An integrated audit combines a financial statement audit with an audit of internal control over financial reporting (ICFR). Since the Sarbanes-Oxley Act came into effect, management is responsible for establishing, maintaining, and reporting on an internal control structure, and the auditor is required to assess that internal control structure as part of the same engagement.
Integrated Audit Regulations
Who and When: The Requirements
Larger public companies must undergo an integrated audit, and only a PCAOB-registered public accounting firm (CPAs) can perform one.
All public companies, when filing their annual report with the SEC, are required to include a management report on internal control over financial reporting. For companies with a public float (the market value of shares held by non-affiliates) above $75 million, the CPA firm auditing the financial statements is also required to express an opinion on the effectiveness of internal control over financial reporting, thus integrating the financial statement audit with an internal controls audit. Companies below that threshold must still file management's report but are exempt from the auditor attestation.
Although not required, smaller public companies and some private companies may have their auditors use an integrated audit approach in anticipation of growth, an IPO, or an acquisition. Auditors may also prefer an integrated approach even when it is not required, because evidence that controls operate effectively can reduce the amount of substantive testing needed.
Section 404 of the Sarbanes-Oxley Act of 2002 requires that management assess and report on internal control over financial reporting, and that a registered public accounting firm attest to management's assessment. The integrated audit was born from this requirement. The text of Section 404 can be read in the Act itself. Also see our related blog post: What is the Sarbanes Oxley Act?
Guidance for performing the integrated audit is provided by the PCAOB in Auditing Standard 2201 (AS 2201), An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements. The standard covers planning the audit, incorporating a risk assessment, testing controls, evaluating deficiencies and material weaknesses, and forming and reporting an opinion.
The law requires the auditor to attest to management's assessment of internal controls. See our related blog post: What is an Attestation? In preparation for the integrated audit, management is responsible for implementing internal controls over financial reporting. Management must document and sign a written acknowledgment of this responsibility, including its assessment of the effectiveness of the controls it has established; this document, provided to the auditor, is the management representation letter.
The Highlights: AS 2201
PCAOB Auditing Standard 2201 provides thorough guidance and should be the first resource used for learning the details of integrated audits. In this post I would like to highlight some interesting and significant pieces of that guidance.
Planning the Audit
AS 2201.09 provides a specific list of matters that should be considered when planning an integrated audit. In addition to this list, a risk assessment should be performed, focused on the risk that a material weakness could exist in a particular area of the company's internal control over financial reporting. The selection of controls to test, the types of evidence to obtain, and the testing methods should all be designed based on that level of risk.
AS 2201 prescribes a top-down approach. It begins with understanding the overall risks to internal control over financial reporting, moves to entity-level controls, and then focuses on the significant accounts, disclosures, and relevant assertions that are more likely to cause the financial statements to be materially misstated. It is called top-down because it starts from the high-level picture to determine which controls to test.
The auditor's evaluation of entity-level controls can influence the amount of testing performed on other controls. Strong entity-level controls exist when upper-level management supports a risk-based control environment, control activities are monitored, risk is continually assessed and controls are modified in response, and there are controls in place to prevent or detect management override. Where such controls are in place and operating, an auditor can consider reducing the testing of other controls.
Controls Testing: Design vs. Operating Effectiveness
Both the design and the operating effectiveness of controls should be tested, and evidence should be obtained to support both. First, a walkthrough of the process is performed to determine whether the control activities are designed to meet their control objectives. Then, testing is performed to verify that the control activities are actually operating as designed throughout the period. Controls testing is where the integrated audit team spends the majority of its time and effort.
Based on all the evidence obtained from substantive financial statement audit procedures, controls testing, and any other sources, the auditor forms an opinion on whether internal control over financial reporting was effective. AS 2201.85 through .92 provide specific guidance on report wording and include example reports. Although the procedures performed during an integrated audit can vary greatly by company and industry, the auditor's published report is very uniform.
Using a SOC report in an Integrated Audit
Controls Performed by a Service Organization
Not all controls are performed internally; businesses increasingly rely on service organizations to handle various aspects of their operations. If a service organization performs a business process that relates to a significant account, or provides services that are part of the company's information system relevant to financial reporting, the controls performed by that service organization must be evaluated.
Two common examples are an entirely outsourced payroll function, and servers containing financial data or applications processing financial transactions that reside in a data center owned and managed by a third party.
Using a SOC Report
The controls performed by the service organization should be evaluated, but it is usually not feasible to send the auditor to the service organization to perform a controls audit. In this case, System and Organization Controls (SOC) reports can be used. A SOC report is issued by a CPA firm (the service auditor) and documents its independent opinion on the design and, for a Type 2 report, the operating effectiveness of the service organization's controls relevant to the services provided to its customers. For an integrated audit the relevant report is a SOC 1, which addresses controls relevant to user entities' financial reporting. The auditor can obtain the SOC report from the service organization and review it for the controls relevant to the services actually used. A Type 1 report covers design only at a point in time, so a Type 2 report, which covers a period, is needed as evidence of operating effectiveness; the auditor should also consider whether the report period is close enough to the company's fiscal year (obtaining a bridge letter for any gap) and whether the complementary user entity controls described in the report are in place at the company.
The SOC report can provide a level of comfort that the service organization has controls in place around the significant outsourced services. Although the SOC report is used in forming the audit opinion, the auditor should not reference the service auditor's report in the Independent Auditor's Report as a basis, in part, for the opinion.
PCAOB Auditing Standard 2601, Consideration of an Entity's Use of a Service Organization, provides additional detailed guidance on the audit impact of an entity's use of a service organization: AS 2601. Also see Linford & Co's past blog post about how SOC reports relate to management's assertion: Management's Assertion and SOC Reports. Need a SOC 1 (formerly SSAE 16) or SOC 2 audit to provide to your customers? Learn more about our SOC 1 Audit and SOC 2 Audit services.
Linford & Co., LLP, founded in 2008, is comprised of professional and certified auditors with specialized expertise in SOC 1, SOC 2, HIPAA, HITRUST, FedRAMP, and royalty/licensing audits. Our auditors hold CPA, CISA, CISSP, and GSEC licenses and certifications. Learn more about our company and our leadership team.