Chapter 18 Integrated Audits of Public Companies McGraw-Hill/Irwin Copyright © 2014 by The McGraw-Hill Companies, Inc. All rights reserved. Nature of an Integrated Audit Auditors of public companies should report on: Financial statements and Internal control over financial reporting Based on provisions of PCAOB Standard No. 5, the audits of internal control and financial reporting should be integrated 18-2 Sarbanes-Oxley Act of 2002 Section 404 404(a) – requires annual report filed with SEC to include an internal control report • Management acknowledges responsibility for establishing and maintaining adequate internal control • Provides assessment of internal control effectiveness at end of fiscal year 404(b) – requires CPA firm to audit internal control and express an opinion on effectiveness of internal control. (Required for companies with a capitalization in excess of $75,000,000) 18-3 Management’s Responsibility Accept responsibility for effectiveness Evaluate the effectiveness using suitable criteria Support the evaluation with sufficient evidence Provide a report on internal control 18-4 Management’s Report on I/C Report must: State that it is management’s responsibility to establish and maintain adequate internal control. Identify management’s framework for evaluating internal control. Include management’s assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the most recent fiscal period, including a statement as to whether internal control over financial reporting is effective. Include a statement that the company’s auditors have issued an attestation report on management’s assessment. 18-5 Management Assessment Management can be assisted by consultants but not by the CPA firm that conducts the audit of financial statements Must understand definition of internal control adopted by the SEC Evaluation must use an accepted “control framework” such as Internal Control-Integrated Framework created by COSO. Must understand concepts of control deficiency, significant deficiency and material weakness 18-6 Decreasing level of terribleness Level of Materiality Chance of Fin. Stmt. Mis-stmt Report to Audit Committee Material Deficiency Material (adverse opinion) Reasonable Yes Significant Deficiency > Than inconsequential > Than Remote Yes Inconsequential Deficiency Inconsequential Remote No 18-7 Relationships Among Deficiencies Deficiency in Internal Control Less than Significant Significant Deficiency Material Weakness 18-8 Control concepts Control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their functions, to prevent or detect misstatements on a timely basis Levels of severity of control deficiencies Less than a significant deficiency Significant deficiency – less severe than material weakness yet important enough to merit attention Material weakness – reasonable possibility that a material misstatement will not be prevented or detected 18-9 Objective of Management’s Evaluation of I/C Provide a reasonable basis for its annual assessment Process Evaluate design effectiveness of controls Evaluate operating effectiveness of internal control Documentation of process Reporting 18-10 Auditor’s Objective Plan and perform the audit to obtain reasonable assurance about whether material weaknesses exist to express an opinion on company’s internal control over financial reporting Evidence gathered as of date specified in management’s assessment – normally the last day of the company’s fiscal year 18-11 Audit Steps 1. 2. 3. 4. 5. Plan the engagement Use a top-down approach to identify controls to test Test and evaluate design effectiveness of internal control Test and evaluate operating effectiveness of internal control Form an opinion on the effectiveness of internal control 18-12 18-13 Plan the Engagement Efficient planning requires coordination with financial statement audit Consider matters such as: Client’s industry Regulatory matters Client’s business Recent changes in client’s operations 18-14 Auditors’ Consideration of I/C Difference between audit of internal control and audit of financial statements Time period • Audit of internal control –as of date • Audit of financial statements – entire financial statement period Differences between small and large clients Degree of complexity of operations 18-15 Top-Down Approach 18-16 Top-Down Approach Goal is to focus on testing those controls that are most important to auditor’s conclusion on internal control, avoiding those that are less important Starts at top Entity-level controls – those in control environment or monitoring components of internal control • Emphasize those relating to audit committee effectiveness, fraud, and period-end process • Direct or indirect effect 18-17 18-18 Significant Accounts and Disclosures Account significant if reasonable possibility that it could contain a misstatement that individually or in aggregate has a material effect on financial statements Factors Size and composition. Susceptibility of loss due to errors or fraud. Volume of activity, complexity, and homogeneity of individual transactions. Nature of the account. Accounting and reporting complexity. Exposure to losses. Possibility of significant contingent liabilities. Existence of related party transactions. Changes from the prior period. 18-19 Identifying Relevant Assertions Relevant Those that have meaningful bearing on whether account is presented fairly (1) existence or occurrence; (2) completeness; (3) valuation or allocation; (4) rights and obligations; and/or (5) presentation and disclosure. 18-20 Design Effectiveness Routine transactions are for recurring activities, Nonroutine transactions occur only periodically; they generally are not part of the routine flow of transactions Examples: sales, purchases, cash receipts and disbursements, and payroll. Examples: transactions such as counting and pricing inventory, calculating depreciation expense, or determining prepaid expenses. Accounting estimates are activities involving management’s judgments or assumptions, Examples: determining the allowance for doubtful accounts, estimating warranty reserves and assessing assets for impairment 18-21 Likely Source of Misstatements Understand the flow of transactions; Verify points within the company’s processes at which a misstatement could arise that could be material; Identify the controls management has implemented to address these potential misstatements; and Identify the controls management has implemented to prevent or detect on a timely basis unauthorized acquisition, use, or disposition of the company’s assets that could result in a material misstatement. 18-22 Selecting Controls Not necessary to design tests of all controls Redundant controls Do not need to test if duplicate control is tested Design tests for preventive and/or detective controls Complementary controls Should both be tested 18-23 Performing Walk-Throughs Walk-through Tracing a transaction from its origination through the company’s information system until it is reflected in the company’s financial reports Provide evidence to: • Verify that they have identified points at which a significant risk of misstatement to a relevant assertion exists. • Verify their understanding of the design of controls, including those related to the prevention or detection of fraud. • Evaluate the effectiveness of the design of controls. • Confirm whether controls have been placed in operation (implemented). 18-24 Tests of Operating Effectiveness Nature Inquiries, inspections, observations and reperformance Vary exact tests when possible Timing Sufficient period of time Periodic controls – wait to after report date Extent Depend on frequency of control 18-25 Frequency of Testing 18-26 Relationship Between Audits Tests of controls Same for internal control audit and financial statement audit Evidence from internal control audit can be used for financial statement audit Differences Objectives are different Integrated between audits audit Testing should be spread through the year to satisfy both objectives 18-27 Effects of Internal Control Testing on Audit Substantive Procedures Integrated audit requires tests of controls for all major account and relevant assertions Will lead to decreased scope of substantive procedures However, significant deficiencies or material weaknesses could lead to more substantive procedures Not acceptable to omit substantive procedures completely 18-28 Effect of Substantive Procedures on Audit of Internal Control Findings from substantive procedures may affect audit of internal control Could provide evidence of effectiveness or ineffectiveness of internal control over financial reporting Example: Identification of material misstatement in financial statements is indicative of at least a significant deficiency in internal control 18-29 Form an opinion Evaluate: 1. The results of their evaluation of the design, 2. The results of tests of the operating effectiveness of controls, 3. Negative results of substantive procedures performed during the financial statement audit, and 4. Any identified control deficiencies. 18-30 (continued on the next slide) 18-31 (continued from previous slide) 18-32 Circumstances Affecting the Auditors’ Opinions 18-33 Other Communication Requirements Communicate All control deficiencies regardless of severity To audit committee Material weaknesses, significant deficiencies and that all deficiencies have been communicated to management To in writing to management board of directors If conclude oversight of financial reporting and internal control is ineffective 18-34 Other Report Reporting on Whether a Previously Reported Material Weakness Continues to Exist Management believes material weakness has been eliminated Auditor engaged to report on whether material weakness continues to exist Engagement focused on evidence regarding material weakness 18-35 Integrated Audis for Nonpublic Companies A nonpublic company may choose to have an integrated audit of its financial statements and its internal control. While the service is very similar to that for public companies, it differs as follows: 18-36