AUD: Integrated Audit of Internal Control
AI-Generated Content
Integrated audits are a cornerstone of public company financial reporting, mandated to restore investor confidence after corporate scandals. As a CPA candidate, you must master this area because it represents a significant portion of the AUD exam and is essential for auditing publicly traded clients. This process requires you to form two interrelated opinions: one on the fairness of the financial statements and another on the effectiveness of internal control over financial reporting (ICFR).
The Foundation: Integrated Audits and PCAOB AS 2201
An integrated audit is a single audit engagement designed to express opinions on both a public company's financial statements and its ICFR. This dual focus is required by the Sarbanes-Oxley Act of 2002 and is governed by the Public Company Accounting Oversight Board (PCAOB). The specific standard you must understand is PCAOB Auditing Standard (AS) 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements. This standard outlines the entire audit process, emphasizing that the audits are integrated and that the work you perform on internal controls directly influences the nature, timing, and extent of your substantive procedures for the financial statement audit.
AS 2201 mandates that your audit approach be risk-based. You cannot audit every control; instead, you must focus on areas that present the highest risk of material misstatement. The standard provides the framework for planning the engagement, assessing risk, testing controls, and evaluating the results. For the CPA exam, you are expected to know the standard's key objectives: to obtain reasonable assurance about whether effective ICFR was maintained in all material respects and to support your opinion on the financial statements.
Navigating Risk: The Top-Down Assessment Approach
The top-down risk assessment is a methodological approach that directs your attention to the controls most important to preventing or detecting material misstatements. You start at the broadest level—the entity-level controls—and work down to the specific accounts, disclosures, and assertions. This approach ensures efficiency and effectiveness in your audit.
Your assessment begins with understanding the company's overall control environment, including management's philosophy, oversight by the board of directors, and the integrity and ethical values of personnel. Next, you identify significant accounts and disclosures and their relevant assertions. You then pinpoint the processes within which these accounts reside, such as revenue or inventory cycles. Finally, you select for testing those controls within these processes that are crucial to addressing the risks of material misstatement. A common exam trap is to focus immediately on detailed transaction-level controls without first evaluating the broader control environment, which is a required step in the top-down sequence.
Testing for Assurance: Controls at Relevant Assertions
Testing controls is about gathering evidence that they operated effectively throughout the period under audit. Relevant assertions are the financial statement assertions—such as existence, completeness, valuation, rights and obligations, and presentation and disclosure—that have a meaningful bearing on whether an account balance, transaction, or disclosure is fairly stated. You test controls that management has implemented to address these assertions.
For example, to test the completeness assertion for revenue, you might examine the control that ensures all shipping documents are matched and recorded in the sales journal. Testing involves a mix of inquiry, observation, inspection of documentation, and reperformance. A key point for the exam is understanding the relationship between control risk and substantive testing. If you find a control to be effective, you may reduce the extent of your substantive procedures (like detailed testing of transactions). Conversely, if a control is ineffective, you must design more robust substantive tests. Remember, you must test both the design and operating effectiveness of controls.
From Deficiencies to Opinion: Evaluating Internal Control
A critical skill is evaluating any control weaknesses you identify. AS 2201 classifies deficiencies based on their severity. A deficiency exists when a control fails to prevent or detect a misstatement. A significant deficiency is a deficiency, or combination of deficiencies, that is less severe than a material weakness yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or combination of deficiencies, such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis.
Your evaluation directly dictates the internal control audit opinion. If no material weaknesses exist, you issue an unqualified opinion on ICFR effectiveness. If one or more material weaknesses are present, you must issue an adverse opinion. The CPA exam frequently tests your ability to distinguish between a significant deficiency and a material weakness based on a scenario. The evaluation considers both the likelihood and the magnitude of a potential misstatement.
Common Pitfalls
- Confusing Integrated Audit Objectives: A common mistake is treating the financial statement audit and the ICFR audit as separate, unrelated tasks. Remember, they are integrated. The work on ICFR informs the financial statement audit strategy, and findings from substantive procedures can reveal control deficiencies. On the exam, avoid answer choices that suggest the audits are performed independently.
- Misapplying the Top-Down Approach: Candidates often incorrectly believe that testing entity-level controls is optional or less important than testing process-level controls. In reality, the top-down approach requires you to start with entity-level controls. If these are weak, you may need to test more at the process level or even conclude that testing certain process controls is unnecessary because the entity-level failures preclude effective ICFR.
- Overlooking the Evaluation of Deficiencies: Simply identifying a control failure is not enough. You must correctly evaluate its severity. A trap is to immediately label any deficiency as a material weakness. Consider the specific facts: Is it a routine or non-routine transaction? What is the potential financial impact? Could other controls compensate for the failure? Your evaluation must be reasoned and graded.
- Ignoring the Role of Walkthroughs: While not a test of control effectiveness itself, performing a walkthrough—tracing a transaction from initiation through recording—is a mandatory procedure under AS 2201. It is used to confirm your understanding of processes and controls. An exam pitfall is to consider walkthroughs as sufficient evidence for operating effectiveness; they are primarily for understanding and identifying potential points of failure.
Summary
- An integrated audit for public companies requires a single engagement resulting in two opinions: one on the financial statements and one on the effectiveness of internal control over financial reporting (ICFR), as mandated by PCAOB AS 2201.
- The audit must follow a top-down risk assessment approach, beginning with the control environment and entity-level controls before drilling down to significant accounts, processes, and the specific controls to be tested.
- Controls are tested at the level of relevant assertions (e.g., existence, completeness) to obtain evidence that they operated effectively throughout the period, which directly impacts the nature and extent of substantive testing for the financial statement audit.
- Identified control weaknesses must be evaluated as a deficiency, significant deficiency, or material weakness; the presence of even one material weakness necessitates an adverse opinion on ICFR.
- For the CPA exam, focus on the interconnected nature of the two audit opinions, the sequential logic of the top-down approach, and the precise definitions used to grade control deficiencies.