Teaching Auditing Now: Effectively Combining Instruction on Public and Nonpublic Company Audits in an Undergraduate Course Karen L. Hooks, Ph.D., CPA Professor Florida Atlantic University

Challenge: How can a one-semester undergraduate auditing course be structured to provide the most important content coverage? AICPA – SASPCAOB – AS AICPA – SSARSPCAOB – Rules of the Board AICPA – Code of Conduct International aspects Problem…. Standards are a moving target

Who can benefit from this PowerPoint Presentation? Professors who are new to teaching auditing. Professors who know pre-SOX auditing, but have not followed recent developments. Professors who want confirmation on current developments and effective teaching approaches. Instructors, adjunct professors, clinical professors – those with current practical audit experience. Those with practical experience whose in-depth knowledge may depend on the types of companies audited. Those whose teaching approaches based on practical knowledge can be augmented with additional academic structure.

Classic Approach to Teaching Financial Statement Auditing Phase 1 Phase 2 Phase 3 Phase 4 Plan and design an audit approach. Decide whether you want to plan a reduced assessed level of control risk (…to rely on internal control). If yes, perform tests of controls and dual purpose tests. Perform analytical procedures and tests of details of balances. Complete the audit and issue audit report.

PCAOB Model for Performing an ICFR Audit with a Financial Statement Audit Preliminary Engagement Procedures Wrap Up and Completion Audit Planning Execution, Testingand Risk Of Controls, Testing ofAssessment Accounts and Disclosures (from PCAOB 2007 Small Business Forum Publications)

Modified Classic Approach Assess client acceptance and retention Plan the audit Assess risk, design further procedures Obtain evidence about controls and determine their importance for the financial statement audit Obtain substantive evidence about account assertions Complete the audit Form an opinion and issue the report Understand the client, including ICFR

Difficulties Teaching an Integrated Audit Using a Modified Classic Audit Approach SOX, PCAOB require that 2 opinions are the result of one audit engagement. ICFR and financial statement audits occur concurrently; auditors do not sequentially perform the ICFR work and then the account balance work. Planning for both audits occurs together. Auditors use dual purpose tests as much as possible. Tests of controls, tests of details of balances, analytical procedures are performed together and inform auditors about both audits. ICFR audit is not an “add on.” SOX requires information obtained in each audit to be considered in the other

Model for an Integrated Audit Preliminary Engagement Procedures Tests of ICFR Operating Effectiveness Substantive Procedures on Accounts and Disclosures Wrap Up and Completion, Issue Audit Reports on ICFR and Financial Statements Audit Planning and Risk Assessment

How Did We Get Here? Prior to widespread use of IT: – Test internal controls, test account balances – This was the only way to perform an audit…had to test account balances extensively After widespread use of IT and recognition of its benefits: – Move toward a risk based audit approach – Began to test controls more – Move away from procedures like footing the general ledger – Move away from a lot of detailed testing

IT changes impacted large and small companies differently: – Large companies: With high volumes of transactions, lots of audit reliance placed on controls tests and increased use of analytical procedures – Smaller companies: Controls testing did not increase audit efficiencies much because smaller companies have fewer transactions; audits downplayed controls and continued to perform extensive tests of details of balances and analytics Post SOX, audit differences are driven mostly by standards and regulations; depend on public/nonpublic status as well as size

Post SOX Differences in Audits Large public companies – Auditor has to test and opine on both ICFR and financial statements – Emphasis on understanding processes returned; knowledge from walkthroughs; shows up in Audit Planning and Risk Assessment – More balanced approach; controls tests, tests of details of balances, substantive analytical procedures; shows up in controls tests and substantive procedures having equal prominence – Push for efficiency to result from integrated approach; combined preliminary procedures, planning and risk assessment, wrap up and completion

Smaller public companies – ICFR audit opinion requirement coming in 2010 – Companies currently gearing up; we do not know how real-world auditors will approach the audit – Financial statement audit approach has not changed much Nonpublic companies – AICPA requires identifying company’s important risks – Enhances auditor emphasis on ICFR; even though financial statement audit may still not rely on controls, the requirement pulls nonpublic company financial statement audits closer to integrated audits

PCAOB Top Down Approach Requires Consideration of Account Balances and Controls 1.What accounts could cause the financial statements to be materially misstated? (account balance emphasis) 2.What are the significant classes of transactions that affect those accounts? (emphasis on business risks); [comparing different industries is an easy way to teach this] 3.Do controls exist for the significant classes of transactions that could prevent or detect the material misstatements in the account balances, if they operate effectively? (controls emphasis)

4. Do the important controls work? (controls emphasis) Timing of tests impacts value for an integrated audit: Audit opinion at management’s report date requires tests of operating effectiveness as of year end. Reliance on controls operating effectiveness for the financial statement audit requires testing function for any period of reliance. 5. Are the financial statement account balances materially misstated? (account balance emphasis) 6. Is there any information from the financial statement audit that is disconfirming for the ICFR audit? Is there any information from the ICFR audit that is disconfirming for the financial statement audit? 7. Audit opinions

Teaching Differences in the Audits of Public and Nonpublic Companies Once students have the whole structure, explain what is omitted for a nonpublic company audit. – For nonpublic, auditors do not have to understand all the business processes as extensively; need to be able to identify the company’s major risks – Not required to test ICFR operating effectiveness if not relying on it; auditor can choose to rely on ICFR for financial statement audit and then must test – No opinion on ICFR for nonpublic

Change from AS 2 to AS 5 Reduced Differences AS 5 issued to make ICFR audit more cost efficient, and increase feasibility for smaller public companies Documentation of company’s system not required – Management can use whatever it uses to monitor business – Management documentation must support conclusion – What will auditors do without system documentation?? Walkthrough by auditor “not required” – But, must gain similar knowledge – Can use the work of others in gaining walkthrough knowledge Can use knowledge gained in prior year audits – Still have to perform some testing of each important control each year; but can be as limited as inquiry (AICPA allows rotating years – PCAOB does not) Can use benchmark testing in appropriate IT situations

Important Considerations for ICFR Audits, Smaller Public Companies From AS 5 and Staff Guidance – Scaling the audit – Evaluating entity level controls – Risk of management override – Evaluating segregation of duties – Auditing IT controls – Financial reporting competencies – Less formal documentation – Pervasive control deficiencies

Differences in Audit Quality Oversight PCAOB inspections are an additional oversight layer. – Required by SOX; implemented by SEC rules – Inspection of firm-level quality controls and of individual engagements – Did the audit do everything required? Plus, do the inspectors agree with the auditor’s judgments. Peer Review still required for firms of all AICPA members if the firm performs audits. – AICPA Peer Review Program, covers all firms – National Peer Review Committee is a subset that covers auditors of public companies

Review Services Public company interim financial statement reviews provide information to understand the client’s system and assess risk. Discussing public company interim financial statement reviews provides an opportunity to teach SSARS – at least briefly – when you might not be able to work them in otherwise.

Audit Standard Setting is Settling Down SEC has done everything required by SOX Except for some foreign inspections, PCAOB has done everything required by SOX Small business public company ICFR audits are about to begin (fye 6/10); guidance is set – SEC statement of no further delays PCAOB is starting to revise and develop audit standards for financial statement audits International considerations: – Biggest impact of international is on accounting standards – SAS and ISA moving toward coordination/standardization – Commitment to not change ISAs for a couple of years – PCAOB is explaining its changes in reference to ISAs now

CPA Exam Considerations We don’t teach to the CPA exam, but we can’t ignore it… – PCAOB and AICPA are both covered – AICPA and ISA coordination/standardization covers possible international considerations – AICPA Code of Conduct A challenge to teach AICPA Code comprehensively and also cover PCAOB Rules of the Board because they are different – SSARS is covered Sometimes difficult to fit in to an audit class due to time constraints

Wrap Up Basically, we have too much to cover! Integrated audit model includes all possibilities and shows students what does not apply in some audits Changes – AS 5 instead of AS 2 and AICPA requirement to consider important risks – move nonpublic company audit and integrated audit closer together