According to the Dodd-Frank Act, which issuers must perform an integrated audit?
Accelerated and large accelerated filers; therefore, any company with <$75M outstanding common equity held by nonaffiliates are except from the integrated audit.
What is the objective of the audit of internal control?
To express an opinion regarding the effectiveness of the entity’s IC over financial reporting.
aka to determine if the IC contains material weakness
What date is the audit of IC to cover?
The date specified in management’s assessment, which should correspond to the balance sheet date
What are the primary differences between an integrated audit vs audit only of FS?
Testing the IC: FS Only = the auditor may choose whether or not to test IC or to rely solely on substantive procedures. With IC = must be tested and opinion provided.
Relevant Period: FS Only = the entire year must be tested. IC = a point in time (usually end of year).
Extent of Testing: FS Only = IC is only tested over certain assertions. With IC = IC is tested over all relevant assertions.
Communication of Deficiencies: FS Only = release date + 60 days. With IC = by the release date.
Audit Plan: FS Only = the plan only covers FS. With IC = the plan must cover both aspects
What must management of a non-issuer do before an integrated audit can be performed?
Accept responsibility for and provide a written evaluation of the effectiveness of IC
Support the assessment with sufficient appropriate evidence
The auditor must obtain a written representation letter from mgmt for IC. What should be included in this letter?
Acknowledge its responsibilities regarding IC
States mgmt’s assessment of IC
** as of a specified date
** using a specified criteria
States mgmt has disclosed all deficiencies, including to the auditor, and which remain unresolved
Described fraud resulting in material misstatement or involving mgmt
States whether significant changes were made to IC after the assessment, including corrections
Failure to obtain a written representation letter from mgmt for IC is which of the following: (1) a scope limitation, or (2) a disclosure limitation, and how does this affect the auditor’s opinion?
(1) a scope limitation
(2) results in either withdrawal from the engagement or a disclaimer of opinion
When planning an integrated audit, which level of materiality is used: (1) unique to the risk level of the IC, (2) the same as that used for the FS?
(2) the same as that used for the FS
When planning an integrated audit, which risk assessment is used: (1) unique to the IC, (2) the same as that used for the FS?
(2) the same as that used for the FS
Which types of events or transactions are considered high risk, and therefore more effort should be spent to assess the controls over these areas?
Significant or unusual transactions
Period-end journal entries and adjustments
Related party transactions
Significant management estimates
Controls that mitigate incentives to inappropriately manage financial results (mgmt bias)
True / False: The auditor may use the work of others in evaluating the effectiveness of IC.
True, if they are deemed sufficiently competent and objective
Name and describe the type of approach used in selecting controls to test.
Top-down approach
Begin with entity-level controls
Move down to controls affecting accounts, transactions, or disclosures
Move down to controls affecting specific assertions
What types of controls are at the entity-level
The control environment
Management override of controls
The company’s risk assessment process
Centralized processing
Monitoring the results of operations
Monitoring other controls
In general, what criteria are used to select which controls to test at the acct, transaction, or disclosure level
When we see and area prone to risk of weakness, we will expend more effort to ensure the IC works.
Examples of higher risk: high volume, complexity, dollar value, or exposure to loss
Which is the most effective method to identify likely sources of potential misstatement, such as design flaws, or lack of operating effectiveness.
Use a walk-through (follow a transaction from origination through financial recording)
According to the COSO framework, what are the components of ICFR (internal control over financial reporting)
C-R-I-M-E
Control environment
Risk assessment
Information and communication systems
Monitoring
Existing control activities
When the entity uses a service organization, which type of report must be provided to the auditor?
A type-2 report that includes a description of their internal controls, plus an assessment of effectiveness performed over a 6-month period (SAS 70).
When using a Type-2 report from a service organization, does the auditor make reference to the type-2 in the audit report on IC?
No. The auditor uses the Type-2 report to evaluate the service orgazniation’s competence as if the service organization were an employee on the engagement team. The evaluation of an engagement team member is never included in the audit report; thus, neither should the evaluation of a service organization who is considered one of the team.
The auditor determines one or more failures in IC exist, yet mgmt is unwilling to either disclose the weakness or make a correction due to cost-benefit loss. How does the auditor respond?
If not presented properly: modify the auditor’s report to include each material weakness not included in mgmt’s report.
If refuses change, and provides justification: modify the auditor’s report to disclaim an opinion on mgmt’s statement
Provide an example sentence where the auditor must disclaim an opinion on mgmt’s justification for not making a change to IC that could cause material misstatement.
We do not express an opinion or any other form of assurancee on mgmt’s cost-benefit statement.