A5_M1_Integrated Audit Procedures.
☐ Evaluate the design effectiveness of the controls to determine whether the controls, if applied as prescribed, satisfy the company's control objectives and can effectively prevent or detect [and correct] material misstatements.
(1). Walk-throughs, which include inquiry, observation, and inspection of documentation, are often used to evaluate design effectiveness.
☐ supports its assessment about the effectiveness of internal control with sufficient appropriate evidence.
(1). management is responsible for identifying and documenting control objectives and the controls that meet those objectives. (2). management's monitoring activities may provide evidence supporting its assertion.
☐ test and evaluate the operating effectiveness of the controls to determine whether the controls are operating as designed, and whether the persons implementing the controls are qualified to implement them effectively.
(1). operating effectiveness is typically tested through inquiry, inspection of documentation, observation, recalculation, and re-performance. (2). inquiry alone is not sufficient to support a conclusion about operating effectiveness.
AICPA Standards. In an integrated audit, the auditor should evaluate the components of ICFR and determine whether the components are:
(1). present and functioning in design, implementation and operation; and (2). operating together in an integrated manner.
☐ provides a written assessment about the effectiveness of the entity's internal control in a report that accompanies the auditor's report.
(1). the "as of" date in management's assertion should coincide with the date of the financial statements.
☐ obtain sufficient appropriate evidence to support the opinion about the overall effectiveness of the entity's internal control.
(1). the auditor is not responsible for obtaining sufficient evidence to support an opinion about the effectiveness of each individual control, but rather the effectiveness of the entity's internal control overall.
The auditor should determine whether identified deficiencies represent significant deficiencies or material weaknesses [either alone or in combination]. This determination should be based on:
(1). the magnitude of the potential misstatement resulting from the deficiency; and (2). whether there is a reasonable possibility that the control will fail to prevent, or detect and correct, a material misstatement.
☐ Determine the effect of any identified control deviations on the assessment of risk associated with the control, the amount of evidence to be obtained, and the operating effectiveness of the control.
(1). An individual control does not have to operate without any deviation to be considered effective.
☐ judgements about materiality and risk, including risks evaluated as part of the auditor's acceptance and retention decision and preliminary judgements about the effectiveness of internal control.
(2). more attention should be focused on areas of higher risk. (1). the same level of materiality and the same risk assessment process should be used for both the financial statement audit and the audit of internal control.
Written Representations [Issuers and Nonissuers]. The auditor should obtain a written representation letter from management in which management: (3). affirms that management did not rely on the auditor's procedures as the basis for the assessment.
(2). states management's assessment as of a specified date and specifies the criteria used. (1). acknowledges its responsibility for establishing and maintaining effective internal control, and states that management has performed an assessment of the effectiveness of the entity's internal control.
☐ determine the appropriate timing for tests of controls. (1). Tests performed over a longer period of time provide more evidence of effectiveness than tests performed over a shorter period. (2). the auditor should use judgement in balancing the timing of tests.
(3). Tests performed closer to the date of management's assertion provide more evidence than testing performed earlier in the year. [Tests performed earlier in the year should be supplemented with additional evidence for the remainder of the year].
☐ judgements about materiality and risk, including risks evaluated as part of the auditor's acceptance and retention decision and preliminary judgements about the effectiveness of internal control.(2)
(3). the results of the fraud risk assessment performed in the financial statement audit should be considered in the audit of internal control, and the auditor should evaluate whether controls sufficiently address fraud risk.
☐ The auditor should consider whether any observations made during the financial statement audit impact the auditor's opinion on internal control. For example, identified misstatements might imply that controls are not functioning effectively.
(a). note that the absence of misstatements does not imply operating effectiveness, although it may affect the auditor's assessment of risk.
In an audit of an entity's internal control, the scope and procedures are more extensive, and the purpose is directed primarily toward the internal control report. In an audit, the scope is less extensive, and the purpose is to determine the nature, timing, and extent of auditing procedures.
Audit procedures [testing] are more extensive when rendering an opinion on internal controls because the auditor should obtain evidence on selected controls over all relevant assertions, whereas in a FS audit the auditor is not required to test controls over all relevant assertions.
Management Requirements [Issuers Only].
Note: The American Institute of Certified Public Accountants [AICPA] standards use the term "management's assessment" while the Public Company Accounting Oversight Board [PCAOB] uses the term "management's assertion." The term "assessment" is being used in this text for consistency.
For nonissuers, SAS 130 governs the audit and report on a non-issuer's internal control over financial reporting that is integrated with a financial statement audit.
The rules regarding the conduct of issuer and non-issuer integrated audits are very similar. The similarities and differences between the two sets of integrated audit standards are highlighted below.
An engagement to audit internal control will generally be more extensive in scope than the assessment of control risk made during a financial statement audit of a nonissuer.
This occurs because assessing control risk is the primary purpose of an engagement to express an opinion on internal control, whereas it is an incidental result of an audit of a nonissuer.
Impact of the Dodd-Frank Act on the Issuer Integrated Audit Requirement. A large accelerated filer is defined by the U.S. Securities and Exchange Commission [SEC] as an issuer with a worldwide market value of outstanding common equity held by non-affiliates of $700 million or more.
An accelerated filer is defined as an issuer with a worldwide market value of outstanding common equity held by non-affiliates of $75 million or more, but less than $700 million.
Financial Statement Audit vs. Audit of Internal Control [Nonissuers]. Difference between the two engagements. Relevant Period.
An audit of internal control results in an opinion on internal control as of a point in time, and an opinion on financial statements relates to a longer period, such as a year.
Benchmarking of Automated Controls. Automated application controls are not particularly susceptible to human error. If general controls with respect to program modifications, access, and operations are tested and continue to be effective,
and if the automated controls have not changed from one year to the next, the auditor may not need to repeat specific testing performed in the previous year [but would need to verify that the control has not changed]. This "benchmarking" strategy is most appropriate in low-risk situations.
Written Representations [Issuers and Nonissuers]. (4). states that management has disclosed all deficiencies in design and operation. confirms that all significant deficiencies and material weaknesses have been disclosed to the auditor,
and indicates whether any such deficiencies identified in previous engagements remain unresolved. (5). describes fraud resulting in material misstatement or fraud involving senior management or other employees who have a significant role in ICFR.
A top-down approach is used in selecting controls to test. the auditor evaluates overall risks at the financial statement level, considers controls at the entity level,
and then focuses on accounts, disclosures, and assertions for which there is a reasonable possibility of material misstatement.
Use of Service Organizations. A service organization may be part of an entity's internal control. in such cases, the auditor should: ☐ obtain an understanding of relevant controls. ☐ obtain evidence that the controls at the service organization
are operating effectively by performing one or more of the following: obtaining a service auditor's report [covered in more detail in later module], testing the entity's controls over the activities of the service organization, and/or performing tests of controls at the service organization.
Financial Statement Audit vs. Audit of Internal Control [Nonissuers]. Difference: Purpose. The purpose of an audit of the effectiveness of an entity's internal control is to express an opinion about whether the entity maintained, in all material respects, effective internal control
as of a point in time based on the control criteria. the purpose of an auditor's consideration of internal control in an audit of financial statements conducted in accordance with GAAS is to enable the auditor to plan the audit and determine the nature, extent, and timing of tests to be performed.
In determining what amount of audit attention should be applied to a particular class of transactions, account balance, disclosure, or assertion, the auditor should assess the risk that a material weakness in that area may exist,
as well as the risk that such weaknesses will lead to a material misstatement in the financial statements. ☐ a Walk-Through [in which a transaction is followed from origination through financial recording] is one of the most effective ways to identify likely sources of potential misstatement.
Objective of the Engagement [issuers and nonissuers]. Because an entity's internal control cannot be considered effective if one or more material weaknesses exist, the auditor should plan and perform the engagement to obtain sufficient appropriate evidence to obtain reasonable
assurance about whether material weaknesses exist as of the date specified in management's assessment, which should correspond to the balance sheet date for the financial statement audit.
as indicated previously, indicators of material weakness include senior management fraud, restatement of previous financial statements to correct a material error, identification by the auditor of a material misstatement that the entity's controls would not have detected, and ineffective oversight
by those charged with governance. A control weakness may be a material weakness even if no misstatement actually occurred. Compensating controls, if tested and found to be operating effectively, may limit the severity of an identified deficiency and prevent it from being a material weakness.
The auditor's fraud risk assessment [required in the financial statement audit] should be integrated into the audit of internal control, and the auditor should consider management fraud and management override of controls as areas of high risk.
Controls that might address these risks include controls over: ☐ significant or unusual transactions. ☐ period-end journal entries and adjustments. ☐ related party transactions. ☐ significant management estimates.
FS Audit vs. Audit of Internal Control [Nonissuers]. Difference: Communication of Control Deficiencies. In a financial statement audit, the communication of significant deficiencies and material weaknesses must be made within 60 days of the report release date, whereas in an audit of internal
control, the communication must be made by the report release date. In a financial statement audit, the communication of significant deficiencies and material weaknesses should include restricted-use language, but in an audit of internal control, no restriction on the use of the report is required.
Entity-Level Controls. the auditor's evaluation of entity-level controls can result in increasing or decreasing the testing that the auditor otherwise would have performed on other controls.
entity-level controls that are working effectively may allow the auditor to reduce the testing of lower-level controls, or might affect the nature, extent, or timing of the auditor's tests of lower-level controls.
The auditor may use the work of others [internal auditors, other company personnel, and certain third parties] who are sufficiently competent and objective, in evaluating the effectiveness of internal control. The auditor should consider the risk associated with a particular control,
in determining whether and to what extent to use the work of others. As risk increases, a greater degree of competence and objectivity is required. For high-risk areas, use of the work of others might be reduced or eliminated.
☐ provides a written assessment about the effectiveness of the entity's internal control in a report that accompanies the auditor's report. (2). if management refuses to furnish a written assessment, the auditor should withdraw from the engagement. in rare instances,
in which the auditor is not permitted by law or regulation to withdraw, a disclaimer of opinion on ICFR should be issued and the auditor should consider the impact on the financial statement audit. Management's refusal to provide a written assessment would be treated as a scope limitation.
Management Requirements [Nonissuers Only]. an audit of internal control can only be performed if management: ☐ accepts responsibility for the effectiveness of internal control. ☐ evaluates the effectiveness of the entity's internal control using suitable and available criteria, such as criteria
issued by the AICPA or by regulatory agencies. ☐ supports its assessment about the effectiveness of internal control with sufficient appropriate evidence. ☐ provides a written assessment about the effectiveness of the entity's internal control in a report that accompanies the auditor's report.
Written Representations [Issuers and Nonissuers]. (6). states whether there were any significant changes to internal control after the "as of" date of the report, including any corrective action taken by
management regarding significant deficiencies and material weaknesses identified [subsequent event]. Failure to obtain such written representations is a scope limitation that will generally result in the auditor's withdrawal from the engagement or in a disclaimer of opinion.
Forming an Opinion [issuers and nonissuers] Management's report should: ☐ indicate that management is responsible for internal control. ☐ describe the subject matter [e.g., controls over financial statement preparation]. ☐ identify the criteria used by management to measure the effectiveness
of the entity's internal control. ☐ include a statement of management's assessment about the effectiveness of internal control, including an "as of" date. the "as of" date should be the end of the entity's most recent fiscal year. ☐ describe any material weakness identified by management.
FS Audit vs. Audit of Internal Control [Nonissuers]. Difference: Extent of Testing. An auditor's consideration of internal control in a financial statement audit is more limited than that of an auditor engaged to audit the effectiveness of the entity's internal control. In order to render an opinion
on internal control, the auditor should obtain evidence about the effectiveness of selected controls over all relevant assertions. In a financial statement audit, the auditor is not required to test controls over all relevant assertions [for example, if a substantive approach is to be used instead].
Management Requirements [Issuers Only]. Section 404 of the Sarbanes-Oxley Act of 2002 requires each issuer's annual report to contain an internal control report that: (1). states management's responsibility for establishing and maintaining an adequate internal control structure and
procedures for financial reporting; and (2). contains an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
The auditor should also consider controls that mitigate incentives and pressures
that may lead management to falsify or inappropriately manage financial results.
☐ obtain evidence that the controls at the service organization are operating effectively by performing one or more of the following: (1). If the date specified in management's assertion is significantly beyond the time period covered by the service auditor's report,
the auditor should perform additional procedures. (2). no reference should be made to the service auditor's report in the auditor's report on internal control.
Auditor Requirements [Issuers and Non-issuers]. The audit of internal control should be integrated with an audit of the financial statements. The auditor should plan and perform the integrated audit to achieve the objectives of both engagements.
The auditor should use the same control criteria to perform the audit of internal control as management uses for its evaluation of the effectiveness of the entity's internal control.
Objective of the Engagement [issuers and nonissuers].
The auditor's objective in an audit of internal control is to express an opinion on the effectiveness of the entity's internal control over financial reporting.
Forming an Opinion [issuers and nonissuers] the auditor should form an opinion about the effectiveness of internal control. The auditor should base this opinion on all available evidence, including both evidence obtained from
the financial statement audit and evidence obtained during the audit of internal control. After forming an opinion on the effectiveness of the entity's internal control over financial reporting, the auditor should evaluate management's report on internal control.
Forming an Opinion [issuers and nonissuers] ☐ if management's report contains additional information beyond that noted above, the auditor should disclaim an opinion on such information. for example, if the report states that management believes the cost of correcting a
weakness would exceed the benefits to be derived from implementing new policies and procedures, the auditor should disclaim an opinion on management's "cost-benefit statement": (a). we do not express an opinion or any other form of assurance on management's cost-benefit statement.
In determining what amount of audit attention should be applied to a particular class of transactions, account balance, disclosure, or assertion, the auditor should assess the risk that a material weakness in that area may exist, as well as the risk that such weaknesses
will lead to a material misstatement in the financial statements. ☐ a greater risk implies that more audit attention should be applied, more evidence should be obtained, etc. ☐ the evaluation of risk factors is the same for both an audit of the financial statements and an audit of internal control.
Components of ICFR: Recall that the components of internal control over financial reporting [ICFR] are:
☐ Control environment. ☐ Risk assessment. ☐ Information and communication systems. ☐ Monitoring. ☐ Existing control activities.
In testing controls, the auditor should: ☐ Determine the effect of any identified control deviations on the assessment of risk associated with the control, the amount of evidence to be obtained, and the operating effectiveness of the control.
☐ determine the appropriate timing for tests of controls. ☐ consider knowledge obtained during past audits. ☐ incorporate an element of unpredictability into the testing.
interrelationships between the two engagements. ☐ in concluding on the effectiveness of controls as part of the financial statement audit, the auditor should consider the results of tests performed as part of the internal control audit.
☐ if during the audit of internal control a deficiency is noted, the auditor should consider this deficiency in determining the nature, timing, and extent of substantive tests in the financial statement audit.
interrelationships between the two engagements. the results from one type of engagement should be considered in performing the other type of engagement.
☐ in forming an opinion on internal control, the auditor should consider the results of tests of controls performed as part of the financial statement audit.
Planning the Engagement [Issuers and Non-issuers]. ☐ previously communicated deficiencies, legal or regulatory matters, and public information.
☐ judgements about materiality and risk, including risks evaluated as part of the auditor's acceptance and retention decision and preliminary judgements about the effectiveness of internal control.
Entity-Level Controls. the auditor should identify and test entity-level controls that are important to the auditor's overall opinion about internal control. Entity-level controls include controls related to: ☐ the control environment.
☐ management override. ☐ the company's risk assessment process. ☐ centralized processing. ☐ monitoring the results of operations. ☐ monitoring other controls. ☐ period-end financial reporting. ☐ policies that address significant business control and risk management practices.
Planning the Engagement [Issuers and Non-issuers]. Planning involves developing an overall strategy for the scope and performance of the engagement. the auditor should consider:
☐ matters affecting the industry of the entity--financial reporting practices, economic conditions, laws and regulations, and technological change. ☐ prior knowledge of the entity's internal control [obtained during other professional engagements or by reviewing a predecessor's working papers].
In testing controls, the auditor should: ☐ test and evaluate the operating effectiveness of the controls to determine whether the controls are operating as designed, and whether the persons implementing the controls are qualified to implement them effectively.
☐ obtain relatively more evidence for controls that are subject to a greater risk of failure. ☐ obtain sufficient appropriate evidence to support the opinion about the overall effectiveness of the entity's internal control.
Planning the Engagement [Issuers and Non-issuers]. ☐ the nature and extent of available evidence.
☐ scaling the audit: smaller or less complex companies might achieve their control objectives differently from more complex companies, so the audit should be scaled appropriately.
In testing controls, the auditor should: ☐ Evaluate the design effectiveness of the controls to determine whether the controls, if applied as prescribed, satisfy the company's control objectives and can effectively prevent or detect [and correct] material misstatements.
☐ test and evaluate the operating effectiveness of the controls to determine whether the controls are operating as designed, and whether the persons implementing the controls are qualified to implement them effectively.
Planning the Engagement [Issuers and Non-issuers]. ☐ matters concerning the entity and its business--organization, operations, and capital structure.
☐ the relative complexity of entity operations, as well as the extent of any recent changes in the entity, its operations, or its internal control. ☐ management's method of evaluating control effectiveness.
The auditor should evaluate qualitative and quantitative risk factors to identify significant classes of transactions, account balances and disclosures, and their relevant assertions. Risk factors include: ☐ account size and composition. ☐ susceptibility to misstatement.
☐ volume of activity, complexity, and homogeneity of transactions. ☐ accounting and reporting complexities. ☐ exposure to loss, or to the possibility of significant contingent liabilities. ☐ the existence of related party transactions. ☐ changes from the prior period.
☐ if the auditor determines that the required disclosures for one or more material weaknesses have not been included in management's report, this should be stated in the auditor's report. The auditor's report should include a description of each material weakness not included in management's report.
☐ if management's report is incomplete or improperly presented, the auditor should modify his or her own report to discuss the situation. If management refuses to supply a report, the auditor should withdraw from the engagement.
Auditor Requirements [Issuers and Non-issuers].
Tests of controls should be designed to provide sufficient appropriate evidence to support both the opinion on internal control and the control risk assessment needed for the financial statement audit.
Impact of the Dodd-Frank Act on the Issuer Integrated Audit Requirement.
The Dodd-Frank Act amended Rule 404 of the Sarbanes-Oxley Act to provide that an audit of an issuer's internal control over financial reporting is only required for issuers that are large accelerated filers or accelerated filers.
Under PCAOB standards, auditors of issuers are required to perform an integrated audit, auditing both the financial statements and management's assessment of the effectiveness of internal control over financial reporting [ICFR].
The audit of management's assessment is commonly referred to as an "audit of internal control over financial reporting."