A5 Integrated Audits, Attestation Engagements, Compliance, and Government Audits

What are the objectives in an audit of internal control over financial reporting?

• Express opinion on effectiveness of ICFR

• Date of management’s assessment should correspond to “as of” balance sheet date under audit

• ICFR cannot be effective if one or more material weaknesses exist

What are the auditor’s requirements in an audit of internal control over financial reporting?

• Plan and perform the audit to achieve the audit objectives

• Use the same control criteria to perform the audit as management uses for its evaluation

• Test of controls should be designed to provide sufficient, appropriate audit evidence

The audit of internal control over financial reporting can be performed only if management:

• Accepts responsibility for the effectiveness of ICFR

• Evaluates the effectiveness of ICFR using suitable and available criteria (e.g. AICPA)

• Supports its assessment about the effectiveness of ICFR with sufficient, appropriate evidence

• Provides a written assessment about the effectiveness of ICFR in a report that accompanies the auditor’s

The auditor should obtain a written representation letter from management in which management:

• Acknowledges its responsibility for establishing and maintaining effective ICFR and states that management has performed an assessment of its effectiveness

• States management’s assessment “as of” a specified date and specifies the criteria used

• Affirms management did not rely on auditor’s procedures as the basis for the assessment

• States that management has disclosed all deficiencies in design and operation

• Describes fraud resulting in material misstatement or fraud involving senior management

• States whether there were any significant changes to ICFR after the date of the report

To develop an overall strategy, the auditor should consider (FELT):

• Financial reporting practices of the industry

• Economic conditions

• Laws and regulations

• Technological change

What are the areas of common fraud risks?

• Significant unusual transactions

• Period-end journal entries and adjustments

• Related party transactions

• Significant management estimates

In the top-down approach, an auditor should:

• Identify and test entity-level controls

• Identify significant classes of transactions, account balances, disclosures, and their relevant assertions

• Assess the risk that a material weakness may exist and whether it results in a material misstatement

In an integrated audit, the auditor should evaluate the components of ICFR and determine whether the components are:

• Present and functioning in design, implementation, and operation

• Free of material weaknesses individually or in aggregate

What are the key differences between an (1) audit on the financial statements and an (2) audit on ICFR?

• Purpose: (1) determines the nature, extent, and timing of tests; (2) expresses an opinion on effectiveness of ICFR

• Relevant period: (1) longer period, usually a year; (2) as of a point in time

• Extent of testing: (1) not required to test all relevant assertions; (2) must test all relevant assertions

• Communication of control deficiencies: (1) within 60 days with restricted-use; (2) by the report release date without restricted-use

Which testing methods are appropriate for evaluating operating effectiveness of controls? Which testing methods are appropriate for evaluating design effectiveness of controls?

• Operating: Inspection, reperformance, and recalculation

• Design: Inquiry, observation, and inspection