A5 Integrated Audits, Attestation Engagements, Compliance, and Government Audits

What are the objectives in an audit of internal control over financial reporting?

• Express opinion on effectiveness of ICFR

• Date of management’s assessment should correspond to “as of” balance sheet date under audit

• ICFR cannot be effective if one or more material weaknesses exist

What are the auditor’s requirements in an audit of internal control over financial reporting?

• Plan and perform the audit to achieve the audit objectives

• Use the same control criteria to perform the audit as management uses for its evaluation

• Test of controls should be designed to provide sufficient, appropriate audit evidence

The audit of internal control over financial reporting can be performed only if management:

• Accepts responsibility for the effectiveness of ICFR

• Evaluates the effectiveness of ICFR using suitable and available criteria (e.g. AICPA)

• Supports its assessment about the effectiveness of ICFR with sufficient, appropriate evidence

• Provides a written assessment about the effectiveness of ICFR in a report that accompanies the auditor’s

The auditor should obtain a written representation letter from management in which management:

• Acknowledges its responsibility for establishing and maintaining effective ICFR and states that management has performed an assessment of its effectiveness

• States management’s assessment “as of” a specified date and specifies the criteria used

• Affirms management did not rely on auditor’s procedures as the basis for the assessment

• States that management has disclosed all deficiencies in design and operation

• Describes fraud resulting in material misstatement or fraud involving senior management

• States whether there were any significant changes to ICFR after the date of the report

To develop an overall strategy, the auditor should consider (FELT):

• Financial reporting practices of the industry

• Economic conditions

• Laws and regulations

• Technological change

What are the areas of common fraud risks?

• Significant unusual transactions

• Period-end journal entries and adjustments

• Related party transactions

• Significant management estimates

In the top-down approach, an auditor should:

• Identify and test entity-level controls

• Identify significant classes of transactions, account balances, disclosures, and their relevant assertions

• Assess the risk that a material weakness may exist and whether it results in a material misstatement

In an integrated audit, the auditor should evaluate the components of ICFR and determine whether the components are:

• Present and functioning in design, implementation, and operation

• Free of material weaknesses individually or in aggregate

What are the key differences between an (1) audit on the financial statements and an (2) audit on ICFR?

• Purpose: (1) determines the nature, extent, and timing of tests; (2) expresses an opinion on effectiveness of ICFR

• Relevant period: (1) longer period, usually a year; (2) as of a point in time

• Extent of testing: (1) not required to test all relevant assertions; (2) must test all relevant assertions

• Communication of control deficiencies: (1) within 60 days with restricted-use; (2) by the report release date without restricted-use

Which testing methods are appropriate for evaluating operating effectiveness of controls? Which testing methods are appropriate for evaluating design effectiveness of controls?

• Operating: Inspection, reperformance, and recalculation

• Design: Inquiry, observation, and inspection

What must an auditor include in their communications with management and those charged with governance?

• Address to management

• Required to advise management about their internal control

• Auditor’s responsibility to plan and perform integrated audit to determine if entity’s internal controls were effective

• Define what a control deficiency is

• Describe material weakness identified, if applicable

• Define what a significant deficiency is

• Describe significant deficiency identified, if applicable

• Restrict communication to management only

What is the difference in communications with management between issuers and non-issuers?

For issuers, all types of deficiencies identified must be communicated by report release date. For non-issuers, only material weaknesses and significant deficiencies apply; control deficiencies must be communicated within 60 days of the release report date

What are the non-issuer headings for a separate report?

• Opinion on internal control over financial reporting

• Basis for opinion

• Responsibilities of management for internal control over financial reporting

• Auditor’s responsibilities for the audit of internal control over financial reporting

• Definition and inherent limitations of internal control over financial reporting

• Report on other legal and regulatory requirements

• Report on audit of internal control over financial reporting

What are the non-issuer headings for a combined report?

• Opinion on the financial statements and internal control over financial reporting

• Basis for opinion

• Responsibilities of management for the financial statements and internal control over financial reporting

• Auditor’s responsibilities for the audit of the financial statements and internal control over financial reporting

• Definition and inherent limitations of internal control over financial reporting

• Report on other legal and regulatory requirements

• Report on audit of internal control over financial reporting

• Basis for adverse opinion on internal control over financial reporting (if applicable)

What should an auditor do if management fails to report one or more material weaknesses identified by the auditor?

• State the issues and describe the omitted weakness in the report

• Communicate this situation in writing to those charged with governance

What should an auditor do if management’s report includes a material weakness but does not fairly present it?

• Indicate this situation in the report and fairly describe the weakness

• Consider the effect of this adverse opinion on the financial statements

• Indicate whether the opinion on the financial statements was affected by the material weakness

An auditor may perform an attest engagement for previously corrected material weaknesses if:

• Auditor has sufficient overall knowledge of both the company and its internal control over financial reporting

• Management accepts responsibility for effectiveness of internal control, evaluates its effectiveness, asserts internal controls are effective, provides support for this assertion, and presents a written report that will accompany the auditor’s report

Describe the guidance on concepts common to all attestation engagements (CAPE CORP)

• Compliance

• Acceptance and continuance of attestation engagements

• Preconditions for engagement are present

• Engagement documentation standards

• Change in terms of engagement are reasonable

• Other practitioner’s work is allowed

• Responsibility for quality control

• Professional skepticism and professional judgment

List the standards to apply to each service a CPA may provide: Audit engagements; Preparation, compilation, and review engagements; and Attest engagements

• Audit engagements: Statements on Auditing Standards (SAS) for non-issuers; PCAOB standards for issuers

• Preparation, compilation, and review engagements: Statements on Standards for Accounting and Review Services (SSARS)

• Attest engagements: Statements on Standards for Attest Engagements (SSAE)

What conditions must exist for an agreed-upon procedure attestation engagement to be performed? (I AM SURE)

• Independence

• Agreement of the parties

• Measurability and consistency

• Sufficiency of procedures

• Use of report either general or restricted

• Responsibility of client for subject matter

• Engagement: significant assumptions

What is the difference between a SOC1 and SOC2 report?

• SOC1: Report on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting

• SOC2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy

What is the difference between a Type 1 and Type 2 report?

• Type 1: report on design and implementation of a service organization’s identified controls; '“as of” report

• Type 2: report on design, implementation, and operating effectiveness of a service organization’s controls; throughout a specified period report

What are the conditions for an auditor to issue a compliance report?

• Must have audited the client’s financial statements

• May only issue negative assurance on compliance

• Engagement is neither a compliance audit nor an attestation engagement

Negative assurance may be given when:

• No identified instances of noncompliance

• Must issue an unmodified or qualified opinion on financial statements

• Applicable covenants or regulatory requirements have been subjected to audit procedures as part of the financial statement audit

What type of assurance is provided for the following engagements: examination, (compliance) review, and agreed-upon procedures

• Examination: reasonable assurance; auditor provides an opinion

• Review: negative assurance; “There were no identified…”

• Agreed-upon procedures: no assurance; auditor provides list of findings

What are the key categories of performance audit?

• Effectiveness, Economy, and Efficiency

• Internal Control

• Compliance

• Prospective Analysis

In previous audits and attestation engagements, GAGAS requires:

• auditor to evaluate whether appropriate corrective actions have been addressed

• planning procedures to include inquiry of management about status of previous audits and recommendations

Audits in accordance with GAGAS require additional attention to:

• Fraud

• Noncompliance

• Abuse

According to GAGAS, auditors should communicate:

• pertinent information to individuals contracting for or requesting the audit and to cognizant legislative committees, unless the law/regulation does not specifically identify the entities to be audited

• when a law or regulation precludes an auditor’s option to withdraw or withhold a report as a result of uncorrected material misstatement, the auditor may issue a report or written communication to those charged with governance and to the appropriate statutory body

When providing an opinion or a disclaimer on financial statements in a government audit, auditors should report on:

• Internal control over financial reporting (no opinion on effectiveness)

• Compliance with provisions of laws, regulations, contracts, grant agreements, and federal awards (no opinion provided)

Consistent with or in addition to GAAS, according to GAGAS, management representation should also include:

• Statement of no violations or possible violations of laws or regulations

• Management is responsible for entity’s compliance with laws and regulations

• Management has identified and disclosed in writing to the auditor all the laws and regulations that have a direct and material effect on its financial statements

Unlike GAAS, in reporting on internal control, GAGAS requires:

a written report on auditor’s understanding of internal control and assessment of control risk in all audits

In addition to following the principles in GAAS and GAGAS, single audits also require:

• Expanded internal control documentation and testing requirements

• Expanded reporting to include formal written reports on consideration of internal control and the assessment of control risk

• Expanded reporting to include whether the federal financial assistance has been administered in accordance with applicable laws and regulations

• Application of single audit standards to federal financial assistance

Federal financial assistance can be categorized as two types:

• Type A: federal assistance greater than $750,000

• Type B: federal assistance less than $750,000

What are the two main objectives of a single audit?

• Audit of entity’s financial statements and reporting on separate schedule of expenditures of federal awards in relation to those financial statements

• Compliance audit of federal awards expended during the year as a basis for issuing additional reports on compliance of (1) major programs and (2) internal control over compliance

The single audit report must be submitted within and retained for:

• Submitted within thirty days of receipt of auditor’s report or nine months after the end of the audit period

• Retained for three years from date of submission

In a single audit, an auditor should consider internal controls over compliance using what as a basis for both testing and reporting?

• Major programs:

  • Type A (assistance more than $750,000)

  • or Type B assistance that is considered high risk

In a single audit regarding controls over compliance for major programs, an auditor is required to test which controls and report which controls?

• Test effective controls, not required to test ineffective controls

• Report ineffective controls

To assist entities with compliance with federal laws, rules, and regulations, Uniform Guidance includes:

• Administrative requirements

• Cost principles

• Compliance supplement

In the auditor’s report of a single audit, an auditor should:

• Express an opinion on the financials in accordance with GAAP

• Express an opinion on the presentation of the Schedule of Expenditures of Federal Awards in relation to the financials

• Report on internal control over financial reporting and compliance with federal statutes, regulations, and terms and conditions for federal award (scope, results, and reference to Schedule of Findings and Questioned Costs)

• Report on compliance for each major program and the internal control over compliance (scope, opinion on compliance, and reference to Schedule of Findings and Questioned Costs)

In a single audit, an auditor must report the following audit findings:

• Significant deficiencies and material weaknesses in internal controls over major programs

• Material noncompliance with provisions of federal statutes, regulations, or terms and conditions of federal awards related to major programs

• Questioned costs exceeding $25,000

• Circumstances concerning why the auditor’s report on compliance for each major program is other than an unmodified opinion

• Known or likely fraud affecting a federal award

• Instances in which the results of audit follow-up procedures disclosed that the summary schedule of prior audit findings prepared by the auditee was materially misrepresented

Illustrate the four-step process in determination of major programs

1. Identify Type A and Type B programs

2. Identify Type A programs with low risk and have been audited as major programs in at least one of the two most recent audit periods. Type A programs cannot be low risk if they had material weaknesses, modified opinion, or known or likely questioned costs exceeding 5% of total federal awards expended

3. Identify Type B programs that are high risk

4. Determine coverage requirements. At minimum, major programs include all Type A programs not low risk and all Type B programs identified as high risk

What is the percentage coverage of total federal awards expended for low-risk vs other auditees?

• Low risk: 20% of total federal awards expended

• Other: 40% of total federal awards expended