A statutory audit is an in-depth examination of corporate controls, procedures and financial accounting systems. A statutory auditor reviews such controls in accordance with guidelines that a government regulator or industry group issues on a regular basis. Insurance companies, banks and brokerage firms must submit statutory financial reports at the end of each quarter or year.
Statutory audit requirements vary depending on the organization. An organization's control environment reflects external elements affecting its competitive standing and top leadership's strategic positioning. These elements may be regulatory guidelines, competitors' initiatives and economic trends domestically and internationally. Regulatory stipulations vary by industry, company and location.
For instance, a New York-based brokerage firm may need to abide by New York Stock Exchange rules. In contrast, a Colorado-based construction company may have to comply with Occupational Safety and Health Administration guidelines. Internal factors also impact a company's control environment, including senior management's ethical values and qualities, human resources policies and corporate mission and vision statements.
A statutory auditor checks the internal controls of a bank or brokerage firm to ensure they are adequate and effective. The auditor also reviews such controls to ensure they conform to the statutory guidelines the governing agency has stipulated. For example, a statutory auditor testing the controls in market transaction recording processes may examine senior management's directives and ensure they conform to National Association of Securities Dealers Automated Quotations (NASDAQ) rules.
A control is a set of instructions that top leadership puts into place to prevent operating losses resulting from theft, error, technological malfunction or employee carelessness. A control also helps a company avoid financial misfortune arising from adverse statutory initiatives, such as fines and litigation.
Ranking controls and risks is a pivotal process in statutory auditing procedures. An auditor rates risks as "high," "medium" or "low," depending on the loss expectation and control adequacy or effectiveness. A control is adequate if it provides clear instructions about task performance, problem identification and reporting, as well as on-the-job decision-making. An effective control provides proper remedies for internal breakdowns in the short term and long term.
Statutory regulators, such as the National Association of Insurance Commissioners and the Securities and Exchange Commission, require senior leadership to provide corrective measures for "high" and "medium" risks.
A statutory auditor reviews a company's "risk and control self-assessment" (RCSA) report to examine internal risk rankings before issuing a final report. In an RCSA report, department heads and segment managers document controls and related risks, and rate such risks as "tier 1," "tier 2" or "tier 3," based on the probability of loss. The auditor checks for consistency between the statutory rankings and corporate risk ratings. As an example, a "tier 1" risk in the RCSA must equate to a "high" statutory risk.