A5

Integrated Audits, Attestation Engagements, Compliance, and Government Audits

What is an integrated audit (issuers)?

Audit of both, financial statements + management’s assessment of ICFR (Internal control over financial reporting) (PCAOB).

Audit of ICFR is only for large and/or accelerate filers

What governs integrated audits for nonissuers?

SAS 130.

What is the objective of ICFR?

to express an opinion on the effectiveness of the entity’s internal control over financial reporting.

Conditions for enggement performance - ICFR audit (management must)?

1. Accept responsibility

2. Evaluate effectiveness

3. Provide written assessment of ICFR.

What approach is used in integrated audits?

Top-down approach→

Begin evaluation at:

1. FS-level

2. Entity-level

3. Significant accounts & assertions

What does testing controls include?

Evaluate design effectiveness + test operating effectiveness.

How are deficiencies evaluated?

Determine if they are significant deficiencies or material weaknesses (magnitude + reasonable possibility).

What is a material weakness?

if a control is weak

indicators of weakness:

• senior management fraud

• prev FS had been restated due to material error

• Auditor found misstatement that entity’s controls wouldn’t have caught.

What are the differences in audit of FS vs ICFR?

• FS audit: fairness of FS → covers longer period of time.

  • deadline to communicate = within 60 days of report release date

• ICFR: effectiveness of internal controls as of a point in time.

  • deadline to communicate = report release date

  • no “restricted-use” language.

How should deficiencies in internal control be communicated for non issuers?

How should deficiencies in internal control be communicated for issuers?

How should the report on internal controls look for an issuer vs non issuer?

What are attestation engagements?

When CPA is asked to “attest” (the action of formally witnessing or certifying something) the client’s requested engagement (other than full FS).

Ex:

• Financial forecasts/projections

• MD&A

• Controls at service organization

What are common attestation standards for an attestation engagement?
*CAPE CORP*

• C – Compliance with relevant SSAE standards

• A – Acceptance & continuance

• P – Preconditions present

• E – Engagement documentation

• C – Change in terms allowed if reasonable

• O – Other practitioners’ work can be used

• R – Responsibility for quality control

• P – Professional skepticism & judgment

What 3 levels of assurance exist in attestation engagements?

• Examination (positive opinion, high assurance)

• Review (negative assurance, moderate)

• Agreed-upon procedures (no assurance).

What is attestation risk?

Inherent risk × Control risk × Detection risk.

What assertion is generally obtained in attestation engagements?

Written assertion from responsible party (except direct exams).

What are agreed-upon procedures (AUPs)?

Engagements where specific procedures are agreed with client/parties; no assurance; findings listed.

What are the conditions for an auditor to accept AUP engagements?

*I AM SURE*

I AM SURE:

I	Independence	To stay objective and credible
A	Agreement	To set clear procedures upfront
M	Measurable	To ensure results can be verified
S	Sufficiency	To let users judge adequacy
U	Use (restricted/general)	To limit who can rely on report
R	Responsibility – client's	To confirm management owns the data
E	Engagement assumptions	To disclose bases and limitations

What must AUP report include?

• Procedures performed + findings

• Disclaimer of opinion

• Suitability statement (“hey user, this statement may/may not be suitable for u)

• Caution about use.

2 types of prospective financial statements:

1. Financial forecast

2. Financial projection

• Forecast: expected conditions/actions.

• Projection: hypothetical “what-if.”

What 4 types of engagements can be done for prospective FS?

1. Preparation (“No assurance”)

2. Compilation (no assurance, caution about achievability)

3. Examination (positive opinion, reasonable basis, CPA= no responsibility to update)

4. AUP (findings only).

Is review of prospective FS allowed?

No.

What are pro forma FS?

Show effect of hypothetical transactions on past FS (not prospective).

What is a service organization in audit?

3rd-party org (like IT) whose services affect user entity’s ICFR or transactions.

What does a service auditor do?

Examines controls of service org relevant to user entity’s ICFR.

What are SOC 1 and SOC 2 engagements?

• SOC 1 → ICFR. Transactions and processing

  • Helps with trust in the numbers.

  • Useful for FS auditors bc tells if IT processors like payroll or revenue booking have IC to prevent errors from flowing into books.

• SOC 2 → Data security

  • Helps with trust in the system.

  • Protecting data availability

What is a Type 1 vs Type 2 report prepared by a service auditor?

• Type 1: Design of controls at point in time.

• Type 2: Design + operating effectiveness over time.

Who is the “user auditor” vs “service auditor” and how do they work together?

• User auditor – Auditor of the company using the service org (e.g., client’s payroll auditor).

• Service auditor – Auditor of the service organization itself (e.g., ADP).

• Work together – User auditor may rely on the service auditor’s SOC report to evaluate internal controls at the service org that affect the user company’s financial reporting.

What is compliance reporting?

Reporting on compliance with contracts, regs, laws, or federal assistance.

Types of compliance reports?

• Compliance in FS audit (negative assurance only).

• Compliance attestation (AUP or exam, not review). • Single audit (federal assistance).

What is a single audit?

• If an entity spends >$1M of federal assistance in a fiscal year, they need a single audit.

• Need to evaluate: Entity-wide and all major programs

• Focus is on compliance with laws, rules, regulations; IC for compliance, and findings on noncompliance.

Materiality in single audit?

Assessed at program level, not FS as a whole.

Who selects auditor in single audit?

Auditee, under federal guidelines.

Auditor responsibilities in single audit?

• FS opinion accordance w GAAP

• Opinion on fair presentation of SEFA (Schedule of Expenditures of Federal Awards)

• Yellow Book ICFR/compliance report

• Compliance for each major program + single audit report

• Findings report.

When are the following 4 reports required for GAAS vs. GAGAS vs. Single Audits?

4 Reports:

1. Opinion/Disclaimer on FS and SEFA

2. IC & Compliance w. laws, regs, contracts, grants

3. Compliance and IC for each program

4. Schedule of findings & questioned costs