Chapter 7
Performing An Integrated Audit
Chapter
Outline
I. INTRODUCTION- EXPANDED AUDIT REQUIREMENTS
a. An integrated audit is required for public companies. It is also an important concept for audits of non-public companies. The objective is to plan and perform audits that detect material misstatements in an efficient manner. All audits must focus on those accounts where the likelihood of material misstatements is the greatest.
b. Framework for Audit Evidence in an Integrated Audit
i. In exhibit 7.1, there are a number of important elements that have implications for the integrated audit
1. The objective of both internal control and the external audit is developing confidence in the fairness of financial reports including all material account balances and needed disclosures.
2. The control environment is pervasive and affects the process of recording transactions, making estimates, and making adjusting entries.
3. If the control environment is strong and the controls over transaction processing, adjusting, and estimating are good, then both management and the auditor would have a high degree of confidence that the financial accounts are fairly stated and financial disclosures are adequate.
4. There is potential for errors in input, processing, estimating, or adjusting even if internal controls are considered effective.
5. Because errors could still occur, there is a need to do some testing of account balances and reviews of disclosures.
6. There are three sources of evidence that the auditor can use to gather and evaluate the fairness of the financial statements. They are derived from:
a. Tests that indicate that internal controls over transaction processing, adjusting, and estimating financial statement line items are effective.
b. Tracing the recording of transactions through processes to determine that they are appropriately recorded in the account balances.
c. Directly testing the account balances.
c. Audit Report on Internal Control over Financial Reporting
i. The auditor is required to form an opinion on the quality of internal controls. The auditor gathers this information by:
1. Assessing the quality of management’s process in developing his or her opinion on internal control over financial reporting
2. Evaluating the design of controls and the operation of controls that the auditor believes are designed effectively
3. Making inferences about the quality of internal control based on findings in the financial statement audit.
ii. Unqualified Opinion on Internal Control over Financial Reporting
1. The auditor’s unqualified report contains the following elements:
a. The internal control report is contained in the same report that contains the opinion on the financial statements. An acceptable alternative is to issue two reports- one on the financial statements and the other on internal controls.
b. The auditor provides an opinion on the effectiveness of internal control in the context of agreed-upon criteria (i.e. COSO internal control integrated framework).
c. The auditor’s opinion considers both the design and the operating effectiveness of internal control.
d. The auditor recognizes and conveys to users that there are limitations of internal control that can affect its effectiveness in the future.
iii. Adverse Audit Opinion on Internal Control over Financial Reporting
1. An adverse report is issued when the auditor finds material weaknesses in the client’s internal controls over financial reporting.
II. PLANNING THE INTEGRATED AUDIT
a. The integrated audit consists of five phases:
i. Phase 1
1. Identify and assess business risk and determine the implications for audit risk. Business risk is used to consider both the motivation for misstatement as well as the areas in which misstatements may exist.
ii. Phase 2
1. Assess fraud risk and brainstorm how fraud might occur within the organization.
iii. Phase 3
1. Consider the process used by management to assess internal control and address internal control deficiencies in a timely manner including:
a. Documenting significant processes and controls within those processes
b. Documenting the other COSO control elements, especially the control environment, risk analysis, and monitoring process
c. Testing the effectiveness of important controls as a basis for establishing the quality of controls
d. Monitoring the effectiveness of previously identified controls
e. Testing of important control activities to determine that there is no deterioration of controls
f. Correcting control deficiencies
g. Assessing the effectiveness of internal control over financial reporting
h. Developing their report on internal control
iv. Phase 4
1. Determine which controls must be tested within each of the COSO elements considering:
a. The control environment which has a pervasive effect on internal control
b. The importance of various processes, including transaction processing, adjusting entries, and estimates, that affect material financial statement accounts
c. The controls that must be evaluated and tested in order to reach a conclusion on the effectiveness of internal control
d. The need to corroborate control testing with direct tests of account balances
v. Phase 5
1. Determines the most efficient approach to achieve the dual objectives of reporting on internal control and on the financial statements and executing the audit plan
b. A Top-Down, Risk-Based Approach
i. This requires auditors to consider the materiality of account balances and processes along with the risks that the account balance may be misstated. It requires the auditors to identify:
1. Account balances or related disclosures that might be materially misstated
2. Potential causes of the misstatement
3. Important processes that may affect one or more account balances
ii. Risk Analysis: The Starting Point
1. The auditor must understand
a. The risks that the business faces in meeting its objectives, including the objective of accurate financial reporting
b. The risks that may motivate management or other employees to misstate the financial statements and
c. The risks inherent in important business processes
iii. Account Balances and Risk Analysis
1. The PCAOB mandates that a top-down approach to an integrated audit must start with an analysis of account balances and disclosures. After understanding the business and its risks, the audit team should identify material (or potentially material) account balances, and then proceed to analyze the control environment and significant processes that affect the account balances.
iv. The Control Environment: Always Important to an Integrated Audit
1. It is important to the integrated audit because the quality of the control environment has a pervasive effect on all other processes. The auditor needs to evaluate both the design and the operation of the control environment that is consistent with the design.
2. Many misstatements occur in the processes of accounting judgments and accounting estimates. Often, the misstatements are a result of the company not having the required accounting competencies. The auditor must determine if the organization has a commitment to build or acquire the competencies needed to address the complexity of the business and its processes.
v. Identification of Significant Processes
1. The auditor will consider evaluating internal control in the following processes:
a. Revenue
b. Purchasing
c. Cash Collection
d. Payroll
e. Important Accounting Estimation Processes
f. Other Important Processes Leading to Accounting Judgments
vi. Materiality of Account Balances
1. Materiality is a judgment that contains both quantitative and qualitative dimensions. The process of determining the important account balances should include:
a. Input from the audit team’s brainstorming analysis regarding potential for fraud
b. Review of “market expectations” of company performance
c. Trends in performance, including trends in key business segments
d. The size of the account balance
e. The subjectivity used in making the accounting estimate
f. Comparison of account balances with industry trends, averages, etc.
g. Other important factors specific to the client
vii. Summary of Risk-Based Audit Approach
1. The process begins with the identification of the broad categories of risks that may affect the presentation of the financial statements. The audit, then, identifies the material account balances and considers the important processes that affect the financial statement account balances and the subjectivity of individual judgments affecting those processes. Last, the auditor examines the account balances and related disclosures to determine which ones are material to informed users.
c. Integrated Audit: Searching for Audit Efficiency
i. The fundamental questions that the auditor must address to determine the optimal amount of audit work are as follows:
1. How much assurance can be obtained regarding financial reporting risk when a strong control environment is present and working?
2. If control activities within major processes are working properly throughout the year, what is the residual risk that remains that an account balance can still be misstated?
3. What I the risk that the analysis of internal controls is incorrect?
4. Which account balances might contain more than an acceptable amount of risk that a material misstatement could occur?
5. How would a misstatement in a material account balance most likely occur?
6. What are the most effective direct tests of account balances to determine whether there is a misstatement in the account balance?
ii. The auditor must answer all six questions to plan an effective integrated audit.
d. Remaining Residual Risk
i. From an auditor’s perspective, residual risk is based on:
1. The strength of the control environment
2. The design of the controls within major processes
3. The operation of the controls and management’s process to monitor the effectiveness of its controls
4. The auditor’s confidence that the assessment of residual risk is accurate
e. Account Balances Likely to Contain Misstatements
i. In determining the amount of direct testing needed, the auditor considers:
1. The source of potential misstatement and
2. The extent and type of potential misstatements
ii. Accounts that impact accounts receivables balance:
1. Revenues
2. Cash receipts
3. Current provision for uncollectible accounts
4. Write-offs
5. Adjustments
iii. Implications of the text’s analysis of receivables can be generalized to all accounts:
1. The riskiness of the account dictates the number of direct tests of accounts that need to be performed
2. The subjectivity of estimates, where material, requires that the affected account must be addressed with direct tests of the accounts
3. Non-standard and large adjusting entries should be directly tested.
4. The size of the account (materiality) influences, but does not totally dictate, whether direct testing should be performed
5. The extent of testing performed by management, as well as the control testing performed by the auditor, will influence the amount of direct testing of account balances to be performed
6. The confidence the auditor has from all sources (knowledge of the business and industry, results of control testing, knowledge of system changes, previous misstatements) influences the amount of direct testing
7. The existence of other corroborating tests of the account balance, such as from knowledge gained from testing related accounts, also affects the amount of direct testing to be performed.
f. Likely Nature of Misstatements and Efficiency of Audit Tests
i. Ultimately, the auditor needs to consider which account balances might be misstated and how they might be misstated. In order for audit efficiency to be gained, the auditor must audit smarter. The auditor must consider a number of important factors to reduce audit costs while simultaneously managing audit risk at an acceptable level.
III. CONDUCTING AN INTEGRATED AUDIT
a. For most firms, the economic consequences of not controlling audit risk on the financial statement audit are much larger than making a mistake in evaluating internal control. Thus, most auditors want to control audit risk on the financial statement audit very tightly, while minimizing audit risk related to the internal control audit.
b. Evaluating Internal Control Over Financial Reporting
i. The auditor can test the monitoring of controls but must also do a minimal amount of testing of control activities.
ii. Evaluating the Control Environment, Risk Management, and Monitoring
1. The process for evaluating these important components of the COSO Internal Control, Integrated Framework was developed in chapter 6. The following observations should be considered by auditors performing a similar evaluation.
2. Control Environment
a. The auditor should examine management’s assessment process, including the extent to which management performed independent assessments of the effectiveness of the control environment. The auditor should perform an independent assessment of the design of the control structure.
3. Risk Management
a. The auditor should observe the extent to which the company uses enterprise risk management in managing its organization. Most of the information can be gathered through inquiry and review of documents. The auditor needs to understand whether the company uses a consistent framework in evaluating the risks associated with transaction processing, adjustments, estimates, and disclosures.
4. Information and Communication
a. The auditor should assess the company’s information and communication systems through inquiry and observation.
b. Sarbanes Oxley requires the establishment of an effective whistleblower program. The auditor will need to determine that the program is effective by evaluating whether employees are aware of the program, the number of complaints filed, who receives the complaints, who handles the complaints, and the ultimate disposition of the complaints. The auditor also wants to know what information the board or audit committee receives regarding the nature of whistleblower complaints.
5. Monitoring
a. It is an integral part of the internal control framework. It is the process by which the organization determines whether its other control procedures are operating effectively. In order to manage costs associated with internal control reporting effectively, companies must develop processes that monitor the effectiveness of the controls.
iii. Management’s Process of Evaluating Internal Control
1. The auditor is allowed to rely on some work performed within the organization when the work is performed by individuals who are competent in evaluating controls and are independent of management. The auditor needs to independently:
a. Determine which controls need to be tested and
b. Take samples based on the auditor’s planning parameters and principles of audit sampling and the independence and reliability of management’s tests (i.e. those performed by an independent and competent internal auditor). In assessing whether the auditor can rely on the work of the internal auditor, the auditor considers:
i. The independence of the internal audit function from management
ii. The competency of the internal audit department
iii. The design and comprehensiveness of the internal audit testing approach
iv. The documentation of the internal audit testing
c. Testing Control Activities
i. Auditors are required to assess control risk for each relevant assertion and for important classes of transaction and account balances as a basis for planning the audit. For a public company, the auditor has to understand and test controls that are important to preventing or detecting significant misstatements.
1. Not all controls need to be tested providing the auditor believes that a misstatement related to a particular assertion could not be material.
ii. Understanding Important Supporting Systems
1. Many significant accounting processes do not process transactions, but are related to transactions or legal requirements. When examining a process, the auditor must also think of processes related to the process being examined.
2. Transaction-Based Systems
a. Each accounting application should be designed to ensure that all transactions occurred and are recorded accurately in the correct time period and that the correct amounts are updated. The basic control objectives are derived from the assertions about classes of transactions. To ensure that recorded transactions have occurred and pertain to the entity, there must be proper authorization of the transaction and evidence the transaction actually occurred.
iii. Perform Test of Controls
1. Once the auditor has identified the significant processes and assertions, the auditor identifies the important controls that need to be tested. The nature of the testing will vary with the nature of the process, the materiality of the account balance, and the control.
IV. Example- Integrated Audit
a. Looking Forward: Reducing 404 Compliance Costs
i. The major complaint about reporting on internal controls over financial reporting is costs are too high. This resulted from many companies previously not paying enough attention to the quality of controls. Control problems were found; this is evidenced by approximately 15% of the companies receiving adverse opinions on their internal controls. More companies would have received adverse opinions had they not started the assessment process early and remediated many of the control deficiencies they had identified. Another factor of the additional costs was related to the initial documenting of internal controls.
ii. For companies with good internal controls, there are two ways to reduce costs:
1. Management has to do less testing
2. OR the auditor does less testing and relies more on management’s testing
iii. Management can achieve cost efficiencies by reengineering their processes for control and efficiency, and then developing effective monitoring controls. Assuming that both management and the auditor have confidence that a particular process is working well and there are no control deficiencies, a monitoring process might include:
1. A requirement that any changes must be approved, documented, and thoroughly tested, including all interfaces with other systems
2. A process put into place that will identify control failures
3. A process to spot-check that the controls are still operating effectively
iv. In applying the COSO framework, management should be able to rely on the monitoring controls to form their assessment and the basis for their report assuming all the elements described above are in place. The reengineering of the processes, coupled with effective monitoring, should greatly reduce compliance costs.
v. Auditors must form their own independent assessment. Overall audit costs can be reduced by the following which should lead to effective audits and significant cost reductions:
1. Focusing only on material processes
2. Evaluating the effectiveness of the other four components of the COSO internal control framework
3. Rely, to some extent, on the work performed by internal auditors. Verify their work through limited testing of the internal auditor’s work and conclusions
4. Test the effectiveness of management’s monitoring controls