Upload
vuongthu
View
222
Download
1
Embed Size (px)
Citation preview
Integrated Audits
of Public Companies
Chapter 18
McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.
18-2
Nature of an Integrated Audit
Auditors of public companies should report
on:
Financial statements and
Internal control over financial reporting
Based on provisions of PCAOB Standard
No. 5, the audits of internal control and
financial reporting should be integrated
18-3
Sarbanes-Oxley Act of 2002
Section 404
404(a) – requires annual report filed with SEC to
include an internal control report
• Management acknowledges responsibility for
establishing and maintaining adequate internal control
• Provides assessment of internal control effectiveness at
end of fiscal year
404(b) – requires CPA firm to audit internal
control and express an opinion on effectiveness
of internal control. (Required for companies with a
capitalization in excess of $75,000,000)
18-4
Management’s Responsibility
Accept responsibility for effectiveness
Evaluate the effectiveness using suitable
criteria
Support the evaluation with sufficient
evidence
Provide a report on internal control
18-5
Management’s Report on I/C
Report must:
State that it is management’s responsibility to establish and
maintain adequate internal control.
Identify management’s framework for evaluating internal control.
Include management’s assessment of the effectiveness of the
company’s internal control over financial reporting as of the end
of the most recent fiscal period, including a statement as to
whether internal control over financial reporting is effective.
Include a statement that the company’s auditors have issued an
attestation report on management’s assessment.
18-6
Management Assessment
Management can be assisted by consultants but
not by the CPA firm that conducts the audit of
financial statements
Must understand definition of internal control
adopted by the SEC
Evaluation must use an accepted “control
framework” such as Internal Control-Integrated
Framework created by COSO.
Must understand concepts of control deficiency,
significant deficiency and material weakness
18-7
18-8
Relationships Among Deficiencies
Deficiency in
Internal Control
Less than Significant Material
Significant Deficiency Weakness
18-9
Control concepts
Control deficiency exists when the design or operation of a control does not allow
management or employees, in the normal course of performing
their functions, to prevent or detect misstatements on a timely
basis
Levels of severity of control deficiencies
Less than a significant deficiency
Significant deficiency – less severe than material weakness yet
important enough to merit attention
Material weakness – reasonable possibility that a material
misstatement will not be prevented or detected
18-10
Objective of Management’s
Evaluation of I/C Provide a reasonable basis for its annual
assessment
Process
Evaluate design effectiveness of controls
Evaluate operating effectiveness of internal
control
Documentation of process
Reporting
18-11
Auditor’s Objective
Plan and perform the audit to obtain
reasonable assurance about whether
material weaknesses exist to express an
opinion on company’s internal control over
financial reporting
Evidence gathered as of date specified in
management’s assessment – normally the
last day of the company’s fiscal year
18-12
Audit Steps
1. Plan the engagement
2. Use a top-down approach to identify
controls to test
3. Test and evaluate design effectiveness of
internal control
4. Test and evaluate operating effectiveness
of internal control
5. Form an opinion on the effectiveness of
internal control
18-13
18-14
Plan the Engagement
Efficient planning requires coordination
with financial statement audit
Consider matters such as:
Client’s industry
Regulatory matters
Client’s business
Recent changes in client’s operations
18-15
Auditors’ Consideration of I/C
Difference between audit of internal
control and audit of financial statements
Time period
• Audit of internal control –as of date
• Audit of financial statements – entire financial
statement period
Differences between small and large
clients
Degree of complexity of operations
18-16
Top-Down Approach
18-17
Top-Down Approach
Goal is to focus on testing those controls that
are most important to auditor’s conclusion on
internal control, avoiding those that are less
important
Starts at top
Entity-level controls – those in control
environment or monitoring components of
internal control • Emphasize those relating to audit committee effectiveness,
fraud, and period-end process
• Direct or indirect effect
18-18
18-19
Significant Accounts and Disclosures
Account significant if reasonable possibility that it could contain a
misstatement that individually or in aggregate has a material effect
on financial statements
Factors
Size and composition.
Susceptibility of loss due to errors or fraud.
Volume of activity, complexity, and homogeneity of individual
transactions.
Nature of the account.
Accounting and reporting complexity.
Exposure to losses.
Possibility of significant contingent liabilities.
Existence of related party transactions.
Changes from the prior period.
18-20
Identifying Relevant Assertions
Relevant
Those that have meaningful bearing on
whether account is presented fairly
(1) existence or occurrence;
(2) completeness;
(3) valuation or allocation;
(4) rights and obligations; and/or
(5) presentation and disclosure.
18-21
Design Effectiveness
Routine transactions are for recurring activities,
Examples: sales, purchases, cash receipts and disbursements,
and payroll.
Nonroutine transactions occur only periodically; they
generally are not part of the routine flow of transactions
Examples: transactions such as counting and pricing inventory,
calculating depreciation expense, or determining prepaid
expenses.
Accounting estimates are activities involving
management’s judgments or assumptions,
Examples: determining the allowance for doubtful accounts,
estimating warranty reserves and assessing assets for
impairment
18-22
Likely Source of Misstatements
Understand the flow of transactions;
Verify points within the company’s processes at which a
misstatement could arise that could be material;
Identify the controls management has implemented to
address these potential misstatements; and
Identify the controls management has implemented to
prevent or detect on a timely basis unauthorized
acquisition, use, or disposition of the company’s assets
that could result in a material misstatement.
18-23
Selecting Controls
Not necessary to design tests of all
controls
Redundant controls
Do not need to test if duplicate control is
tested
Design tests for preventive and/or
detective controls
Complementary controls
Should both be tested
18-24
Performing Walk-Throughs
Walk-through
Tracing a transaction from its origination through the
company’s information system until it is reflected in
the company’s financial reports
Provide evidence to: • Verify that they have identified points at which a significant risk of
misstatement to a relevant assertion exists.
• Verify their understanding of the design of controls, including those
related to the prevention or detection of fraud.
• Evaluate the effectiveness of the design of controls.
• Confirm whether controls have been placed in operation
(implemented).
18-25
Tests of Operating Effectiveness
Nature
Inquiries, inspections, observations and
reperformance
Vary exact tests when possible
Timing
Sufficient period of time
Periodic controls – wait to after report date
Extent
Depend on frequency of control
18-26
Frequency of Testing
18-27
Relationship Between Audits
Tests of controls Same for internal control audit and financial statement
audit
Evidence from internal control audit can be used for
financial statement audit
Differences between audits Objectives are different
Integrated audit Testing should be spread through the year to satisfy
both objectives
18-28
Effects of Internal Control Testing on
Audit Substantive Procedures
Integrated audit requires tests of controls
for all major account and relevant
assertions
Will lead to decreased scope of substantive
procedures
However, significant deficiencies or material
weaknesses could lead to more substantive
procedures
Not acceptable to omit substantive
procedures completely
18-29
Effect of Substantive Procedures
on Audit of Internal Control
Findings from substantive procedures may
affect audit of internal control
Could provide evidence of effectiveness or
ineffectiveness of internal control over
financial reporting
Example: Identification of material
misstatement in financial statements is
indicative of at least a significant deficiency in
internal control
18-30
Form an opinion
Evaluate:
1. The results of their evaluation of the
design,
2. The results of tests of the operating
effectiveness of controls,
3. Negative results of substantive
procedures performed during the financial
statement audit, and
4. Any identified control deficiencies.
18-31
18-32
Circumstances Affecting the Auditors’
Opinions
18-33
Other Communication Requirements
Communicate in writing to management
All control deficiencies regardless of severity
To audit committee
Material weaknesses, significant deficiencies
and that all deficiencies have been
communicated to management
To board of directors
If conclude oversight of financial reporting and
internal control is ineffective
18-34
Other Report
Reporting on Whether a Previously
Reported Material Weakness Continues to
Exist
Management believes material weakness has
been eliminated
Auditor engaged to report on whether material
weakness continues to exist
Engagement focused on evidence regarding
material weakness
18-35
Integrated Audis for
Nonpublic Companies
A nonpublic company may choose to have
an integrated audit of its financial
statements and its internal control. While
the service is very similar to that for public
companies, it differs as follows: