An integrated audit combines a financial statement audit with an audit of internal controls. Since the Sarbanes-Oxley Act came into effect, management is responsible for establishing, maintaining, and reporting on an internal control structure, and auditors are required to assess this internal control structure. The objective of an integrated audit is for the auditor to express an opinion on a company’s controls over financial reporting.
Integrated Audit vs Non-Integrated Audit: A non-integrated audit is just a traditional audit that generally focuses on financial statements or operational aspects of a business, unlike an integrated audit, which combines an audit of financial statements with an audit of internal controls.
Integrated Audit Regulation; Who and When: The Requirements
Public Company Audits
Public companies must undergo an integrated audit, and only CPAs can perform them.
All public companies, when filing the annual report with the SEC, are required to include an internal control report. For these companies with a market capitalization in excess of $75 million, the CPA firm auditing the financial statements is required to express an opinion on management’s internal control report, thus integrating the financial reporting audit with an internal controls audit. During an integrated audit, auditors should use the same methodology used by management to determine whether internal controls are effective.
Smaller Public Companies & Private Company Audits
Although not required, smaller public companies and some private companies may have their auditors use an integrated audit approach, in case of potential growth or acquisition. Also, auditors may prefer to use an integrated audit approach, even if not required, because less substantive testing may be required. This is because when a control occurs through automation based on a system configuration, a sample of one can be used to test this control.
Under the PCAOB, the law requires the auditor to attest to management’s assessment of internal controls. See our related blog post: What is an Attestation? In preparation for the integrated audit, management is responsible for implementing internal controls around financial reporting. Management must document and sign that they acknowledge this responsibility and include an assessment of the effectiveness of the internal controls they have established – this is called a management representation letter.
As noted above, private companies are not required by law to receive integrated audits, but in the event other circumstances require an integrated audit, they are governed by SAS 130.
The Highlights: AS 2201
The PCAOB Auditing Standard 2201 does a thorough job of providing guidance and should be the first resource used for learning about the details of Integrated Audits. In this post, I will highlight some interesting and significant pieces of this guidance.
Planning the Audit
AS 2201.09 provides a specific list of matters that should be considered when developing procedures for an integrated audit. In addition to this list, a risk assessment should be performed, focusing on risk that a material weakness could exist in a particular area of the company’s internal control over financial reporting. The selection of controls to test, types of evidence to obtain, and testing methods should be designed based on this level of risk. Below are some example items this guidance suggests an auditor consider during planning:
- Current events or changes in regulations that could affect the industry
- Knowledge that may already exist from of the system of internal controls being audited
- Events that could affect the business and its operations
- How complex are the operations of the organization
- Deficiencies that have already been communicated either by another firm or past audits
The top-down approach is used as a way to determine which controls should be tested. This approach begins with understanding the overall risks to controls over financial reporting, moves to entity-level controls, and then focuses on significant accounts and disclosures which are more likely to cause the financial statements to be misstated. It is top-down because it looks at the overall high-level picture to determine the controls to test.
Entity-Level Controls: Support Internal Controls
The auditor’s evaluation of entity-level controls can influence the amount of testing performed on other controls. If upper-level management supports a strong, risk-based control environment, control activities are monitored, risk is continually assessed, and controls are modified based on the assessment, and management is unable to override control activities, strong entity-level controls are in place and an auditor can consider decreasing other controls testing. On the other hand, if the auditor finds that entity-level controls are lacking and the risk of management override is high, they may consider increased testing of lower-level controls.
Controls Testing: Design vs. Operating Effectiveness
Both the design and operating effectiveness of controls should be tested and evidence should be obtained to support this testing. First, a walkthrough, which includes inquiry, observation, and inspection of the procedures is performed to determine if the control activities are designed to meet specific control objectives.
Then, testing is performed to validate that the control activities are actually being put into operation in the manner they were designed. Testing of operating effectiveness is generally done through inquiry (which alone is not sufficient), an inspection of the evidence, observation, recalculation, or reperformance. The testing of the controls is where the integrated audit team will spend the majority of their time and efforts. This is especially true for controls that are determined to be a higher risk of misstatement. The audit team may choose to increase the amount of evidence that is required to gain assurance that controls are operating effectively.
If a deviation is found during testing, it is up to the auditor to use their professional judgment to determine whether or not the control was still operating effectively. One deviation does not necessarily mean that the control’s operating effectiveness failed.
Reporting on Internal Controls Audits
Based on all the evidence obtained from financial substantive audit procedures and control testing, or from any other sources, the auditor should form an opinion on whether internal controls over financial reporting were effective. AS 2201.85 – .92 provide specific guidance for report wording and show examples. Although procedures performed during integrated audits can greatly vary based on company and industry, the published report of the auditor is very uniform.
Using a SOC report in an Integrated Audit: Controls Performed by a Service Organization
Not all controls are performed internally, as there is an increased use of service organizations to handle various aspects of each business. If a service organization is used to perform a business process relating to a significant account or obtains services from another organization that are part of the company’s information system, the controls performed by this service organization must be evaluated.
Two examples of these cases may be when the entire payroll function is outsourced, or when servers containing financial data and/or applications processing financial transactions reside in a data center owned and managed by a third party.
If this is the case, it will be necessary for the auditor to understand how the controls performed by the service organization are relevant to the company being audited. This can be done two ways. One is by reviewing a System and Organization Controls (SOC) report, detailed below, or by performing the tests of the controls at the service organization. This requires additional auditing steps – which can be found at our other post here “Subservice Organizations: Carve-out Audit vs. Inclusive Audit Methods.”
Using a SOC Report
The controls performed by the service organization should be evaluated, but it is not usually feasible to send auditor to the service organization for a control audit. In this case, SOC reports can be used. A SOC report is published by a CPA firm and documents their independent opinion on the design and/or operating effectiveness of internal controls relevant to the services provided to their customers. An auditor can obtain the SOC report from the service organization, and review the report for controls relevant to the services utilized.
The SOC report can provide a level of comfort that the service organization has controls in place around the significant outsourced services. Although the SOC report is used in forming the audit opinion, the auditor should not mention or reference the SOC report in the opinion paragraph of the Independent Auditor’s Report.
PCAOB Auditing Standards 2601 provide additional detailed guidance on the audit impact of an entity’s use of a service organization.
Also see the following Linford & Co’s past blog post for more information:
- SOC reports relate to Management Assertions: Management’s Assertion and SOC Reports.
- What is a SOC 2 Report? Expert Advice You Need to Know
- What is a SOC 1 Report? Expert Advice You Need to Know
- SOC 1 vs. SOC 2 – What is the Difference and How do you Know What you Need?
Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP. in 2016 and is currently a manager with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.