Integrated Audits of Internal Control

Chapter 18
Integrated Audits
of Public
Companies
McGraw-Hill/Irwin
Copyright © 2014 by The McGraw-Hill Companies, Inc. All rights reserved.
Nature of an Integrated Audit
 Auditors
of public companies should report
on:


Financial statements and
Internal control over financial reporting
 Based
on provisions of PCAOB Standard
No. 5, the audits of internal control and
financial reporting should be integrated
18-2
Sarbanes-Oxley Act of 2002

Section 404

404(a) – requires annual report filed with SEC to
include an internal control report
• Management acknowledges responsibility for
establishing and maintaining adequate internal control
• Provides assessment of internal control effectiveness at
end of fiscal year

404(b) – requires CPA firm to audit internal
control and express an opinion on effectiveness
of internal control. (Required for companies with a
capitalization in excess of $75,000,000)
18-3
Management’s Responsibility
 Accept
responsibility for effectiveness
 Evaluate the effectiveness using suitable
criteria
 Support the evaluation with sufficient
evidence
 Provide a report on internal control
18-4
Management’s Report on I/C

Report must:




State that it is management’s responsibility to establish and
maintain adequate internal control.
Identify management’s framework for evaluating internal control.
Include management’s assessment of the effectiveness of the
company’s internal control over financial reporting as of the end
of the most recent fiscal period, including a statement as to
whether internal control over financial reporting is effective.
Include a statement that the company’s auditors have issued an
attestation report on management’s assessment.
18-5
Management Assessment

Management can be assisted by consultants but
not by the CPA firm that conducts the audit of
financial statements
 Must understand definition of internal control
adopted by the SEC
 Evaluation must use an accepted “control
framework” such as Internal Control-Integrated
Framework created by COSO.
 Must understand concepts of control deficiency,
significant deficiency and material weakness
18-6
Decreasing level of
terribleness
Level of
Materiality
Chance of Fin.
Stmt. Mis-stmt
Report to Audit
Committee
Material Deficiency
Material (adverse
opinion)
Reasonable
Yes
Significant Deficiency
> Than
inconsequential
> Than Remote
Yes
Inconsequential
Deficiency
Inconsequential
Remote
No
18-7
Relationships Among Deficiencies
Deficiency in
Internal Control
Less than
Significant
Significant
Deficiency
Material
Weakness
18-8
Control concepts

Control deficiency


exists when the design or operation of a control does not allow
management or employees, in the normal course of performing
their functions, to prevent or detect misstatements on a timely
basis
Levels of severity of control deficiencies



Less than a significant deficiency
Significant deficiency – less severe than material weakness yet
important enough to merit attention
Material weakness – reasonable possibility that a material
misstatement will not be prevented or detected
18-9
Objective of Management’s Evaluation of I/C
 Provide
a reasonable basis for its annual
assessment
 Process




Evaluate design effectiveness of controls
Evaluate operating effectiveness of internal
control
Documentation of process
Reporting
18-10
Auditor’s Objective
 Plan
and perform the audit to obtain
reasonable assurance about whether
material weaknesses exist to express an
opinion on company’s internal control over
financial reporting
 Evidence gathered as of date specified in
management’s assessment – normally the
last day of the company’s fiscal year
18-11
Audit Steps
1.
2.
3.
4.
5.
Plan the engagement
Use a top-down approach to identify
controls to test
Test and evaluate design effectiveness of
internal control
Test and evaluate operating effectiveness
of internal control
Form an opinion on the effectiveness of
internal control
18-12
18-13
Plan the Engagement
 Efficient
planning requires coordination
with financial statement audit
 Consider matters such as:




Client’s industry
Regulatory matters
Client’s business
Recent changes in client’s operations
18-14
Auditors’ Consideration of I/C
 Difference
between audit of internal
control and audit of financial statements

Time period
• Audit of internal control –as of date
• Audit of financial statements – entire financial
statement period
 Differences
between small and large
clients

Degree of complexity of operations
18-15
Top-Down Approach
18-16
Top-Down Approach

Goal is to focus on testing those controls that
are most important to auditor’s conclusion on
internal control, avoiding those that are less
important
 Starts at top
 Entity-level controls – those in control
environment or monitoring components of
internal control
• Emphasize those relating to audit committee effectiveness,
fraud, and period-end process
• Direct or indirect effect
18-17
18-18
Significant Accounts and Disclosures


Account significant if reasonable possibility that it could contain a
misstatement that individually or in aggregate has a material effect
on financial statements
Factors

Size and composition.

Susceptibility of loss due to errors or fraud.

Volume of activity, complexity, and homogeneity of individual
transactions.

Nature of the account.

Accounting and reporting complexity.

Exposure to losses.

Possibility of significant contingent liabilities.

Existence of related party transactions.

Changes from the prior period.
18-19
Identifying Relevant Assertions
 Relevant

Those that have meaningful bearing on
whether account is presented fairly
(1) existence or occurrence;
(2) completeness;
(3) valuation or allocation;
(4) rights and obligations; and/or
(5) presentation and disclosure.
18-20
Design Effectiveness

Routine transactions are for recurring activities,


Nonroutine transactions occur only periodically; they
generally are not part of the routine flow of transactions


Examples: sales, purchases, cash receipts and disbursements,
and payroll.
Examples: transactions such as counting and pricing inventory,
calculating depreciation expense, or determining prepaid
expenses.
Accounting estimates are activities involving
management’s judgments or assumptions,

Examples: determining the allowance for doubtful accounts,
estimating warranty reserves and assessing assets for
impairment
18-21
Likely Source of Misstatements




Understand the flow of transactions;
Verify points within the company’s processes at which a
misstatement could arise that could be material;
Identify the controls management has implemented to
address these potential misstatements; and
Identify the controls management has implemented to
prevent or detect on a timely basis unauthorized
acquisition, use, or disposition of the company’s assets
that could result in a material misstatement.
18-22
Selecting Controls
 Not
necessary to design tests of all
controls
 Redundant controls

Do not need to test if duplicate control is
tested
 Design
tests for preventive and/or
detective controls
 Complementary controls

Should both be tested
18-23
Performing Walk-Throughs

Walk-through
 Tracing a transaction from its origination through the
company’s information system until it is reflected in
the company’s financial reports
 Provide evidence to:
• Verify that they have identified points at which a significant risk of
misstatement to a relevant assertion exists.
• Verify their understanding of the design of controls, including those
related to the prevention or detection of fraud.
• Evaluate the effectiveness of the design of controls.
• Confirm whether controls have been placed in operation
(implemented).
18-24
Tests of Operating Effectiveness
 Nature


Inquiries, inspections, observations and
reperformance
Vary exact tests when possible
 Timing


Sufficient period of time
Periodic controls – wait to after report date
 Extent

Depend on frequency of control
18-25
Frequency of Testing
18-26
Relationship Between Audits
 Tests


of controls
Same for internal control audit and financial statement
audit
Evidence from internal control audit can be used for
financial statement audit
 Differences

Objectives are different
 Integrated

between audits
audit
Testing should be spread through the year to satisfy
both objectives
18-27
Effects of Internal Control Testing on
Audit Substantive Procedures
 Integrated
audit requires tests of controls
for all major account and relevant
assertions



Will lead to decreased scope of substantive
procedures
However, significant deficiencies or material
weaknesses could lead to more substantive
procedures
Not acceptable to omit substantive
procedures completely
18-28
Effect of Substantive Procedures
on Audit of Internal Control
 Findings
from substantive procedures may
affect audit of internal control


Could provide evidence of effectiveness or
ineffectiveness of internal control over
financial reporting
Example: Identification of material
misstatement in financial statements is
indicative of at least a significant deficiency in
internal control
18-29
Form an opinion
Evaluate:
1. The results of their evaluation of the
design,
2. The results of tests of the operating
effectiveness of controls,
3. Negative results of substantive
procedures performed during the financial
statement audit, and
4. Any identified control deficiencies.
18-30
(continued on the next slide)
18-31
(continued from previous slide)
18-32
Circumstances Affecting the Auditors’ Opinions
18-33
Other Communication Requirements
 Communicate

All control deficiencies regardless of severity
 To

audit committee
Material weaknesses, significant deficiencies
and that all deficiencies have been
communicated to management
 To

in writing to management
board of directors
If conclude oversight of financial reporting and
internal control is ineffective
18-34
Other Report
 Reporting
on Whether a Previously
Reported Material Weakness Continues to
Exist



Management believes material weakness has
been eliminated
Auditor engaged to report on whether material
weakness continues to exist
Engagement focused on evidence regarding
material weakness
18-35
Integrated Audis for Nonpublic Companies
A
nonpublic company may choose to have
an integrated audit of its financial
statements and its internal control. While
the service is very similar to that for public
companies, it differs as follows:
18-36