Conrming Pages Chapter 18 Integrated Audits of Public Companies Learning objectives After studying this chapter, you should be able to: LO1Describe the nature of an integrated audit. LO2Discuss managements responsibility for reporting on internal control as required by the Sarbanes-Oxley Act of 2002. LO3Describe the audi-tors responsibility for reporting on inter-nal control through integrated audits as required by the Public Company Accounting Oversight Board. LO4Present the auditors approach to analyzing internal control when performing an inte-grated audit. LO5Explain how ndings relating to the audits of internal control and the nancial state-ments may affect one another. LO6Discuss circumstances that require auditors to modify their report on internal control. Inthischapter,weprovideinformationonintegrated auditsbasedontheprovisionsofPublicCompany AccountingOversightBoard(PCAOB) StandardNo.5, AnAuditofInternalControlOverFinancialReporting That Is Integrated with an Audit of Financial Statements. Throughout this chapter, our emphasis is on presenting (1) details on audits of internal control over nancial reportingand(2)informationonhownancialstatementauditsaremodiedwhen theauditorsperformanintegratedaudit.Althoughwehavereferredtointegrated audits earlier in the text, in this chapter we emphasize in detail the nature of a pub-lic company audit. While an integrated audit involves an enhanced consideration of internal control, the nancial statement audits various planning, evidence gathering, andreportingproceduresremainlargelyunchanged.Accordingly,thefocusofthis chapterisonauditsofinternalcontrolovernancialreporting(hereafter,internal control). Overview The Sarbanes-Oxley Act of 2002 requires that, in addition to reporting upon nancial statements, auditors of public companies should also report upon internal control over nancial reporting (hereafter, internal control). Consistently, PCAOB Standard No. 5 recognizes this relationship and states that the internal control and nancial statement audits should be viewed as integrated. Section 404 is composed of two distinct sections. 1Section 404(a), which applies to all public companies, requires that each annual report led with the Securities and Exchange Commission include an internal control report prepared by management in which management acknowledges its responsibility for establishing and maintaining adequate internal control and provides an assessment of internal control efectiveness as of the end of the most recent scal year. Section 404(b), which applies to public companieswithamarketcapitalizationinexcessof$75,000,000,requirestheCPA rmtoauditinternalcontrolandexpressanopinionontheefectivenessofinternal control.Whiletheemphasisofthischapterisontheauditorsresponsibilityunder Section 404(b), we will begin with an overview of managements responsibility. Describethenatureofaninte-grated audit. LO1 1 While we emphasize Section 404 in this chapter, we also incorporate information from Sec-tion 103, which requires auditor reporting on internal control. In addition, other sections of the Sarbanes-Oxley Act are also relevant to the overall area of audits of nancial statements. Sec-tion 302 requires each of a companys principal executives and nancial ofcers to certify the nancial and other information contained in the companys quarterly and annual reports. These certications must indicate that, based on the ofcers knowledge, the nancial statements and other nancial information included in the report fairly present, in all material respects, the nancial condition and results of operations of the company as of, and for, the period pre-sented in the report. Section 906 includes a similar certication requirement but amends the Federal Criminal Code and explicitly sets forth possible criminal penalties for certications that do not comply with the requirements. whi1103X_ch18_696-725.indd 696 07/02/11 3:52 PMConrming PagesIntegrated Audits of Public Companies 697 Managements Responsibility for Internal Control Managementhasalwaysbeenresponsibleformaintainingefectiveinternalcontrol. However,the Sarbanes-OxleyActof2002increasesmanagementsresponsibility fordemonstratingthatcontrolsareefective.AsoperationalizedbytheSecuritiesand Exchange Commission (SEC), management is required to: Accept responsibility for the efectiveness of internal control. Evaluate the efectiveness of internal control using suitable control criteria. Support the evaluation with suf cient evidence. Provide a report on internal control. Managements report and the auditors opinion must be included in Form 10-K, the annual report led with the SEC. The Sarbanes-Oxley Act requires management to per-form the above steps in a meaningful manner to support its report. While the exact word-ing of the report is left to managements discretion, Section 404(a) of the Sarbanes-Oxley Act requires the report to: State that it is managements responsibility to establish and maintain adequate internal control. Identify managements framework for evaluating internal control. Include managements assessment of the efectiveness of the companys internal con-trol over nancial reporting as of the end of the most recent scal period, including a statement as to whether internal control over nancial reporting is efective. Include a statement that the companys auditors have issued an attestation report on managements assessment. For most SEC registrants, passage of Sarbanes-Oxley resulted in a one-time major project of evaluating and improving internal control to allow both management and the auditors toconcludethatthecompanysinternalcontrolisefective.Then,foreachsubsequent yearsreporting,theanalysisisupdated.Theoverallprocessisoneofidentifyingthe signicant controls and testing their design and operating efectiveness. The project is performed either by the company itself or by the company assisted by consultantsoften personnel from a CPA rm that does not audit the companys nan-cialstatements.Thecompanysexternalauditingrmmayprovideonlylimitedassis-tancetomanagementtoavoidasituationinwhichitsassessmentisinessencepartof managements assessment, as well as its own. That is, the CPA rm performing the audit should not create a situation in which management relies in any way on the CPA rms assessment in making its own assessment. As a starting point, the Securities and Exchange Commission, which provides oper-ationalguidanceforimplementingtheSarbanes-Oxleyrequirements,hasadoptedthe following denition for internal control: Managements Evaluation Process and Assessment Discussmanagementsrespon-sibilityforreportingoninternal controlasrequiredbytheSar-banes-Oxley Act of 2002. LO2 Internal control over nancial reporting is a process designed by, or under the supervision of, the companys principal executive and principal nancial ofcers, or persons performing similar func-tions, and affected by the companys board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of nancial reporting and the preparation of nancial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that: 1.Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reect the transactions and dispositions of the assets of the company; 2.Providereasonableassurancethattransactionsarerecordedasnecessarytopermitprepa-rationofnancialstatementsinaccordancewithgenerallyacceptedaccountingprinciples, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and 3.Providereasonableassuranceregardingpreventionortimelydetectionofunauthorized acquisition, use, or disposition of the companys assets that could have a material effect on the nancial statements. whi1103X_ch18_696-725.indd 697 07/02/11 3:52 PMConrming Pages698Chapter Eighteen Managementsreportmustbebasedontheprecedingdenitionofinternalcontrol andmustresultfromanevaluationusinganacceptedcontrolframework.Although notrequired,thecontrolframeworkordinarilyusedisthe InternalControlIntegrated Framework,createdbytheCommitteeofSponsoringOrganizationsoftheTreadway Commission(COSO).TheCOSOframework,discussedindetailinChapter7,isthe internal control framework commonly used in audits of nancial statements. To perform its evaluation and make its assessment, 2 management must understand the concepts of control deciency, signicant deciency, and material weaknessconcepts originally presented in Chapter 7 of this text, although the latter two terms are dened diferentlyforpurposesofanintegratedaudit.Acontroldeciency existswhenthe designoroperationofacontroldoesnotallowmanagementoremployees,inthenor-mal course of performing their functions, to prevent or detect misstatements on a timely basis. Amaterial weakness is a control deciency, or combination of control decien-cies, in internal control over nancial reporting, such that there is a reasonable possibil-ity that a material misstatement of the companys annual or interim nancial statements will not be prevented or detected on a timely basis. A reasonable possibility exists when the likelihood is either reasonably possible or probable as those terms are used in FASB ASC 450-20 Loss Contingencies. A signicant deciency is a control deciency, or a combination of control de-ciencies,ininternalcontrolovernancialreportingthatislessseverethanamaterial weakness, yet important enough to merit attention by those responsible for oversight of the companys nancial reporting. Figures 18.1 and18.2 illustrate relationships among deciencies, signicant decien-cies, and material weaknesses. 2 The evaluation or evaluation process refers to the methods and procedures management implements to comply with the requirements. The assessment is the disclosure required in man-agements report on internal control discussing any material weaknesses and managements assess-ment of the effectiveness of internal control. Deciency SeverityDoes Existence Result in Required Modication of Managements Assessment and Auditors Report?Control DeciencyNot directly considered in denitionOnly if it is a material weaknessSignicant DeciencyLess severe than a material weaknessNoMaterial WeaknessReasonable possibility of a material misstatementYes FIGURE 18.1 Comparison of Control Deciency, Signicant Deciency, and Material Weakness Denitions FIGURE 18.2 Levels of Severity of Control Deciencies Control DeciencyLess than a SignicantDeciencySignicant Deciency Material Weaknesswhi1103X_ch18_696-725.indd 698 07/02/11 3:52 PMConrming PagesIntegrated Audits of Public Companies 699 Inevaluatingthesignicanceofidentieddeciencies,bothquantitativeand qualitativefactorsareconsidered.Quantitativefactorsaddressthepotentialamount ofloss.Qualitativefactorsincludeconsiderationofthenatureoftheaccountsand assertions involved and the possible future consequences of the deciency. Chapters 6and16ofthistextincludediscussionsofqualitativefactorsafectingmateriality judgments. Additionally, the consideration of a control deciency should also include analysis of whethera compensatingcontrol existstoeitherpreventordetectthepossiblemis-statement.Forexample,assumeacompanyhasadeciencyincontrolovercashdis-bursements. The compensating control of reconciliation of cash accounts by a competent individual who is otherwise independent of the cash function might make the likelihood of not detecting a signicant misstatement less than reasonably possible. Therefore, while a deciency might exist, it might not be a signicant deciency or a material weakness due to the existence of a compensating control. Managementmustidentifythesignicantnancialstatementaccountsinorderto evaluatethecontrolsovermajorclassesoftransactions. Majorclassesoftransac-tionsarethosethatmateriallyafectsignicantnancialstatementaccountseither directly through entries in the general ledger or indirectly through the creation of rights or obligations that may or may not be recorded in the general ledger. The overall objective of managements evaluation of internal control is to provide it withareasonablebasisforitsannualassessmentastowhetherthereareanymaterial weaknesses in internal control as of the end of the scal year. How does management go aboutachievingthisobjective?TheSECguidanceisstructuredabouttwobroadprin-ciples(1) evaluating the design of controls to identify controls and risks and (2) evalu-ating the operation of the controls. This is consistent with the internal control coverage throughoutthetextrstconsiderthedesign,andthentheoperatingefectivenessof controls. Evaluating Design Efectiveness of Controls The evaluation process begins with identifying and assessing the risks to reliable nancial reporting. Management then considers whether it has controls placed in operation (imple-mented) that are designed to adequately address those risks. Management ordinarily uses atop-downapproachinwhichitbeginswiththeidenticationofentity-levelcontrols and works down to detailed controls only to the extent necessary. For example, if man-agementdeterminesthatacontrolwithinthecompanysperiod-endnancialreporting process (an entity-level control) is designed to adequately address the risk of a material misstatement of interest expense, management may not need to identify any additional controls related to interest expense. When additional assurance is needed, consideration of additional controls becomes necessary. Since the process auditors go through is simi-lar, we discuss this in greater detail later in the chapter. Evaluating Operating Efectiveness of Internal Control Managementthenevaluatesoperatingefectivenessofcontrolsinthoseareasthat poseahighrisktoreliablenancialreporting.Evidenceonoperatingefectivenessis obtainedfromtestsofcontrolsandfromongoingmonitoringactivitiesrelatedtothe controls. Tests of controls are similar to those performed by nancial statement auditors as described in detail in Chapter 7. Ongoing monitoring includes activities that provide information about the operation of controls. This information is obtained, for example, throughassessmentsmadebyemployees,assessmentsmadebymanagement(referred to asself-assessment procedures), and the analysis of performance measures designed to track the operation of controls (e.g., budgets). Documentation Arequiredpartofmanagementsevaluationprocessisappropriatedocumentationof internalcontrol.Thedocumentationoftenoccursthroughouttheentireevaluation whi1103X_ch18_696-725.indd 699 07/02/11 3:52 PMConrming Pages700Chapter Eighteenprocess. Virtually all of the documentation tools included in Chapters 7 and 8 of this text are relevant for both managements evaluation and the external auditors audit of internal control. Reporting Managements evaluation process culminates with the issuance of managements report oninternalcontrol,whichincludesmanagementsassessment.Ifmanagementbelieves that no material weaknesses exist at year-end, it is able to issue a report concluding that the company maintained efective internal control over nancial reporting. An illustration of such a report is included inFigure 18.3 . In the next section, we will describe the audi-tors process for evaluating and reporting on internal control. The Auditors Responsibility for Reporting on Internal Control in PCAOB Audits The auditors objective in an audit of internal control is to express an opinion on the com-panys internal control over nancial reporting. To meet this objective, the auditors must plan and perform the audit to obtain reasonable assurance about whether material weak-nesses exist as of the date specied in managements assessment. Evidence is gathered on both the design and operating efectiveness of internal control as of the date specied inmanagementsassessmentnormallythelastdayofthecompanysscalyear.The audit may be viewed as consisting of the following ve stages. 1.Plan the engagement. 2.Use a top-down approach to identify controls to test. 3.Test and evaluate design efectiveness of internal control. 4.Test and evaluate operating efectiveness of internal control. 5.Form an opinion on the efectiveness of internal control. Management is responsible for establishing and maintaining adequate internal control over nancial reporting. Carver Companys internal control system was designed to pro-vide reasonable assurance to the companys management and board of directors regard-ing the preparation and fair presentation of published nancial statements. All internal control systems, no matter how well designed, have inherent limitations. Therefore, even a system determined to be effective can provide only reasonable assur-ance with respect to nancial statement preparation and presentation. [ Note: This para-graph is not required. ] We assessed the effectiveness of the companys internal control over nancial reporting as of December 31, 20X4. In making this assessment, we used the criteria set forth by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) inInternal ControlIntegrated Framework. Based on our assessment, we believe that, as of Decem-ber 31, 20X4, the companys internal control over nancial reporting is effective based on those criteria. Carver Companys independent auditors have issued an audit report on our assessment of the companys internal control over nancial reporting. This report appears on page XX. Sally Jones John Hankson Chief Executive OfcerChief Financial Ofcer February 12, 20X5 FIGURE 18.3 Management Report on Internal Control Describe the auditors responsibil-ityforreportingoninternalcon-trolthroughintegratedauditsas requiredbythePublicCompany Accounting Oversight Board. LO3 whi1103X_ch18_696-725.indd 700 07/02/11 3:52 PMConrming PagesIntegrated Audits of Public Companies 701 Asindicatedin Figure18.4 ,theauditorsrstplantheengagement.Ef cientplanning requires coordination with the nancial statement audit. For purposes of both audits, the auditors consider matters related to the clients industry, regulatory matters, the clients business, and any recent changes in the clients operations. The auditors knowledge of a clients internal control at the planning stage of the engagement will difer signicantly depending upon the nature of the client and the auditors experience with that client, and this in turn will afect the scope of the auditors procedures. For example, when the audi-tors have previously performed audits of the client, the auditors begin the integrated audit with more information than in a circumstance in which the company is a new audit client. Accordingly, they only have to perform procedures to update their knowledge. Presenttheauditorsapproachto analyzinginternalcontrolwhen performing an integrated audit. LO4 FIGURE 18.4 An Audit of Internal Control over Financial Reporting CompanyInternalControlManagementsEvaluation ofInternal ControlControl Criteria(ordinarily COSOInternal ControlFramework)Issue AuditorsAttestation ReportPlan theengagementUse a top-down approachto identify controlsto testManagementsreport on internal control(with internal controlassessment)Test and evaluatedesign effectivenessTest and evaluateoperating effectivenessForm an opinion onthe effectiveness ofinternal control overnancial reporting Plan the Engagement whi1103X_ch18_696-725.indd 701 07/02/11 3:52 PMConrming Pages702Chapter Eighteen There is a subtle diference between the auditors consideration of internal control for the audit of internal control as compared to their consideration of internal control in an audit of nancial statements. In the audit of internal control, the focus is on whether inter-nal control is efective at a point in timethe as of datewhich is ordinarily the last day of the clients scal period. To express the internal control opinion, the auditors must obtain suf cient evidence on the efectiveness of controls at the as of date. By itself, this would involve performing tests of controls for a period that is usually signicantly less than the entire year. On the other hand, in a nancial statement audit the consideration of internal control is performed to help plan the audit and to assess control risk for the entire nancial statement period. Therefore, the auditors must perform tests of controls of transactions occurring throughout the year to meet the objective of obtaining suf cient evidence to support the opinion on internal control and assess control risk. This distinc-tion is discussed in more detail later in this chapter. When planning and performing the audit of internal control, the auditors should take into account the results of the nancial statement fraud risk assessment. Specically, the auditors should identify and test controls that address the risk of fraud, including man-agement override of other controls. These controls include those over: Signicantunusualtransactions,particularlythosereportedlateintheperiodand those related to the period-end nancial reporting process. Related party transactions. Signicant management estimates. Incentives for management to falsify or inappropriately manage nancial results. When planning and performing the audit of internal control, the auditors should also recognize internal control diferences between small and large clients. Often these difer-ences are related to the degree of complexity of their operations. For example, when the auditorsareauditingasmallcompany,manycontrolobjectivesmaybeaccomplished through daily interaction of senior management and other company personnel rather than through formal policies and procedures. Because of the extensive involvement of senior management in performing controls and the period-end nancial reporting process, the auditors of a small company should realize that controls to prevent management override are even more important than it is for a large company. Accordingly, for example, while detailed oversight by the audit committee may be an important control for most compa-nies, it may be particularly important for a small company. Figure18.4indicatesthattheauditorsuseatop-downapproachtoidentifycontrols totest.Whatisatop-downapproach?Asindicatedin Figure18.5 ,thetop-down approach starts at the topthe nancial statements and entity-level controlsand links the nancial statement elements and entity-level controls to signicant accounts, relevant assertions, and to the major classes of transactions. The goal is to focus on testing those controlsthataremostimportanttotheauditorsconclusiononinternalcontrol,while avoiding those that are less important. Entity-Level Controls Entity-levelcontrolsoftenarethoseincludedinthecontrolenvironmentormonitoring components of internal control. For example, the portions of the control environment deal-ing with the tone at the top, assignment of authority and responsibility, and corporate codes of conduct have a pervasive efect on internal control. Also, information technology general controlsoverprogramdevelopment,programchanges,andcomputercontrolsoverpro-cessing have a pervasive efect in that they help ensure that specic controls over process-ing are operating efectively. The pervasiveness of entity-level controls distinguishes them Use a Top-Down Approach to Identify Controls to Test 3 3 This terminology is used in PCAOB Standard No. 5. This stage corresponds to obtaining an under-standing of internal control in a nancial statement audit. whi1103X_ch18_696-725.indd 702 07/02/11 3:52 PMConrming PagesIntegrated Audits of Public Companies 703from other controls that are designed to achieve the specic objectives. As an example of a control that is not an entity-level control, consider control of requiring accounting for all shipping documents. This control activity is aimed primarily at assuring the completeness of recorded sales and does not have the pervasive efect of an entity-level control. Entity-level controls relating to audit committee efectiveness, fraud, and the period-end nancial reporting process are particularly emphasized inStandard No. 5. The audit committeeisparticularlyimportantsinceanefectiveauditcommitteeexercisesover-sightresponsibilityoverbothnancialreportingandinternalcontrol.Indeed,inefec-tive audit committee oversight by itself is regarded as a strong indication that a material weakness in internal control exists. PCAOB StandardNo.5alsoemphasizestheneedforcontrolsspecicallyintended to address the risk of fraud. These controls range from entity-level control environment controls, such as an appropriate tone at the top, corporate codes of conduct, and an efec-tive antifraud program, to control activities, such as the reconciliation of cash accounts. Figure 18.6 provides examples of antifraud programs and elements. Theperiod-endnancialreportingprocess(oftenreferredtoasnancialstatement close) is also very signicant. The period-end process involves the procedures used to enter transaction totals into the general ledger through the end of the nancial statement reportingprocess.Auditorsmustthoroughlyevaluatethisprocess,includingtheman-nerinwhichnancialstatementsareproduced,theextentofinformationtechnology involved,whoparticipatesfrommanagement,thelocationsinvolved,andthetypesof adjusting entries and oversight by appropriate parties. Inconsideringentity-levelcontrols,theauditorsshouldbeawarethatcontrolsmay have either an indirect or a direct efect on the likelihood of misstatement. Controls with an indirect efect on the likelihood of misstatement might afect the auditors decisions about the other controls that the auditors select for testing, as well as the nature, timing, and extent of procedures the auditors perform on other controls. For example, a positive tone at the top of the organization may lead to more efective lower level control perfor-mance, yet it does not have a direct efect on the likelihood of misstatement for any par-ticular assertion. Such a control might allow the auditors to decrease the testing of other lower level controls. Controls with a direct efect on the likelihood of misstatement operate at varying levels of precision. Some of these controls might be designed to identify possible breakdowns inlowerlevelcontrolsandoperateatalevelofprecisionthatwouldallowauditorsto reduce,butnoteliminate,thetestingofothercontrols.Asanexample,amonitoring control that detects only relatively large misstatements may fall into this category. When Overall Approach IllustrationFinancialstatementsSignicant accountsand disclosuresRelevantassertionsMajor classes oftransactions andsignicant processesEntity-levelcontrolsVariousothercontrolsBalancesheetAccountsreceivableCompletenessassertionCash receipt andtransactions remittanceprocessCentralizedprocessingDetailed listof cashreceipts FIGURE 18.5 A Top-Down Approach to Testing Internal Control whi1103X_ch18_696-725.indd 703 07/02/11 3:52 PMConrming Pages704Chapter EighteenAntifraud Program or Element Strong Indicator of Signicant DeciencyManagement accountability Senior management conducts ineffective oversight of antifraud programs and controls.Audit committee Audit committee passively conducts oversight.It does not actively engage the topic of fraud.Internal audit Inadequate scope of activities.Inadequate communication, involvement, and interaction with the audit committee.Code of conduct/ethics Nonexistent code or code that fails to address conicts of interest, related party transac-tions, illegal acts, and monitoring by management and the board.Ineffective communication to all covered persons.Whistleblower program* No program for anonymous submissions.Inadequate process for responding to allega-tions of suspicions of fraud.Whistleblower program signicantly defective in design or operation.Hiring and promotion procedures Failure to perform substantive background investigations for individuals being consid-ered for employment or promotion to a posi-tion of trust.Remediation Failure to take appropriate and consistent remedial actions with regard to identied signicant deciencies, material weaknesses, actual fraud, or suspected fraud.* A program for handling complaints and for accepting condential submissions of concerns about questionable accounting, auditing, and other matters (e.g., hotlines). FIGURE 18.6 Entity-Level Antifraud Programs and Elements such a control is operating efectively, it might allow the auditor to reduce, but not elimi-nate, the testing of other controls. Other entity-level controls that have a direct efect on the likelihood of misstatement mightbedesignedtooperateatalevelofprecisionthatwouldadequatelypreventor detect material misstatements to one or more relevant assertions. Such controls may allow theauditortoomittestingadditionalcontrolsrelatingtothatrisk.Monitoringcontrols that identify relatively small misstatements may fall into this category. Note, however, thatthisareahasbeencontroversialassomehaveaskedhowfrequentlysuchcontrols actually exist, and thus allow the elimination of testing of controls beneath the top. Signicant Accounts and Disclosures Asshownin Figure18.5 ,theauditorsmustobtainanunderstandingof signicant accounts and disclosures. An account is signicant if there is a reasonable possibility that it could contain a misstatement that, individually or when aggregated with others, has a material efect on the nancial statements, considering both the risks of understatementandoverstatement.Theassessmentshouldbemadewithoutgivinganyconsideration totheefectivenessofinternalcontrol.Factorsthattheauditorsconsiderindeciding whether an account is signicant include: Size and composition. Susceptibility of loss due to errors or fraud. whi1103X_ch18_696-725.indd 704 07/02/11 3:52 PMConrming PagesIntegrated Audits of Public Companies 705 Volume of activity, complexity, and homogeneity of individual transactions. Nature of the account. Accounting and reporting complexity. Exposure to losses. Possibility of signicant contingent liabilities. Existence of related party transactions. Changes from the prior period. Identifying Relevant Financial Statement Assertions Oncetheyhavedeterminedthesignicantaccountsanddisclosures,theauditorsmust determinewhichnancialstatementassertionsarerelevanttothesignicantaccounts: (1) existence or occurrence; (2) completeness; (3) valuation or allocation; (4) rights and obligations;and/or(5)presentationanddisclosure.Relevantassertionsforanaccount are those that have a meaningful bearing on whether the account is presented fairly. For example, valuation may be very relevant to determining the amount of receivables, but it is not ordinarily relevant to cash unless currency translation is involved. Obtaining a Further Understanding of Likely Sources of Misstatement To further understand the likely sources of potential misstatements, auditors should under-stand the ow of transactions related to the relevant assertions. This understanding allows the auditors to identify points within the companys processes where a material misstate-ment could arise and to identify the controls to prevent or detect these misstatements. Throughout the text (e.g., Chapter 6, Chapters 1116), we have discussed the concept of transaction cycles. Transaction cycles (also referred to as classes of transactions) are those transaction ows that have a meaningful bearing on the totals accumulated in the companyssignicantaccountsand,therefore,haveameaningfulbearingonrelevant assertions. Consider a company whose sales may be initiated by customers either through the Internet or in a retail store. These two types of sales may be viewed as representing two major classes of transactions within the sales process. Although not explicitly discussed in PCAOB Standard No. 5, it is helpful to classify transactions by transaction type routine, nonroutine, or accounting estimates. Routine transactionsareforrecurringactivities,suchassales,purchases,cashreceiptsand disbursements,andpayroll. Nonroutinetransactionsoccuronlyperiodically;they generally are not part of the routine ow of transactions and include transactions such as counting and pricing inventory, calculating depreciation expense, or determining prepaid expenses.Accounting estimates are activities involving managements judgments or assumptions, such as determining the allowance for doubtful accounts, estimating war-ranty reserves, and assessing assets for impairment. Throughouttheauditofinternalcontrol,auditorsmustbeconcernedaboutall threetransactiontypes.However,theauditorsmustbeawarethattheuniquenature ofnon-routinetransactionsandthesubjectivityinvolvedwithaccountingestimate transactionsmakethemparticularlypronetomisstatementunlesstheyareproperly controlled. To understand the likely sources of potential misstatements and as a part of selecting the controls to test, the auditors should: Understand the ow of transactions; Verify points within the companys processes at which a misstatement could arise that could be material; Identifythecontrolsmanagementhasimplementedtoaddressthesepotentialmis-statements; and Identifythecontrolsmanagementhasimplementedtopreventordetectonatimely basis unauthorized acquisition, use, or disposition of the companys assets that could result in a material misstatement. whi1103X_ch18_696-725.indd 705 07/02/11 3:52 PMConrming Pages706Chapter Eighteen FIGURE 18.7 Relationships among Processes, Transaction Types, and Signicant Accounts Examples of Signicant AccountsTransaction Example ProcessesTypesCash Accounts Receivable Allowance for Doubtful AccountsInventoriesInventory Reserves Prepaid Property, Plant, & EquipmentOther AccountsStockholders EquityFinancial statement closeNonroutineXXXXXXXXXCash receiptsRoutineXXX Cash disbursementsRoutineXX PayrollRoutine Inventory costing (CGS)RoutineXX Estimate purchase commitmentsEstimationX Estimate excess and obsolete inventoryEstimationX Lower-of-cost-or-market calculationEstimationX LIFO calculationNonroutineX Physical inventory countNonroutineX Accounts receivable and salesRoutineX Source: Adapted from Ernst & Young, Evaluating Internal Control: Considerations for Documenting Controls at the Process, Transaction, or Application Level, 2003. Figure18.7providesanillustrationoftherelationshipsamongsignicantaccounts, processes, and transaction types emphasizing inventory processes; it presumes one major class of transactions for each process. Selecting Controls to Test Theauditorsshouldtestthosecontrolsthatareimportanttotheirconclusionabout whetherthecompanyscontrolssuf cientlyaddresstheriskofmisstatementforeach relevant assertion. It is not necessary to design tests of all controls. For example, tests of redundantcontrols (thosethatduplicateothercontrols)neednotbedesignedwhen testsoftherelatedcontrolareplanned,unlessredundancyitselfisacontrolobjective. Theauditorsmaydecidetodesigntestsofpreventivecontrols,detectivecontrols,ora combination of both for the various assertions and signicant accounts. Preventive con-trols have the objective of preventing errors or fraud from occurring; detective controls have the objective of detecting errors or fraud that have already occurred. Efective inter-nalcontrolgenerallyinvolveslevelsofcontrolscomposedofacombinationofboth preventive and detective controls. Some controls arecomplementary controls in that theyworktogethertoachieveaparticularcontrolobjective.Whentestsarebeingper-formed related to that control objective, the complementary controls must be tested. A question that arises when a client has multiple locations is: Must the auditors design and perform tests at all locations? The answer is no. In determining the locations at which to perform tests of controls, the auditor should assess the risk of material misstatement to the nancial statements of each location and base the amount of testing on the degree of risk. whi1103X_ch18_696-725.indd 706 07/02/11 3:52 PMConrming PagesIntegrated Audits of Public Companies 707 Performing Walk-throughs While not required, performing walk-throughs may frequently be the most efective way toobtainanunderstandingofthelikelysourcesofmisstatement.A walk-through involves literally tracing a transaction from its origination through the companys infor-mation system until it is reected in the companys nancial reports. Walk-throughs pro-vide the auditors with evidence to: Verify that they have identied points at which a signicant risk of misstatement to a relevant assertion exists. Verifytheirunderstandingofthedesignofcontrols,includingthoserelatedtothe prevention or detection of fraud. Evaluate the efectiveness of the design of controls. Conrm whether controls have been placed in operation (implemented). Becausemuchjudgmentisrequiredinperformingawalk-through,theauditorsshould eitherperformwalk-throughsthemselvesorsupervisetheworkofotherswhoprovide assistance to them (e.g., internal auditors). Whileperformingwalk-throughs,theauditorsaskthoseinvolvedtodescribetheir understanding of the processing involved and to demonstrate what they do. In addition, follow-upinquiriesshouldbemadetohelpidentifyabuseofcontrolsorindicatorsof fraud. Examples of such follow-up inquiries include: What do you do when you nd an error? What kind of errors have you found? What happened as a result of nding the errors, and how were the errors resolved? Have you ever been asked to override the process or controls? If yes, why did it occur and what happened? Theauditorstestthedesignefectivenessofcontrolsbydeterminingwhetherthecom-panys controls, if operating properly, satisfy the companys control objectives and can efectively prevent or detect errors or fraud that could result in material misstatements. The procedures performed here include a combination of inquiry of appropriate person-nel,observationofthecompanysoperations,andinspectionofrelevantdocumenta-tion.Figure 18.8 provides an example of control objectives, risks, and controls using the COSO framework. The auditors specically consider whether the controls, if function-ing, would reduce the risks to an appropriately low level. Testsoftheoperatingefectivenessofacontroldeterminewhetherthecontrolfunc-tions as designed and whether the person performing the control possesses the necessary authorityandqualications.Indecidinghowtodesigntestsofoperatingefectiveness, the auditors must focus on the nature, timing, and extent of the tests. Nature of Tests of Operating Efectiveness Testsofcontrols,intheorderofincreasingpersuasiveness,includeacombinationof inquiries of appropriate personnel, inspection of relevant documents, observation of the companys operations, and reperformance of the application of controls. For example, to evaluate whether the second control objective inFigure 18.8 , the accurate and complete recording of invoices, is achieved, the auditors might use generalized audit software to inspect electronic documents to determine that no gaps exist in the sequence of shipping documents. Also,Standard No. 5 states that the auditors should vary the exact tests per-formed when possible to introduce unpredictability into the audit process. Evaluating responses to inquiries represents a particular challenge in that the responses mayrangefromformalwritteninquiries(e.g.,representationletters)toinformaloral inquiries.Becauseofthepossibilityofmisrepresentationormisunderstandingofthe Test and Evaluate Design Effectiveness of Internal Control over Financial ReportingTest and Evaluate Operating Effectiveness of Internal Control over Financial Reportingwhi1103X_ch18_696-725.indd 707 07/02/11 3:52 PMConrming Pages708Chapter Eighteen FIGURE 18.8 Process: Accounts Receivable Control Objective Risks Controls1.Ensure that all goods shipped are accurately billed in the proper period.Missing documents or incorrect information Use standard shipping or contract terms. Communicate nonstandard shipping or contract terms to accounts receivable department. Identify shipments as being before or after period end by means of a shipping log and prenumbered shipping documents.Improper cutoff of ship-ment at the end of a period2.Accurately record invoices for all authorized shipments and only for such shipments.Missing documents or incorrect information Prenumber and account for shipping documents and sales invoices. Match orders, shipping documents, invoices, and customer information, and follow through on miss-ing or inconsistent information. Mail customer statements periodically and investi-gate and resolve disputes or inquiries by individuals independent of the invoicing function. Monitor number of customer complaints regarding improper invoices or statements.3.Accurately record all authorized sales returns and allowances and only such returns and allowances.Missing documents or incorrect information Authorization of credit memos by individuals inde-pendent of accounts receivable function. Prenumber and account for credit memos and receiving documents. Match credit memos and receiving documents and resolve unmatched items by individuals indepen-dent of the accounts receivable function. Mail customer statements periodically and investi-gate and resolve disputes or inquiries by individuals independent of the invoicing function.Inaccurate input of data4.Ensure continued completeness and accuracy of accounts receivable.Unauthorized input for nonexistent returns, allowances, and write-offs Review correspondence authorizing returns and allowances. Reconcile accounts receivable subsidiary ledger with sales and cash receipts transactions. Resolve differences between the accounts receiv-able subsidiary ledger and the accounts receivable control account.5.Safeguard accounts receivable records.Unauthorized access to accounts receivable records and stored data Restrict access to accounts receivable les and data used in processing receivables.Source: Adapted from Internal ControlIntegrated Framework, Evaluation Tools.responses,inquiryalonedoesnotprovidesuf cientevidencetosupporttheoperating efectiveness of a control. Thus, auditors should substantiate the responses to inquiries by performing other procedures, such as inspecting reports or other documentation relating to the inquiries. Timing of Tests of Controls Testsofcontrolsshouldbeperformedoveraperiodoftimesuf cienttodetermine whether,asofthedatespeciedinmanagementsreport,thecontrolswereoperating efectively.Theauditorsareawarethatsomecontrolsoperatecontinuously(e.g.,con-trols over routine transactions, such as sales), while others operate only periodically (e.g., controls over nonroutine transactions or events, such as the preparation and analysis of monthlyorquarterlynancialstatements).Forcontrolsthatoperateonlyperiodically, it may be necessary to wait until after the date of managements report to test them; for example, controls over period-end nancial reporting normally operate only after the date whi1103X_ch18_696-725.indd 708 07/02/11 3:52 PMConrming PagesIntegrated Audits of Public Companies 709of managements report. The auditors tests can be performed only at the time the con-trols are operating. Extent of Tests of Controls PCAOB StandardNo.5requirestheauditorstoobtainsuf cientevidenceaboutthe efectivenessofcontrolsforallrelevantassertionsrelatedtoallsignicantaccounts. This means that the auditors must design procedures to provide a high level of assurance thatthecontrolsrelatedtoeachrelevantassertionareoperatingefectively.Forman-ual controls, this generally involves more extensive testing than for automated controls. Generally, the more frequently controls operate, the more auditors should test them, and controls that are relatively more important should be tested more extensively. Also, the auditorscannotbesatisedwithless-than-persuasiveevidencebecauseofabeliefthat management is honest. When control exceptions are identied, the auditors should critically assess the nature and extent of testing and consider whether additional testing is appropriate. Also, a con-clusion that an identied control exception does not represent a control deciency is only appropriateifevidencebeyondwhattheauditorshadoriginallyplanned,andbeyond inquiry, supports that conclusion. The issue of evaluating exceptions will be described in more detail later in this chapter. Can auditors use the work of othersinternal auditors, company personnel, and third partiesintheauditofinternalcontrol?Forexample,ifclientpersonnelhavealready performedcertainproceduresthattheauditorshadintended,maytheauditorsusethat work?TheanswerisyesbecausePCAOB StandardNo.5allowsauditorstousethe work of others. It is expected that the work of others used by the auditors will often be related to relatively low-risk areas. In any event, the auditors must understand that when theyusetheworkofotherstheyremainresponsiblefortheiropinionandtheycannot share responsibility with those others. In all cases in which the work of others is used, the auditors should evaluate the competence and objectivity of those individuals and test the work they have performed. Anotherissuerelatestothedegreetowhichauditorsmustretestcontrolsindetail each year. In audits subsequent to the rst year, auditors should incorporate knowledge obtained during past audits of internal control. Using this cumulative audit knowledge (knowledgeobtainedfromprioraudits),theauditorsoftenmaybeabletoreducethe amount of work performed. In making decisions as to the necessary testing, the auditors should consider the various risk factors related to a control as well as: The nature, timing, and extent of procedures performed in previous audits, The results of the previous years testing of the control, and Whether there have been changes in the control, or the signicant process in which it operates, since the previous audit. Illustrative Case Frequency of Testing One CPA rm provided the following guidance to its auditors as to frequency of testing:Frequency of ControlSuggested Number of Items to TestAnnual1Quarterly2Monthly36Weekly1020Daily2040Multiple times per day3060whi1103X_ch18_696-725.indd 709 07/02/11 3:52 PMConrming Pages710Chapter Eighteen To illustrate, assume that a control presents a low risk overall in that there is a low inher-entrisk,alowdegreeofcomplexity,fewchangesincontrols,andthepreviousyear revealed no deciencies. In such a case, the auditors may determine that suf cient evi-denceofoperatingefectivenesscouldbeobtainedbyperformingawalk-through.In addition, the auditors may use the work of others to a greater extent than in the past. But, on an overall basis, the auditors must test controls every year and cannot rotate analysis of various transaction types between various years (e.g., consider controls over sales this year, and purchases next year). Relationship between Tests of Controls Performed for the Internal Control Audit and Those Performed for the Financial Statement Audit Are the types of tests of controls performed for an internal control audit the same as those performedforanancialstatementaudit?Maytheevidencefromtestsperformedforan internal control audit be used for the nancial statement audit? While the answer to both of these questions is yes, the auditors must consider the diferences in the objectives of the tests. The objective of tests of controls in an audit of internal control is to obtain evidence about the efectiveness of controls to support the auditors opinion on whether manage-mentsassessmentoftheefectivenessofinternalcontrol,takenasawhole,isfairly stated as of a point in time. Accordingly, to express this opinion the auditors must obtain evidence about the efectiveness of controls over all relevant assertions for all signicant accounts and disclosures in the nancial statements. The objective of tests of controls for a nancial statement audit is to assess control risk. If the auditors decide to assess control risk at less than the maximum, they are required to obtain evidence that the relevant controls operated efectively during the entire period upon which they plan to place reliance on those controls. However, the auditors are not required to assess control risk at less than the maximum for all assertions. How may these two diferent approaches for tests of controls be reconciled in an inte-grated audit? PCAOB Standard No. 5, for purposes of the internal control audit, allows the auditors to obtain evidence about operating efectiveness at diferent times throughout the yearprovided that the auditors update those tests or obtain other evidence that the controls stilloperatedefectivelyattheendoftheyear.Thus,althoughthetimingforissuingthe internal control report will not ordinarily require tests from throughout the year, the inte-grated nature of the two audits suggests that testing should be spread throughout the year. The requirements of Standard No. 5 have had the efect of pushing auditors to perform nancial statement audits using the systems approachan approach with heavy reliance on internal control evidence. In essence, since extensive tests of controls are required for each signicant account for the internal control audit, the auditors should have signicant evidence about the efectiveness of internal control for the nancial statement audit. The auditors generally must merely extend the tests to cover the nancial statement period in order to assess control risk at a low level for purposes of the nancial statement audit. Efect of Tests of Controls on Financial Statement Audit Substantive Procedures Historically,toenhanceauditef ciencyandefectiveness,auditorsoftenhaveuseda substantiveauditapproachthatisnotacceptableforintegratedaudits.Auditorshave traditionallyreliedprimarily(orcompletely)onevidencefromsubstantiveprocedures ratherthantestingcontrolsinauditareaswhenasubstantiveapproachwasconsidered the most cost-efective approach. To illustrate, when only a nancial statement audit is being performed, auditors often rely heavily upon substantive procedures to audit areas such as property, plant, and equipment; investments; and long-term debt. Since auditors must now report on the efectiveness of internal control, approaches limiting the testing of controls are not acceptable. Historically, another ef ciency that has developed in nancial statement audits is min-imizingthetestingofcontrolsaimedat preventivecontrols(e.g.,transactionlevel controls),andemphasizingthetestingof detectivecontrols(e.g.,varioustypesof reconciliationsandexceptionreports).Whenauditorsexpressanopiniononinternal Explainhowndingsrelatingto theauditsofinternalcontroland the nancial statements may afect one another. LO5 whi1103X_ch18_696-725.indd 710 07/02/11 3:52 PMConrming PagesIntegrated Audits of Public Companies 711control, the auditors are more likely to use an approach that includes testing of both pre-ventive and detective controls. Sinceanintegratedauditrequirestestsofcontrolsforallmajoraccountsandrelevant assertions, circumstances in which controls are found to be efective will lead to a decreased scope of substantive procedures as compared to a situation in which tests of controls have revealed an inefective system or a situation in which tests of controls have not been per-formed. However, when signicant deciencies or material weaknesses have been identi-ed, the auditors must obtain assurance that such deciencies have not resulted in undetected material misstatements. As an example, if controls over the recording of revenues are con-sidered inefective, the auditors must determine whether the audit procedures designed into their audit program must be modied to obtain more evidence about the fairness of revenue. The extensive level of controls testing performed during an integrated audit leads to thequestionofwhethersubstantivetestsmaybeomittedcompletelyinareasinwhich controls have been found to operate efectively. This is not acceptable. Regardless of the assessedlevelofcontrolrisk,theauditorsmustperformsubstantiveproceduresforall relevant assertions related to all signicant accounts and disclosures. Efect of Financial Statement Substantive Procedures on the Audit of Internal Control Wehaveshownthattheauditofinternalcontrolmayafectthescopeofsubstantive procedures performed for the nancial statement audit. Alternatively, the results of sub-stantive procedures may afect the audit of internal control. The ndings obtained while performing substantive procedures in the nancial statement audit may provide evidence oftheefectivenessorinefectivenessofinternalcontrolovernancialreporting.For example, identication of a material misstatement in the nancial statements is consid-ered indicative of at least a signicant deciency in internal control. Additional examples ofsubstantiveproceduresndingsthatmightafecttheinternalcontrolauditarethose relating to illegal acts, related party transactions, the reasonableness of accounting esti-mates, and the clients overall selection of accounting principles. In forming an opinion on internal control over nancial reporting, the auditors evaluate all evidence, including: 1.The results of their evaluation of the design, 2.The results of tests of the operating efectiveness of controls, 3.Negativeresultsofsubstantiveproceduresperformedduringthenancialstatement audit, and 4.Any identied control deciencies. Form an Opinion on the Effectiveness of Internal Control over Financial Reporting Itispossibletousestatis-ticalattributesampling (presentedinChapter9)to considercontroldeciencyseriousness.Consideracontrol over authorization of sales transactions: 1% = Deviation rate in the auditors sample 6% = Achieved upper deviation rate 5% = Risk of assessing control risk too low Ifonefurtherassumesthat$3,000,000ofthetransaction typeoccurred,theauditormayestimatethat$180,000 (6% $3,000,000) worth of transactions may not have been properlyapproved.Thatis,thereislessthanareasonable possibilitythat$180,000intransactionswerenotproperly approved. If one assumes that $180,000 is material, the deciency representsamaterialweakness.Alternatively,ifitisnot consideredquantitativelymaterial,anauditormustjudg-mentallydeterminewhetheritrepresentsasignicant deciency that should be communicated to the audit com-mittee. Note, however, that the auditors must also take into account qualitative considerations. Illustrative Case Using Attributes Sampling to Consider Control Deciencies whi1103X_ch18_696-725.indd 711 07/02/11 3:52 PMConrming Pages712Chapter Eighteen An unqualied audit opinion may be issued when no material weaknesses in internal control have been identied as existing at the as of date (year-end) and when there have been no restrictions on the scope of the auditors work. The auditors may issue separate reports on the nancial statements and internal control or a combined report.Figure 18.9 is an example of a separate report on internal control. Oneormorematerialweaknessesininternalcontrolresultinanadverseopinion. 4 Scope limitations may result in either a disclaimer or withdrawal from the engagement depending on the extent of the limitation. Determining whether deciencies have been identied and, if so, the likelihood and potential amount of misstatement is key to identifying the proper opinion to issue. If no deciencieshavebeenidentiedandnoscopelimitationsareinvolved,anunqualied opinion is appropriate. Evaluating Deciencies Theauditorsmustevaluatewhetheridentiedcontroldeciencies,individuallyorin combination, are signicant deciencies or material weaknesses. This involves a consid-eration of both quantitative and qualitative factors. Whenadeciencyhasbeenidentied,theauditorswillconsiderwhetheranyother controlsefectivelymitigatetheriskofpotentialmisstatementandcreateasituationin which the deciency is not signicant or, at least, does not constitute a material weak-ness. Earlier in this chapter, we used the example of a weakness in cash disbursements that was mitigated by the compensating control of reconciliation of the bank account by an individual otherwise independent of the cash function. Such a compensating control might cause the auditors to alter their assessment of a deciencyreducing it from one thatotherwisewouldbeconsideredsignicant(oramaterialweakness)toonethatis simply a control deciency. In evaluating the potential amount of misstatement related to a control deciency, the auditors should consider not only the misstatements identied, but also the amount that could occur with a reasonable possibility. Although there are various possible approaches to this evaluation, one is to directly consider whether a reasonable possibility exists that amaterialamountofmisstatementcouldoccur.Ifthatisthecase,thedeciencyisa materialweakness.Alternatively,ifthedeciencyislessseverethanamaterialweak-ness, yet important enough to merit the attention by those responsible for oversight of the companys nancial reporting (ordinarily the audit committee), the deciency represents a signicant deciency. The auditors must also consider qualitative factors when evaluating materiality, as is the case with nancial statement audits. Examples of qualitative factors include whether theweaknessrelatestorelatedpartytransactionsandwhethertherearechangesin account characteristics in relation to the prior year. Chapter 6 presents additional infor-mation on qualitative factors that are used by the auditors. In essence, the auditors should attempt to determine what a prudent of cial in the conduct of his or her own afairs would consider a signicant deciency and a material weakness. While a material weakness in internal control can arise in a wide variety of situations, PCAOBStandard No. 5 provides the following indicators of material weaknesses: Identication of fraud, whether or not material, on the part of senior management. Restatementofpreviouslyissuednancialstatementstoreectthecorrectionofa material misstatement. Identication by the auditors of a material misstatement in circumstances that indicate that the misstatement would not have been detected by the companys internal control. Inefective oversight of the companys external nancial reporting and internal control by the companys audit committee. Discusscircumstancesthat requireauditorstomodifytheir report on internal control. LO6 4 Notice that this is different from reports on audits of nancial statements. In an audit of nancial statements, a departure from generally accepted accounting principles results in either a qualied opinion or an adverse opinion based on materiality. whi1103X_ch18_696-725.indd 712 07/02/11 3:52 PMConrming PagesIntegrated Audits of Public Companies 713Report of Independent Registered Public Accounting FirmTo the Audit Committee and Stockholders of Carver Company:[Introductory paragraph]We have audited Carver Companys internal control over nancial reporting as of December 31, 20X8, based on criteria established in Internal ControlIntegrated Framework issued by the Committee of Sponsoring Organiza-tions of the Treadway Commission (COSO). Carver Companys management is responsible for maintaining effective internal control over nancial reporting, and for its assessment of the effectiveness of internal control over nancial reporting, included in the accompanying [title of managements report]. Our responsibility is to express an opinion on the companys internal control over nancial reporting based on our audits.[Scope paragraph]We conducted our audit in accordance with the standards of the Public Company Accounting Oversight Board (United States). Those standards require that we plan and perform the audit to obtain reasonable assurance about whether effective internal control over nancial reporting was maintained in all material respects. Our audit included obtaining an understanding of internal control over nancial reporting, assessing the risk that a material weakness exists, and testing and evaluating the design and operating effectiveness of internal control based on the assessed risk. Our audit also included performing such other procedures as we considered necessary in the circum-stances. We believe that our audit provides a reasonable basis for our opinion.[Denition paragraph]A companys internal control over nancial reporting is a process designed to provide reasonable assurance regard-ing the reliability of nancial reporting and the preparation of nancial statements for external purposes in accor-dance with generally accepted accounting principles. A companys internal control over nancial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of nancial statements in accordance with gen-erally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the companys assets that could have a material effect on the nancial statements.[Inherent limitations paragraph]Because of its inherent limitations, internal control over nancial reporting may not prevent or detect misstate-ments. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or proce-dures may deteriorate.[Opinion paragraph]In our opinion, Carver Company maintained, in all material respects, effective internal control over nancial reporting as of December 31, 20X8, based on criteria established in Internal ControlIntegrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).[Explanatory paragraph]We have also audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States), the balance sheets of Carver Company as of December 31, 20X8 and 20X7, and the related state-ments of income, shareholders equity and comprehensive income, and cash ows for each of the three years for the period ended December 31, 20X8, of Carver Company. Our report, dated February 12, 20X9, expressed an unqualied opinion.Willington & Co., CPAsBisbee, Arizona, United States of America February 20X9 FIGURE 18.9 Report with Standard Unqualied Opinion on Internal Control over Financial Reporting whi1103X_ch18_696-725.indd 713 07/02/11 3:52 PMConrming Pages714Chapter Eighteen Correcting a Material Weakness Recall that the audit report is modied for material weaknesses that exist at the as of date (year-end).Considerasituationinwhichfourmonthspriortoyear-endmanagement identies a material weakness. If management corrects this weakness prior to year-end, cantheauditorsissueanunqualiedopiniononinternalcontrol?Yes,butonlyifthe auditorshavesuf cientevidencetoprovidereasonableassurancethatthenewcontrol isoperatingefectively.Obtainingsuchevidenceismucheasierforcontrolsthatoper-ate frequently, in contrast to those that operate only monthly or quarterly (e.g., nancial statementclose).Allinall,thetimingoftheidenticationofthematerialweaknessis very important. For example, if the material weakness is not identied until after year-end, an adverse opinion must be issued even if the weakness is corrected: The control did not operate efectively on the date of managements report. Existence of a Material Weakness A material weakness in internal control that exists at year-end results in the issuance of an adverse opinion. When expressing an adverse opinion, the auditors report must dene a material weakness, indicate that one has been identied, and refer to the description of it in managements report. Figure 18.10 provides an example of an adverse opinion. Scope Limitations Ifarestrictiononthescopeoftheauditisimposedbythecircumstances,theauditors should withdraw from the engagement or disclaim an opinion. Earlier we discussed the situation in which the auditors identify a material weakness and management takes steps to correct that material weakness prior to year-end. If the auditors are unable to obtain suf cient evidence that the new controls are efective for a suf cient period of time, they will issue a disclaimer of opinion on internal control. Managements Report on Internal Control Is Incomplete or Improperly Presented When managements report on internal control (including its assessment) is found to be inadequate, the auditors should modify their report to include an explanatory paragraph describing the reasons for this determination. If management does not disclose a material weakness properly, the auditors should state that the material weakness is not included in managements assessment and describe it in the audit report. Note that the auditors report is already adverse due to the existence of a material weakness. In this situation, the auditors also are required to communicate in writing to the audit committee that the mate-rialweaknesswasnotdisclosedoridentiedasamaterialweaknessinmanagements report. Figure18.11summarizesreportingforthisandtheprecedingcircumstances described in this section. Audit Report Modications (Paragraphs 14 and the nal paragraph are identical to Figure 18.9 standard unqualied report)[Explanatory paragraph]A material weakness is a control deciency, or a combination of control deciencies, in internal control over nan-cial reporting, such that there is a reasonable possibility that a material misstatement of the companys annual or interim nancial statements will not be prevented or detected on a timely basis. A material weakness was identied and is described in managements assessment of internal control. That material weakness relates to [describe the material weakness, including its actual and potential effect on the nancial statements].[Opinion paragraph]In our opinion, because of the effect of the material weakness described above on the achievement of the objec-tives of the control criteria, Carver Company has not maintained effective internal control over nancial reporting as of December 31, 20X8, based on criteria established in Internal ControlIntegrated Framework issued by the Commit-tee of Sponsoring Organizations of the Treadway Commission (COSO). FIGURE 18.10 Abstract of Report with Adverse Opinion on Internal Control over Financial Reporting whi1103X_ch18_696-725.indd 714 07/02/11 3:52 PMConrming PagesIntegrated Audits of Public Companies 715 Reliance on Other Auditors Whenotherauditorshaveperformedaportionoftheaudit,theauditorsmustdecide whether they are able to serve as the principal auditors. The considerations and reporting requirements are essentially the same as when other auditors are involved in the nancial statement audit. The auditors who are able to serve as the principal auditors of the nan-cialstatementsordinarilyalsoserveasprincipalauditorsofinternalcontrol.Whenthe principal auditors decide to refer in their report to the work of the other auditors, this ref-erence is included both in describing the scope of the audit and in expressing the opinion. Subsequent Events Subsequenteventsrelevanttotheinternalcontrolauditarechangesininternalcontrol subsequenttoyear-endbutbeforethedateoftheauditorsreport.Theauditorshave aresponsibilitytomakeinquiriesofmanagementaboutwhethertherehavebeenany such changes. If the auditors obtain knowledge of subsequent events that materially and adversely afect the efectiveness of internal control, they should issue an adverse opin-ion. If the auditors are unable to determine the efect of the subsequent event, they should disclaim an opinion. Issuing a Combined Report on the Financial Statements and Internal Control PCAOB StandardNo.5allowsauditorstoeitherissueseparatereportsontheiraudits of the nancial statements and internal control or issue one combined report. The illus-trationsinthischapterhavebeenbasedonseparatereports. Figure18.12providesan illustration of a combined unqualied report on both the nancial statements and internal control. PCAOBStandard No. 5 requires that auditors communicate in writing to management all control deciencies, regardless of their severitythis includes material weaknesses, sig-nicant deciencies, and other deciencies. In addition, a written communication to the audit committee must be issued that includes material weaknesses, signicant decien-cies, and an indication that all deciencies have been communicated to management. The writtencommunicationsonweaknessestobothmanagementandtheauditcommittee should be made prior to issuance of the audit report on internal control. In addition, when the auditors conclude that the oversight of the companys external nancial reporting and internal control over nancial reporting is inefective, they must communicate that conclusion in writing to the board of directors. Other Communication Requirements Circumstance Auditors OpinionMaterial Weakness Exists AdverseMaterial Weakness Existed during Year, System Changed Prior to the As of DateAuditors test new system and material weakness eliminated UnqualiedAuditors do not have sufcient time to test new system Treat as scope restrictionScope Restriction* Disclaimer or Withdraw from EngagementManagements Report on Internal Control Is Incomplete or Improperly PresentedReport does not acknowledge a material weakness identied by the auditorAdverseOther Issues Unqualied (but with an explanatory paragraph)* If the auditors intend to issue a disclaimer of opinion, yet know of a material weakness, the material weakness should be described in the report. FIGURE 18.11 Circumstances Afecting Auditors Opinion on Internal Control whi1103X_ch18_696-725.indd 715 07/02/11 3:52 PMConrming Pages716Chapter EighteenReport of Independent Registered Public Accounting FirmTo the Audit Committee and Stockholders of Carver Company[Introductory paragraph]We have audited the accompanying balance sheets of Carver Company as of December 31, 20X8 and 20X7, and the related statements of income, stockholders equity and comprehensive income, and cash ows for each of the years in the three-year period ended December 31, 20X8. We also have audited Carver Companys internal control over nancial reporting as of December 31, 20X8, based on [Identify control criteria: for example, criteria established in Internal ControlIntegrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)]. Carver Companys management is responsible for these nancial statements, for maintain-ing effective internal control over nancial reporting, and for its assessment of the effectiveness of internal control over nancial reporting included in the accompanying [title of managements report]. Our responsibility is to express an opinion on these nancial statements and an opinion on the companys internal control over nancial reporting based on our audits.[Scope paragraph]We conducted our audits in accordance with the standards of the Public Company Accounting Oversight Board (United States). Those standards require that we plan and perform the audits to obtain reasonable assurance about whether the nancial statements are free of material misstatement and whether effective internal control over nancial reporting was maintained in all material respects. Our audits of the nancial statements included exam-ining, on a test basis, evidence supporting the amounts and disclosures in the nancial statements, assessing the accounting principles used and signicant estimates made by management, and evaluating the overall nancial statement presentation. Our audit of internal control over nancial reporting included obtaining an understanding of internal control over nancial reporting, assessing the risk that a material weakness exists, and testing and evalu-ating the design and operating effectiveness of internal control based on the assessed risk. Our audits also included performing such other procedures as we considered necessary in the circumstances. We believe that our audits pro-vide a reasonable basis for our opinions.[Denition paragraph]A companys internal control over nancial reporting is a process designed to provide reasonable assurance regard-ing the reliability of nancial reporting and the preparation of nancial statements for external purposes in accor-dance with generally accepted accounting principles. A companys internal control over nancial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of nancial statements in accordance with gen-erally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the companys assets that could have a material effect on the nancial statements.[Inherent limitations paragraph]Because of its inherent limitations, internal control over nancial reporting may not prevent or detect misstate-ments. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or proce-dures may deteriorate.[Opinion paragraph]In our opinion, the nancial statements referred to above present fairly, in all material respects, the nancial position of Carver Company as of December 31, 20X8 and 20X7, and the results of its operations and its cash ows for each of the years in the three-year period ended December 31, 20X8, in conformity with accounting principles generally accepted in the United States of America. Also in our opinion, Carver Company maintained, in all material respects, effective internal control over nancial reporting as of December 31, 20X8, based on [identify control crite-ria: for example, criteria established in Internal ControlIntegrated Framework issued by the Committee of Sponsor-ing Organizations of the Treadway Commission (COSO)].Willington & Co., CPAsBisbee, Arizona, United States of America February 20X9 FIGURE 18.12Combined Report with Standard Unqualied Opinion on Financial Statements and Internal Control over Financial Reporting whi1103X_ch18_696-725.indd 716 07/02/11 3:52 PMConrming PagesIntegrated Audits of Public Companies 717 After the existence of a material weakness has led to an adverse opinion in an internal controlauditreport,thecompanyisordinarilymotivatedtoeliminatetheweaknessas quicklyasisreasonablypossible.Whenmanagementbelievesthatthematerialweak-ness has been eliminated, the auditors may be engaged to report on whether the material weaknesscontinuestoexist.PCAOB StandardNo.4,ReportingonWhetheraPrevi-ously Reported Material Weakness Continues to Exist, provides the guidance for such engagements. Toengagetheauditorstoperformthisservice,managementmustrstgathersuf-cient evidence to demonstrate that the material weakness has been eliminated, docu-ment this evidence, and provide a written assertion stating that the material weakness no longer exists. The auditors then plan and perform an engagement that focuses on con-trols that are relevant to the particular weakness. If they determine that the controls are now efective, the auditors may issue an unqualied report indicating that the material weakness no longer exists. PCAOB Standard No. 4 provides other reporting guidance, including: Asignicantscopelimitationontheauditorsproceduresshouldresultineithera disclaimerofopinionortheresignationoftheauditors(qualiedopinionsarenot allowed). Whentheauditorsoriginalreportincludesothermaterialweaknessesthatarenot being considered in this engagement, the report should be modied to disclose that the other weaknesses are not addressed by the opinion. After a change in auditors, the successor auditors may issue such a report, but they rst must obtain a suf cient understanding of the entity and the related material weakness. If,whileperformingtheengagement,theauditorsdiscoveranadditionalmaterial weakness, the auditors should inform the audit committee about the matter, but they are not required to modify their report. While nonpublic companies are not required to undergo integrated audits, the option is available. As an example, management may be considering taking the company public in the relatively near future and might choose to undergo such an audit. Attestation standard AT501providesguidanceforperformingtheinternalcontrolportionofanintegrated audit for a nonpublic company. The procedures for a nonpublic integrated audit are very similar to those for a public companythatwehaveemphasizedthroughoutthischapter.Accordingly,wewillnot provideextensivedetail,butwillsimplysummarizesignicantdiferencesasshown below. Integrated Audits for Nonpublic Companies Reporting on Whether a Previously Reported Material Weakness Continues to Exist Issue PCAOB Standard 5 AT 501Title of the engagement? Audit ExaminationReport on subject matter and/or assertion?Only on subject matter Subject matter or assertion when no material weakness exists; when a material weak-ness exists, subject matterMay the report issued indicate that no mate-rial weaknesses were identied?Yes NoWhich standards are followed by the CPA as indicated in the report?PCAOB Standards Attestation standards estab-lished by the AICPAwhi1103X_ch18_696-725.indd 717 07/02/11 3:52 PMConrming Pages718Chapter Eighteen This chapter explained the nature of integrated audits of public companies performed in responsetotheSarbanes-OxleyActof2002andinaccordancewithPublicCompany Accounting Oversight Board Standard No. 5. To summarize: 1.Section 404(a) of the Sarbanes-Oxley Act requires management to acknowledge its responsibility for establishing and maintaining adequate internal control and provide an assessment of internal control efectiveness as of the end of the most recent scal year. 2.Section 404(b) of the Sarbanes-Oxley Act requires the auditors to provide an opinion on the efectiveness of internal control. 3.Material weaknesses involve a reasonable possibility that a material misstatement of thenancialstatementswillnotbepreventedordetectedonatimelybasis.Signi-cantdecienciesarelessseverethanmaternalweaknesses,yetimportantenoughto merit attention by those responsible for oversight of the companys nancial reporting. 4.Anintegratedauditincludesanauditreportonboththenancialstatementsand internal control. To issue such a report, the auditors perform procedures to test con-trols over all signicant accounts, as well as substantive tests to support their opinion on the fairness of the nancial statements. 5.Internal control audit reports are modied for a material weakness that exists at year-end. The report issued includes an adverse opinion indicating that efective internal control does not exist. If the scope of the auditors work is limited, they should issue a disclaimer of opinion, or withdraw from the engagement. 6.After a client has remediated a material weakness that led to an adverse report, audi-tors may be engaged to attest to the elimination of the material weakness. Chapter Summary Accounting estimate (705) A transaction involving managements judgments or assumptions, such as determining the allowance for doubtful accounts, establishing warranty reserves, and assessing assets for impairment. Asofdate(702) Anauditofinternalcontrolovernancialreportingassessesinternalcontrolas of a particular point in time, the as of date, as opposed to the entire period under audit. This date is ordinarily the last day of the clients scal period. Compensatingcontrol(699) Acontrolthatreducestheriskthatanexistingorpotentialcontrol weakness will result in a failure to meet a control objective (e.g., avoiding misstatements). Compensating controls are ordinarily controls performed to detect, rather than prevent, the misstatement from occurring. For example, a reconciliation of the bank account performed by an individual otherwise independent of the cash function serves to detect a variety of possible misstatements (both errors and fraud) that may have occurred in the processing of cash receipts and disbursements. Complementary controls (706) Controls that function together to achieve the same control objective (e.g., avoiding misstatements). Controldeciency(698) Aweaknessinthedesignoroperationofacontrolthatdoesnotallow managementoremployees,inthenormalcourseofperformingtheirfunctions,topreventordetect misstatements on a timely basis. Detective controls (710) Policies and procedures that are designed to identify errors or fraud after they have occurred. Detective controls can be applied to groups of transactions (e.g., bank reconciliations). Integrated audit (under PCAOB Standard No. 5 )(696) An audit that includes audit reports on both a companys internal control over nancial reporting and the nancial statements. Major classes of transactions (699) Those transaction ows that have a meaningful bearing on the totals accumulated in the companys signicant accounts and, therefore, have a meaningful bearing on relevant assertions. Materialweakness(698) Acontroldeciency,oracombinationofcontroldeciencies,ininternal control over nancial reporting, such that there is a reasonable possibility that a material misstatement of the companys annual or interim nancial statements will not be prevented or detected on a timely basis. Key Terms Introduced or Emphasized in Chapter 18 whi1103X_ch18_696-725.indd 718 07/02/11 3:52 PMConrming PagesIntegrated Audits of Public Companies 719 Nonroutinetransaction(705) Atransactionthatoccursonlyperiodically,suchascountingand pricing inventory, calculating depreciation expense, or determining prepaid expenses. Preventive controls (710) Procedures designed to prevent an error or fraud. Preventive controls are normally applied at the individual transaction level. Redundant controls (706) Duplicate controls that both achieve a control objective. Routine transaction (705) A transaction for a recurring nancial activity recorded in the accounting records in the normal course of business, such as sales, purchases, cash receipts, cash disbursements, and payroll. Sarbanes-Oxley Act of 2002 (697) An act passed by the U.S. Congress to protect investors from the possibility of fraudulent accounting activities by corporations by improving the accuracy and reliability of corporate disclosures. Section404(696) TheprimarysectionoftheSarbanes-OxleyActdealingwithmanagementand auditor reporting on internal control over nancial reporting. Section 404(a) requires that each annual report led with the Securities and Exchange Commission include an internal control report prepared by management in which management acknowledges its responsibility for establishing and maintaining adequate internal control and an assessment of internal control efectiveas of the end of the most recent scal year. Section 404(b) requires that the CPA rm attest to and report internal control. Signicant account (704) An account for which there is a reasonable possibility that it could contain misstatementsthatindividually,orwhenaggregatedwithothers,couldhaveamaterialefectonthe nancial statements. Signicant deciency (698) A deciency, or a combination of deciencies, in internal control over nancial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the companys nancial reporting. Walk-through (707) A procedure in which an auditor follows a transaction from origination through the companys processes, including information systems, until it is reected in the companys nancial records,usingthesamedocumentsandinformationtechnologythatcompanypersonneluse.Walk-throughproceduresusuallyincludeacombinationofinquiry,observation,inspectionofrelevant documentation, and reperformance of controls. Review Questions 181.Section 404 of the Sarbanes-Oxley Act of 2002 includes two sections. Describe those sections. 182.Identify managements four overall responsibilities with respect to internal control over nan-cial reporting that arise due to the Securities and Exchange Commissions implementation of the Sarbanes-Oxley Act of 2002. 183.What information must be included in managements report on internal control over nancial reporting in the annual report led with the Securities and Exchange Commission? 184.Describe the diference between a signicant deciency and a material weakness in internal control. 185.Comment on the accuracy of the following statement: Since both signicant deciencies and material weaknesses must be reported to the audit committee, for practical purposes, there is no distinction between the two. 186.What is meant by the as of date when reporting on internal control over nancial reporting? 187.What is a compensating control? 188.Provide examples of antifraud programs that the auditors might expect the client to have. 189.Describe what is meant by a walk-through. Must walk-throughs be performed during audits ofinternalcontrolovernancialreporting?Maytheclientperformawalk-throughandthe auditors then review the clients work? 1810.Whileperformingawalk-through,auditorsordinarilymakecertaininquiriesofemployees. Provide three examples of such inquiries. 1811.Auditors often perform walk-throughs in integrated audits. Describe the evidence that is typi-cally provided by a walk-through. 1812.Whenperforminganauditofinternalcontrolovernancialreporting,auditorsmaydistin-guishamongthefollowingtypesoftransactions:routine,nonroutine,andaccountingesti-mates. Distinguish between these three types of transactions and give an example of each. 1813.When performing an integrated audit, auditors must identify signicant accounts and disclo-sures.Whatmakesanaccountsignicant?Whatfactorsshouldbeconsideredindeciding whether an account is signicant? whi1103X_ch18_696-725.indd 719 07/02/11 3:52 PMConrming Pages720Chapter Eighteen1814.A client operates out of 25 locations. Must the CPA perform tests related to internal control at each of these locations? 1815.Comment on the following: Auditors must decide, based on cost considerations, whether to test the design efectiveness or operating efectiveness of controls. 1816.Provide an example of a situation in which the design of controls may be efective but those controls do not operate efectively. 1817.Comment on the following: Inquiry alone does not provide suf cient evidence to support the operating efectiveness of a control. 1818.Commentonthefollowing:Allcontrolsshouldbetestedeitherpriortoorontheasof date. 1819.What requirements exist when the auditors use the work of client personnel as a part of the evidenceobtainedforanauditofinternalcontrol?Inwhichareasoftheauditwouldone expect this to be most likely to occur? 1820.Provide an example of a situation in which the performance of substantive procedures for the nancial statement audit might afect the internal control audit. 1821.Provide an example of a situation in which the performance of tests of controls for the internal control audit might afect the performance of substantive procedures in a nancial statement audit. 1822.Distinguishbetweenentity-levelcontrolsandcontrolsdesignedtoachievespeciccontrol objectives. 1823.Provide three examples of ndings by the auditors that are at least signicant deciencies and strong indicators of the existence of a material weakness in internal control. 1824.The auditors have completed an examination of internal control and are preparing to issue a report. Does the opinion paragraph on the clients internal control conclude on internal control or managements assessment of internal control? 1825.Whattypeofreportoninternalcontrolislikelytobeissuedwhenmanagementimposesa scope limitation? 1826.Ifanadverseinternalcontrolreportisissuedbytheauditors,mayanunqualiedreportbe issued on the nancial statements? 1827.Which types of deciencies must be communicated to the audit committee? 1828.Describe the requirements involved when auditors are engaged to report on whether a previ-ously reported material weakness continues to exist. Questions Requiring Analysis 1829.The CPA rm of Carson & Boggs LLP is performing an internal control audit in accordance withPCAOB StandardNo.5.Thepartnerinchargeoftheengagementhasaskedyouto explaintheprocessofdeterminingwhichcontrolstotest.Describetheprocess,presenting each of the links in this process and a short summary of how the auditors approach each of them. LO 1, 5 1830.Testsofcontrolsareordinarilyperformedforbothnancialstatementauditsandinternal control audits. a.What is the objective of tests of controls when performed for internal control audits? b.What is the objective of tests of controls when performed for nancial statement audits? c.How are these diferent objectives reconciled in an integrated audit? 1831.The CPA rm of Webster, Warren, & Webb LLP issued an adverse opinion on the internal control of Alexandria Financial, a public company, due to a material weakness. The weakness involved the lack of suf cient accounting expertise to evaluate and adopt appropriate account-ing principles. Subsequent to issuance of the report, management of Alexandria hired a new controller to eliminate the weakness. a.DescribewhatstepsAlexandriamustperformtoengageWebster,Warren,&Webbto issue a report indicating that the weakness no longer exists. b.Describe how Webster, Warren, & Webb should approach the engagement. c.Describe what Webster, Warren, & Webb must do if, during the course of the engagement, a member of the audit team discovers another mater