The top-down approach is used to select the controls to be tested in an audit of internal control over financial reporting. Under this approach, the auditor obtains an understanding of the overall risks to internal control over financial reporting. Following this activity, the auditor then examines entity-level controls, focusing on significant accounts and disclosures, as well as their relevant assertions. Entity-level controls include the following:
- Controls related to the control environment
- Controls over management override
- The entity's risk assessment process
- Centralized processing and controls
- Controls to monitor the results of operations
- Controls to monitor other controls (such as the activities of the internal audit staff)
- Controls over the period-end financial reporting process
- Policies that address significant business control and risk management practices
By taking this approach, the auditor's attention is directed towards those accounts, disclosures and assertions that have a reasonable possibility of being materially misstated within the financial statement package.
The auditor then goes on to verify his or her understanding of the risks inherent in the organization's processes. Based on this information, the auditor then selects those controls for testing that address the assessed risk of misstatement.
This approach to auditing does not necessarily show the exact work sequence used by an auditor. An auditor might find it more efficient to perform auditing procedures in a different order.