls are dependent.
– Controls over significant nonroutine and nonsystematic transactions, such as accounts involving judgments and estimates.
– Company level controls (as described in paragraph 53), including:
    – The control environment and
    – Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; to initiate, authorize, record, and process journal entries in the general ledger; and to record recurring and nonrecurring adjustments to the financial statements (for example, consolidating adjustments, report combinations, and reclassifications).
Note: References to the period-end financial reporting process in this standard refer to the preparation of both annual and quarterly financial statements.

• Evaluating the likelihood that failure of the control could result in a misstatement, the magnitude of such a misstatement, and the degree to which other controls, if effective, achieve the same control objectives.
• Determining the locations or business units to include in the evaluation for a company with multiple locations or business units (See paragraphs B1 through B17).
• Evaluating the design effectiveness of controls.
• Evaluating the operating effectiveness of controls based on procedures sufficient to assess their operating effectiveness. Examples of such procedures include testing of the controls by internal audit, testing of controls by others under the direction of management, using a service organization's reports (See paragraphs B18 through B29), inspection of evidence of the application of controls, or testing by means of a self-assessment process, some of which might occur as part of management's ongoing monitoring activities. Inquiry alone is not adequate to complete this evaluation. To evaluate the effectiveness of the company's internal control over financial reporting, management must have evaluated controls over all relevant assertions related to all significant accounts and disclosures.
• Determining the deficiencies in internal control over financial reporting that are of such a magnitude and likelihood of occurrence that they constitute significant deficiencies or material weaknesses.
• Communicating findings to the auditor and to others, if applicable.
• Evaluating whether findings are reasonable and support management's assessment.

41. As part of the understanding and evaluation of management's process, the auditor should obtain an understanding of the results of procedures performed by others. Others include internal audit and third parties working under the direction of management, including other auditors and accounting professionals engaged to perform procedures as a basis for management's assessment. Inquiry of management and others is the beginning point for obtaining an understanding of internal control over financial reporting, but inquiry alone is not adequate for reaching a conclusion on any aspect of internal control over financial reporting effectiveness.
Note: Management cannot use the auditor's procedures as part of the basis for its assessment of the effectiveness of internal control over financial reporting.


