1. Confirming Pages
Chapter
18
Learning objectives
Integrated Audits
of Public Companies
LO1 In this chapter, we provide information on integrated
Describe the nature of an inte-
audits based on the provisions of Public Company
After studying this chapter, Accounting Oversight Board (PCAOB) Standard No. 5,
grated audit.
you should be able to:
“An Audit of Internal Control Over Financial Reporting
LO1 Describe the nature of That Is Integrated with an Audit of Financial Statements.” Throughout this chapter,
an integrated audit. our emphasis is on presenting (1) details on audits of internal control over financial
reporting and (2) information on how financial statement audits are modified when
LO2 Discuss management’s
responsibility for
the auditors perform an integrated audit. Although we have referred to integrated
reporting on internal audits earlier in the text, in this chapter we emphasize in detail the nature of a pub-
control as required by lic company audit. While an integrated audit involves an enhanced consideration of
the Sarbanes-Oxley Act internal control, the financial statement audit’s various planning, evidence gathering,
of 2002. and reporting procedures remain largely unchanged. Accordingly, the focus of this
LO3 Describe the audi- chapter is on audits of internal control over financial reporting (hereafter, internal
tors’ responsibility for control).
reporting on inter-
nal control through
integrated audits as Overview
required by the Public
Company Accounting The Sarbanes-Oxley Act of 2002 requires that, in addition to reporting upon financial
Oversight Board.
statements, auditors of public companies should also report upon internal control over
LO4 Present the auditors’ financial reporting (hereafter, internal control). Consistently, PCAOB Standard No. 5
approach to analyzing recognizes this relationship and states that the internal control and financial statement
internal control when audits should be viewed as integrated.
performing an inte-
Section 404 is composed of two distinct sections.1 Section 404(a), which applies
grated audit.
to all public companies, requires that each annual report filed with the Securities and
LO5 Explain how findings Exchange Commission include an internal control report prepared by management in
relating to the audits which management acknowledges its responsibility for establishing and maintaining
of internal control and
adequate internal control and provides an assessment of internal control effectiveness
the financial state-
as of the end of the most recent fiscal year. Section 404(b), which applies to public
ments may affect one
another.
companies with a market capitalization in excess of $75,000,000, requires the CPA
firm to audit internal control and express an opinion on the effectiveness of internal
LO6 Discuss circumstances
control. While the emphasis of this chapter is on the auditors’ responsibility under
that require auditors
Section 404(b), we will begin with an overview of management’s responsibility.
to modify their report
on internal control.
1
While we emphasize Section 404 in this chapter, we also incorporate information from Sec-
tion 103, which requires auditor reporting on internal control. In addition, other sections of the
Sarbanes-Oxley Act are also relevant to the overall area of audits of financial statements. Sec-
tion 302 requires each of a company’s principal executives and financial officers to certify the
financial and other information contained in the company’s quarterly and annual reports. These
certifications must indicate that, based on the officer’s knowledge, the financial statements
and other financial information included in the report fairly present, in all material respects,
the financial condition and results of operations of the company as of, and for, the period pre-
sented in the report. Section 906 includes a similar certification requirement but amends the
Federal Criminal Code and explicitly sets forth possible criminal penalties for certifications that
do not comply with the requirements.
whi1103X_ch18_696-725.indd 696 07/02/11 3:52 PM

2. Confirming Pages
Integrated Audits of Public Companies 697
Management’s Responsibility for Internal Control
LO2
Management has always been responsible for maintaining effective internal control.
However, the Sarbanes-Oxley Act of 2002 increases management’s responsibility
Discuss management’s respon-
sibility for reporting on internal for demonstrating that controls are effective. As operationalized by the Securities and
control as required by the Sar- Exchange Commission (SEC), management is required to:
banes-Oxley Act of 2002.
• Accept responsibility for the effectiveness of internal control.
• Evaluate the effectiveness of internal control using suitable control criteria.
• Support the evaluation with sufficient evidence.
• Provide a report on internal control.
Management’s report and the auditors’ opinion must be included in Form 10-K, the
annual report filed with the SEC. The Sarbanes-Oxley Act requires management to per-
form the above steps in a meaningful manner to support its report. While the exact word-
ing of the report is left to management’s discretion, Section 404(a) of the Sarbanes-Oxley
Act requires the report to:
• State that it is management’s responsibility to establish and maintain adequate internal
control.
• Identify management’s framework for evaluating internal control.
• Include management’s assessment of the effectiveness of the company’s internal con-
trol over financial reporting as of the end of the most recent fiscal period, including a
statement as to whether internal control over financial reporting is effective.
• Include a statement that the company’s auditors have issued an attestation report on
management’s assessment.
Management’s For most SEC registrants, passage of Sarbanes-Oxley resulted in a one-time major project
Evaluation Process of evaluating and improving internal control to allow both management and the auditors
and Assessment to conclude that the company’s internal control is effective. Then, for each subsequent
year’s reporting, the analysis is updated. The overall process is one of identifying the
significant controls and testing their design and operating effectiveness.
The project is performed either by the company itself or by the company assisted by
consultants—often personnel from a CPA firm that does not audit the company’s finan-
cial statements. The company’s external auditing firm may provide only limited assis-
tance to management to avoid a situation in which its assessment is in essence part of
management’s assessment, as well as its own. That is, the CPA firm performing the audit
should not create a situation in which management relies in any way on the CPA firm’s
assessment in making its own assessment.
As a starting point, the Securities and Exchange Commission, which provides oper-
ational guidance for implementing the Sarbanes-Oxley requirements, has adopted the
following definition for internal control:
Internal control over financial reporting is a process designed by, or under the supervision of, the
company’s principal executive and principal financial officers, or persons performing similar func-
tions, and affected by the company’s board of directors, management, and other personnel, to
provide reasonable assurance regarding the reliability of financial reporting and the preparation
of financial statements for external purposes in accordance with generally accepted accounting
principles and includes those policies and procedures that:
1. Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect
the transactions and dispositions of the assets of the company;
2. Provide reasonable assurance that transactions are recorded as necessary to permit prepa-
ration of financial statements in accordance with generally accepted accounting principles,
and that receipts and expenditures of the company are being made only in accordance with
authorizations of management and directors of the company; and
3. Provide reasonable assurance regarding prevention or timely detection of unauthorized
acquisition, use, or disposition of the company’s assets that could have a material effect on
the financial statements.
whi1103X_ch18_696-725.indd 697 07/02/11 3:52 PM

3. Confirming Pages
698 Chapter Eighteen
FIGURE 18.1 Does Existence Result
Comparison of Control
in Required Modification
Deficiency, Significant
of Management’s Assessment
Deficiency, and Material
Deficiency Severity and Auditors’ Report?
Weakness Definitions
Control Not directly considered in Only if it is a material
Deficiency definition weakness
Significant Less severe than a material No
Deficiency weakness
Material Reasonable possibility of a Yes
Weakness material misstatement
FIGURE 18.2
Levels of Severity of Control Deficiency
Control Deficiencies
Less than a Significant
Significant Deficiency Material Weakness
Deficiency
Management’s report must be based on the preceding definition of internal control
and must result from an evaluation using an accepted “control framework.” Although
not required, the control framework ordinarily used is the Internal Control–Integrated
Framework, created by the Committee of Sponsoring Organizations of the Treadway
Commission (COSO). The COSO framework, discussed in detail in Chapter 7, is the
internal control framework commonly used in audits of financial statements.
To perform its evaluation and make its assessment,2 management must understand the
concepts of control deficiency, significant deficiency, and material weakness—concepts
originally presented in Chapter 7 of this text, although the latter two terms are defined
differently for purposes of an integrated audit. A control deficiency exists when the
design or operation of a control does not allow management or employees, in the nor-
mal course of performing their functions, to prevent or detect misstatements on a timely
basis.
A material weakness is a control deficiency, or combination of control deficien-
cies, in internal control over financial reporting, such that there is a reasonable possibil-
ity that a material misstatement of the company’s annual or interim financial statements
will not be prevented or detected on a timely basis. A reasonable possibility exists when
the likelihood is either “reasonably possible” or “probable” as those terms are used in
FASB ASC 450-20 “Loss Contingencies.”
A significant deficiency is a control deficiency, or a combination of control defi-
ciencies, in internal control over financial reporting that is less severe than a material
weakness, yet important enough to merit attention by those responsible for oversight of
the company’s financial reporting.
Figures 18.1 and 18.2 illustrate relationships among deficiencies, significant deficien-
cies, and material weaknesses.
2
The “evaluation” or “evaluation process” refers to the methods and procedures management
implements to comply with the requirements. The “assessment” is the disclosure required in man-
agement’s report on internal control discussing any material weaknesses and management’s assess-
ment of the effectiveness of internal control.
whi1103X_ch18_696-725.indd 698 07/02/11 3:52 PM

4. Confirming Pages
Integrated Audits of Public Companies 699
In evaluating the significance of identified deficiencies, both quantitative and
qualitative factors are considered. Quantitative factors address the potential amount
of loss. Qualitative factors include consideration of the nature of the accounts and
assertions involved and the possible future consequences of the deficiency. Chapters
6 and 16 of this text include discussions of qualitative factors affecting materiality
judgments.
Additionally, the consideration of a control deficiency should also include analysis of
whether a compensating control exists to either prevent or detect the possible mis-
statement. For example, assume a company has a deficiency in control over cash dis-
bursements. The compensating control of reconciliation of cash accounts by a competent
individual who is otherwise independent of the cash function might make the likelihood
of not detecting a significant misstatement less than reasonably possible. Therefore, while
a deficiency might exist, it might not be a significant deficiency or a material weakness
due to the existence of a compensating control.
Management must identify the significant financial statement accounts in order to
evaluate the controls over major classes of transactions. Major classes of transac-
tions are those that materially affect significant financial statement accounts—either
directly through entries in the general ledger or indirectly through the creation of rights or
obligations that may or may not be recorded in the general ledger.
The overall objective of management’s evaluation of internal control is to provide it
with a reasonable basis for its annual assessment as to whether there are any material
weaknesses in internal control as of the end of the fiscal year. How does management go
about achieving this objective? The SEC guidance is structured about two broad prin-
ciples—(1) evaluating the design of controls to identify controls and risks and (2) evalu-
ating the operation of the controls. This is consistent with the internal control coverage
throughout the text—first consider the design, and then the operating effectiveness of
controls.
Evaluating Design Effectiveness of Controls
The evaluation process begins with identifying and assessing the risks to reliable financial
reporting. Management then considers whether it has controls placed in operation (imple-
mented) that are designed to adequately address those risks. Management ordinarily uses
a top-down approach in which it begins with the identification of entity-level controls
and works down to detailed controls only to the extent necessary. For example, if man-
agement determines that a control within the company’s period-end financial reporting
process (an entity-level control) is designed to adequately address the risk of a material
misstatement of interest expense, management may not need to identify any additional
controls related to interest expense. When additional assurance is needed, consideration
of additional controls becomes necessary. Since the process auditors go through is simi-
lar, we discuss this in greater detail later in the chapter.
Evaluating Operating Effectiveness of Internal Control
Management then evaluates operating effectiveness of controls in those areas that
pose a high risk to reliable financial reporting. Evidence on operating effectiveness is
obtained from tests of controls and from ongoing monitoring activities related to the
controls. Tests of controls are similar to those performed by financial statement auditors
as described in detail in Chapter 7. Ongoing monitoring includes activities that provide
information about the operation of controls. This information is obtained, for example,
through assessments made by employees, assessments made by management (referred
to as self-assessment procedures), and the analysis of performance measures designed to
track the operation of controls (e.g., budgets).
Documentation
A required part of management’s evaluation process is appropriate documentation of
internal control. The documentation often occurs throughout the entire evaluation
whi1103X_ch18_696-725.indd 699 07/02/11 3:52 PM

5. Confirming Pages
700 Chapter Eighteen
FIGURE 18.3
Management is responsible for establishing and maintaining adequate internal control
Management Report on
over financial reporting. Carver Company’s internal control system was designed to pro-
Internal Control
vide reasonable assurance to the company’s management and board of directors regard-
ing the preparation and fair presentation of published financial statements.
All internal control systems, no matter how well designed, have inherent limitations.
Therefore, even a system determined to be effective can provide only reasonable assur-
ance with respect to financial statement preparation and presentation. [Note: This para-
graph is not required.]
We assessed the effectiveness of the company’s internal control over financial reporting
as of December 31, 20X4. In making this assessment, we used the criteria set forth by the
Committee of Sponsoring Organizations of the Treadway Commission (COSO) in Internal
Control–Integrated Framework. Based on our assessment, we believe that, as of Decem-
ber 31, 20X4, the company’s internal control over financial reporting is effective based on
those criteria.
Carver Company’s independent auditors have issued an audit report on our assessment
of the company’s internal control over financial reporting. This report appears on
page XX.
Sally Jones John Hankson
Chief Executive Officer Chief Financial Officer
February 12, 20X5
process. Virtually all of the documentation tools included in Chapters 7 and 8 of this text
are relevant for both management’s evaluation and the external auditors’ audit of internal
control.
Reporting
Management’s evaluation process culminates with the issuance of management’s report
on internal control, which includes management’s assessment. If management believes
that no material weaknesses exist at year-end, it is able to issue a report concluding that
the company maintained effective internal control over financial reporting. An illustration
of such a report is included in Figure 18.3. In the next section, we will describe the audi-
tors’ process for evaluating and reporting on internal control.
The Auditors’ Responsibility for Reporting
on Internal Control in PCAOB Audits
The auditors’ objective in an audit of internal control is to express an opinion on the com-
LO3 pany’s internal control over financial reporting. To meet this objective, the auditors must
Describe the auditors’ responsibil- plan and perform the audit to obtain reasonable assurance about whether material weak-
ity for reporting on internal con-
trol through integrated audits as
nesses exist as of the date specified in management’s assessment. Evidence is gathered
required by the Public Company on both the design and operating effectiveness of internal control as of the date specified
Accounting Oversight Board. in management’s assessment—normally the last day of the company’s fiscal year. The
audit may be viewed as consisting of the following five stages.
1. Plan the engagement.
2. Use a top-down approach to identify controls to test.
3. Test and evaluate design effectiveness of internal control.
4. Test and evaluate operating effectiveness of internal control.
5. Form an opinion on the effectiveness of internal control.
whi1103X_ch18_696-725.indd 700 07/02/11 3:52 PM

6. Confirming Pages
Integrated Audits of Public Companies 701
Plan the As indicated in Figure 18.4, the auditors first plan the engagement. Efficient planning
Engagement requires coordination with the financial statement audit. For purposes of both audits, the
auditors consider matters related to the client’s industry, regulatory matters, the client’s
business, and any recent changes in the client’s operations. The auditors’ knowledge of
LO4
a client’s internal control at the planning stage of the engagement will differ significantly
Present the auditors’ approach to depending upon the nature of the client and the auditors’ experience with that client, and
analyzing internal control when
performing an integrated audit.
this in turn will affect the scope of the auditors’ procedures. For example, when the audi-
tors have previously performed audits of the client, the auditors begin the integrated audit
with more information than in a circumstance in which the company is a new audit client.
Accordingly, they only have to perform procedures to update their knowledge.
FIGURE 18.4
An Audit of Internal Company Control Criteria
Control over Financial Internal (ordinarily COSO
Reporting Control Internal Control
Framework)
Management‘s
Evaluation of
Internal Control
Management’s
report on internal control
(with internal control
assessment)
Plan the
engagement
Use a top-down approach
to identify controls
to test
Test and evaluate
design effectiveness
Test and evaluate
operating effectiveness
Form an opinion on
the effectiveness of
internal control over
financial reporting
Issue Auditors‘
Attestation Report
whi1103X_ch18_696-725.indd 701 07/02/11 3:52 PM

7. Confirming Pages
702 Chapter Eighteen
There is a subtle difference between the auditors’ consideration of internal control for
the audit of internal control as compared to their consideration of internal control in an
audit of financial statements. In the audit of internal control, the focus is on whether inter-
nal control is effective at a point in time—the as of date—which is ordinarily the last
day of the client’s fiscal period. To express the internal control opinion, the auditors must
obtain sufficient evidence on the effectiveness of controls at the as of date. By itself, this
would involve performing tests of controls for a period that is usually significantly less
than the entire year. On the other hand, in a financial statement audit the consideration
of internal control is performed to help plan the audit and to assess control risk for the
entire financial statement period. Therefore, the auditors must perform tests of controls
of transactions occurring throughout the year to meet the objective of obtaining sufficient
evidence to support the opinion on internal control and assess control risk. This distinc-
tion is discussed in more detail later in this chapter.
When planning and performing the audit of internal control, the auditors should take
into account the results of the financial statement fraud risk assessment. Specifically, the
auditors should identify and test controls that address the risk of fraud, including man-
agement override of other controls. These controls include those over:
• Significant unusual transactions, particularly those reported late in the period and
those related to the period-end financial reporting process.
• Related party transactions.
• Significant management estimates.
• Incentives for management to falsify or inappropriately manage financial results.
When planning and performing the audit of internal control, the auditors should also
recognize internal control differences between small and large clients. Often these differ-
ences are related to the degree of complexity of their operations. For example, when the
auditors are auditing a small company, many control objectives may be accomplished
through daily interaction of senior management and other company personnel rather than
through formal policies and procedures. Because of the extensive involvement of senior
management in performing controls and the period-end financial reporting process, the
auditors of a small company should realize that controls to prevent management override
are even more important than it is for a large company. Accordingly, for example, while
detailed oversight by the audit committee may be an important control for most compa-
nies, it may be particularly important for a small company.
Use a Top-Down Figure 18.4 indicates that the auditors use a top-down approach to identify controls
Approach to to test. What is a “top-down” approach? As indicated in Figure 18.5, the “top-down”
Identify Controls approach starts at the top—the financial statements and entity-level controls—and links
the financial statement elements and entity-level controls to significant accounts, relevant
to Test3
assertions, and to the major classes of transactions. The goal is to focus on testing those
controls that are most important to the auditor’s conclusion on internal control, while
avoiding those that are less important.
Entity-Level Controls
Entity-level controls often are those included in the control environment or monitoring
components of internal control. For example, the portions of the control environment deal-
ing with the tone at the top, assignment of authority and responsibility, and corporate codes
of conduct have a pervasive effect on internal control. Also, information technology general
controls over program development, program changes, and computer controls over pro-
cessing have a pervasive effect in that they help ensure that specific controls over process-
ing are operating effectively. The pervasiveness of entity-level controls distinguishes them
3
This terminology is used in PCAOB Standard No. 5. This stage corresponds to obtaining an under-
standing of internal control in a financial statement audit.
whi1103X_ch18_696-725.indd 702 07/02/11 3:52 PM

8. Confirming Pages
Integrated Audits of Public Companies 703
FIGURE 18.5 Overall Approach Illustration
A Top-Down Approach
to Testing Internal Entity-
Financial Balance Centralized
level
Control statements sheet processing
controls
Significant accounts Accounts
and disclosures receivable
Various Detailed list
Relevant Completeness
other of cash
assertions assertion
controls receipts
Major classes of Cash receipt and
transactions and transactions remittance
significant processes process
from other controls that are designed to achieve the specific objectives. As an example of
a control that is not an entity-level control, consider control of requiring accounting for all
shipping documents. This control activity is aimed primarily at assuring the completeness
of recorded sales and does not have the pervasive effect of an entity-level control.
Entity-level controls relating to audit committee effectiveness, fraud, and the period-
end financial reporting process are particularly emphasized in Standard No. 5. The audit
committee is particularly important since an effective audit committee exercises over-
sight responsibility over both financial reporting and internal control. Indeed, ineffec-
tive audit committee oversight by itself is regarded as a strong indication that a material
weakness in internal control exists.
PCAOB Standard No. 5 also emphasizes the need for controls specifically intended
to address the risk of fraud. These controls range from entity-level control environment
controls, such as an appropriate tone at the top, corporate codes of conduct, and an effec-
tive antifraud program, to control activities, such as the reconciliation of cash accounts.
Figure 18.6 provides examples of antifraud programs and elements.
The period-end financial reporting process (often referred to as “financial statement
close”) is also very significant. The period-end process involves the procedures used to
enter transaction totals into the general ledger through the end of the financial statement
reporting process. Auditors must thoroughly evaluate this process, including the man-
ner in which financial statements are produced, the extent of information technology
involved, who participates from management, the locations involved, and the types of
adjusting entries and oversight by appropriate parties.
In considering entity-level controls, the auditors should be aware that controls may
have either an indirect or a direct effect on the likelihood of misstatement. Controls with
an indirect effect on the likelihood of misstatement might affect the auditors’ decisions
about the other controls that the auditors select for testing, as well as the nature, timing,
and extent of procedures the auditors perform on other controls. For example, a positive
tone at the top of the organization may lead to more effective lower level control perfor-
mance, yet it does not have a direct effect on the likelihood of misstatement for any par-
ticular assertion. Such a control might allow the auditors to decrease the testing of other
lower level controls.
Controls with a direct effect on the likelihood of misstatement operate at varying levels
of precision. Some of these controls might be designed to identify possible breakdowns
in lower level controls and operate at a level of precision that would allow auditors to
reduce, but not eliminate, the testing of other controls. As an example, a monitoring
control that detects only relatively large misstatements may fall into this category. When
whi1103X_ch18_696-725.indd 703 07/02/11 3:52 PM

9. Confirming Pages
704 Chapter Eighteen
FIGURE 18.6 Antifraud Program
Entity-Level Antifraud
or Element Strong Indicator of Significant Deficiency
Programs and Elements
Management accountability Senior management conducts ineffective
oversight of antifraud programs and controls.
Audit committee Audit committee passively conducts oversight.
It does not actively engage the topic of fraud.
Internal audit Inadequate scope of activities.
Inadequate communication, involvement, and
interaction with the audit committee.
Code of conduct/ethics Nonexistent code or code that fails to address
conflicts of interest, related party transac-
tions, illegal acts, and monitoring by
management and the board.
Ineffective communication to all covered
persons.
“Whistleblower” program* No program for anonymous submissions.
Inadequate process for responding to allega-
tions of suspicions of fraud.
Whistleblower program significantly defective
in design or operation.
Hiring and promotion procedures Failure to perform substantive background
investigations for individuals being consid-
ered for employment or promotion to a posi-
tion of trust.
Remediation Failure to take appropriate and consistent
remedial actions with regard to identified
significant deficiencies, material weaknesses,
actual fraud, or suspected fraud.
* A program for handling complaints and for accepting confidential submissions of concerns about questionable accounting, auditing, and
other matters (e.g., hotlines).
such a control is operating effectively, it might allow the auditor to reduce, but not elimi-
nate, the testing of other controls.
Other entity-level controls that have a direct effect on the likelihood of misstatement
might be designed to operate at a level of precision that would adequately prevent or
detect material misstatements to one or more relevant assertions. Such controls may allow
the auditor to omit testing additional controls relating to that risk. Monitoring controls
that identify relatively small misstatements may fall into this category. Note, however,
that this area has been controversial as some have asked how frequently such controls
actually exist, and thus allow the elimination of testing of controls beneath “the top.”
Significant Accounts and Disclosures
As shown in Figure 18.5, the auditors must obtain an understanding of significant
accounts and disclosures. An account is significant if there is a reasonable possibility
that it could contain a misstatement that, individually or when aggregated with others, has
a material effect on the financial statements, considering both the risks of understatement
and overstatement. The assessment should be made without giving any consideration
to the effectiveness of internal control. Factors that the auditors consider in deciding
whether an account is significant include:
• Size and composition.
• Susceptibility of loss due to errors or fraud.
whi1103X_ch18_696-725.indd 704 07/02/11 3:52 PM

10. Confirming Pages
Integrated Audits of Public Companies 705
• Volume of activity, complexity, and homogeneity of individual transactions.
• Nature of the account.
• Accounting and reporting complexity.
• Exposure to losses.
• Possibility of significant contingent liabilities.
• Existence of related party transactions.
• Changes from the prior period.
Identifying Relevant Financial Statement Assertions
Once they have determined the significant accounts and disclosures, the auditors must
determine which financial statement assertions are relevant to the significant accounts:
(1) existence or occurrence; (2) completeness; (3) valuation or allocation; (4) rights and
obligations; and/or (5) presentation and disclosure. Relevant assertions for an account
are those that have a meaningful bearing on whether the account is presented fairly. For
example, valuation may be very relevant to determining the amount of receivables, but it
is not ordinarily relevant to cash unless currency translation is involved.
Obtaining a Further Understanding of Likely Sources of Misstatement
To further understand the likely sources of potential misstatements, auditors should under-
stand the flow of transactions related to the relevant assertions. This understanding allows
the auditors to identify points within the company’s processes where a material misstate-
ment could arise and to identify the controls to prevent or detect these misstatements.
Throughout the text (e.g., Chapter 6, Chapters 11–16), we have discussed the concept
of transaction cycles. Transaction cycles (also referred to as classes of transactions) are
those transaction flows that have a meaningful bearing on the totals accumulated in the
company’s significant accounts and, therefore, have a meaningful bearing on relevant
assertions. Consider a company whose sales may be initiated by customers either through
the Internet or in a retail store. These two types of sales may be viewed as representing
two major classes of transactions within the sales process.
Although not explicitly discussed in PCAOB Standard No. 5, it is helpful to classify
transactions by transaction type—routine, nonroutine, or accounting estimates. Routine
transactions are for recurring activities, such as sales, purchases, cash receipts and
disbursements, and payroll. Nonroutine transactions occur only periodically; they
generally are not part of the routine flow of transactions and include transactions such as
counting and pricing inventory, calculating depreciation expense, or determining prepaid
expenses. Accounting estimates are activities involving management’s judgments or
assumptions, such as determining the allowance for doubtful accounts, estimating war-
ranty reserves, and assessing assets for impairment.
Throughout the audit of internal control, auditors must be concerned about all
three transaction types. However, the auditors must be aware that the unique nature
of non-routine transactions and the subjectivity involved with accounting estimate
transactions make them particularly prone to misstatement unless they are properly
controlled.
To understand the likely sources of potential misstatements and as a part of selecting
the controls to test, the auditors should:
• Understand the flow of transactions;
• Verify points within the company’s processes at which a misstatement could arise that
could be material;
• Identify the controls management has implemented to address these potential mis-
statements; and
• Identify the controls management has implemented to prevent or detect on a timely
basis unauthorized acquisition, use, or disposition of the company’s assets that could
result in a material misstatement.
whi1103X_ch18_696-725.indd 705 07/02/11 3:52 PM

11. Confirming Pages
706 Chapter Eighteen
FIGURE 18.7 Relationships among Processes, Transaction Types, and Significant Accounts
Examples of Significant Accounts
Allowance for Doubtful Accounts
Property, Plant, & Equipment
Stockholders’ Equity
Accounts Receivable
Inventory Reserves
Other Accounts
Inventories
Prepaid
Cash
Transaction
Example Processes Types
Financial statement close Nonroutine X X X X X X X X X
Cash receipts Routine X X X
Cash disbursements Routine X X
Payroll Routine
Inventory costing (CGS) Routine X X
Estimate purchase commitments Estimation X
Estimate excess and obsolete
inventory Estimation X
Lower-of-cost-or-market
calculation Estimation X
LIFO calculation Nonroutine X
Physical inventory count Nonroutine X
Accounts receivable and sales Routine X
Source: Adapted from Ernst & Young, Evaluating Internal Control: Considerations for Documenting Controls at the Process, Transaction, or Application Level, 2003.
Figure 18.7 provides an illustration of the relationships among significant accounts,
processes, and transaction types emphasizing inventory processes; it presumes one major
class of transactions for each process.
Selecting Controls to Test
The auditors should test those controls that are important to their conclusion about
whether the company’s controls sufficiently address the risk of misstatement for each
relevant assertion. It is not necessary to design tests of all controls. For example, tests of
redundant controls (those that duplicate other controls) need not be designed when
tests of the related control are planned, unless redundancy itself is a control objective.
The auditors may decide to design tests of preventive controls, detective controls, or a
combination of both for the various assertions and significant accounts. Preventive con-
trols have the objective of preventing errors or fraud from occurring; detective controls
have the objective of detecting errors or fraud that have already occurred. Effective inter-
nal control generally involves “levels” of controls composed of a combination of both
preventive and detective controls. Some controls are complementary controls in that
they work together to achieve a particular control objective. When tests are being per-
formed related to that control objective, the complementary controls must be tested.
A question that arises when a client has multiple locations is: Must the auditors design
and perform tests at all locations? The answer is no. In determining the locations at which
to perform tests of controls, the auditor should assess the risk of material misstatement
to the financial statements of each location and base the amount of testing on the degree
of risk.
whi1103X_ch18_696-725.indd 706 07/02/11 3:52 PM

12. Confirming Pages
Integrated Audits of Public Companies 707
Performing Walk-throughs
While not required, performing walk-throughs may frequently be the most effective way
to obtain an understanding of the likely sources of misstatement. A walk-through
involves literally tracing a transaction from its origination through the company’s infor-
mation system until it is reflected in the company’s financial reports. Walk-throughs pro-
vide the auditors with evidence to:
• Verify that they have identified points at which a significant risk of misstatement to a
relevant assertion exists.
• Verify their understanding of the design of controls, including those related to the
prevention or detection of fraud.
• Evaluate the effectiveness of the design of controls.
• Confirm whether controls have been placed in operation (implemented).
Because much judgment is required in performing a walk-through, the auditors should
either perform walk-throughs themselves or supervise the work of others who provide
assistance to them (e.g., internal auditors).
While performing walk-throughs, the auditors ask those involved to describe their
understanding of the processing involved and to demonstrate what they do. In addition,
follow-up inquiries should be made to help identify abuse of controls or indicators of
fraud. Examples of such follow-up inquiries include:
• What do you do when you find an error?
• What kind of errors have you found?
• What happened as a result of finding the errors, and how were the errors resolved?
• Have you ever been asked to override the process or controls? If yes, why did it occur
and what happened?
Test and Evaluate The auditors test the design effectiveness of controls by determining whether the com-
Design pany’s controls, if operating properly, satisfy the company’s control objectives and can
Effectiveness of effectively prevent or detect errors or fraud that could result in material misstatements.
The procedures performed here include a combination of inquiry of appropriate person-
Internal Control
nel, observation of the company’s operations, and inspection of relevant documenta-
over Financial tion. Figure 18.8 provides an example of control objectives, risks, and controls using the
Reporting COSO framework. The auditors specifically consider whether the controls, if function-
ing, would reduce the risks to an appropriately low level.
Test and Evaluate Tests of the operating effectiveness of a control determine whether the control func-
Operating tions as designed and whether the person performing the control possesses the necessary
Effectiveness of authority and qualifications. In deciding how to design tests of operating effectiveness,
the auditors must focus on the nature, timing, and extent of the tests.
Internal Control
over Financial Nature of Tests of Operating Effectiveness
Reporting Tests of controls, in the order of increasing persuasiveness, include a combination of
inquiries of appropriate personnel, inspection of relevant documents, observation of the
company’s operations, and reperformance of the application of controls. For example, to
evaluate whether the second control objective in Figure 18.8, the accurate and complete
recording of invoices, is achieved, the auditors might use generalized audit software to
inspect electronic documents to determine that no gaps exist in the sequence of shipping
documents. Also, Standard No. 5 states that the auditors should vary the exact tests per-
formed when possible to introduce unpredictability into the audit process.
Evaluating responses to inquiries represents a particular challenge in that the responses
may range from formal written inquiries (e.g., representation letters) to informal oral
inquiries. Because of the possibility of misrepresentation or misunderstanding of the
whi1103X_ch18_696-725.indd 707 07/02/11 3:52 PM

13. Confirming Pages
708 Chapter Eighteen
FIGURE 18.8 Process: Accounts Receivable
Control Objective Risks Controls
1. Ensure that all goods Missing documents or • Use standard shipping or contract terms.
shipped are accurately incorrect information • Communicate nonstandard shipping or contract
billed in the proper terms to accounts receivable department.
period. Improper cutoff of ship- • Identify shipments as being before or after period
ment at the end of a end by means of a shipping log and prenumbered
period shipping documents.
2. Accurately record Missing documents or • Prenumber and account for shipping documents
invoices for all incorrect information and sales invoices.
authorized shipments • Match orders, shipping documents, invoices, and
and only for such customer information, and follow through on miss-
shipments. ing or inconsistent information.
• Mail customer statements periodically and investi-
gate and resolve disputes or inquiries by individuals
independent of the invoicing function.
• Monitor number of customer complaints regarding
improper invoices or statements.
3. Accurately record all Missing documents or • Authorization of credit memos by individuals inde-
authorized sales incorrect information pendent of accounts receivable function.
returns and • Prenumber and account for credit memos and
allowances and only receiving documents.
such returns and • Match credit memos and receiving documents and
allowances. resolve unmatched items by individuals indepen-
dent of the accounts receivable function.
Inaccurate input of data • Mail customer statements periodically and investi-
gate and resolve disputes or inquiries by individuals
independent of the invoicing function.
4. Ensure continued Unauthorized input for • Review correspondence authorizing returns and
completeness and nonexistent returns, allowances.
accuracy of accounts allowances, and • Reconcile accounts receivable subsidiary ledger
receivable. write-offs with sales and cash receipts transactions.
• Resolve differences between the accounts receiv-
able subsidiary ledger and the accounts receivable
control account.
5. Safeguard accounts Unauthorized access to • Restrict access to accounts receivable files and data
receivable records. accounts receivable used in processing receivables.
records and stored data
Source: Adapted from Internal Control–Integrated Framework, Evaluation Tools.
responses, inquiry alone does not provide sufficient evidence to support the operating
effectiveness of a control. Thus, auditors should substantiate the responses to inquiries by
performing other procedures, such as inspecting reports or other documentation relating
to the inquiries.
Timing of Tests of Controls
Tests of controls should be performed over a period of time sufficient to determine
whether, as of the date specified in management’s report, the controls were operating
effectively. The auditors are aware that some controls operate continuously (e.g., con-
trols over routine transactions, such as sales), while others operate only periodically (e.g.,
controls over nonroutine transactions or events, such as the preparation and analysis of
monthly or quarterly financial statements). For controls that operate only periodically,
it may be necessary to wait until after the date of management’s report to test them; for
example, controls over period-end financial reporting normally operate only after the date
whi1103X_ch18_696-725.indd 708 07/02/11 3:52 PM

14. Confirming Pages
Integrated Audits of Public Companies 709
Illustrative Case Frequency of Testing
One CPA firm provided the following guidance to its auditors as to frequency of testing:
Frequency of Control Suggested Number of Items to Test
Annual 1
Quarterly 2
Monthly 3–6
Weekly 10–20
Daily 20–40
Multiple times per day 30–60
of management’s report. The auditors’ tests can be performed only at the time the con-
trols are operating.
Extent of Tests of Controls
PCAOB Standard No. 5 requires the auditors to obtain sufficient evidence about the
effectiveness of controls for all relevant assertions related to all significant accounts.
This means that the auditors must design procedures to provide a high level of assurance
that the controls related to each relevant assertion are operating effectively. For man-
ual controls, this generally involves more extensive testing than for automated controls.
Generally, the more frequently controls operate, the more auditors should test them, and
controls that are relatively more important should be tested more extensively. Also, the
auditors cannot be satisfied with less-than-persuasive evidence because of a belief that
management is honest.
When control exceptions are identified, the auditors should critically assess the nature
and extent of testing and consider whether additional testing is appropriate. Also, a con-
clusion that an identified control exception does not represent a control deficiency is only
appropriate if evidence beyond what the auditors had originally planned, and beyond
inquiry, supports that conclusion. The issue of evaluating exceptions will be described in
more detail later in this chapter.
Can auditors use the work of others—internal auditors, company personnel, and third
parties—in the audit of internal control? For example, if client personnel have already
performed certain procedures that the auditors had intended, may the auditors use that
work? The answer is yes because PCAOB Standard No. 5 allows auditors to use the
work of others. It is expected that the work of others used by the auditors will often be
related to relatively low-risk areas. In any event, the auditors must understand that when
they use the work of others they remain responsible for their opinion and they cannot
share responsibility with those others. In all cases in which the work of others is used, the
auditors should evaluate the competence and objectivity of those individuals and test the
work they have performed.
Another issue relates to the degree to which auditors must retest controls in detail
each year. In audits subsequent to the first year, auditors should incorporate knowledge
obtained during past audits of internal control. Using this “cumulative audit knowledge”
(knowledge obtained from prior audits), the auditors often may be able to reduce the
amount of work performed. In making decisions as to the necessary testing, the auditors
should consider the various risk factors related to a control as well as:
• The nature, timing, and extent of procedures performed in previous audits,
• The results of the previous years’ testing of the control, and
• Whether there have been changes in the control, or the significant process in which it
operates, since the previous audit.
whi1103X_ch18_696-725.indd 709 07/02/11 3:52 PM

15. Confirming Pages
710 Chapter Eighteen
To illustrate, assume that a control presents a low risk overall in that there is a low inher-
ent risk, a low degree of complexity, few changes in controls, and the previous year
revealed no deficiencies. In such a case, the auditors may determine that sufficient evi-
dence of operating effectiveness could be obtained by performing a walk-through. In
addition, the auditors may use the work of others to a greater extent than in the past. But,
on an overall basis, the auditors must test controls every year and cannot “rotate” analysis
of various transaction types between various years (e.g., consider controls over sales this
year, and purchases next year).
LO5 Relationship between Tests of Controls Performed for the Internal Control Audit and
Those Performed for the Financial Statement Audit
Explain how findings relating to
the audits of internal control and Are the types of tests of controls performed for an internal control audit the same as those
the financial statements may affect performed for a financial statement audit? May the evidence from tests performed for an
one another.
internal control audit be used for the financial statement audit? While the answer to both of
these questions is yes, the auditors must consider the differences in the objectives of the tests.
The objective of tests of controls in an audit of internal control is to obtain evidence
about the effectiveness of controls to support the auditors’ opinion on whether manage-
ment’s assessment of the effectiveness of internal control, taken as a whole, is fairly
stated as of a point in time. Accordingly, to express this opinion the auditors must obtain
evidence about the effectiveness of controls over all relevant assertions for all significant
accounts and disclosures in the financial statements.
The objective of tests of controls for a financial statement audit is to assess control risk.
If the auditors decide to assess control risk at less than the maximum, they are required
to obtain evidence that the relevant controls operated effectively during the entire period
upon which they plan to place reliance on those controls. However, the auditors are not
required to assess control risk at less than the maximum for all assertions.
How may these two different approaches for tests of controls be reconciled in an inte-
grated audit? PCAOB Standard No. 5, for purposes of the internal control audit, allows the
auditors to obtain evidence about operating effectiveness at different times throughout the
year—provided that the auditors update those tests or obtain other evidence that the controls
still operated effectively at the end of the year. Thus, although the timing for issuing the
internal control report will not ordinarily require tests from throughout the year, the inte-
grated nature of the two audits suggests that testing should be spread throughout the year.
The requirements of Standard No. 5 have had the effect of pushing auditors to perform
financial statement audits using the systems approach—an approach with heavy reliance
on internal control evidence. In essence, since extensive tests of controls are required for
each significant account for the internal control audit, the auditors should have significant
evidence about the effectiveness of internal control for the financial statement audit. The
auditors generally must merely extend the tests to cover the financial statement period in
order to assess control risk at a low level for purposes of the financial statement audit.
Effect of Tests of Controls on Financial Statement Audit Substantive Procedures
Historically, to enhance audit efficiency and effectiveness, auditors often have used a
substantive audit approach that is not acceptable for integrated audits. Auditors have
traditionally relied primarily (or completely) on evidence from substantive procedures
rather than testing controls in audit areas when a substantive approach was considered
the most cost-effective approach. To illustrate, when only a financial statement audit is
being performed, auditors often rely heavily upon substantive procedures to audit areas
such as property, plant, and equipment; investments; and long-term debt. Since auditors
must now report on the effectiveness of internal control, approaches limiting the testing
of controls are not acceptable.
Historically, another efficiency that has developed in financial statement audits is min-
imizing the testing of controls aimed at preventive controls (e.g., transaction level
controls), and emphasizing the testing of detective controls (e.g., various types of
reconciliations and exception reports). When auditors express an opinion on internal
whi1103X_ch18_696-725.indd 710 07/02/11 3:52 PM