AICPA on Reporting on Internal Control in an Integrated Audit Flashcards
Define an Integrated Audit?
audit of internal controls over Financial Reporting AND audit of the nonissuers financial statements
What is the key date when auditing internal controls?
Did the client have effective internal controls “as of”in managements assessment of ICFR (i.e. as of December 31)
What are the preconditions of the audit of ICFR?
- Management accepts responsibility of internal control
- Management provides the auditors with an assessment of ICFR
- The auditor should plan and perform the integrated audit to achieve objectives of both engagements simultaneously
When planning the audit of ICFR, what needs to be considered?
- Risk assessment
- Fraud Risk
- Multiple locations
- Materiality (same was financial statement materiality)
- Using the work of internal auditors
- Top-down approach
What is the top-down approach for auditing internal controls?
Begin with financial statement level
Focus on entity-level controls
Focus on significant classes of transactions, process, monitoring controls
Verify auditors understanding of the risk in the entity
How do you test controls?
- Evaluate design effectiveness- mix of inquiry, observation, inspection (a walkthrough is usually sufficient to evaluate design)
- Operating effectiveness- Mix of inquiry, observation, inspection
What are some areas you want to focus on when looking at controls?
1) size and composition of the account
2) Susceptibility to misstatement
3) Volume of activity and complexity
4) Nature of accountant, transactions, disclosure
5) Exposure to loss in the accountant
6) Contingent liabilities
7) Existence of related parties
When should you communicate material weaknesses and significant deficiencies?
60 days before the release date. Gives the client enough time to clean-up or fix the material weakness
This should be done in writing!
What should be included in the auditors written report on ICFR?
- Title: Word Independent
- Introduction: Name of entity, states that ICFR has been audited “as of date”, and identified the criteria
- Management responsibility
- Auditor responsibility: Express an opinion, plan and perform the audit to obtain reasonable assurance, belief the the audit obtained sufficient and appropriate basis for the opinion
Definition and inherent limitation- Paragraph commenting on the inherent limitations of internal control
Opinion
When would you issue an adverse report?
- At least one material weakness
If there is a scope limitation on ICFR, what should the auditor do?
1) Disclaimer of opinion
2) Withdrawal from the engagement
What is the most common control criteria?
COSO Framework
What does “scaling the audit” mean?
Less complex procedures may be performed for less risky/complex areas of the audit
What are the 5 reasons you would modify the report?
1) Adverse opinion
2) Scope limitation
3) Management report is incomplete or improperly presented
4) Making reference to a component auditor
5) Management report includes additional information
