Performing an Audit of Internal Control in an Integrated Audit
The information contained in Lessons Learned represents the views of the members of the task force, has not been approved by any regulatory body or any senior technical committee of the AICPA and does not set standards for any purpose. Auditors are required to adhere to AS 5 and associated guidance published by the PCAOB. Public companies should follow related guidance published by the Securities and Exchange Commission (SEC).
Users of Lessons Learned should be familiar with AS 5 and the terms and concepts used in AS 5, as they are frequently used or referred to within this publication. Users are also encouraged to read other publications issued by the PCAOB, SEC, and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) that provide further guidance to auditors and management in performing Section 404 evaluations.
Performing an integrated audit requires that the auditor form numerous judgments about an entity’s internal control over financial reporting and how well it addresses risks of material misstatements in that entity’s financial statements. As part of this process, the auditor must determine the amount and type of evidence necessary to support a conclusion by the auditor that an entity’s system of internal control is effective.
Section 404 reporting requirements challenge both management and auditors to evaluate and assess the effectiveness of entities’ internal control systems that contribute to their financial reports. This focus on internal control, and coordinating the internal control audit in conjunction with the existing audit of the financial statements, presents a new environment for auditors.
In the initial year of an integrated audit, comparatively more effort may be necessary for the auditor to form judgments about an entity’s internal control over financial reporting, build up the auditor’s experience, and obtain support for judgments. In subsequent years, as the auditor becomes more proficient and obtains more experience in forming these judgments, the auditor’s effectiveness and efficiency in executing an integrated audit generally increase. Each year the auditor not only re-evaluates his or her judgments, including risk assessments, but also may incorporate and build on knowledge obtained in previous years’ audits.
Certain concepts are fundamental to performing an effective and efficient integrated audit in accordance with AS 5. These concepts are present throughout Lessons Learned. In addition, the background discussion and suggestions included in each of the individual sections provide insight into how these concepts have been applied.
Lessons Learned has been organized into the following relevant sections:
Section 1: Understand and Use Management’s Assessment and Documentation as a Starting Point
- Lesson Learned #1 – Take advantage of the company’s internal control evaluation process and documentation, where practical, in connection with financial statement audits performed in years prior to the first integrated audit.
- Lesson Learned #2 – Early and frequent communication and coordination between management and the external auditors create a more effective and efficient audit process.
- Lesson Learned #3 – Coordinate with management regarding the timing of its work to enable the auditor to utilize management’s work to the extent permitted by PCAOB standards.
- Lesson Learned #4 – Early in the process identify and assess those risks and controls that may have a pervasive impact on the assessment and effectiveness of internal control over financial reporting (ICFR).
- Lesson Learned #5 – Consider the implications of any unremediated deficiencies.
Section 2: Integrate the Audits
- Lesson Learned #6 – Plan the audit of ICFR and the audit of the financial statements as a single integrated audit.
- Lesson Learned #7 – Where appropriate, plan to employ a controls reliance approach in the first year of the required Section 404(b) audit of ICFR under the Sarbanes-Oxley Act of 2002.
- Lesson Learned #8 - Consider what audit procedures could meet the objectives of both substantive testing and internal control testing. Where practical, perform the internal control tests in conjunction with the substantive tests in those areas.
- Lesson Learned #9 - Substantive tests, the risk assessment process, as well as knowledge obtained from prior audits or reviews of interim financial information inform the auditor with respect to the risks related to internal control (which can affect the nature, timing and extent of tests of controls) and the auditor’s conclusions related to the effectiveness of internal control.
- Lesson Learned #10 - Coordinate the planning and performance of the internal control tests and substantive tests among the persons performing the work.
Section 3: Establish the Right Team
- Lesson Learned #11 – Because of the additional complexities in planning and executing an integrated audit, it is important to have experienced members of the engagement team, including specialists, involved at an early stage and for such members to remain close to the engagement as it progresses.
- Lesson Learned #12 - Due to the learning curve associated with implementing the ICFR audit requirement, involve auditors with previous experience auditing internal control or auditors who have been trained specifically on performing integrated audits.
Section 4: Identify Material Risks to Reliable Financial Reporting
- Lesson Learned #13 - Apply the top-down, risk-based approach set forth in AS 5 by starting at the financial statement level to effectively and efficiently identify significant accounts and disclosures, and their relevant assertions.
- Lesson Learned #14 - The more refined the risk assessment is, the more the audit approach can be tailored based on the assessed risks.
- Lesson Learned #15 - Different combinations of procedures, including walkthroughs, can be performed to achieve the required objectives discussed in AS 5 paragraph 34 in an effective and efficient manner.
- Lesson Learned #16 - The significance, extent, and complexity of information technology (IT) applications, and their supporting general IT control environment, influence the identification of material risks to reliable financial reporting.
Section 5: Identify Controls Necessary to Sufficiently Address Identified Risks
- Lesson Learned #17 - Apply a top-down approach, beginning with the identification of entity-level controls, to identify the controls that are necessary to sufficiently address the assessed risk of misstatement to each relevant assertion (i.e., controls that are important to the audit).
Section 6: Take a Risk-Based Approach to Testing Identified Controls
- Lesson Learned #18 - Maximize the opportunities for using the work of others.
- Lesson Learned #19 - Vary the nature, timing, and extent of testing of identified controls based upon the risk associated with a control.
- Lesson Learned #20 - Testing controls at an interim date may improve the effectiveness and efficiency of the integrated audit by spreading the auditor’s effort out over the fiscal year and increasing the opportunity to identify control deficiencies at an earlier date.
- Lesson Learned #21 - When a control’s design is determined to be ineffective, it is not necessary to test the operating effectiveness of the control. Similarly, once the auditor has sufficient evidence to conclude an effectively designed control did not operate effectively, the auditor may cease testing that control.
Useful Resources
Useful Documents:
- Full text of CAQ Lessons Learned - Performing an Audit of Internal Control in an Integrated Audit.
- Full text of Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting that is Integrated with an Audit of Financial Statements.