Performing an Integrated Audit Rittenberg/Schwieger/Johnstone Auditing: A Business Risk Approach Sixth Edition Chapter 7 Performing an Integrated Audit Copyright © 2008 Thomson South-Western, a part of the Thomson Corporation. Thomson, the Star logo, and South-Western are trademarks used herein under license.
The Integrated Audit The Sarbanes-Oxley Act of 2002 requires publicly held companies to report on the effectiveness of their internal controls over financial reporting The Public Company Accounting Oversight Board requires external auditors to perform an integrated audit of the effectiveness of internal controls and financial reporting In essence, the auditor must attest to both the financial statements and management's assertions regarding the effectiveness of internal controls over financial reporting
An Overview of Account Processes and Audit Testing
Important Elements of the Integrated Audit The objective of both internal control and the external audit is developing confidence in the fairness of financial reports including all material account balances and needed disclosures. The control environment is pervasive and affects the process of recording transactions, making estimates, and making adjusting entries. If the control environment is strong and the controls over transaction processing, adjusting, and estimating are good, then both management and the auditor would have a high degree of confidence that the financial accounts are fairly stated and financial disclosures are adequate. There is potential for errors in input, processing, estimating, or adjusting even if internal controls are considered effective.
Important Elements of the Integrated Audit (continued) Because errors could still occur, there is a need to do some, albeit limited and selective, testing of account balances and reviews of disclosures. There are three sources of evidence that the auditor can use to gather and evaluate the fairness of the financial statements. They are evidence derived from: Tests that indicate that internal controls over transaction processing, adjusting, and estimating financial statement line items are effective Tracing the recording of transactions through processes to determine that they are appropriately recorded in the account balances Directly testing the account balance(s)
How do auditors form opinions of the quality of internal controls? The auditor gathers information on the quality of internal controls by: Assessing the quality of management’s process in developing his or her opinion on internal control over financial reporting Evaluating the design of controls and the operation of controls that the auditor believes are designed effectively Making inferences about the quality of internal control based on findings in the financial statement audit
What is contained in the unqualified report? The internal control report The auditor provides an opinion on the effectiveness of internal control in the context of agreed-upon criteria, i.e., the COSO internal control integrated framework. The auditor’s opinion considers both the design and the operating effectiveness of internal control. The auditor recognizes and conveys to users that there are limitations of internal control that can affect its effectiveness in the future.
The Five Phases of Planning the Integrated Audit Phase 1: Identifies and assesses business risk and determines the implications for audit risk. Business risk is used to consider both the motivation for misstatement as well as the areas in which misstatements may exist. Phase 2: Assesses fraud risk and brainstorms how fraud might occur within the organization (see Chapter 9). Phase 3: Considers the process used by management to assess internal control and addressing internal control deficiencies in a timely manner, including the following: (following slide)
The Five Phases of Planning the Integrated Audit (Phase 3, ontinued) Documenting significant processes and controls within those processes Documenting the other COSO control elements, especially the control environment, risk analysis, and monitoring process Testing the effectiveness of important controls as a basis for establishing the quality of controls (first year and potentially thereafter when new processes or controls are introduced) Monitoring the effectiveness of previously identified controls Testing of important control activities to determine that there is no deterioration of controls Correcting control deficiencies
The Five Phases of Planning the Integrated Audit (continued) Assessesing the effectiveness of internal control over financial reporting Developing their report on internal control Phase 4: Determines which controls must be tested within each of the COSO elements, considering: The control environment, which having a pervasive effect on internal control The importance of various processes, including transaction processing, adjusting entries, and estimates, that affect material financial statement accounts The controls that must be evaluated and tested in order to reach a conclusion on the effectiveness of internal control The need to corroborate control testing with direct tests of account balances
The Five Phases of Planning the Integrated Audit (Continued) Phase 5: Determines the most efficient approach to achieve the dual objectives of reporting on internal control and on the financial statements and executing the audit plan.
Top-Down, Risk Based Approach A top-down, risk-based approach requires auditors to consider the materiality of account balances and processes along with the risks that the account balance maybe misstated. The approach requires auditors to identify: Account balances or related disclosures that might be materially misstated Potential causes of the misstatement Important processes that may affect one or more account balances
Top-Down, Risk Based Approach Risk Analysis: The Starting Point Understand the risk the business faces in meeting objectives Understand the risks that may motivate management or others to misstate financial statements Account Balances and Risk Analysis The Control Environment: Always Important to an Integrated Audit Materiality of Account Balances
Summary of Top-Down Risk-Based Audit Approach
Searching for Audit Efficiency 1. How much assurance can be obtained regarding financial reporting risk when a strong control environment is present and working? 2. If control activities within major processes are working properly throughout the year, what is the residual risk that remains that an account balance can still be misstated? 3. What is the risk that the analysis of internal controls is incorrect? 4. Which account balances might contain more than an acceptable amount of risk that a material misstatement could occur? 5. How would a misstatement in a material account balance most likely occur? 6. What are the most effective direct tests of account balances to determine whether there is a misstatement in the account balance?
Residual Risk Residual risk is the probability that an account balance might be misstated after processing and the application of internal controls. From an auditor’s view, the residual risk is based on: The strength of the control environment The design of the controls within major processes The operation of the controls, management’s process to monitor the effectiveness of its controls The auditor’s confidence that the assessment of residual risk is accurate
Likely Nature of Misstatements and Efficiency of Audit Tests Be recorded in the wrong period Contain unusual rights of return provisions Contain terms that are more consistent with consignment rather than sale Be concentrated in a very few customers, many of which are international customers and may have different credit risks than most other customers
How do auditors minimize risk related to the internal control audit? Only material processes and material account balances need to be tested by the auditor. Material processes must be evaluated for design and operation to support the auditor’s opinion on internal controls. Some material account balances will need to be tested—even with excellent internal controls—because the risk of misstatement is too high to control audit risk at an acceptable level. If there are no deficiencies in either the design or operation of internal controls over significant processing, the transactions associated with those processes will either require minimal or no direct audit testing. • The time requirement to meet SEC filing requirements encourages auditors, to the extent possible, to place more reliance on the control processes that are effective.
Auditing Accounts The riskiness of the account dictates the number of direct tests of accounts that need to be performed. The subjectivity of estimates, where material, requires that the affected account must be addressed with direct tests of the accounts. Non-standard and large adjusting entries should be directly tested. The size of the account (materiality) influences, but does not totally dictate, whether direct testing should be performed.
Auditing Accounts (continued) The extent of testing performed by management, as well as the control testing performed by the auditor, will influence the amount of direct testing of account balances to be performed. The confidence the auditor has from all sources (knowledge of the business and industry, results of control testing, knowledge of system changes, previous misstatements) influences the amount of direct testing. The existence of other corroborating tests of the account balance, such as from knowledge gained from testing related accounts, also affects the amount of direct testing to be performed.
FACTORS AFFECTING EXTENT OF DIRECT TESTING TO BE PERFORMED Audit Evidence Factors Auditor Assessment Effect on Direct Testing Performed Audit Risk Low More direct testing Business Risk High Subjectivity of accounting process Materiality of account balance Highly material account Effectiveness of internal control Internal controls are effective Less direct testing
Evaluating Internal Control over Financial Reporting Control Environment Risk Management Information and Communication Monitoring
Testing Control Activities Understand Important Supporting Systems Transaction-based Systems Perform Test of Controls