Dodd-Frank Act for Issuers
Integrated audit only required for issuers that are large accelerated filers ( greater than 75 million outstanding CE held by non affiliates) Less than exempt
What is the objective of the audit of IC
Express an opinion on the effectiveness of the entity's IC over financial reporting
Material weakness means
ineffective IC
AR in engagement
Plan and perform the integrated audit to achieve objectives of both engagements, use test of controls
Management requirements (issuer)
IC report that1. states mgmt responsibility for establishing an adequate IC2. An assessment, of effectiveness of IC structure
Management requirements (non issuer)
Mgmt must:accept responsibility for effectiveness of ICevaluates effectiveness of IC Provides a written assessment about effectiveness of IC in report that accompanies auditors report
Written representations (Issuer & non issuer)
Written rep letter:1. Acknowledges its responsibility for establishing & maintaining effective IC & mgmt has performed assessment2. As of specific date or period3. Did not rely on auditors procedures for its assessments4. Discloses all deficiencies5. Describes fraud6. Subsequent events
Planning Integrated audit
matters affecting industry, prior knowledge on IC, entity & business, complexity, judgements about materiality
top-down approach
Used in selecting controls to test, evaluates risk at FS level & entity level then down to accounts, transaction then down to assertions
Entity level controls
Control environment, mgmt override, companys risk assessment process, centralized processing, monitoring, period end financial reporting
Testing controls (AICPA standard) - Auditor should evaluate components of ICFR & determine whether
1. Present & functioning in design, operation, and implementation2. Operating together in an integrated manner
To evaluate the design effectiveness of IC the auditor should
perform walkthroughs
To test & evaluate the operating effectiveness of IC
inquiry, inspection, observation, recalculation & re-performance
The auditor is not responsible for obtaining sufficient evidence to support an opinion about the effectiveness of each individual control, but rather the
effectiveness of the entitys internal control overall
For automated controls
if its low risk, no change year to year and automated then you may not need to repeat testing
Compensating controls can help with
May limit severity of deficiency, and prevent it from being a MW
Managements report on IC should
- mgmt responsible for IC- describe subject matter- identify criteria- include stmt of mgmt's assessment- describe MW
Differences between an audit of internal control and an FS audit
- AIC expresses opinion about whether entity maintained effective IC - AIC results in an opinion as of a point in time, and FS longer period- AIC obtain evidence about the effectiveness of selected controls over all relevant assertions while FS is more limited- AIC communication by report release date vs withing 60 days - AIC no restriction on use of the report, while FS audit restrict the use of the SD & MW
Communicate to charged with governance (writing) - non issuer
SD & MW by report release date
Integrated audit communication timeline (issuer)
Communication about all deficiencies should be made prior to issuance
Separate reports for integrated audit
Should contain an "other matter" paragraph making reference to other report & indicating nature of opinion
Presence of MW in IC results in
an adverse opinion - Basis for adverse opinion definition of MW
Separate report on internal control over financial reporting issuer
Each report should include an explanatory paragraph making reference to the other report
If MW are subsequently eliminated & mgmt wants the public to know this
Can get an independent auditor to attest to this, and it is voluntary and they express an opinion on whether a previously reported MW has been eliminated
If auditor obtains info about conditions that arose subsequent to the "as of" date of auditors report, info should be included in
explanatory paragraph of report
Attestation Engagements
Provide assurance on subject matters other than basic FS
Attestation engagements include (SSAE)
Agreed upon procedures, Financial forecasts or projections, Pro forma FS, Compliance, MD&A, Reporting on IC
When can you do an examination (SSAE)?
Prospective FS, Pro forma FS, Compliance, MD&A, Service Org
When can you do a review (SSAE)?
Pro forma FS, MD&A
When can you do an agreed upon procedure (SSAE)?
AUP, Prospective FS, Compliance
SSAE does NOT apply to
audit, preparation, compilation, review of FS, return preparation (tax), litigation services, consulting/advisory, audits of ICFR
SSAE
Provide guidance, set boundaries, provide a measure of quality & describe objectives
SSAE differs from GAAS because
no reference to FS & no reference to GAAP
Common concept of Attest Standards (CAPE CORP)
C - ComplianceA - Acceptance of new client or continueP - Preconditions (independent, takes responsibility, appropriate)E - Engagement documentation standardsC - Acceptance of Change in termsO - Other practitioner work is allowedR - Responsibility of QCP - Professional Skepticism & Judgement
Attestation risk
In an examination or review attest engagement, attestation risk is the risk that the practitioner expresses an inappropriate opinion or conclusion, respectively, when the subject matter or assertion is materially misstated
Auditors report on
assertion itself (We have examined mgmt's assertion) or subject matter to which the assertion relates (we have examined the accompanying schedule)
Scope restriction on examination & review
Examination - Q/D/WReview - Withdraw
Examination
positive opinion, high level of assurancesearch, verification, inquiry, analysis
Review (SSAE)
Not an opinion, limited or negative assurance, conclusionInquiry & analytical procedures
Either report can add a paragraph about
restricted use
If client is responsible party and failure to provide written assertion, scope limitation
E - Q/D/W & restrict useR - WAUP - modify
If client is not responsible party
A report may be issued as long as appropriate procedures are performed and sufficient evidence is obtained. However the form of the report may vary, and its use should be restricted
You should receive a rep letter in
examination and review
Agreed upon procedures
An engagement in which a practitioner is engaged to issue a report of findings based on specific agreed-upon procedures. No opinion or negative assurance
AUP - Conditions (I AM SURE)
I - Independent A - Agreement of partiesM - Measurability & ConsistencyS - Sufficiency of proceduresU - Use of report is restricted R - Responsibility for subject matterE - Engagements to perform AUP on prospective FS
Required reporting elements for AUP
- title (independent)- identification of specified parties, subject matter- Stmt - responsibility of responsible party- Stmt - Procedures were agreed & description of materiality- Stmt - Disclaimer of responsibility - Stmt - In accordance with attestation - List of procedures performed & findings- No examination or review, does not express an opinion or conclusion- Restricted use- Specialist (if applicable)
Prospective Financial Statements
forward looking based on projections rather than past events
financial forecast
expected financial results, expected condition, expected course of action (either general or limited use)
Financial prjection
Based on hypothetical assumptions, "what - if" scenario (limited use ONLY)
What are the types of engagements that can be performed on prospective FS?
preparation, compilation, examination and AUP NOT review
For a preparation (SSARS) on prospective FS, you should not prepare when
1. excludes summary of significant assumptions or2. projection - excludes the hypothetical assumption
For a compilation on prospective FS (SSARS)
no assurance, read FS and assumptions & not required to gather supporting evidence
Examination of prospective FS
provides assurance, express opinion as to whether stmts are in accordance to AICPA & underlying assumptions provide a reasonable basis, independence required
If on prospective FS AICPA is not followed
Q/A
If on prospective FS significant assumptions not disclosed
Adverse
If on prospective FS, basis not reasonable
Adverse
If on prospective FS, scope limitation
Disclaimer
Partial presentations
exclude essential elements like sales, gross profit and only limited use
Pro forma FS
Demonstrate the effect of a future or hypothetical event by showing how it might've affected the historical FS.
Service organizations often have an auditor perform an attestation examination to report on
the controls of the service organization that are relevant to the user entities ICFR or are relevant to the security and confidentiality of the information processed by the service org
What are the objectives of the service auditor?
1. Obtain reasonable assurance about mgmt's description, controls 2. report in accordance with service auditor's findings
Service auditor proceudres
assess suitability of criteria, obtain understanding of service organizations system, obtain evidence of mgmt descriptions
SOC 1 Report
focus solely on controls at a service organization that are likely to be relevant to an audit of a user entity's financial statements, restricted use
SOC 2 Report
Give assurance to a broad range of users regarding the controls in place at a service organization relevant to one or more trust services criteria of security, availability, integrity - restricted use
Type 1 Report
A report on the design and implementation of a service organization's controls. It does not provide assurance on the operating effectiveness of controls. "as of date
Type 2 Report
A report on the design, implementation, and operating effectiveness of a service organization's controls
SOC 1 Type 1 report may aid user auditor in
Obtaining an understanding of controls but can't reduce CR
SOC 1 Type 2 report can aid auditor in
assurance about design, implementation, and operating effectiveness and can reduce CR
If user auditor is unable to obtain sufficient appropriate audit evidence regarding services provided
Q/D
If unmodified opinion and service auditor report used
do not make reference to report of service auditor
If modified opinion report and service auditor report
can make reference to explain a modification (not required)
Compliance reporting in 3 areas
1. Contractual agreements or regulatory requirements in connection with FS audit2. Attestation engagement on entity's compliance with requirements of specific laws3. Compliance & IC over compliance as part of a single audit engagement
Compliance report in connection with FS audit, auditor must
have audited the client's FS and may only issue negative assurance
Negative assurance can be given when
1. No identified instances of noncompliance2. Expressed unmodified or qualified on FS AND3. Applicable regulatory requirements have been subjected to audit procedures as part of FS audit.
If adverse of disclaimer opinion on FS, report on compliance
can only be issued when there are identified instances of noncompliance
2 type of engagements for complaince
1. Compliance with specified requirements 2. IC over compliance
What type of engagement can be used for compliance with specified requirements & IC over compliance?
AUP or examination
How is materiality affect in compliance?
nature of compliance, nature & frequency, & qualitative considerations
Documentation for compliance
assessed risk of noncomplaince, responses to risk, basis for materiality, compliance with supplemental requirements
You need a rep letter for
examination and AUP for compliance
Inherent risk of noncompliance
The susceptibility of a compliance requirement to noncompliance that could be material, assuming that there are no related controls
Control risk of noncompliance
The risk that noncompliance with a compliance requirement that could be material will not be prevented or detected on a timely basis by an entity's internal control.
Detection risk of noncompliance
The risk that the auditor will not detect material noncompliance that exists.
Government auditing standards
GAGAS - yellow book
Must for GAGAS isShould for GAGAS is
unconditional requirementspresumptively mandatory requirements
2 types of government audits
1. GAAP basis FS2. FS in conformity with SP
Attestation engaements that use GAGAS are
1. Compliance2. Effectiveness of IC over compliance3. MD&A4. Reliability of performance measures
Performance audits
Objective analysis, findings and conclusions to help mgmt & governance to improve program & operations
Key categories of performance audit objectives
1. Effectiveness, economy, & efficiency2. IC3. Compliance4. Prospective Analysis
Effectiveness, economy, & efficiency in performance audit
Effectiveness - achievement of goalsEconomy - evaluation of costEfficiency - validity & reliability of performance measures
Performing financial audits with GAGAS
1. Previous audits & attest engagements2. Fraud, noncompliance, and abuse3. Developing a finding4. Audit documentation5. Auditor communication
Abuse
deficient or improper behavior, misuse of authority or position for gain
What to do in developing a finding in GAGAS?
1. criteria - expectations, standards, benchmarks2. condition - status that exists3. cause - reason for condition, deviation from criteria4. effect or potential effect - link bt the condition and the deviation from criteria
reporting on financial audits with GAGAS
include a statement that they complied with GAGAS
Report on IC & Compliance
that have material effect on FS, description of scope, sufficient evidence
Does GAGAS require you to express an opinion on IC
no only require a report that describes the scope
Less than material findings communicate
in writing
Non issuer report for yellow book
AR paragraph should state audit under GAGAS and GAAS, other matter paragraph added to end referencing the GAGAS report
Under Single Audit Act, entities must use expend
total federal assistance equal to or more than 750,000
Program-Specific Audit
an audit of one specific federal program as opposed to a single audit of the whole entity & no FS audit required
Objectives of single audit
1. Audit of FS and reporting on a separate schedule of federal awards2. Compliance audit of federal awards expended
Materiality for Single audit act
To be considered separately in relation to each program
major programs for Single Audit
spend $750,000 in assistance and classified as high risk
program specific requirements
auditor must contact the inspector general of the applicable federal agency and obtain a current program specific audit guide
auditor selection for single audit
using procurement standards, preclude limitations on competition including - only considering one firm or giving advantages to firms based on location
proposals made by auditors must be evaluated for
responsiveness to request, relevant experience, availability of staff, results of peer review
Audit report (single audit) submitted within earlier of:
1. 30 calendar days of receipt2. 9 months after end of period
Single audit reports must be retained for
3 years
AR for single audit
express an opinion regarding the fair presentation of FS & related schedules.
AR for internal control
IC over compliance using major programs as a basis fro both testing & reporting, no responsibility to obtain understanding or related test deemed nonmajor
AR For compliance
Should express an opinion regarding major program compliance with statues & regulations
AR for previous audit findings
required to follow up. Assess reasonableness of summary schedule of prior audit findings prepared by auditee
Audit reporting for single audit
1. Opinion on FS audit (GAAP)2. Opinion on schedule of expenditures of federal awards (SEFA)3. Report on ICFR & compliance (yellow book) GAGAS4. Report on compliance for each major program & report on IC over compliance (single audit) - opinion on compliance5. Provide schedule of findings & questioned costs
Major program determination (4 step process)
1. Identify type A ($750,000+) & type B (no requirement of A)2. Identify type A that are low risk3. Identify type B that are high risk4. Major : All type A not low risk & type B high risk
Major program - type A low risk
must have been audited as a major program in 1 of last 2 most recent periods and can't have MW, modified opinion and questioned costs that exceed 5% of total federal awards
Percentage of coverage`
low risk - 20% of federal awards expendedhigh risk - 40%
High risk programs have
multiple IC structures, weak monitoring for sub-recipients, programs not recently audited