Integrated Audit Flashcards
What kind of audit does the PCAOB require?
The PCAOB requires an integrated audit of the effectiveness of internal controls and financial reporting.
Applies only to accelerated filers (large public companies)
Auditor must attest to the management’s assertions regarding both the financial statements and the effectiveness of internal controls over financial reporting.
What are the steps of an Integrated Audit?
- Update info about risks
- Consider possible misstatements (business risk, management motivations, processes affecting material account balances)
- Preliminary analytical procedures
- Understand client internal controls
- Identify controls to test
- Make plan to test controls
- Consider results of control testing
- Conduct substantive testing
With good internal controls, do we have to do more substantive testing or less?
When we have good internal controls, we can have more confidence in them and therefore do less substantive testing.
Who has to issue an internal control report?
All public companies have a management internal control report, but only large public companies have to have it audited.
Private companies do not need internal control reports from neither auditors nor management. (If they do have them, they are not available to third parties).
What is a material weakness? What are the indicators?
In internal control, there is a “reasonable possibility” of a “material” misstatement - will not be detected on a timely basis.
Indicators of a material weakness are the nature of the account, susceptibility of fraud, subjectivity, complexity, and future consequences.
**It’s possible that finding a material misstatement doesn’t mean material weakness in internal controls.
What is a significant deficiency?
There is a problem, less severe than material weakness.
Maybe didn’t lead to a material misstatement, but could in the future
Is the act of a CFO overriding controls any time of material weakness/deficiency?
NO!!!!
Who’s responsibility is it to have internal controls?
It is management’s responsibility, NOT THE AUDITOR’S, to have internal controls. The auditor just issues the report.
Nothing is foulproof - but is it foulproof enough?
Why test internal controls?
***1. To formulate an opinion on the entity’s internal controls (I/C Report)
- Potentially, to reduce substantive testing for the financial statement audit
- To evaluate the control environment, risk assessment, information and communication, and monitoring
***4. To evaluate management’s process of evaluating internal controls (I/C Report)
In Step 7, what do you do if there are deficiencies identified with internal controls?
Assess the deficiencies:
- Are they significant deficiencies or material weaknesses?
- Determine whether the preliminary control risk assessment should be modified and document the implications for substantive testing (IF YOU CHANGE CR, MUST ALSO CONSIDER CHANGES TO DR)
(must still assess preliminary CR if there are no deficiencies)
What are the two types of IC reports?
Clean IC Report - controls are operating effectively
Qualified IC Report - Material weakness/significant deficiency
Can an auditor issue a qualified IC report? What about a qualified FS report?
An auditor can issue a qualified IC report, which is part of the FS report.
An auditor cannot issue a qualified FS report; the company must change things until the auditor issues an unqualified report.
**If a company receives a qualified report, you can infer that the company probably had a material misstatement that was corrected.
What kind of approach should you use when auditing the financial statements?
Always use a top-down approach
How does an integrated audit differ from a financial statement audit?
Stand alone financial statement audits do not include audit reports on I/C
Public Co’s without IC audits still have to have management reports on IC (SOX section 302)
Private companies do not have to have IC reports from either auditors or managers
Many of the steps to the integrated audit still apply to any F/S audit
But those around testing IC can be minimized
