Management's Documentation  
SEC & PCAOB > PCAOB > Auditing Standard No. 2 > Management Documentation

Source:
PCAOB Release 2004-001
March 9, 2004
Page A–23 – Standard

42. Management's Documentation. When determining whether management's documentation provides reasonable support for its assessment, the auditor should evaluate whether such documentation includes the following:

• The design of controls over all relevant assertions related to all significant accounts and disclosures in the financial statements. The documentation should include the five components of internal control over financial reporting as discussed in paragraph 49, including the control environment and company-level controls as described in paragraph 53;

• Information about how significant transactions are initiated, authorized, recorded, processed and reported;

• Sufficient information about the flow of transactions to identify the points at which material misstatements due to error or fraud could occur;

• Controls designed to prevent or detect fraud, including who performs the controls and the related segregation of duties;

• Controls over the period-end financial reporting process;

• Controls over safeguarding of assets (See paragraphs C1 through C6); and

• The results of management's testing and evaluation.

43. Documentation might take many forms, such as paper, electronic files, or other media, and can include a variety of information, including policy manuals, process models, flowcharts, job descriptions, documents, and forms. The form and extent of documentation will vary depending on the size, nature, and complexity of the company.

44. Documentation of the design of controls over relevant assertions related to significant accounts and disclosures is evidence that controls related to management's assessment of the effectiveness of internal control over financial reporting, including changes to those controls, have been identified, are capable of being communicated to those responsible for their performance, and are capable of being monitored by the company. Such documentation also provides the foundation for appropriate communication concerning responsibilities for performing controls and for the company's evaluation of and monitoring of the effective operation of controls.

45. Inadequate documentation of the design of controls over relevant assertions related to significant accounts and disclosures is a deficiency in the company's internal control over financial reporting. As discussed in paragraph 138, the auditor should evaluate this documentation deficiency. The auditor might conclude that the deficiency is only a deficiency, or that the deficiency represents a significant deficiency or a material weakness. In evaluating the deficiency as to its significance, the auditor should determine whether management can demonstrate the monitoring component of internal control over financial reporting.

46. Inadequate documentation also could cause the auditor to conclude that there is a limitation on the scope of the engagement.

47. The auditor should obtain an understanding of the design of specific controls by applying procedures that include:
• Making inquiries of appropriate management, supervisory, and staff personnel; • Inspecting company documents;
• Observing the application of specific controls; and
• Tracing transactions through the information system relevant to financial reporting.
48. The auditor could also apply additional procedures to obtain an understanding of the design of specific controls.

49. The auditor must obtain an understanding of the design of controls related to each component of internal control over financial reporting, as discussed below.

• Control Environment. Because of the pervasive effect of the control environment on the reliability of financial reporting, the auditor's preliminary judgment about its effectiveness often influences the nature, timing, and extent of the tests of operating effectiveness considered necessary. Weaknesses in the control environment should cause the auditor to alter the nature, timing, or extent of tests of operating effectiveness that otherwise should have been performed in the absence of the weaknesses.
• Risk Assessment. When obtaining an understanding of the company's risk assessment process, the auditor should evaluate whether management has identified the risks of material misstatement in the significant accounts and disclosures and related assertions of the financial statements and has implemented controls to prevent or detect errors or fraud that could result in material misstatements. For example, the risk assessment process should address how management considers the possibility of unrecorded transactions or identifies and analyzes significant estimates recorded in the financial statements. Risks relevant to reliable financial reporting also relate to specific events or transactions.
• Control Activities. The auditor's understanding of control activities relates to the controls that management has implemented to prevent or detect errors or fraud that could result in material misstatement in the accounts and disclosures and related assertions of the financial statements. For the purposes of evaluating the effectiveness of internal control over financial reporting, the auditor's understanding of control activities encompasses a broader range of accounts and disclosures than what is normally obtained for the financial statement audit.
• Information and Communication. The auditor's understanding of management's information and communication involves understanding the same systems and processes that he or she addresses in an audit of financial statements. In addition, this understanding includes a greater emphasis on comprehending the safeguarding controls and the processes for authorization of transactions and the maintenance of records, as well as the period-end financial reporting process (discussed further beginning at paragraph 76).
• Monitoring. The auditor's understanding of management's monitoring of controls extends to and includes its monitoring of all controls, including control activities, which management has identified and designed to prevent or detect material misstatement in the accounts and disclosures and related assertions of the financial statements.



1