Chapter 2 Overview of the Integrated Audit
Total Page:16
File Type:pdf, Size:1020Kb
Full file at http://testbankwizard.eu/Solution-Manual-for-Auditing-and-Assurance-Service- Understanding-the-Integrated-Audit-1st-Edition-by-Hooks Chapter 2 – Overview of the Integrated Audit
TEACHING TIP: This chapter accomplishes two main purposes. It lays out the progression of an integrated audit: preliminary engagement procedures (which begin with client acceptance or continuance), planning and risk assessment, tests of ICFR operating effectiveness and substantive procedures, and wrap up, completion and reporting. This presentation introduces each of these topics which are discussed in greater depth in Chapters 5 through 11. Second, it introduces the student to the “language of auditing” with presentation of many of the terms and concepts that are integral to auditing.
Learning Objectives 1. Understand the legal and regulatory requirements for integrated audits. 2. Identify the basic requirements for an audit to be possible. 3. Recognize the basic stages of an audit. 4. Explain the meaning of fundamental terms related to auditing. 5. Describe the activities that comprise the general stages of an integrated audit. 6. Learn the basic differences between the audit of a public and a nonpublic company. 7. Explain the generally accepted auditing standards.
(LO 1) Integrated Audits
Integrated audit is the term for an engagement to audit the annual financial statements and management’s report on ICFR of a public company. This audit is required of public companies by SOX and the SEC and must be one engagement. Firms that perform these audits must be registered with the PCAOB. When performing the audit of a public company a firm must follow PCAOB standards. When performing the audit of a nonpublic company, a firm follows the audit standards of the AICPA or IAASB.
SOX requires that an integrated audit be one engagement that results in two audit opinions. Because of this, and because it creates greater efficiencies – auditors consider both the financial statement and ICFR audit during each of the various steps of an integrated audit. Since audit services provided to a nonpublic company involve only a financial statement audit, the easiest way to learn both integrated audits of public companies and financial statement audits of nonpublic companies is to start with the complete picture – the integrated audit. Then, it can be fairly straightforward to understand those components that are not mandatory when the company is nonpublic and an ICFR audit is not performed.
(LO 2) Preliminary Requirements for an Audit
Standards that govern the information GAAP, IFRS, OCBOA for financial information COSO for ICFR Guidelines for performing the audit PCAOB AS for public companies AICPA SAS for nonpublic companies (…or possibly IAASB ISA) Sufficient records to provide evidence
1 Full file at http://testbankwizard.eu/Solution-Manual-for-Auditing-and-Assurance-Service- Understanding-the-Integrated-Audit-1st-Edition-by-Hooks Reasonable confidence in management integrity
(LO 3) Overview of an Integrated Audit
Preliminary engagement procedures Client acceptance and continuance Establishing an understanding about the terms of the engagement Confirming auditor independence, and communicating Planning and risk assessment Risk assessment (includes fraud risk) Preliminary audit plan/audit strategy Understanding the client’s accounting information system Assess design effectiveness of ICFR Consider controls in the system Determine if they are appropriate for the risks
Definition of Internal Control over Financial Reporting (AS5.A5): Internal control over financial reporting is a process designed by, or under the supervision of, the company’s principal executive and principal financial officers, or persons performing similar functions, and effected by the company’s board of directors, management, and other personnel. The purpose is to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP and includes those policies and procedures that 1. Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the company’s assets. 2. Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and 3. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets that could have a material effect on the financial statements.
Note: The auditor’s procedures as part of either the audit of internal control over financial reporting or the audit of the financial statements are not part of a company’s internal control over financial reporting. (emphasis added)
TEACHING TIP: This is an effective time to discuss the definition of ICFR. The key words highlighted in the definition above provide a structure for discussing important components of the definition.
Tests of ICFR operating effectiveness and substantive procedures Test only important controls that are designed effectively Do the controls operate effectively? Form preliminary conclusion on ICFR effectiveness Substantive procedures examine accounts and disclosures
2 Full file at http://testbankwizard.eu/Solution-Manual-for-Auditing-and-Assurance-Service- Understanding-the-Integrated-Audit-1st-Edition-by-Hooks Form preliminary conclusion on financial statement fairness Wrap up, completion and reporting Numerous audit steps Information from company’s management and lawyers Specific communications from auditor to management and audit committee Make final decision on opinions and issue report
(LO 4) Fundamental Concepts
Management assertions PCAOB has 5, AICPA has 13 Management assertions (also called financial statement assertions) basically summarize what management is communicating via the financial statements.
Existence or occurrence Completeness Rights and obligations Valuation or allocation Presentation and disclosure
TEACHING TIP: Discussion of examples helps establish that the PCAOB and AICPA assertions cover the same things. For example, students can understand the cutoff assertion as a combination of the existence or occurrence and completeness assertions. If, due to poor cutoff, a transaction is recorded in the wrong period, then it didn’t really occur in the period in which it is shown, and the period from which it is omitted is not complete. Students can understand occurrence, rights, obligations, completeness, classification, understandability, accuracy, and valuation as specific descriptions of presentation and disclosure. Financial statements cannot have proper presentation and disclosure if the information does not represent events that occurred, rights and obligations that exist, or is not complete, properly classified, understandable, accurate and properly valued.
Audit evidence Provide reasonable basis for forming opinions on financial statements and ICFR Accounting data such as ledgers Other examples: invoices, contracts, EFT transfer records Internally produced or from third parties Routine business output or produced specifically for the audit Direct personal knowledge of the auditor from inquiry and observation
Auditors’ use of management assertions 1. Management assertions apply to financial statements and management states whether ICFR is effective: 2. Auditor assesses risk of material misstatements regarding those assertions: 3. Audit procedures are developed to collect evidence about whether management assertions are valid: 4. Audit evidence is collected
More audit concepts and their relationships
3 Full file at http://testbankwizard.eu/Solution-Manual-for-Auditing-and-Assurance-Service- Understanding-the-Integrated-Audit-1st-Edition-by-Hooks Management assertions Audit procedures Evidence Confirmation process Sample Due professional care Professional skepticism Absolute assurance Reasonable assurance Professional judgment Judgment errors Negligent Free of material misstatements Error Fraud Material weakness Economic limits (regarding evidence) Cost-benefit trade off (motivates use of samples) Persuasive evidence Convincing evidence Sufficient evidence Appropriate evidence Reliable and relevant evidence Evidence from a source outside the company Internally produced evidence Auditor’s direct personal knowledge Evidence produced under conditions of good controls Original documents, paper and electronic vs. copies and faxes Documentary evidence Oral evidence Materiality Fair presentation Audit risk
TEACHING TIP: Refer students to the list of terms at the end of the chapter. All words that are bolded are defined in the list of terms.
TEACHING TIP: Diagrams are presented in the book for each audit phase that follows. These same diagrams appear later in the specific chapters that discuss each topic in greater detail. Referring to the diagrams typically helps students understand the overall audit, and details about each phase. It is important that students understand that even those these phases are presented in approximate chronological order – on an audit many “loop backs” and iterations can occur as new information is learned. Also, students need lots of reinforcement that “planning” in an audit differs from the lay concept of planning because it does not all occur at the beginning of the audit. Although auditors call it planning, a better description is actually “preparing an audit plan and continually modifying it based on new information and developments.”
4 Full file at http://testbankwizard.eu/Solution-Manual-for-Auditing-and-Assurance-Service- Understanding-the-Integrated-Audit-1st-Edition-by-Hooks (LO 5) Preliminary Engagement Procedures
Auditor proposal and client acceptance or continuance Do we want this client? If yes, Can we effectively perform this audit? If yes, Research the client. Do we still want the audit? If yes, Present proposal. Did we win the engagement? If yes, Confirm and communicate on auditor independence (1st year of a public client communication must come before accepting client) Establish understanding on terms of the engagement.
Audit Planning and Risk Assessment
Preliminary audit strategy Staffing and timing Potential misstatements Early plan Understanding the company, obtain understanding from: Client acceptance process Reviews of 10Qs Client’s ICFR documentation Understanding the company, obtain understanding about: Client business and activities Transactions Financial statement accounts …use analytical procedures Information systems Entity level controls Assessing risk Fraud risk Ask management about fraud controls; hold a brainstorming session Financial statement risk of misstatements Evaluate which assertions are relevant to the important accounts ICFR related risk of material weaknesses Evaluating entity level controls is part of the “top down” approach Identify important controls Assess design effectiveness of important controls Audit planning Plan nature, timing and extent of audit procedures Controls to test Which controls are important? To what level do important controls need to be functioning in order for t hem to be relied upon? How should important controls be tested?
5 Full file at http://testbankwizard.eu/Solution-Manual-for-Auditing-and-Assurance-Service- Understanding-the-Integrated-Audit-1st-Edition-by-Hooks Accounts and disclosures Which ones are material? How should they be tested? (Note: have to use analytical procedures as part of risk assessment and planning) How should controls, accounts and disclosures be tested? Audit procedures are the steps used for testing Documented in the audit plan; greater detail than earlier
Tests of ICFR Operating Effectiveness
Purpose is to gather evidence on operating effectiveness Tests of controls Dual purpose tests Evaluate results of tests and document Do more work if unexpected problems are found during testing
Consider other information, e.g., from review engagements of interim financial statements or management communications
Form tentative conclusion on ICFR operating effectiveness
Substantive Procedures on Accounts and Disclosures
Tests of details of balances Dual purpose tests Substantive analytical procedures
Modify planned nature, timing and extent of procedures if needed based on ICFR results
Inherent risk Control risk Risk of material misstatement Detection risk Materiality
Evaluate results of tests and document Do more work if unexpected problems are found during testing
Management makes corrections
Consider other information, e.g., tentative conclusion made about effectiveness of ICFR
Form tentative conclusions on fairness of financial statements
Wrap up, Completion and Reporting
6 Full file at http://testbankwizard.eu/Solution-Manual-for-Auditing-and-Assurance-Service- Understanding-the-Integrated-Audit-1st-Edition-by-Hooks Perform final audit steps, including Reviews Communication with client’s attorneys Obtain and consider written representations from management Decide on appropriate report(s) 2 opinions, can be expressed in 1 combined report or 2 separate reports Communicate as required with management and the audit committee Issue audit report(s) on financial statements and ICFR
(LO 6) Nonpublic Company Audits
The main difference between a nonpublic company financial statement audit and a public company integrated audit is that a nonpublic company does not typically engage the audit firm to audit ICFR. The AICPA auditing standards still require that the auditor consider the company’s important risks and address whether its internal controls fit with the company’s risks. However, the auditor is not required to test the operating effectiveness of controls. The auditor will usually test the operating effectiveness of a company’s controls only if doing so will make the financial statement audit more efficient by permitting the auditor to rely on the controls and, as a consequence, perform less substantive procedures. However, in some cases, a company’s operations may be so reliant on its controls that the auditor cannot complete a financial statement audit without testing controls.
The lack of a mandate for testing controls permits the diagram of a financial statement audit to be presented in a linear fashion. Preliminary engagement procedures Audit planning and risk assessment Understand ICFR Identify significant risks Decide whether to rely on controls Tests the operating effectiveness of ICFR to be relied upon Substantive procedures on accounts and disclosure Wrap up, completion and reporting
(LO 7) Auditing Standards
After it was created the PCAOB adopted all of the AICPA SAS that were in place at that time as its interim auditing standards. Since that time, as the PCAOB has written and adopted its own standards it has superseded the AICPA SAS that were its original interim standards.
The AICPA has a body of auditing standards that continue to be added to and revised as needed over time.
Both the PCAOB and AICPA standards are based on 10 underlying standards called generally accepted auditing standards (GAAS).
The 10 GAAS are grouped into:
7 Full file at http://testbankwizard.eu/Solution-Manual-for-Auditing-and-Assurance-Service- Understanding-the-Integrated-Audit-1st-Edition-by-Hooks General standards: training and proficiency, independence, due professional care Field work standards: planning and supervision, understanding, evidence Reporting standards
Except
AS 5, the PCAOB standard on ICFR states that it provides the field work and reporting standards for the ICFR audit of an integrated audit.
“The general standards are applicable to an audit of internal control over financial reporting. Those standards require technical training and proficiency as an auditor, independence, and the exercise of due professional care, including professional skepticism. This standard establishes the fieldwork and reporting standards applicable to an audit of internal control over financial reporting.” (AS 5.4)
Currently the language of the 10 GAAS as shown in the PCAOB Interim Standards (p. 62) and AICPA SAS (pp. 74-74) differ slightly because the AICPA amended the GAAS and these amendments were not made by the PCAOB. The amendments do not change the substance of the standards. They update the language and wording.
Words with Special Meaning for Auditors
Unconditional Responsibility Must Shall Is required
Presumptively Mandatory Responsibility Should
…In the rare circumstances in which the auditor believes the objectives of the standard can be met by alternative means, the auditor, as part of documenting the planning and performance of the work, must document the information that demonstrates that the objectives were achieved.
Responsibility to Consider (called “explanatory language” in the AICPA standards) May Might Could
Should consider: consideration of the action or procedure is presumptively mandatory while the action or procedure is not.
8