“CAQ Lessons Learned – Performing an Audit of Internal Control in an Integrated Audit” identified 21 practical insights for auditors: 

1. Take advantage of the company’s internal control evaluation process and documentation, where practical, in connection with financial statement audits performed in years prior to the first integrated audit.
2. Early and frequent communication and coordination between management and the external auditors create a more effective and efficient audit process.
3. Coordinate with management regarding the timing of its work to enable the auditor to utilize management’s work to the extent permitted by PCAOB standards.
4. Early in the process identify and assess those risks and controls that may have a pervasive impact on the assessment and effectiveness of ICFR.
5. Consider the implications of any unremediated deficiencies.
6. Plan the audit of ICFR and the audit of the financial statements as a single integrated audit.
7. Where appropriate, plan to employ a controls reliance approach in the first year of the required Section 404(b) audit of ICFR.
8. Consider what audit procedures could meet the objectives of both substantive testing and internal control testing. Where practical, perform the internal control tests in conjunction with the substantive tests in those areas.
9. Substantive tests, the risk assessment process, as well as knowledge obtained from prior audits or reviews of interim financial information inform the auditor with respect to the risks related to internal control (which can affect the nature, timing and extent of tests of controls) and the auditor’s conclusions related to the effectiveness of internal control.
10. Coordinate the planning and performance of the internal control tests and substantive tests among the persons performing the work.
11. Because of the additional complexities in planning and executing an integrated audit, it is important to have experienced members of the engagement team, including specialists, involved at an early stage and for such members to remain close to the engagement as it progresses.
12. Due to the learning curve associated with implementing the ICFR audit requirement, involve auditors with previous experience auditing internal control or auditors who have been trained specifically on performing integrated audits.
13. Apply the top-down, risk-based approach set forth in AS 5 by starting at the financial statement level to effectively and efficiently identify significant accounts and disclosures, and their relevant assertions.
14. The more refined the risk assessment is, the more the audit approach can be tailored based on the assessed risks.
15. Different combinations of procedures, including walkthroughs, can be performed to achieve the required objectives discussed in AS 5 paragraph 34 in an effective and efficient manner.
16. The significance, extent, and complexity of IT applications, and their supporting general IT control environment, influence the identification of material risks to reliable financial reporting.
17. Apply a top-down approach, beginning with the identification of entity-level controls, to identify the controls that are necessary to sufficiently address the assessed risk of misstatement to each relevant assertion (i.e., controls that are important to the audit).
18. Maximize the opportunities for using the work of others.
19. Vary the nature, timing, and extent of testing of identified controls based upon the risk associated with a control.
20. Testing controls at an interim date may improve the effectiveness and efficiency of the integrated audit by spreading the auditor’s effort out over the fiscal year and increasing the opportunity to identify control deficiencies at an earlier date.
21. When a control’s design is determined to be ineffective, it is not necessary to test the operating effectiveness of the control. Similarly, once the auditor has sufficient evidence to conclude an effectively designed control did not operate effectively, the auditor may cease testing that control.

Among its suggestions, the report offers practical pointers about performing an integrated audit, notes the benefits of a top-down, risk-based approach to emphasize areas where material risks are most likely, and also the advantages of maintaining an open line of communication between the auditor, company management and the audit committee.  

The CAQ effort supports compliance with the provisions of Section 404 of the Sarbanes-Oxley Act, which require public company management and auditors to evaluate and assess the effectiveness of the internal controls that contribute to public companies’ financial reports.

“Sharing experience across the profession enables auditors to serve investors even more effectively by enhancing the quality of internal controls and audits,” CAQ Executive Director Cindy Fornelli said. 

The CAQ assembled a task force comprised of auditors with extensive experience with integrated audits. Based on their work with both accelerated and non-accelerated filers, task force members addressed filers’ concerns with background on the issues and suggestions for auditors. The 21 lessons learned can help advance the public company auditing profession’s goal of effective and efficient integrated audits that benefit investors and assist smaller auditing firms in the initial implementation of integrated audits.

According to Fornelli, the report is intended to help audit firms that have not yet had the opportunity to conduct an integrated audit, as well as more experienced firms that can benefit from the shared knowledge. “Not all firms handle all audit matters in the same way – nor should they – and task force discussions reflected this diversity in practice,” she explained. Fornelli added that SOX’s focus on internal control, and coordinating the internal control audit in conjunction with the existing audit of the financial statements, may present a new environment for auditors of smaller public companies.

The information contained in the report represents the views of the members of the task force, has not been approved by any regulatory body or any senior technical committee of the American Institute of Certified Public Accountants, and does not set standards for any purpose.

 “CAQ Lessons Learned – Performing an Audit of Internal Control in an Integrated Audit” may be accessed online.