Unit 5 - Integrated Audits, Attestation Engagements

Dodd-Frank Act for Issuers

Integrated audit is only required for issuers that are large accelerated filers (greater than 75 million outstanding CE held by non-affiliates). Less than that: exempt

What is the objective of the audit of IC

Express an opinion on the effectiveness of the entity's IC over financial reporting

Material weakness means

ineffective IC

AR in engagement

Plan and perform the integrated audit to achieve objectives of both engagements, use test of controls

Management requirements (issuer)

IC report that: 1. States mgmt responsibility for establishing an adequate IC 2. An assessment of effectiveness of IC structure

Management requirements (non issuer)

Mgmt must: accept responsibility for effectiveness of IC; evaluate effectiveness of IC; provide a written assessment about effectiveness of IC in report that accompanies auditor's report

Written representations (Issuer & non issuer)

Written rep letter: 1. Acknowledges its responsibility for establishing & maintaining effective IC & mgmt has performed assessment 2. As of specific date or period 3. Did not rely on auditor's procedures for its assessments 4. Discloses all deficiencies 5. Describes fraud 6. Subsequent events

Planning Integrated audit

matters affecting industry, prior knowledge on IC, entity & business, complexity, judgements about materiality

top-down approach

Used in selecting controls to test, evaluates risk at FS level & entity level then down to accounts, transaction then down to assertions

Entity level controls

Control environment, mgmt override, company's risk assessment process, centralized processing, monitoring, period end financial reporting

Testing controls (AICPA standard) - Auditor should evaluate components of ICFR & determine whether

1. Present & functioning in design, operation, and implementation 2. Operating together in an integrated manner

To evaluate the design effectiveness of IC the auditor should

perform walkthroughs

To test & evaluate the operating effectiveness of IC

inquiry, inspection, observation, recalculation & re-performance

The auditor is not responsible for obtaining sufficient evidence to support an opinion about the effectiveness of each individual control, but rather the

effectiveness of the entity's internal control overall

For automated controls

If it's low risk, no change year to year, and automated, then you may not need to repeat testing

Compensating controls can help with

May limit severity of deficiency, and prevent it from being a MW

Managements report on IC should

- mgmt responsible for IC - describe subject matter - identify criteria - include stmt of mgmt's assessment - describe MW

Differences between an audit of internal control and an FS audit

- AIC expresses opinion about whether entity maintained effective IC - AIC results in an opinion as of a point in time, and FS longer period - AIC obtain evidence about the effectiveness of selected controls over all relevant assertions while FS is more limited - AIC communication by report release date vs within 60 days - AIC no restriction on use of the report, while FS audit restrict the use of the SD & MW

Communicate to charged with governance (writing) - non issuer

SD & MW by report release date

Integrated audit communication timeline (issuer)

Communication about all deficiencies should be made prior to issuance

Separate reports for integrated audit

Should contain an "other matter" paragraph making reference to other report & indicating nature of opinion

Presence of MW in IC results in

an adverse opinion - Basis for adverse opinion definition of MW

Separate report on internal control over financial reporting issuer

Each report should include an explanatory paragraph making reference to the other report

If MW are subsequently eliminated & mgmt wants the public to know this

Can get an independent auditor to attest to this, and it is voluntary and they express an opinion on whether a previously reported MW has been eliminated

If auditor obtains info about conditions that arose subsequent to the "as of" date of auditor's report, info should be included in

explanatory paragraph of report

Attestation Engagements

Provide assurance on subject matters other than basic FS

Attestation engagements include (SSAE)

Agreed upon procedures, Financial forecasts or projections, Pro forma FS, Compliance, MD&A, Reporting on IC

When can you do an examination (SSAE)?

Prospective FS, Pro forma FS, Compliance, MD&A, Service Org

When can you do a review (SSAE)?

Pro forma FS, MD&A

When can you do an agreed upon procedure (SSAE)?

AUP, Prospective FS, Compliance

SSAE does NOT apply to

audit, preparation, compilation, review of FS, return preparation (tax), litigation services, consulting/advisory, audits of ICFR

SSAE

Provide guidance, set boundaries, provide a measure of quality & describe objectives

SSAE differs from GAAS because

no reference to FS & no reference to GAAP

Common concept of Attest Standards (CAPE CORP)

C - Compliance; A - Acceptance of new client or continue; P - Preconditions (independent, takes responsibility, appropriate); E - Engagement documentation standards; C - Acceptance of Change in terms; O - Other practitioner work is allowed; R - Responsibility of QC; P - Professional Skepticism & Judgement

Attestation risk

In an examination or review attest engagement, attestation risk is the risk that the practitioner expresses an inappropriate opinion or conclusion, respectively, when the subject matter or assertion is materially misstated

Auditors report on

assertion itself (We have examined mgmt's assertion) or subject matter to which the assertion relates (we have examined the accompanying schedule)

Scope restriction on examination & review

Examination - Q/D/W; Review - Withdraw

Examination

positive opinion, high level of assurance; search, verification, inquiry, analysis

Review (SSAE)

Not an opinion, limited or negative assurance, conclusion; inquiry & analytical procedures

Either report can add a paragraph about

restricted use

If client is responsible party and failure to provide written assertion, scope limitation

E - Q/D/W & restrict use; R - W; AUP - modify

If client is not responsible party

A report may be issued as long as appropriate procedures are performed and sufficient evidence is obtained. However the form of the report may vary, and its use should be restricted

You should receive a rep letter in

examination and review

Agreed upon procedures

An engagement in which a practitioner is engaged to issue a report of findings based on specific agreed-upon procedures. No opinion or negative assurance

AUP - Conditions (I AM SURE)

I - Independent; A - Agreement of parties; M - Measurability & Consistency; S - Sufficiency of procedures; U - Use of report is restricted; R - Responsibility for subject matter; E - Engagements to perform AUP on prospective FS

Required reporting elements for AUP

- title (independent) - identification of specified parties, subject matter - Stmt - responsibility of responsible party - Stmt - Procedures were agreed & description of materiality - Stmt - Disclaimer of responsibility - Stmt - In accordance with attestation - List of procedures performed & findings - No examination or review, does not express an opinion or conclusion - Restricted use - Specialist (if applicable)

Prospective Financial Statements

forward looking based on projections rather than past events

financial forecast

expected financial results, expected condition, expected course of action (either general or limited use)

Financial projection

Based on hypothetical assumptions, "what - if" scenario (limited use ONLY)

What are the types of engagements that can be performed on prospective FS?

preparation, compilation, examination and AUP; NOT review

For a preparation (SSARS) on prospective FS, you should not prepare when

1. excludes summary of significant assumptions or 2. projection - excludes the hypothetical assumption

For a compilation on prospective FS (SSARS)

no assurance, read FS and assumptions & not required to gather supporting evidence

Examination of prospective FS

provides assurance, express opinion as to whether stmts are in accordance to AICPA & underlying assumptions provide a reasonable basis, independence required

If on prospective FS AICPA is not followed

Q/A

If on prospective FS significant assumptions not disclosed

Adverse

If on prospective FS, basis not reasonable

Adverse

If on prospective FS, scope limitation

Disclaimer

Partial presentations

exclude essential elements like sales, gross profit and only limited use

Pro forma FS

Demonstrate the effect of a future or hypothetical event by showing how it might've affected the historical FS.

Service organizations often have an auditor perform an attestation examination to report on

the controls of the service organization that are relevant to the user entities ICFR or are relevant to the security and confidentiality of the information processed by the service org

What are the objectives of the service auditor?

1. Obtain reasonable assurance about mgmt's description, controls 2. report in accordance with service auditor's findings

Service auditor procedures

assess suitability of criteria, obtain understanding of service organization's system, obtain evidence of mgmt descriptions

SOC 1 Report

focus solely on controls at a service organization that are likely to be relevant to an audit of a user entity's financial statements, restricted use

SOC 2 Report

Give assurance to a broad range of users regarding the controls in place at a service organization relevant to one or more trust services criteria of security, availability, integrity - restricted use

Type 1 Report

A report on the design and implementation of a service organization's controls. It does not provide assurance on the operating effectiveness of controls. "As of" date

Type 2 Report

A report on the design, implementation, and operating effectiveness of a service organization's controls

SOC 1 Type 1 report may aid user auditor in

Obtaining an understanding of controls but can't reduce CR

SOC 1 Type 2 report can aid auditor in

assurance about design, implementation, and operating effectiveness and can reduce CR

If user auditor is unable to obtain sufficient appropriate audit evidence regarding services provided

Q/D

If unmodified opinion and service auditor report used

do not make reference to report of service auditor

If modified opinion report and service auditor report

can make reference to explain a modification (not required)

Compliance reporting in 3 areas

1. Contractual agreements or regulatory requirements in connection with FS audit 2. Attestation engagement on entity's compliance with requirements of specific laws 3. Compliance & IC over compliance as part of a single audit engagement

Compliance report in connection with FS audit, auditor must

have audited the client's FS and may only issue negative assurance

Negative assurance can be given when

1. No identified instances of noncompliance 2. Expressed unmodified or qualified on FS AND 3. Applicable regulatory requirements have been subjected to audit procedures as part of FS audit.

If adverse or disclaimer opinion on FS, report on compliance

can only be issued when there are identified instances of noncompliance

2 types of engagements for compliance

1. Compliance with specified requirements 2. IC over compliance

What type of engagement can be used for compliance with specified requirements & IC over compliance?

AUP or examination

How is materiality affected in compliance?

nature of compliance, nature & frequency, & qualitative considerations

Documentation for compliance

assessed risk of noncompliance, responses to risk, basis for materiality, compliance with supplemental requirements

You need a rep letter for

examination and AUP for compliance

Inherent risk of noncompliance

The susceptibility of a compliance requirement to noncompliance that could be material, assuming that there are no related controls

Control risk of noncompliance

The risk that noncompliance with a compliance requirement that could be material will not be prevented or detected on a timely basis by an entity's internal control.

Detection risk of noncompliance

The risk that the auditor will not detect material noncompliance that exists.

Government auditing standards

GAGAS - yellow book

Must for GAGAS is; Should for GAGAS is

unconditional requirements; presumptively mandatory requirements

2 types of government audits

1. GAAP basis FS 2. FS in conformity with SP

Attestation engagements that use GAGAS are

1. Compliance 2. Effectiveness of IC over compliance 3. MD&A 4. Reliability of performance measures

Performance audits

Objective analysis, findings and conclusions to help mgmt & governance to improve program & operations

Key categories of performance audit objectives

1. Effectiveness, economy, & efficiency 2. IC 3. Compliance 4. Prospective Analysis

Effectiveness, economy, & efficiency in performance audit

Effectiveness - achievement of goals; Economy - evaluation of cost; Efficiency - validity & reliability of performance measures

Performing financial audits with GAGAS

1. Previous audits & attest engagements 2. Fraud, noncompliance, and abuse 3. Developing a finding 4. Audit documentation 5. Auditor communication

Abuse

deficient or improper behavior, misuse of authority or position for gain

What to do in developing a finding in GAGAS?

1. criteria - expectations, standards, benchmarks 2. condition - status that exists 3. cause - reason for condition, deviation from criteria 4. effect or potential effect - link between the condition and the deviation from criteria

reporting on financial audits with GAGAS

include a statement that they complied with GAGAS

Report on IC & Compliance

that have material effect on FS, description of scope, sufficient evidence

Does GAGAS require you to express an opinion on IC

No, only requires a report that describes the scope

Less than material findings communicate

in writing

Non issuer report for yellow book

AR paragraph should state audit under GAGAS and GAAS, other matter paragraph added to end referencing the GAGAS report

Under Single Audit Act, entities must use expend

total federal assistance equal to or more than 750,000

Program-Specific Audit

an audit of one specific federal program as opposed to a single audit of the whole entity & no FS audit required

Objectives of single audit

1. Audit of FS and reporting on a separate schedule of federal awards2. Compliance audit of federal awards expended

Materiality for Single audit act

To be considered separately in relation to each program

major programs for Single Audit

spend $750,000 in assistance and classified as high risk

program specific requirements

auditor must contact the inspector general of the applicable federal agency and obtain a current program specific audit guide

auditor selection for single audit

using procurement standards, preclude limitations on competition including - only considering one firm or giving advantages to firms based on location

proposals made by auditors must be evaluated for

responsiveness to request, relevant experience, availability of staff, results of peer review

Audit report (single audit) submitted within earlier of:

1. 30 calendar days of receipt 2. 9 months after end of period

Single audit reports must be retained for

3 years

AR for single audit

express an opinion regarding the fair presentation of FS & related schedules.

AR for internal control

IC over compliance using major programs as a basis for both testing & reporting, no responsibility to obtain understanding or related test deemed nonmajor

AR For compliance

Should express an opinion regarding major program compliance with statutes & regulations

AR for previous audit findings

required to follow up. Assess reasonableness of summary schedule of prior audit findings prepared by auditee

Audit reporting for single audit

1. Opinion on FS audit (GAAP) 2. Opinion on schedule of expenditures of federal awards (SEFA) 3. Report on ICFR & compliance (yellow book) GAGAS 4. Report on compliance for each major program & report on IC over compliance (single audit) - opinion on compliance 5. Provide schedule of findings & questioned costs

Major program determination (4 step process)

1. Identify type A ($750,000+) & type B (no requirement of A) 2. Identify type A that are low risk 3. Identify type B that are high risk 4. Major: All type A not low risk & type B high risk

Major program - type A low risk

must have been audited as a major program in 1 of last 2 most recent periods and can't have MW, modified opinion and questioned costs that exceed 5% of total federal awards

Percentage of coverage

low risk - 20% of federal awards expended; high risk - 40%

High risk programs have

multiple IC structures, weak monitoring for sub-recipients, programs not recently audited