Teaching Auditing Now:
Effectively Combining Instruction on Public
and Nonpublic Company Audits in an
Undergraduate Course
Karen L. Hooks, Ph.D., CPA
Professor
Florida Atlantic University
Challenge:
How can a one-semester undergraduate
auditing course be structured to provide the
most important content coverage?
AICPA – SAS
PCAOB – AS
AICPA – SSARS
PCAOB – Rules of the Board
AICPA – Code of Conduct
International aspects
Problem…. Standards are a moving target
Who can benefit from this PowerPoint Presentation?
• Professors who are new to
teaching auditing.
• Professors who know pre-SOX
auditing, but have not followed
recent developments.
• Professors who want
confirmation on current
developments and effective
teaching approaches.
• Instructors, adjunct professors,
clinical professors – those with
current practical audit
experience.
• Those with practical experience
whose in-depth knowledge may
depend on the types of
companies audited.
• Those whose teaching
approaches based on practical
knowledge can be augmented
with additional academic
structure.
Classic Approach to Teaching Financial
Statement Auditing
• Phase 1
Plan and design an audit approach.
• Phase 2
Decide whether you want to plan a reduced
assessed level of control risk (…to rely on
internal control). If yes, perform tests of
controls and dual purpose tests.
• Phase 3
Perform analytical procedures and tests of
details of balances.
• Phase 4
Complete the audit and issue audit report.
PCAOB Model for Performing an ICFR Audit with
a Financial Statement Audit
Preliminary Engagement
Procedures
Wrap Up and
Completion
Execution, Testing
Of Controls, Testing of
Accounts and Disclosures
(from PCAOB 2007 Small Business Forum Publications)
Audit Planning
and Risk
Assessment
Modified Classic Approach
Assess client acceptance and retention
Plan the audit
Understand the client, including ICFR
Assess risk, design further procedures
Obtain evidence about controls and determine their
importance for the financial statement audit
Obtain substantive evidence about account assertions
Complete the audit
Form an opinion and issue the report
Difficulties Teaching an Integrated Audit Using
a Modified Classic Audit Approach
• SOX, PCAOB require that 2 opinions are the result of one audit
engagement. ICFR and financial statement audits occur
concurrently; auditors do not sequentially perform the ICFR
work and then the account balance work.
• Planning for both audits occurs together.
• Auditors use dual purpose tests as much as possible. Tests of
controls, tests of details of balances, analytical procedures are
performed together and inform auditors about both audits.
• ICFR audit is not an “add on.”
• SOX requires information obtained in each audit to be
considered in the other
Model for an Integrated Audit
Preliminary Engagement Procedures
Audit Planning and Risk Assessment
Tests of ICFR Operating
Effectiveness
Substantive Procedures on
Accounts and Disclosures
Wrap Up and Completion, Issue Audit Reports
on ICFR and Financial Statements
How Did We Get Here?
• Prior to widespread use of IT:
– Test internal controls, test account balances
– This was the only way to perform an audit…had to test
account balances extensively
• After widespread use of IT and recognition of its
benefits:
– Move toward a risk based audit approach
– Began to test controls more
– Move away from procedures like footing the general
ledger
– Move away from a lot of detailed testing
• IT changes impacted large and small companies
differently:
– Large companies: With high volumes of transactions, lots
of audit reliance placed on controls tests and increased use
of analytical procedures
– Smaller companies: Controls testing did not increase audit
efficiencies much because smaller companies have fewer
transactions; audits downplayed controls and continued to
perform extensive tests of details of balances and analytics
• Post SOX, audit differences are driven mostly by
standards and regulations; depend on
public/nonpublic status as well as size
Post SOX Differences in Audits
• Large public companies
– Auditor has to test and opine on both ICFR and financial
statements
– Emphasis on understanding processes returned;
knowledge from walkthroughs; shows up in Audit Planning
and Risk Assessment
– More balanced approach; controls tests, tests of details of
balances, substantive analytical procedures; shows up in
controls tests and substantive procedures having equal
prominence
– Push for efficiency to result from integrated approach;
combined preliminary procedures, planning and risk
assessment, wrap up and completion
• Smaller public companies
– ICFR audit opinion requirement coming in 2010
– Companies currently gearing up; we do not know how
real-world auditors will approach the audit
– Financial statement audit approach has not changed much
• Nonpublic companies
– AICPA requires identifying company’s important risks
– Enhances auditor emphasis on ICFR; even though financial
statement audit may still not rely on controls, the
requirement pulls nonpublic company financial statement
audits closer to integrated audits
PCAOB Top Down Approach Requires
Consideration of Account Balances and Controls
1. What accounts could cause the financial statements
to be materially misstated? (account balance
emphasis)
2. What are the significant classes of transactions that
affect those accounts? (emphasis on business risks);
[comparing different industries is an easy way to teach this]
3. Do controls exist for the significant classes of
transactions that could prevent or detect the
material misstatements in the account balances, if
they operate effectively? (controls emphasis)
4. Do the important controls work? (controls emphasis)
Timing of tests impacts value for an integrated audit:
Audit opinion at management’s report date requires tests of operating
effectiveness as of year end.
Reliance on controls operating effectiveness for the financial statement
audit requires testing function for any period of reliance.
5. Are the financial statement account balances
materially misstated? (account balance emphasis)
6. Is there any information from the financial statement
audit that is disconfirming for the ICFR audit? Is there
any information from the ICFR audit that is
disconfirming for the financial statement audit?
7. Audit opinions
Teaching Differences in the Audits of Public and
Nonpublic Companies
• Once students have the whole structure, explain
what is omitted for a nonpublic company audit.
– For nonpublic, auditors do not have to understand all the
business processes as extensively; need to be able to
identify the company’s major risks
– Not required to test ICFR operating effectiveness if not
relying on it; auditor can choose to rely on ICFR for
financial statement audit and then must test
– No opinion on ICFR for nonpublic
Change from AS 2 to AS 5 Reduced Differences
• AS 5 issued to make ICFR audit more cost efficient, and
increase feasibility for smaller public companies
• Documentation of company’s system not required
– Management can use whatever it uses to monitor business
– Management documentation must support conclusion
– What will auditors do without system documentation??
• Walkthrough by auditor “not required”
– But, must gain similar knowledge
– Can use the work of others in gaining walkthrough knowledge
• Can use knowledge gained in prior year audits
– Still have to perform some testing of each important control each
year; but can be as limited as inquiry (AICPA allows rotating years –
PCAOB does not)
• Can use benchmark testing in appropriate IT situations
Important Considerations for ICFR Audits,
Smaller Public Companies
• From AS 5 and Staff Guidance
–
–
–
–
–
–
–
–
Scaling the audit
Evaluating entity level controls
Risk of management override
Evaluating segregation of duties
Auditing IT controls
Financial reporting competencies
Less formal documentation
Pervasive control deficiencies
Differences in Audit Quality Oversight
• PCAOB inspections are an additional oversight layer.
– Required by SOX; implemented by SEC rules
– Inspection of firm-level quality controls and of individual
engagements
– Did the audit do everything required? Plus, do the
inspectors agree with the auditor’s judgments.
• Peer Review still required for firms of all AICPA
members if the firm performs audits.
– AICPA Peer Review Program, covers all firms
– National Peer Review Committee is a subset that covers
auditors of public companies
Review Services
• Public company interim financial statement reviews
provide information to understand the client’s
system and assess risk.
• Discussing public company interim financial
statement reviews provides an opportunity to teach
SSARS – at least briefly – when you might not be able
to work them in otherwise.
Audit Standard Setting is Settling Down
• SEC has done everything required by SOX
• Except for some foreign inspections, PCAOB has done
everything required by SOX
• Small business public company ICFR audits are about to begin
(fye 6/10); guidance is set
– SEC statement of no further delays
• PCAOB is starting to revise and develop audit standards for
financial statement audits
• International considerations:
–
–
–
–
Biggest impact of international is on accounting standards
SAS and ISA moving toward coordination/standardization
Commitment to not change ISAs for a couple of years
PCAOB is explaining its changes in reference to ISAs now
CPA Exam Considerations
• We don’t teach to the CPA exam, but we can’t ignore
it…
– PCAOB and AICPA are both covered
– AICPA and ISA coordination/standardization covers
possible international considerations
– AICPA Code of Conduct
• A challenge to teach AICPA Code comprehensively and also cover
PCAOB Rules of the Board because they are different
– SSARS is covered
• Sometimes difficult to fit in to an audit class due to time
constraints
Wrap Up
• Basically, we have too much to cover!
• Integrated audit model includes all
possibilities and shows students what does
not apply in some audits
• Changes – AS 5 instead of AS 2 and AICPA
requirement to consider important risks –
move nonpublic company audit and
integrated audit closer together