Confirming Pages

Chapter 18 Integrated Audits of Public Companies

Learning objectives

After studying this chapter, you should be able to:

LO1 Describe the nature of an integrated audit.
LO2 Discuss management's responsibility for reporting on internal
    control as required by the Sarbanes-Oxley Act of 2002.
LO3 Describe the auditors' responsibility for reporting on internal
    control through integrated audits as required by the Public
    Company Accounting Oversight Board.
LO4 Present the auditors' approach to analyzing internal control
    when performing an integrated audit.
LO5 Explain how findings relating to the audits of internal control
    and the financial statements may affect one another.
LO6 Discuss circumstances that require auditors to modify their
    report on internal control.

In this chapter, we provide information on integrated audits based
on the provisions of Public Company Accounting Oversight Board
(PCAOB) Standard No. 5, An Audit of Internal Control Over Financial
Reporting That Is Integrated with an Audit of Financial Statements.
Throughout this chapter, our emphasis is on presenting (1) details
on audits of internal control over financial reporting and (2)
information on how financial statement audits are modified when the
auditors perform an integrated audit. Although we have referred to
integrated audits earlier in the text, in this chapter we emphasize
in detail the nature of a public company audit. While an integrated
audit involves an enhanced consideration of internal control, the
financial statement audit's various planning, evidence gathering,
and reporting procedures remain largely unchanged. Accordingly, the
focus of this chapter is on audits of internal control over
financial reporting (hereafter, internal control).

Overview

The Sarbanes-Oxley Act of 2002 requires that, in
addition to reporting upon financial statements, auditors of public
companies should also report upon internal control over financial
reporting (hereafter, internal control). Consistently, PCAOB
Standard No. 5 recognizes this relationship and states that the
internal control and financial statement audits should be viewed as
integrated.

Section 404 is composed of two distinct sections.[1] Section 404(a),
which applies to all public companies, requires that each annual
report filed with the Securities and Exchange Commission include an
internal control report prepared by management in which management
acknowledges its responsibility for establishing and maintaining
adequate internal control and provides an assessment of internal
control effectiveness as of the end of the most recent fiscal year.
Section 404(b), which applies to public companies with a market
capitalization in excess of $75,000,000, requires the CPA firm to
audit internal control and express an opinion on the effectiveness
of internal control. While the emphasis of this chapter is on the
auditors' responsibility under Section 404(b), we will begin with an
overview of management's responsibility.

LO1 Describe the nature of an integrated audit.

[1] While we emphasize Section 404 in this chapter, we also
incorporate information from Section 103, which requires auditor
reporting on internal control. In addition, other sections of the
Sarbanes-Oxley Act are also relevant to the overall area of audits
of financial statements. Section 302 requires each of a company's
principal executives and financial officers to certify the financial
and other information contained in the company's quarterly and
annual reports. These certifications must indicate that, based on
the officers' knowledge, the financial statements and other
financial information included in the report fairly present, in all
material respects, the financial condition and results of operations
of the company as of, and for, the period presented in the report.
Section 906 includes a similar certification requirement but amends
the Federal Criminal Code and explicitly sets forth possible
criminal penalties for certifications that do not comply with the
requirements.

Management's Responsibility for Internal Control

Management has always been responsible for maintaining effective
internal control. However, the Sarbanes-Oxley Act of 2002 increases
management's responsibility for demonstrating that controls are
effective. As operationalized by the Securities and Exchange
Commission (SEC), management is required to:

- Accept responsibility for the effectiveness of internal control.
- Evaluate the effectiveness of internal control using suitable
  control criteria.
- Support the evaluation with sufficient evidence.
- Provide a report on internal control.

Management's report and the auditors' opinion must be included in
Form 10-K, the annual report filed with the SEC. The Sarbanes-Oxley
Act requires management to perform the above steps in a meaningful
manner to support its report. While the exact wording of the report
is left to management's discretion, Section 404(a) of the
Sarbanes-Oxley Act requires the report to:

- State that it is management's responsibility to establish and
  maintain adequate internal control.
- Identify management's framework for evaluating internal control.
- Include management's assessment of the effectiveness of the
  company's internal control over financial reporting as of the end
  of the most recent fiscal period, including a statement as to
  whether internal control over financial reporting is effective.
- Include a statement that the company's auditors have issued an
  attestation report on management's assessment.

For most SEC registrants, passage of Sarbanes-Oxley resulted in a
one-time major project of evaluating and improving internal control
to allow both management and the auditors to conclude that the
company's internal control is effective. Then, for each subsequent
year's reporting, the analysis is updated. The overall process is
one of identifying the significant controls and testing their design
and operating effectiveness.

The project is performed either by the company itself or by the
company assisted by consultants, often personnel from a CPA firm
that does not audit the company's financial statements. The
company's external auditing firm may provide only limited assistance
to management to avoid a situation in which its assessment is in
essence part of management's assessment, as well as its own. That
is, the CPA firm performing the audit should not create a situation
in which management relies in any way on the CPA firm's assessment
in making its own assessment.

Management's Evaluation Process and Assessment

LO2 Discuss management's responsibility for reporting on internal
control as required by the Sarbanes-Oxley Act of 2002.

As a starting point, the Securities and Exchange Commission, which
provides operational guidance for implementing the Sarbanes-Oxley
requirements, has adopted the following definition for internal
control:

Internal control over financial reporting is a process designed by,
or under the supervision of, the company's principal executive and
principal financial officers, or persons performing similar
functions, and affected by the company's board of directors,
management, and other personnel, to provide reasonable assurance
regarding the reliability of financial reporting and the preparation
of financial statements for external purposes in accordance with
generally accepted accounting principles and includes those policies
and procedures that:

1. Pertain to the maintenance of records that, in reasonable detail,
   accurately and fairly reflect the transactions and dispositions
   of the assets of the company;
2. Provide reasonable assurance that transactions are recorded as
   necessary to permit preparation of financial statements in
   accordance with generally accepted accounting principles, and
   that receipts and expenditures of the company are being made only
   in accordance with authorizations of management and directors of
   the company; and
3. Provide reasonable assurance regarding prevention or timely
   detection of unauthorized acquisition, use, or disposition of the
   company's assets that could have a material effect on the
   financial statements.

Management's report must be based on the preceding definition of
internal control and must result from an evaluation using an
accepted control framework. Although not required, the control
framework ordinarily used is the Internal Control - Integrated
Framework, created by the Committee of Sponsoring Organizations of
the Treadway Commission (COSO). The COSO framework, discussed in
detail in Chapter 7, is the internal control framework commonly used
in audits of financial statements.

To perform its evaluation and make its assessment,[2] management
must understand the concepts of control deficiency, significant
deficiency, and material weakness, concepts originally presented in
Chapter 7 of this text, although the latter two terms are defined
differently for purposes of an integrated audit. A control
deficiency exists when the design or operation of a control does not
allow management or employees, in the normal course of performing
their functions, to prevent or detect misstatements on a timely
basis.

A material weakness is a control deficiency, or combination of
control deficiencies, in internal control over financial reporting,
such that there is a reasonable possibility that a material
misstatement of the company's annual or interim financial statements
will not be prevented or detected on a timely basis. A reasonable
possibility exists when the likelihood is either reasonably possible
or probable as those terms are used in FASB ASC 450-20 Loss
Contingencies.

A significant deficiency is a control deficiency, or a combination
of control deficiencies, in internal control over financial
reporting that is less severe than a material weakness, yet
important enough to merit attention by those responsible for
oversight of the company's financial reporting.

Figures 18.1 and 18.2 illustrate relationships among deficiencies,
significant deficiencies, and material weaknesses.

[2] The evaluation or evaluation process refers to the methods and
procedures management implements to comply with the requirements.
The assessment is the disclosure required in management's report on
internal control discussing any material weaknesses and management's
assessment of the effectiveness of internal control.

FIGURE 18.1 Comparison of Control Deficiency, Significant
Deficiency, and Material Weakness Definitions

Deficiency | Severity | Does Existence Result in Required Modification of Management's Assessment and Auditors' Report?
Control Deficiency | Not directly considered in definition | Only if it is a material weakness
Significant Deficiency | Less severe than a material weakness | No
Material Weakness | Reasonable possibility of a material misstatement | Yes

FIGURE 18.2 Levels of Severity of Control Deficiencies
[Diagram labels: Control Deficiency Less than a Significant
Deficiency; Significant Deficiency; Material Weakness]

In evaluating the significance of identified deficiencies, both
quantitative and qualitative factors are considered. Quantitative
factors address the potential amount of loss. Qualitative factors
include consideration of the nature of the accounts and assertions
involved and the possible future consequences of the deficiency.
Chapters 6 and 16 of this text include discussions of qualitative
factors affecting materiality judgments.

Additionally, the consideration of a control deficiency should also
include analysis of whether a compensating control exists to either
prevent or detect the possible misstatement. For example, assume a
company has a deficiency in control over cash disbursements. The
compensating control of reconciliation of cash accounts by a
competent individual who is otherwise independent of the cash
function might make the likelihood of not detecting a significant
misstatement less than reasonably possible. Therefore, while a
deficiency might exist, it might not be a significant deficiency or
a material weakness due to the existence of a compensating control.

Management must identify the significant financial statement
accounts in order to evaluate the controls over major classes of
transactions. Major classes of transactions are those that
materially affect significant financial statement accounts either
directly through entries in the general ledger or indirectly through
the creation of rights or obligations that may or may not be
recorded in the general ledger.

The overall objective of management's evaluation of internal control
is to provide it with a reasonable basis for its annual assessment
as to whether there are any material weaknesses in internal control
as of the end of the fiscal year. How does management go about
achieving this objective? The SEC guidance is structured about two
broad principles: (1) evaluating the design of controls to identify
controls and risks and (2) evaluating the operation of the controls.
This is consistent with the internal control coverage throughout the
text: first consider the design, and then the operating
effectiveness of controls.

Evaluating Design Effectiveness of Controls

The evaluation process begins with identifying and assessing the
risks to reliable financial reporting. Management then considers
whether it has controls placed in operation (implemented) that are
designed to adequately address those risks. Management ordinarily
uses a top-down approach in which it begins with the identification
of entity-level controls and works down to detailed controls only to
the extent necessary. For example, if management determines that a
control within the company's period-end financial reporting process
(an entity-level control) is designed to adequately address the risk
of a material misstatement of interest expense, management may not
need to identify any additional controls related to interest
expense. When additional assurance is needed, consideration of
additional controls becomes necessary. Since the process auditors go
through is similar, we discuss this in greater detail later in the
chapter.

Evaluating Operating Effectiveness of Internal Control

Management then evaluates operating effectiveness of controls in
those areas that pose a high risk to reliable financial reporting.
Evidence on operating effectiveness is obtained from tests of
controls and from ongoing monitoring activities related to the
controls. Tests of controls are similar to those performed by
financial statement auditors as described in detail in Chapter 7.
Ongoing monitoring includes activities that provide information
about the operation of controls. This information is obtained, for
example, through assessments made by employees, assessments made by
management (referred to as self-assessment procedures), and the
analysis of performance measures designed to track the operation of
controls (e.g., budgets).

Documentation

A required part of management's evaluation process is appropriate
documentation of internal control. The documentation often occurs
throughout the entire evaluation process. Virtually all of the
documentation tools included in Chapters 7 and 8 of this text are
relevant for both management's evaluation and the external auditors'
audit of internal control.

Reporting

Management's evaluation process culminates with the issuance of
management's report on internal control, which includes management's
assessment. If management believes that no material weaknesses exist
at year-end, it is able to issue a report concluding that the
company maintained effective internal control over financial
reporting. An illustration of such a report is included in
Figure 18.3. In the next section, we will describe the auditors'
process for evaluating and reporting on internal control.

The Auditors' Responsibility for Reporting on Internal Control in
PCAOB Audits

LO3 Describe the auditors' responsibility for reporting on internal
control through integrated audits as required by the Public Company
Accounting Oversight Board.

The auditors' objective in an audit of internal control is to
express an opinion on the company's internal control over financial
reporting. To meet this objective, the auditors must plan and
perform the audit to obtain reasonable assurance about whether
material weaknesses exist as of the date specified in management's
assessment. Evidence is gathered on both the design and operating
effectiveness of internal control as of the date specified in
management's assessment, normally the last day of the company's
fiscal year. The audit may be viewed as consisting of the following
five stages.

1. Plan the engagement.
2. Use a top-down approach to identify controls to test.
3. Test and evaluate design effectiveness of internal control.
4. Test and evaluate operating effectiveness of internal control.
5. Form an opinion on the effectiveness of internal control.

FIGURE 18.3 Management Report on Internal Control

Management is responsible for establishing and maintaining adequate
internal control over financial reporting. Carver Company's internal
control system was designed to provide reasonable assurance to the
company's management and board of directors regarding the
preparation and fair presentation of published financial statements.

All internal control systems, no matter how well designed, have
inherent limitations. Therefore, even a system determined to be
effective can provide only reasonable assurance with respect to
financial statement preparation and presentation. [Note: This
paragraph is not required.]

We assessed the effectiveness of the company's internal control over
financial reporting as of December 31, 20X4. In making this
assessment, we used the criteria set forth by the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) in
Internal Control - Integrated Framework. Based on our assessment, we
believe that, as of December 31, 20X4, the company's internal
control over financial reporting is effective based on those
criteria.

Carver Company's independent auditors have issued an audit report on
our assessment of the company's internal control over financial
reporting. This report appears on page XX.

Sally Jones, Chief Executive Officer
John Hankson, Chief Financial Officer
February 12, 20X5

Plan the Engagement

LO4 Present the auditors' approach to analyzing internal control
when performing an integrated audit.

As indicated in Figure 18.4, the auditors first plan the engagement.
Efficient planning requires coordination with the financial
statement audit. For purposes of both audits, the auditors consider
matters related to the client's industry, regulatory matters, the
client's business, and any recent changes in the client's
operations.

The auditors' knowledge of a client's internal control at the
planning stage of the engagement will differ significantly depending
upon the nature of the client and the auditors' experience with that
client, and this in turn will affect the scope of the auditors'
procedures. For example, when the auditors have previously performed
audits of the client, the auditors begin the integrated audit with
more information than in a circumstance in which the company is a
new audit client. Accordingly, they only have to perform procedures
to update their knowledge.

FIGURE 18.4 An Audit of Internal Control over Financial Reporting
[Flowchart. Box labels: Company Internal Control; Management's
Evaluation of Internal Control; Control Criteria (ordinarily COSO
Internal Control Framework); Management's report on internal control
(with internal control assessment); Plan the engagement; Use a
top-down approach to identify controls to test; Test and evaluate
design effectiveness; Test and evaluate operating effectiveness;
Form an opinion on the effectiveness of internal control over
financial reporting; Issue Auditors' Attestation Report]

There is a subtle difference between the
auditors' consideration of internal control for the audit of
internal control as compared to their consideration of internal
control in an audit of financial statements. In the audit of
internal control, the focus is on whether internal control is
effective at a point in time, the "as of date," which is ordinarily
the last day of the client's fiscal period. To express the internal
control opinion, the auditors must obtain sufficient evidence on the
effectiveness of controls at the "as of date." By itself, this would
involve performing tests of controls for a period that is usually
significantly less than the entire year. On the other hand, in a
financial statement audit the consideration of internal control is
performed to help plan the audit and to assess control risk for the
entire financial statement period. Therefore, the auditors must
perform tests of controls of transactions occurring throughout the
year to meet the objective of obtaining sufficient evidence to
support the opinion on internal control and assess control risk.
This distinction is discussed in more detail later in this chapter.

When planning and performing the audit of internal control, the
auditors should take into account the results of the financial
statement fraud risk assessment. Specifically, the auditors should
identify and test controls that address the risk of fraud, including
management override of other controls. These controls include those
over:

- Significant unusual transactions, particularly those reported late
  in the period and those related to the period-end financial
  reporting process.
- Related party transactions.
- Significant management estimates.
- Incentives for management to falsify or inappropriately manage
  financial results.

When planning and performing the audit of internal control, the
auditors should also recognize internal control differences between
small and large clients. Often these differences are related to the
degree of complexity of their operations. For example, when the
auditors are auditing a small company, many control objectives may
be accomplished through daily interaction of senior management and
other company personnel rather than through formal policies and
procedures. Because of the extensive involvement of senior
management in performing controls and the period-end financial
reporting process, the auditors of a small company should realize
that controls to prevent management override are even more important
than they are for a large company. Accordingly, for example, while
detailed oversight by the audit committee may be an important
control for most companies, it may be particularly important for a
small company.

Use a Top-Down Approach to Identify Controls to Test[3]

Figure 18.4 indicates that the auditors use a top-down approach to
identify controls to test. What is a top-down approach? As indicated
in Figure 18.5, the top-down approach starts at the top (the
financial statements and entity-level controls) and links the
financial statement elements and entity-level controls to
significant accounts, relevant assertions, and to the major classes
of transactions. The goal is to focus on testing those controls that
are most important to the auditors' conclusion on internal control,
while avoiding those that are less important.

[3] This terminology is used in PCAOB Standard No. 5. This stage
corresponds to obtaining an understanding of internal control in a
financial statement audit.

Entity-Level Controls

Entity-level controls often are those included in the control
environment or monitoring components of internal control. For
example, the portions of the control environment dealing with the
tone at the top, assignment of authority and responsibility, and
corporate codes of conduct have a pervasive effect on internal
control. Also, information technology general controls over program
development, program changes, and computer controls over processing
have a pervasive effect in that they help ensure that specific
controls over processing are operating effectively. The
pervasiveness of entity-level controls distinguishes them from other
controls that are designed to achieve the specific objectives. As an
example of a control that is not an entity-level control, consider
the control of requiring accounting for all shipping documents. This
control activity is aimed primarily at assuring the completeness of
recorded sales and does not have the pervasive effect of an
entity-level control.

Entity-level controls relating to audit committee effectiveness,
fraud, and the period-end financial reporting process are
particularly emphasized in Standard No. 5. The audit committee is
particularly important since an effective audit committee exercises
oversight responsibility over both financial reporting and internal
control. Indeed, ineffective audit committee oversight by itself is
regarded as a strong indication that a material weakness in internal
control exists.

PCAOB Standard No. 5 also emphasizes the need for controls
specifically intended to address the risk of fraud. These controls
range from entity-level control environment controls, such as an
appropriate tone at the top, corporate codes of conduct, and an
effective antifraud program, to control activities, such as the
reconciliation of cash accounts. Figure 18.6 provides examples of
antifraud programs and elements.

The period-end financial reporting process (often referred to as
financial statement close) is also very significant. The period-end
process involves the procedures used to enter transaction totals
into the general ledger through the end of the financial statement
reporting process. Auditors must thoroughly evaluate this process,
including the manner in which financial statements are produced, the
extent of information technology involved, who participates from
management, the locations involved, and the types of adjusting
entries and oversight by appropriate parties.

In considering entity-level controls, the auditors should be aware
that controls may have either an indirect or a direct effect on the
likelihood of misstatement. Controls with an indirect effect on the
likelihood of misstatement might affect the auditors' decisions
about the other controls that the auditors select for testing, as
well as the nature, timing, and extent of procedures the auditors
perform on other controls. For example, a positive tone at the top
of the organization may lead to more effective lower level control
performance, yet it does not have a direct effect on the likelihood
of misstatement for any particular assertion. Such a control might
allow the auditors to decrease the testing of other lower level
controls.

Controls with a direct effect on the likelihood of misstatement
operate at varying levels of precision. Some of these controls might
be designed to identify possible breakdowns in lower level controls
and operate at a level of precision that would allow auditors to
reduce, but not eliminate, the testing of other controls. As an
example, a monitoring control that detects only relatively large
misstatements may fall into this category. When such a control is
operating effectively, it might allow the auditor to reduce, but not
eliminate, the testing of other controls.

Other entity-level controls that have a direct effect on the
likelihood of misstatement might be designed to operate at a level
of precision that would adequately prevent or detect material
misstatements to one or more relevant assertions. Such controls may
allow the auditor to omit testing additional controls relating to
that risk. Monitoring controls that identify relatively small
misstatements may fall into this category. Note, however, that this
area has been controversial as some have asked how frequently such
controls actually exist, and thus allow the elimination of testing
of controls beneath the top.

FIGURE 18.5 A Top-Down Approach to Testing Internal Control

Overall Approach | Illustration
Financial statements | Balance sheet
Significant accounts and disclosures | Accounts receivable
Relevant assertions | Completeness assertion
Major classes of transactions and significant processes | Cash receipt transactions and remittance process
Entity-level controls | Centralized processing
Various other controls | Detailed list of cash receipts

FIGURE 18.6 Entity-Level Antifraud Programs and Elements

Antifraud Program or Element | Strong Indicator of Significant Deficiency
Management accountability | Senior management conducts ineffective oversight of antifraud programs and controls.
Audit committee | Audit committee passively conducts oversight. It does not actively engage the topic of fraud.
Internal audit | Inadequate scope of activities. Inadequate communication, involvement, and interaction with the audit committee.
Code of conduct/ethics | Nonexistent code or code that fails to address conflicts of interest, related party transactions, illegal acts, and monitoring by management and the board. Ineffective communication to all covered persons.
Whistleblower program* | No program for anonymous submissions. Inadequate process for responding to allegations of suspicions of fraud. Whistleblower program significantly defective in design or operation.
Hiring and promotion procedures | Failure to perform substantive background investigations for individuals being considered for employment or promotion to a position of trust.
Remediation | Failure to take appropriate and consistent remedial actions with regard to identified significant deficiencies, material weaknesses, actual fraud, or suspected fraud.

* A program for handling complaints and for accepting confidential
submissions of concerns about questionable accounting, auditing, and
other matters (e.g., hotlines).

Significant Accounts and Disclosures

As shown in Figure 18.5, the auditors must obtain an understanding
of significant accounts and disclosures. An account is significant
if there is a reasonable possibility that it could contain a
misstatement that, individually or when aggregated with others, has
a material effect on the financial statements, considering both the
risks of understatement and overstatement. The assessment should be
made without giving any consideration to the effectiveness of
internal control. Factors that the auditors consider in deciding
whether an account is significant include:

- Size and composition.
- Susceptibility of loss due to errors or fraud.
- Volume of activity, complexity, and homogeneity of individual
  transactions.
- Nature of the account.
- Accounting and reporting complexity.
- Exposure to losses.
- Possibility of significant contingent liabilities.
- Existence of related party transactions.
- Changes from the prior period.

Identifying Relevant Financial Statement Assertions

Once they have determined the significant accounts and disclosures,
the auditors must determine which financial statement assertions are
relevant to the significant accounts: (1) existence or occurrence;
(2) completeness; (3) valuation or allocation; (4) rights and
obligations; and/or (5) presentation and disclosure. Relevant
assertions for an account are those that have a meaningful bearing
on whether the account is presented fairly. For example, valuation
may be very relevant to determining the amount of receivables, but
it is not ordinarily relevant to cash unless currency translation is
involved.

Obtaining a Further Understanding of Likely Sources of Misstatement

To further understand the likely sources of potential misstatements,
auditors should understand the flow of transactions related to the
relevant assertions. This understanding allows the auditors to
identify points within the company's processes where a material
misstatement could arise and to identify the controls to prevent or
detect these misstatements.

Throughout the text (e.g., Chapter 6, Chapters 11-16), we have
discussed the concept of transaction cycles. Transaction cycles
(also referred to as classes of transactions) are those transaction
flows that have a meaningful bearing on the totals accumulated in
the company's significant accounts and, therefore, have a meaningful
bearing on relevant assertions. Consider a company whose sales may
be initiated by customers either through the Internet or in a retail
store. These two types of sales may be viewed as representing two
major classes of transactions within the sales process.

Although not explicitly discussed in PCAOB Standard No. 5, it is
helpful to classify transactions by transaction type: routine,
nonroutine, or accounting estimates. Routine transactions are for
recurring activities, such as sales, purchases, cash receipts and
disbursements, and payroll. Nonroutine transactions occur only
periodically; they generally are not part of the routine flow of
transactions and include transactions such as counting and pricing
inventory, calculating depreciation expense, or determining prepaid
expenses. Accounting estimates are activities involving management's
judgments or assumptions, such as determining the allowance for
doubtful accounts, estimating warranty reserves, and assessing
assets for impairment.

Throughout the audit of internal control, auditors must be concerned
about all three transaction types. However, the auditors must be
aware that the unique nature of nonroutine transactions and the
subjectivity involved with accounting estimate transactions make them
particularly prone to misstatement unless they are properly
controlled.

To understand the likely sources of potential misstatements and as a
part of selecting the controls to test, the auditors should:
• Understand the flow of transactions;
• Verify points within the company's processes at which a
  misstatement could arise that could be material;
• Identify the controls management has implemented to address these
  potential misstatements; and
• Identify the controls management has implemented to prevent or
  detect on a timely basis unauthorized acquisition, use, or
  disposition of the company's assets that could result in a material
  misstatement.

FIGURE 18.7 Relationships among Processes, Transaction Types, and
Significant Accounts

Examples of significant accounts (columns): Cash; Accounts
Receivable; Allowance for Doubtful Accounts; Inventories; Inventory
Reserves; Prepaid; Property, Plant, & Equipment; Other Accounts;
Stockholders' Equity

Example Processes                        Transaction Types   Accounts Marked
Financial statement close                Nonroutine          XXXXXXXXX
Cash receipts                            Routine             XXX
Cash disbursements                       Routine             XX
Payroll                                  Routine
Inventory costing (CGS)                  Routine             XX
Estimate purchase commitments            Estimation          X
Estimate excess and obsolete inventory   Estimation          X
Lower-of-cost-or-market calculation      Estimation          X
LIFO calculation                         Nonroutine          X
Physical inventory count                 Nonroutine          X
Accounts receivable and sales            Routine             X

Source: Adapted from Ernst & Young, Evaluating Internal Control:
Considerations for Documenting Controls at the Process, Transaction,
or Application Level, 2003.

Figure 18.7 provides an illustration of the relationships among
significant accounts, processes, and transaction types emphasizing
inventory processes; it presumes one major class of transactions for
each process.

Selecting Controls to Test

The auditors should test those controls that are important to their
conclusion about whether the company's controls sufficiently address
the risk of misstatement for each relevant assertion. It is not
necessary to design tests of all controls. For example, tests of
redundant controls (those that duplicate other controls) need not be
designed when tests of the related control are planned, unless
redundancy itself is a control objective.

The auditors may decide to design tests of preventive controls,
detective controls, or a combination of both for the various
assertions and significant accounts. Preventive controls have the
objective of preventing errors or fraud from occurring; detective
controls have the objective of detecting errors or fraud that have
already occurred. Effective internal control generally involves
levels of controls composed of a combination of both preventive and
detective controls. Some controls are complementary controls in that
they work together to achieve a particular control objective. When
tests are being performed related to that control objective, the
complementary controls must be tested.

A question that arises when a client has multiple locations is: Must
the auditors design and perform tests at all locations? The answer is
no. In determining the locations at which to perform tests of
controls, the auditor should assess the risk of material misstatement
to the financial statements of each location and base the amount of
testing on the degree of risk.

Performing Walk-throughs

While not required, performing walk-throughs may frequently be the
most effective way to obtain an understanding of the likely sources
of misstatement. A walk-through involves literally tracing a
transaction from its origination through the company's information
system until it is reflected in the company's financial reports.
Walk-throughs provide the auditors with evidence to:
• Verify that they have identified points at which a significant risk
  of misstatement to a relevant assertion exists.
• Verify their understanding of the design of controls, including
  those related to the prevention or detection of fraud.
• Evaluate the effectiveness of the design of controls.
• Confirm whether controls have been placed in operation
  (implemented).

Because much judgment is required in performing a walk-through, the
auditors should either perform walk-throughs themselves or supervise
the work of others who provide assistance to them (e.g., internal
auditors).

While performing walk-throughs, the auditors ask those involved to
describe their understanding of the processing involved and to
demonstrate what they do. In addition, follow-up inquiries should be
made to help identify abuse of controls or indicators of fraud.
Examples of such follow-up inquiries include:
• What do you do when you find an error?
• What kind of errors have you found?
• What happened as a result of finding the errors, and how were the
  errors resolved?
• Have you ever been asked to override the process or controls? If
  yes, why did it occur and what happened?

Test and Evaluate Design Effectiveness of Internal Control over
Financial Reporting

The auditors test the design effectiveness of controls by determining
whether the company's controls, if operating properly, satisfy the
company's control objectives and can effectively prevent or detect
errors or fraud that could result in material misstatements. The
procedures performed here include a combination of inquiry of
appropriate personnel, observation of the company's operations, and
inspection of relevant documentation. Figure 18.8 provides an example
of control objectives, risks, and controls using the COSO framework.
The auditors specifically consider whether the controls, if
functioning, would reduce the risks to an appropriately low level.

FIGURE 18.8 Process: Accounts Receivable

1. Control objective: Ensure that all goods shipped are accurately
   billed in the proper period.
   Risks:
   • Missing documents or incorrect information
   • Improper cutoff of shipment at the end of a period
   Controls:
   • Use standard shipping or contract terms.
   • Communicate nonstandard shipping or contract terms to accounts
     receivable department.
   • Identify shipments as being before or after period end by means
     of a shipping log and prenumbered shipping documents.

2. Control objective: Accurately record invoices for all authorized
   shipments and only for such shipments.
   Risks:
   • Missing documents or incorrect information
   Controls:
   • Prenumber and account for shipping documents and sales invoices.
   • Match orders, shipping documents, invoices, and customer
     information, and follow through on missing or inconsistent
     information.
   • Mail customer statements periodically and investigate and
     resolve disputes or inquiries by individuals independent of the
     invoicing function.
   • Monitor number of customer complaints regarding improper
     invoices or statements.

3. Control objective: Accurately record all authorized sales returns
   and allowances and only such returns and allowances.
   Risks:
   • Missing documents or incorrect information
   • Inaccurate input of data
   Controls:
   • Authorization of credit memos by individuals independent of
     accounts receivable function.
   • Prenumber and account for credit memos and receiving documents.
   • Match credit memos and receiving documents and resolve unmatched
     items by individuals independent of the accounts receivable
     function.
   • Mail customer statements periodically and investigate and
     resolve disputes or inquiries by individuals independent of the
     invoicing function.

4. Control objective: Ensure continued completeness and accuracy of
   accounts receivable.
   Risks:
   • Unauthorized input for nonexistent returns, allowances, and
     write-offs
   Controls:
   • Review correspondence authorizing returns and allowances.
   • Reconcile accounts receivable subsidiary ledger with sales and
     cash receipts transactions.
   • Resolve differences between the accounts receivable subsidiary
     ledger and the accounts receivable control account.

5. Control objective: Safeguard accounts receivable records.
   Risks:
   • Unauthorized access to accounts receivable records and stored
     data
   Controls:
   • Restrict access to accounts receivable files and data used in
     processing receivables.

Source: Adapted from Internal Control - Integrated Framework,
Evaluation Tools.

Test and Evaluate Operating Effectiveness of Internal Control over
Financial Reporting

Tests of the operating effectiveness of a control determine whether
the control functions as designed and whether the person performing
the control possesses the necessary authority and qualifications. In
deciding how to design tests of operating effectiveness, the auditors
must focus on the nature, timing, and extent of the tests.

Nature of Tests of Operating Effectiveness

Tests of controls, in the order of increasing persuasiveness, include
a combination of inquiries of appropriate personnel, inspection of
relevant documents, observation of the company's operations, and
reperformance of the application of controls. For example, to
evaluate whether the second control objective in Figure 18.8, the
accurate and complete recording of invoices, is achieved, the
auditors might use generalized audit software to inspect electronic
documents to determine that no gaps exist in the sequence of shipping
documents. Also, Standard No. 5 states that the auditors should vary
the exact tests performed when possible to introduce unpredictability
into the audit process.

Evaluating responses to inquiries represents a particular challenge
in that the responses may range from formal written inquiries (e.g.,
representation letters) to informal oral inquiries. Because of the
possibility of misrepresentation or misunderstanding of the
responses, inquiry alone does not provide sufficient evidence to
support the operating effectiveness of a control. Thus, auditors
should substantiate the responses to inquiries by performing other
procedures, such as inspecting reports or other documentation
relating to the inquiries.

Timing of Tests of Controls

Tests of controls should be performed over a period of time
sufficient to determine whether, as of the date specified in
management's report, the controls were operating effectively. The
auditors are aware that some controls operate continuously (e.g.,
controls over routine transactions, such as sales), while others
operate only periodically (e.g., controls over nonroutine
transactions or events, such as the preparation and analysis of
monthly or quarterly financial statements). For controls that operate
only periodically, it may be necessary to wait until after the date
of management's report to test them; for example, controls over
period-end financial reporting normally operate only after the date
of management's report. The auditors' tests can be performed only at
the time the controls are operating.

Extent of Tests of Controls

PCAOB Standard No. 5 requires the auditors to obtain sufficient
evidence about the effectiveness of controls for all relevant
assertions related to all significant accounts. This means that the
auditors must design procedures to provide a high level of assurance
that the controls related to each relevant assertion are operating
effectively. For manual controls, this generally involves more
extensive testing than for automated controls. Generally, the more
frequently controls operate, the more auditors should test them, and
controls that are relatively more important should be tested more
extensively. Also, the auditors cannot be satisfied with
less-than-persuasive evidence because of a belief that management is
honest.

When control exceptions are identified, the auditors should
critically assess the nature and extent of testing and consider
whether additional testing is appropriate. Also, a conclusion that an
identified control exception does not represent a control deficiency
is only appropriate if evidence beyond what the auditors had
originally planned, and beyond inquiry, supports that conclusion. The
issue of evaluating exceptions will be described in more detail later
in this chapter.
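
The sequence check mentioned under Nature of Tests of Operating Effectiveness, together with the matching and cutoff controls listed in Figure 18.8, can be reperformed over exported records. The following Python is an added example, not part of the original chapter; the record layout, field names, period-end date and sample data are constructed assumptions.

```python
from collections import Counter
from datetime import date

PERIOD_END = date(2024, 12, 31)  # assumed year-end for the constructed data

# Constructed shipping log (prenumbered shipping documents).
SHIPMENTS = [
    {"ship_no": 5001, "shipped": date(2024, 12, 27), "qty": 40},
    {"ship_no": 5002, "shipped": date(2024, 12, 28), "qty": 15},
    {"ship_no": 5004, "shipped": date(2024, 12, 30), "qty": 22},  # 5003 absent
    {"ship_no": 5005, "shipped": date(2024, 12, 31), "qty": 9},
    {"ship_no": 5005, "shipped": date(2024, 12, 31), "qty": 9},   # number reused
    {"ship_no": 5006, "shipped": date(2025, 1, 2), "qty": 30},
    {"ship_no": 5007, "shipped": date(2025, 1, 3), "qty": 12},    # never invoiced
]

# Constructed sales invoices, each citing the shipping document it bills.
INVOICES = [
    {"inv_no": 9001, "ship_no": 5001, "invoiced": date(2024, 12, 27), "qty": 40},
    {"inv_no": 9002, "ship_no": 5002, "invoiced": date(2024, 12, 29), "qty": 51},
    {"inv_no": 9003, "ship_no": 5004, "invoiced": date(2024, 12, 30), "qty": 22},
    {"inv_no": 9004, "ship_no": 5005, "invoiced": date(2024, 12, 31), "qty": 9},
    {"inv_no": 9005, "ship_no": 5006, "invoiced": date(2024, 12, 31), "qty": 30},
    {"inv_no": 9006, "ship_no": 5999, "invoiced": date(2024, 12, 31), "qty": 5},
]


def sequence_exceptions(numbers):
    """Report gaps and reused numbers in a prenumbered document series."""
    counts = Counter(numbers)
    if not counts:
        return {"missing": [], "duplicates": []}
    lowest, highest = min(counts), max(counts)
    missing = [n for n in range(lowest, highest + 1) if n not in counts]
    duplicates = sorted(n for n, seen in counts.items() if seen > 1)
    return {"missing": missing, "duplicates": duplicates}


def match_exceptions(shipments, invoices):
    """Match invoices to shipping documents and list what does not agree."""
    shipped = {s["ship_no"]: s for s in shipments}
    billed = {inv["ship_no"] for inv in invoices}
    unbilled = sorted(n for n in shipped if n not in billed)
    unsupported = sorted(
        inv["inv_no"] for inv in invoices if inv["ship_no"] not in shipped
    )
    qty_mismatch = sorted(
        inv["inv_no"]
        for inv in invoices
        if inv["ship_no"] in shipped
        and inv["qty"] != shipped[inv["ship_no"]]["qty"]
    )
    return {
        "unbilled_shipments": unbilled,
        "unsupported_invoices": unsupported,
        "quantity_mismatches": qty_mismatch,
    }


def cutoff_exceptions(shipments, invoices, period_end):
    """Invoices recorded in a different period than the related shipment."""
    ship_dates = {s["ship_no"]: s["shipped"] for s in shipments}
    flagged = []
    for inv in invoices:
        ship_date = ship_dates.get(inv["ship_no"])
        if ship_date is None:
            continue  # already reported as an unsupported invoice
        if (ship_date <= period_end) != (inv["invoiced"] <= period_end):
            flagged.append(inv["inv_no"])
    return sorted(flagged)


if __name__ == "__main__":
    print(sequence_exceptions([s["ship_no"] for s in SHIPMENTS]))
    print(match_exceptions(SHIPMENTS, INVOICES))
    print(cutoff_exceptions(SHIPMENTS, INVOICES, PERIOD_END))
```

Each exception returned is an item to follow up with evidence beyond inquiry, consistent with the treatment of control exceptions described above.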

Can auditors use the work of others (internal auditors, company
personnel, and third parties) in the audit of internal control? For
example, if client personnel have already performed certain
procedures that the auditors had intended, may the auditors use that
work? The answer is yes because PCAOB Standard No. 5 allows auditors
to use the work of others. It is expected that the work of others
used by the auditors will often be related to relatively low-risk
areas. In any event, the auditors must understand that when they use
the work of others they remain responsible for their opinion and they
cannot share responsibility with those others. In all cases in which
the work of others is used, the auditors should evaluate the
competence and objectivity of those individuals and test the work
they have performed.

Another issue relates to the degree to which auditors must retest
controls in detail each year. In audits subsequent to the first year,
auditors should incorporate knowledge obtained during past audits of
internal control. Using this cumulative audit knowledge (knowledge
obtained from prior audits), the auditors often may be able to reduce
the amount of work performed. In making decisions as to the necessary
testing, the auditors should consider the various risk factors
related to a control as well as:
• The nature, timing, and extent of procedures performed in previous
  audits,
• The results of the previous year's testing of the control, and
• Whether there have been changes in the control, or the significant
  process in which it operates, since the previous audit.

To illustrate, assume that a control presents a low risk overall in
that there is a low inherent risk, a low degree of complexity, few
changes in controls, and the previous year revealed no deficiencies.
In such a case, the auditors may determine that sufficient evidence
of operating effectiveness could be obtained by performing a
walk-through. In addition, the auditors may use the work of others to
a greater extent than in the past. But, on an overall basis, the
auditors must test controls every year and cannot rotate analysis of
various transaction types between various years (e.g., consider
controls over sales this year, and purchases next year).

Illustrative Case: Frequency of Testing

One CPA firm provided the following guidance to its auditors as to
frequency of testing:

Frequency of Control      Suggested Number of Items to Test
Annual                    1
Quarterly                 2
Monthly                   3–6
Weekly                    10–20
Daily                     20–40
Multiple times per day    30–60

Relationship between Tests of Controls Performed for the Internal
Control Audit and Those Performed for the Financial Statement Audit

Are the types of tests of controls performed for an internal control
audit the same as those performed for a financial statement audit?
May the evidence from tests performed for an internal control audit
be used for the financial statement audit? While the answer to both
of these questions is yes, the auditors must consider the differences
in the objectives of the tests.

The objective of tests of controls in an audit of internal control is
to obtain evidence about the effectiveness of controls to support the
auditors' opinion on whether management's assessment of the
effectiveness of internal control, taken as a whole, is fairly stated
as of a point in time. Accordingly, to express this opinion the
auditors must obtain evidence about the effectiveness of controls
over all relevant assertions for all significant accounts and
disclosures in the financial statements.

The objective of tests of controls for a financial statement audit is
to assess control risk. If the auditors decide to assess control risk
at less than the maximum, they are required to obtain evidence that
the relevant controls operated effectively during the entire period
upon which they plan to place reliance on those controls. However,
the auditors are not required to assess control risk at less than the
maximum for all assertions.

How may these two different approaches for tests of controls be
reconciled in an integrated audit? PCAOB Standard No. 5, for purposes
of the internal control audit, allows the auditors to obtain evidence
about operating effectiveness at different times throughout the year,
provided that the auditors update those tests or obtain other
evidence that the controls still operated effectively at the end of
the year. Thus, although the timing for issuing the internal control
report will not ordinarily require tests from throughout the year,
the integrated nature of the two audits suggests that testing should
be spread throughout the year.

The requirements of Standard No. 5 have had the effect of pushing
auditors to perform financial statement audits using the systems
approach, an approach with heavy reliance on internal control
evidence. In essence, since extensive tests of controls are required
for each significant account for the internal control audit, the
auditors should have significant evidence about the effectiveness of
internal control for the financial statement audit. The auditors
generally must merely extend the tests to cover the financial
statement period in order to assess control risk at a low level for
purposes of the financial statement audit.

Effect of Tests of Controls on Financial Statement Audit Substantive
Procedures

Historically, to enhance audit efficiency and effectiveness, auditors
often have used a substantive audit approach that is not acceptable
for integrated audits. Auditors have traditionally relied primarily
(or completely) on evidence from substantive procedures rather than
testing controls in audit areas when a substantive approach was
considered the most cost-effective approach. To illustrate, when only
a financial statement audit is being performed, auditors often rely
heavily upon substantive procedures to audit areas such as property,
plant, and equipment; investments; and long-term debt. Since auditors
must now report on the effectiveness of internal control, approaches
limiting the testing of controls are not acceptable.

Historically, another efficiency that has developed in financial
statement audits is minimizing the testing of controls aimed at
preventive controls (e.g., transaction level controls), and
emphasizing the testing of detective controls (e.g., various types of
reconciliations and exception reports). When auditors express an
opinion on internal control, the auditors are more likely to use an
approach that includes testing of both preventive and detective
controls.

Since an integrated audit requires tests of controls for all major
accounts and relevant assertions, circumstances in which controls are
found to be effective will lead to a decreased scope of substantive
procedures as compared to a situation in which tests of controls have
revealed an ineffective system or a situation in which tests of
controls have not been performed. However, when significant
deficiencies or material weaknesses have been identified, the
auditors must obtain assurance that such deficiencies have not
resulted in undetected material misstatements. As an example, if
controls over the recording of revenues are considered ineffective,
the auditors must determine whether the audit procedures designed
into their audit program must be modified to obtain more evidence
about the fairness of revenue.

The extensive level of controls testing performed during an
integrated audit leads to the question of whether substantive tests
may be omitted completely in areas in which controls have been found
to operate effectively. This is not acceptable. Regardless of the
assessed level of control risk, the auditors must perform substantive
procedures for all relevant assertions related to all significant
accounts and disclosures.

Effect of Financial Statement Substantive Procedures on the Audit of
Internal Control

We have shown that the audit of internal control may affect the scope
of substantive procedures performed for the financial statement
audit. Alternatively, the results of substantive procedures may
affect the audit of internal control. The findings obtained while
performing substantive procedures in the financial statement audit
may provide evidence of the effectiveness or ineffectiveness of
internal control over financial reporting. For example,
identification of a material misstatement in the financial statements
is considered indicative of at least a significant deficiency in
internal control. Additional examples of substantive procedures
findings that might affect the internal control audit are those
relating to illegal acts, related party transactions, the
reasonableness of accounting estimates, and the client's overall
selection of accounting principles.

Form an Opinion on the Effectiveness of Internal Control over
Financial Reporting

In forming an opinion on internal control over financial reporting,
the auditors evaluate all evidence, including:
1. The results of their evaluation of the design,
2. The results of tests of the operating effectiveness of controls,
3. Negative results of substantive procedures performed during the
   financial statement audit, and
4. Any identified control deficiencies.

Illustrative Case: Using Attributes Sampling to Consider Control
Deficiencies

It is possible to use statistical attributes sampling (presented in
Chapter 9) to consider control deficiency seriousness. Consider a
control over authorization of sales transactions:

1% = Deviation rate in the auditors' sample
6% = Achieved upper deviation rate
5% = Risk of assessing control risk too low

If one further assumes that $3,000,000 of the transaction type
occurred, the auditor may estimate that $180,000 (6% × $3,000,000)
worth of transactions may not have been properly approved. That is,
there is less than a reasonable possibility that $180,000 in
transactions were not properly approved. If one assumes that $180,000
is material, the deficiency represents a material weakness.
Alternatively, if it is not considered quantitatively material, an
auditor must judgmentally determine whether it represents a
significant deficiency that should be communicated to the audit
committee. Note, however, that the auditors must also take into
account qualitative considerations.

An unqualified audit opinion may be issued when no material
weaknesses in internal control have been identified as existing at
the as of date (year-end) and when there have been no restrictions on
the scope of the auditors' work. The auditors may issue separate
reports on the financial statements and internal control or a
combined report. Figure 18.9 is an example of a separate report on
internal control.

One or more material weaknesses in internal control result in an
adverse opinion.[4] Scope limitations may result in either a
disclaimer or withdrawal from the engagement depending on the extent
of the limitation.

Determining whether deficiencies have been identified and, if so, the
likelihood and potential amount of misstatement is key to identifying
the proper opinion to issue. If no deficiencies have been identified
and no scope limitations are involved, an unqualified opinion is
appropriate.

Evaluating Deficiencies

The auditors must evaluate whether identified control deficiencies,
individually or in combination, are significant deficiencies or
material weaknesses. This involves a consideration of both
quantitative and qualitative factors.

When a deficiency has been identified, the auditors will consider
whether any other controls effectively mitigate the risk of potential
misstatement and create a situation in which the deficiency is not
significant or, at least, does not constitute a material weakness.
Earlier in this chapter, we used the example of a weakness in cash
disbursements that was mitigated by the compensating control of
reconciliation of the bank account by an individual otherwise
independent of the cash function. Such a compensating control might
cause the auditors to alter their assessment of a deficiency,
reducing it from one that otherwise would be considered significant
(or a material weakness) to one that is simply a control deficiency.

In evaluating the potential amount of misstatement related to a
control deficiency, the auditors should consider not only the
misstatements identified, but also the amount that could occur with a
reasonable possibility. Although there are various possible
approaches to this evaluation, one is to directly consider whether a
reasonable possibility exists that a material amount of misstatement
could occur. If that is the case, the deficiency is a material
weakness. Alternatively, if the deficiency is less severe than a
material weakness, yet important enough to merit the attention by
those responsible for oversight of the company's financial reporting
(ordinarily the audit committee), the deficiency represents a
significant deficiency.

The auditors must also consider qualitative factors when evaluating
materiality, as is the case with financial statement audits. Examples
of qualitative factors include whether the weakness relates to
related party transactions and whether there are changes in account
characteristics in relation to the prior year. Chapter 6 presents
additional information on qualitative factors that are used by the
auditors. In essence, the auditors should attempt to determine what a
prudent official in the conduct of his or her own affairs would
consider a significant deficiency and a material weakness.

While a material weakness in internal control can arise in a wide
variety of situations, PCAOB Standard No. 5 provides the following
indicators of material weaknesses:
• Identification of fraud, whether or not material, on the part of
  senior management.
• Restatement of previously issued financial statements to reflect
  the correction of a material misstatement.
• Identification by the auditors of a material misstatement in
  circumstances that indicate that the misstatement would not have
  been detected by the company's internal control.
• Ineffective oversight of the company's external financial reporting
  and internal control by the company's audit committee.

[4] Notice that this is different from reports on audits of financial
statements. In an audit of financial statements, a departure from
generally accepted accounting principles results in either a
qualified opinion or an adverse opinion based on materiality.

FIGURE 18.9 Report with Standard Unqualified Opinion on Internal
Control over Financial Reporting

Report of Independent Registered Public Accounting Firm

To the Audit Committee and Stockholders of Carver Company:

[Introductory paragraph]
We have audited Carver Company's internal control over financial
reporting as of December 31, 20X8, based on criteria established in
Internal Control - Integrated Framework issued by the Committee of
Sponsoring Organizations of the Treadway Commission (COSO). Carver
Company's management is responsible for maintaining effective
internal control over financial reporting, and for its assessment of
the effectiveness of internal control over financial reporting,
included in the accompanying [title of management's report]. Our
responsibility is to express an opinion on the company's internal
control over financial reporting based on our audits.

[Scope paragraph]
We conducted our audit in accordance with the standards of the Public
Company Accounting Oversight Board (United States). Those standards
require that we plan and perform the audit to obtain reasonable
assurance about whether effective internal control over financial
reporting was maintained in all material respects. Our audit included
obtaining an understanding of internal control over financial
reporting, assessing the risk that a material weakness exists, and
testing and evaluating the design and operating effectiveness of
internal control based on the assessed risk. Our audit also included
performing such other procedures as we considered necessary in the
circumstances. We believe that our audit provides a reasonable basis
for our opinion.

[Definition paragraph]
A company's internal control over financial reporting is a process
designed to provide reasonable assurance regarding the reliability of
financial reporting and the preparation of financial statements for
external purposes in accordance with generally accepted accounting
principles. A company's internal control over financial reporting
includes those policies and procedures that (1) pertain to the
maintenance of records that, in reasonable detail, accurately and
fairly reflect the transactions and dispositions of the assets of the
company; (2) provide reasonable assurance that transactions are
recorded as necessary to permit preparation of financial statements
in accordance with generally accepted accounting principles, and that
receipts and expenditures of the company are being made only in
accordance with authorizations of management and directors of the
company; and (3) provide reasonable assurance regarding prevention or
timely detection of unauthorized acquisition, use, or disposition of
the company's assets that could have a material effect on the
financial statements.

[Inherent limitations paragraph]
Because of its inherent limitations, internal control over financial
reporting may not prevent or detect misstatements. Also, projections
of any evaluation of effectiveness to future periods are subject to
the risk that controls may become inadequate because of changes in
conditions, or that the degree of compliance with the policies or
procedures may deteriorate.

[Opinion paragraph]
In our opinion, Carver Company maintained, in all material respects,
effective internal control over financial reporting as of December
31, 20X8, based on criteria established in Internal Control -
Integrated Framework issued by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO).

[Explanatory paragraph]
We have also audited, in accordance with the standards of the Public
Company Accounting Oversight Board (United States), the balance
sheets of Carver Company as of December 31, 20X8 and 20X7, and the
related statements of income, shareholders' equity and comprehensive
income, and cash flows for each of the three years for the period
ended December 31, 20X8, of Carver Company. Our report, dated
February 12, 20X9, expressed an unqualified opinion.

Willington & Co., CPAs
Bisbee, Arizona, United States of America
February 20X9

Correcting a Material Weakness

Recall that the audit report is modified for material weaknesses that
exist at the as of date (year-end). Consider a situation in which
four months prior to year-end management identifies a material
weakness. If management corrects this weakness prior to year-end, can
the auditors issue an unqualified opinion on internal control? Yes,
but only if the auditors have sufficient evidence to provide
reasonable assurance that the new control is operating effectively.
Obtaining such evidence is much easier for controls that operate
frequently, in contrast to those that operate only monthly or
quarterly (e.g., financial statement close). All in all, the timing
of the identification of the material weakness is very important. For
example, if the material weakness is not identified until after
year-end, an adverse opinion must be issued even if the weakness is
corrected: The control did not operate effectively on the date of
management's report.

Existence of a Material Weakness

A material weakness in internal control that exists at year-end
results in the issuance of an adverse opinion. When expressing an
adverse opinion, the auditors' report must define a material
weakness, indicate that one has been identified, and refer to the
description of it in management's report. Figure 18.10 provides an
example of an adverse opinion.

Scope Limitations

If a restriction on the scope of the audit is imposed by the
circumstances, the auditors should withdraw from the engagement or
disclaim an opinion. Earlier we discussed the situation in which the
auditors identify a material weakness and management takes steps to
correct that material weakness prior to year-end. If the auditors are
unable to obtain sufficient evidence that the new controls are
effective for a sufficient period of time, they will issue a
disclaimer of opinion on internal control.

Management's Report on Internal Control Is Incomplete or Improperly
Presented

When management's report on internal control (including its
assessment) is found to be inadequate, the auditors should modify
their report to include an explanatory paragraph describing the
reasons for this determination. If management does not disclose a
material weakness properly, the auditors should state that the
material weakness is not included in management's assessment and
describe it in the audit report. Note that the auditors' report is
already adverse due to the existence of a material weakness. In this
situation, the auditors also are required to communicate in writing
to the audit committee that the material weakness was not disclosed
or identified as a material weakness in management's report.
Figure 18.11 summarizes reporting for this and the preceding
circumstances described in this section.

Audit Report Modifications

(Paragraphs 1-4 and the final paragraph are identical to Figure 18.9
standard unqualified report)

[Explanatory paragraph]
A material weakness is a control deficiency, or a combination of
control deficiencies, in internal control over financial reporting,
such that there is a reasonable possibility that a material
misstatement of the company's annual or interim financial statements
will not be prevented or detected on a timely basis. A material
weakness was identified and is described in management's assessment
of internal control. That material weakness relates to [describe the
material weakness, including its actual and potential effect on the
financial statements].

[Opinion paragraph]
In our opinion, because of the effect of the material weakness
described above on the achievement of the objectives of the control
criteria, Carver Company has not maintained effective internal
control over financial reporting as of December 31, 20X8, based on
criteria established in Internal Control-Integrated Framework issued
by the Committee of Sponsoring Organizations of the Treadway
Commission (COSO).

FIGURE 18.10 Abstract of Report with Adverse Opinion on Internal
Control over Financial Reporting

Reliance on Other Auditors

When other auditors have performed a portion of the audit, the
auditors must decide whether they are able to serve as the principal
auditors. The considerations and reporting requirements are
essentially the same as when other auditors are involved in the
financial statement audit. The auditors who are able to serve as the
principal auditors of the financial statements ordinarily also serve
as principal auditors of internal control. When the principal
auditors decide to refer in their report to the work of the other
auditors, this reference is included both in describing the scope of
the audit and in expressing the opinion.

Subsequent Events

Subsequent events relevant to the internal control audit are changes
in internal control subsequent to year-end but before the date of the
auditors' report. The auditors have a responsibility to make
inquiries of management about whether there have been any such
changes. If the auditors obtain knowledge of subsequent events that
materially and adversely affect the effectiveness of internal
control, they should issue an adverse opinion. If the auditors are
unable to determine the effect of the subsequent event, they should
disclaim an opinion.

Issuing a Combined Report on the Financial Statements and Internal
Control

PCAOB Standard No. 5 allows auditors to either issue separate reports
on their audits of the financial statements and internal control or
issue one combined report. The illustrations in this chapter have
been based on separate reports.
Figure 18.12 provides an illustration of a combined unqualified
report on both the financial statements and internal control.

Other Communication Requirements

PCAOB Standard No. 5 requires that auditors communicate in writing to
management all control deficiencies, regardless of their severity;
this includes material weaknesses, significant deficiencies, and
other deficiencies. In addition, a written communication to the audit
committee must be issued that includes material weaknesses,
significant deficiencies, and an indication that all deficiencies
have been communicated to management. The written communications on
weaknesses to both management and the audit committee should be made
prior to issuance of the audit report on internal control. In
addition, when the auditors conclude that the oversight of the
company's external financial reporting and internal control over
financial reporting is ineffective, they must communicate that
conclusion in writing to the board of directors.

Circumstance                                 Auditors' Opinion

Material Weakness Exists                     Adverse

Material Weakness Existed during Year,
System Changed Prior to the "As of Date"
  Auditors test new system and material      Unqualified
  weakness eliminated
  Auditors do not have sufficient time       Treat as scope restriction
  to test new system

Scope Restriction*                           Disclaimer or Withdraw from
                                             Engagement

Management's Report on Internal Control
Is Incomplete or Improperly Presented
  Report does not acknowledge a material     Adverse
  weakness identified by the auditor
  Other Issues                               Unqualified (but with an
                                             explanatory paragraph)

* If the auditors intend to issue a disclaimer of opinion, yet know
of a material weakness, the material weakness should be described in
the report.

FIGURE 18.11 Circumstances Affecting Auditors' Opinion on Internal
Control

Report of Independent Registered Public Accounting Firm

To the Audit Committee and Stockholders of Carver Company

[Introductory paragraph]
We have audited the accompanying balance sheets of Carver Company as
of December 31, 20X8 and 20X7, and the related statements of income,
stockholders' equity and comprehensive income, and cash flows for
each of the years in the three-year period ended December 31, 20X8.
We also have audited Carver Company's internal control over financial
reporting as of December 31, 20X8, based on [Identify control
criteria: for example, criteria established in Internal
Control-Integrated Framework issued by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO)]. Carver Company's
management is responsible for these financial statements, for
maintaining effective internal control over financial reporting, and
for its assessment of the effectiveness of internal control over
financial reporting included in the accompanying [title of
management's report]. Our responsibility is to express an opinion on
these financial statements and an opinion on the company's internal
control over financial reporting based on our audits.

[Scope paragraph]
We conducted our audits in accordance with the standards of the
Public Company Accounting Oversight Board (United States). Those
standards require that we plan and perform the audits to obtain
reasonable assurance about whether the financial statements are free
of material misstatement and whether effective internal control over
financial reporting was maintained in all material respects. Our
audits of the financial statements included examining, on a test
basis, evidence supporting the amounts and disclosures in the
financial statements, assessing the accounting principles used and
significant estimates made by management, and evaluating the overall
financial statement presentation. Our audit of internal control over
financial reporting included obtaining an understanding of internal
control over financial reporting, assessing the risk that a material
weakness exists, and testing and evaluating the design and operating
effectiveness of internal control based on the assessed risk. Our
audits also included performing such other procedures as we
considered necessary in the circumstances. We believe that our audits
provide a reasonable basis for our opinions.

[Definition paragraph]
A company's internal control over financial reporting is a process
designed to provide reasonable assurance regarding the reliability of
financial reporting and the preparation of financial statements for
external purposes in accordance with generally accepted accounting
principles. A company's internal control over financial reporting
includes those policies and procedures that (1) pertain to the
maintenance of records that, in reasonable detail, accurately and
fairly reflect the transactions and dispositions of the assets of the
company; (2) provide reasonable assurance that transactions are
recorded as necessary to permit preparation of financial statements
in accordance with generally accepted accounting principles, and that
receipts and expenditures of the company are being made only in
accordance with authorizations of management and directors of the
company; and (3) provide reasonable assurance regarding prevention or
timely detection of unauthorized acquisition, use, or disposition of
the company's assets that could have a material effect on the
financial statements.

[Inherent limitations paragraph]
Because of its inherent limitations, internal control over financial
reporting may not prevent or detect misstatements. Also, projections
of any evaluation of effectiveness to future periods are subject to
the risk that controls may become inadequate because of changes in
conditions, or that the degree of compliance with the policies or
procedures may deteriorate.

[Opinion paragraph]
In our opinion, the financial statements referred to above present
fairly, in all material respects, the financial position of Carver
Company as of December 31, 20X8 and 20X7, and the results of its
operations and its cash flows for each of the years in the three-year
period ended December 31, 20X8, in conformity with accounting
principles generally accepted in the United States of America. Also
in our opinion, Carver Company maintained, in all material respects,
effective internal control over financial reporting as of December
31, 20X8, based on [identify control criteria: for example, criteria
established in Internal Control-Integrated Framework issued by the
Committee of Sponsoring Organizations of the Treadway Commission
(COSO)].

Willington & Co., CPAs
Bisbee, Arizona, United States of America
February 20X9

FIGURE 18.12 Combined Report with Standard Unqualified Opinion on
Financial Statements and Internal Control over Financial Reporting

Reporting on Whether a Previously Reported Material Weakness
Continues to Exist

After the existence of a material weakness has led to an adverse
opinion in an internal control audit report, the company is
ordinarily motivated to eliminate the weakness as quickly as is
reasonably possible. When management believes that the material
weakness has been eliminated, the auditors may be engaged to report
on whether the material weakness continues to exist. PCAOB Standard
No. 4, Reporting on Whether a Previously Reported Material Weakness
Continues to Exist, provides the guidance for such engagements.

To engage the auditors to perform this service, management must first
gather sufficient evidence to demonstrate that the material weakness
has been eliminated, document this evidence, and provide a written
assertion stating that the material weakness no longer exists. The
auditors then plan and perform an engagement that focuses on controls
that are relevant to the particular weakness. If they determine that
the controls are now effective, the auditors may issue an unqualified
report indicating that the material weakness no longer exists.

PCAOB Standard No. 4 provides other reporting guidance, including:

- A significant scope limitation on the auditors' procedures should
  result in either a disclaimer of opinion or the resignation of the
  auditors (qualified opinions are not allowed).
- When the auditors' original report includes other material
  weaknesses that are not being considered in this engagement, the
  report should be modified to disclose that the other weaknesses are
  not addressed by the opinion.
- After a change in auditors, the successor auditors may issue such a
  report, but they first must obtain a sufficient understanding of
  the entity and the related material weakness.
- If, while performing the engagement, the auditors discover an
  additional material weakness, the auditors should inform the audit
  committee about the matter, but they are not required to modify
  their report.

Integrated Audits for Nonpublic Companies

While nonpublic companies are not required to undergo integrated
audits, the option is available. As an example, management may be
considering taking the company public in the relatively near future
and might choose to undergo such an audit. Attestation standard AT
501 provides guidance for performing the internal control portion of
an integrated audit for a nonpublic company. The procedures for a
nonpublic integrated audit are very similar to those for a public
company that we have emphasized throughout this chapter. Accordingly,
we will not provide extensive detail, but will simply summarize
significant differences as shown below.

Issue: Title of the engagement?
  PCAOB Standard 5: Audit
  AT 501: Examination

Issue: Report on subject matter and/or assertion?
  PCAOB Standard 5: Only on subject matter
  AT 501: Subject matter or assertion when no material weakness
  exists; when a material weakness exists, subject matter

Issue: May the report issued indicate that no material weaknesses
were identified?
  PCAOB Standard 5: Yes
  AT 501: No

Issue: Which standards are followed by the CPA as indicated in the
report?
  PCAOB Standard 5: PCAOB Standards
  AT 501: Attestation standards established by the AICPA

Chapter Summary

This chapter explained the nature of integrated audits of public
companies performed in response to the Sarbanes-Oxley Act of 2002 and
in accordance with Public Company Accounting Oversight Board Standard
No. 5. To summarize:

1. Section 404(a) of the Sarbanes-Oxley Act requires management to
   acknowledge its responsibility for establishing and maintaining
   adequate internal control and provide an assessment of internal
   control effectiveness as of the end of the most recent fiscal
   year.
2. Section 404(b) of the Sarbanes-Oxley Act requires the auditors to
   provide an opinion on the effectiveness of internal control.
3. Material weaknesses involve a reasonable possibility that a
   material misstatement of the financial statements will not be
   prevented or detected on a timely basis. Significant deficiencies
   are less severe than material weaknesses, yet important enough to
   merit attention by those responsible for oversight of the
   company's financial reporting.
4. An integrated audit includes an audit report on both the financial
   statements and internal control. To issue such a report, the
   auditors perform procedures to test controls over all significant
   accounts, as well as substantive tests to support their opinion on
   the fairness of the financial statements.
5. Internal control audit reports are modified for a material
   weakness that exists at year-end. The report issued includes an
   adverse opinion indicating that effective internal control does
   not exist. If the scope of the auditors' work is limited, they
   should issue a disclaimer of opinion, or withdraw from the
   engagement.
6. After a client has remediated a material weakness that led to an
   adverse report, auditors may be engaged to attest to the
   elimination of the material weakness.

Key Terms Introduced or Emphasized in Chapter 18

Accounting estimate (705) A transaction involving management's
judgments or assumptions, such as determining the allowance for
doubtful accounts, establishing warranty reserves, and assessing
assets for impairment.

"As of date" (702) An audit of internal control over financial
reporting assesses internal control as of a particular point in time,
the "as of date," as opposed to the entire period under audit. This
date is ordinarily the last day of the client's fiscal period.

Compensating control (699) A control that reduces the risk that an
existing or potential control weakness will result in a failure to
meet a control objective (e.g., avoiding misstatements). Compensating
controls are ordinarily controls performed to detect, rather than
prevent, the misstatement from occurring. For example, a
reconciliation of the bank account performed by an individual
otherwise independent of the cash function serves to detect a variety
of possible misstatements (both errors and fraud) that may have
occurred in the processing of cash receipts and disbursements.

Complementary controls (706) Controls that function together to
achieve the same control objective (e.g., avoiding misstatements).

Control deficiency (698) A weakness in the design or operation of a
control that does not allow management or employees, in the normal
course of performing their functions, to prevent or detect
misstatements on a timely basis.

Detective controls (710) Policies and procedures that are designed to
identify errors or fraud after they have occurred. Detective controls
can be applied to groups of transactions (e.g., bank
reconciliations).

Integrated audit (under PCAOB Standard No. 5) (696) An audit that
includes audit reports on both a company's internal control over
financial reporting and the financial statements.

Major classes of transactions (699) Those transaction flows that have
a meaningful bearing on the totals accumulated in the company's
significant accounts and, therefore, have a meaningful bearing on
relevant assertions.

Material weakness (698) A control deficiency, or a combination of
control deficiencies, in internal control over financial reporting,
such that there is a reasonable possibility that a material
misstatement of the company's annual or interim financial statements
will not be prevented or detected on a timely basis.

Nonroutine transaction (705) A transaction that occurs only
periodically, such as counting and pricing inventory, calculating
depreciation expense, or determining prepaid expenses.

Preventive controls (710) Procedures designed to prevent an error or
fraud. Preventive controls are normally applied at the individual
transaction level.

Redundant controls (706) Duplicate controls that both achieve a
control objective.

Routine transaction (705) A transaction for a recurring financial
activity recorded in the accounting records in the normal course of
business, such as sales, purchases, cash receipts, cash
disbursements, and payroll.

Sarbanes-Oxley Act of 2002 (697) An act passed by the U.S. Congress
to protect investors from the possibility of fraudulent accounting
activities by corporations by improving the accuracy and reliability
of corporate disclosures.

Section 404 (696) The primary section of the Sarbanes-Oxley Act
dealing with management and auditor reporting on internal control
over financial reporting. Section 404(a) requires that each annual
report filed with the Securities and Exchange Commission include an
internal control report prepared by management in which management
acknowledges its responsibility for establishing and maintaining
adequate internal control and an assessment of internal control
effectiveness as of the end of the most recent fiscal year. Section
404(b) requires that the CPA firm attest to and report on internal
control.

Significant account (704) An account for which there is a reasonable
possibility that it could contain misstatements that individually, or
when aggregated with others, could have a material effect on the
financial statements.

Significant deficiency (698) A deficiency, or a combination of
deficiencies, in internal control over financial reporting that is
less severe than a material weakness, yet important enough to merit
attention by those responsible for oversight of the company's
financial reporting.

Walk-through (707) A procedure in which an auditor follows a
transaction from origination through the company's processes,
including information systems, until it is reflected in the company's
financial records, using the same documents and information
technology that company personnel use. Walk-through procedures
usually include a combination of inquiry, observation, inspection of
relevant documentation, and reperformance of controls.

Review Questions

18-1. Section 404 of the Sarbanes-Oxley Act of 2002 includes two
sections. Describe those sections.

18-2. Identify management's four overall responsibilities with
respect to internal control over financial reporting that arise due
to the Securities and Exchange Commission's implementation of the
Sarbanes-Oxley Act of 2002.

18-3. What information must be included in management's report on
internal control over financial reporting in the annual report filed
with the Securities and Exchange Commission?

18-4. Describe the difference between a significant deficiency and a
material weakness in internal control.

18-5. Comment on the accuracy of the following statement: "Since both
significant deficiencies and material weaknesses must be reported to
the audit committee, for practical purposes, there is no distinction
between the two."

18-6. What is meant by the "as of date" when reporting on internal
control over financial reporting?

18-7. What is a compensating control?

18-8. Provide examples of antifraud programs that the auditors might
expect the client to have.

18-9. Describe what is meant by a walk-through. Must walk-throughs be
performed during audits of internal control over financial reporting?
May the client perform a walk-through and the auditors then review
the client's work?

18-10. While performing a walk-through, auditors ordinarily make
certain inquiries of employees. Provide three examples of such
inquiries.

18-11. Auditors often perform walk-throughs in integrated audits.
Describe the evidence that is typically provided by a walk-through.

18-12. When performing an audit of internal control over financial
reporting, auditors may distinguish among the following types of
transactions: routine, nonroutine, and accounting estimates.
Distinguish between these three types of transactions and give an
example of each.

18-13. When performing an integrated audit, auditors must identify
significant accounts and disclosures. What makes an account
significant? What factors should be considered in deciding whether an
account is significant?

18-14. A client operates out of 25 locations. Must the CPA perform
tests related to internal control at each of these locations?

18-15. Comment on the following: "Auditors must decide, based on cost
considerations, whether to test the design effectiveness or operating
effectiveness of controls."

18-16. Provide an example of a situation in which the design of
controls may be effective but those controls do not operate
effectively.

18-17. Comment on the following: "Inquiry alone does not provide
sufficient evidence to support the operating effectiveness of a
control."

18-18. Comment on the following: "All controls should be tested
either prior to or on the 'as of date.'"

18-19. What requirements exist when the auditors use the work of
client personnel as a part of the evidence obtained for an audit of
internal control? In which areas of the audit would one expect this
to be most likely to occur?

18-20. Provide an example of a situation in which the performance of
substantive procedures for the financial statement audit might affect
the internal control audit.

18-21. Provide an example of a situation in which the performance of
tests of controls for the internal control audit might affect the
performance of substantive procedures in a financial statement audit.

18-22. Distinguish between entity-level controls and controls
designed to achieve specific control objectives.

18-23. Provide three examples of findings by the auditors that are at
least significant deficiencies and strong indicators of the existence
of a material weakness in internal control.

18-24. The auditors have completed an examination of internal control
and are preparing to issue a report. Does the opinion paragraph on
the client's internal control conclude on internal control or
management's assessment of internal control?

18-25. What type of report on internal control is likely to be issued
when management imposes a scope limitation?

18-26. If an adverse internal control report is issued by the
auditors, may an unqualified report be issued on the financial
statements?

18-27. Which types of deficiencies must be communicated to the audit
committee?

18-28. Describe the requirements involved when auditors are engaged
to report on whether a previously reported material weakness
continues to exist.

Questions Requiring Analysis

18-29. The CPA firm of Carson & Boggs LLP is performing an internal
control audit in accordance with PCAOB Standard No. 5. The partner in
charge of the engagement has asked you to explain the process of
determining which controls to test. Describe the process, presenting
each of the links in this process and a short summary of how the
auditors approach each of them.

LO 1, 5

18-30. Tests of controls are ordinarily performed for both financial
statement audits and internal control audits.
a. What is the objective of tests of controls when performed for
   internal control audits?
b. What is the objective of tests of controls when performed for
   financial statement audits?
c. How are these different objectives reconciled in an integrated
   audit?

18-31. The CPA firm of Webster, Warren, & Webb LLP issued an adverse
opinion on the internal control of Alexandria Financial, a public
company, due to a material weakness. The weakness involved the lack
of sufficient accounting expertise to evaluate and adopt appropriate
accounting principles. Subsequent to issuance of the report,
management of Alexandria hired a new controller to eliminate the
weakness.
a. Describe what steps Alexandria must perform to engage Webster,
   Warren, & Webb to issue a report indicating that the weakness no
   longer exists.
b. Describe how Webster, Warren, & Webb should approach the
   engagement.
c. Describe what Webster, Warren, & Webb must do if, during the
   course of the engagement, a member of the audit team discovers
   another mater