Auditors of issuers are required to perform an integrated audit, which involves auditing both the financial statements and management's assessment of the effectiveness of internal control over financial reporting (ICFR).
The Dodd-Frank Act amended Rule 404 of the Sarbanes-Oxley Act to provide that an audit of an issuer's internal control over financial reporting is only required for issuers that are large accelerated filers or accelerated filers.
The auditor's objective in an audit of internal control is to express an opinion on the effectiveness of the entity's internal control over financial reporting.
The audit of internal control should be integrated with an audit of the financial statements. Tests of controls should be designed to provide sufficient appropriate evidence to support both the opinion on internal control and the control risk assessment needed for the financial statement audit.
Section 404 of the Sarbanes-Oxley Act of 2002 requires each issuer's annual report to contain an internal control report that:
states management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
contains an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
Accepts responsibility for the effectiveness of internal control.
Evaluates the effectiveness of the entity's internal control using suitable and available criteria, such as criteria issued by the AICPA or by regulatory agencies.
Supports its assessment about the effectiveness of internal control with sufficient appropriate evidence.
Provides a written assessment about the effectiveness of the entity's internal control in a report that accompanies the auditor's report.
The auditor should obtain a written representation letter from management in which management:
Acknowledges its responsibility for establishing and maintaining effective internal control, and states that management has performed an assessment of the effectiveness of the entity's internal control.
States management's assessment as of a specified date and specifies the criteria used.
Affirms that management did not rely on the auditor's procedures as the basis for the assessment.
States that management has disclosed all deficiencies in design and operation. Confirms that all significant deficiencies and material weaknesses have been disclosed to the auditor, and indicates whether any such deficiencies identified in previous engagements remain unresolved.
Describes fraud resulting in material misstatement or fraud involving senior management or other employees who have a significant role in ICFR.
States whether there were any significant changes to internal control after the "as of" date of the report, including any corrective action taken by management regarding significant deficiencies and material weaknesses identified.
Failure to obtain such written representations is a scope limitation that will generally result in the auditor's withdrawal from the engagement or in a disclaimer of opinion.
Planning involves developing an overall strategy for the scope and performance of the engagement.
The auditor's fraud risk assessment (required in the financial statement audit) should be integrated into the audit of internal control, and the auditor should consider management fraud and management override of controls as areas of high risk.
The auditor may use the work of others (internal auditors, other company personnel, and certain third parties) who are sufficiently competent and objective, in evaluating the effectiveness of internal control.
The auditor should consider the risk associated with a particular control in determining whether and to what extent to use the work of others. As risk increases, a greater degree of competence and objectivity is required. For high-risk areas, use of the work of others might be reduced or eliminated.
A top-down approach is used in selecting controls to test. The auditor evaluates overall risks at the financial statement level, considers controls at the entity level, and then focuses on accounts, disclosures, and assertions for which there is a reasonable possibility of material misstatement.
The auditor should identify and test entity-level controls that are important to the auditor's overall opinion about internal control. Entity-level controls include controls related to:
The control environment
Management override
The company's risk assessment process
Centralized processing
Monitoring the results of operations
Monitoring other controls
Period-end financial reporting
Policies that address significant business control and risk management practices
The auditor should evaluate qualitative and quantitative risk factors to identify significant classes of transactions, account balances and disclosures, and their relevant assertions.
The auditor should test those controls that are important in addressing the risk of material misstatement.
In an integrated audit, the auditor should evaluate the components of ICFR and determine whether the components are:
1. present and functioning in design, implementation and operation; and
2. operating together in an integrated manner.
Source: Becker (2022, p. A5-8)
Evaluate the design effectiveness of the controls to determine whether the controls, if applied as prescribed, satisfy the company's control objectives and can effectively prevent or detect (and correct) material misstatements.
Test and evaluate the operating effectiveness of the controls to determine whether the controls are operating as designed, and whether the persons implementing the controls are qualified to implement them effectively.
Obtain relatively more evidence for controls that are subject to a greater risk of failure.
Obtain sufficient appropriate evidence to support the opinion about the overall effectiveness of the entity's internal control.
Determine the effect of any identified control deviations on the assessment of risk associated with the control, the amount of evidence to be obtained, and the operating effectiveness of the control.
Determine the appropriate timing for tests of controls.
Consider knowledge obtained during past audits.
Incorporate an element of unpredictability into the testing.
Obtain an understanding of relevant controls.
Obtain evidence that the controls at the service organization are operating effectively by performing one or more of the following: Obtaining a service auditor's report, testing the entity's controls over the activities of the service organization, and/or performing tests of controls at the service organization.
Automated application controls are not particularly susceptible to human error. If general controls with respect to program modifications, access, and operations are tested and continue to be effective, and if the automated controls have not changed from one year to the next, the auditor may not need to repeat specific testing performed in the previous year (but would need to verify that the control has not changed). This "benchmarking" strategy is most appropriate in low-risk situations.
The auditor should determine whether identified deficiencies represent significant deficiencies or material weaknesses (either alone or in combination). This determination should be based on:
the magnitude of the potential misstatement resulting from the deficiency; and
whether there is a reasonable possibility that the control will fail to prevent, or detect and correct, a material misstatement.
The auditor should form an opinion about the effectiveness of internal control. The auditor should base this opinion on all available evidence, including both evidence obtained from the financial statement audit and evidence obtained during the audit of internal control.
The purpose of an audit of the effectiveness of an entity's internal control is to express an opinion about whether the entity maintained, in all material respects, effective internal control as of a point in time based on the control criteria. The purpose of an auditor's consideration of internal control in an audit of financial statements conducted in accordance with GAAS is to enable the auditor to plan the audit and determine the nature, extent, and timing of tests to be performed.
In an audit of an issuer, the auditor must provide an opinion on which of the following?
I. The financial statements.
II. The audit committee's oversight of financial reporting and internal control.
III. The effectiveness of internal control.