Reporting on Internal Control in an Integrated Audit


I. Internal Control

This section presents the AICPA's attestation standards related to reporting on internal control over financial reporting in an integrated audit of a nonissuer's financial statements. The AICPA issued SSAE No. 15 to supersede an earlier SSAE and, thereby, more closely align its standards with PCAOB auditing standards.

Note: These AICPA standards are not applicable to reports on internal control for public companies (issuers), which are subject to PCAOB standards!

II. Applicability

When engaged to perform an examination of the design and operating effectiveness of an entity's internal control over financial reporting (examination of internal control) that is integrated with an audit of the entity's financial statements (integrated audit).

A. Timing of an Examination of Internal Control: Usually engaged to examine internal control over financial reporting as of the end of the entity's fiscal year. (If engaged to examine internal control for a period of time, the examination should be integrated with an audit of the financial statements covering the same period.)

B. SSAE No. 15 does not apply to other engagements related to internal control that are addressed by other standards, such as (1) engagements to examine the suitability of design of internal control; (2) engagements to examine controls over the effectiveness and efficiency of operations; (3) engagements to examine controls over compliance with laws and regulations; (4) engagements to report on controls at a service organization; and (5) engagements to apply agreed-upon procedures on controls. (Note that an auditor should not accept an engagement to review an entity's internal control over financial reporting.)

III. Underlying Concepts of SSAE No. 15

A. If one or more material weaknesses exist then the entity's internal control cannot be considered effective. Accordingly, the auditor should plan and perform the examination to obtain sufficient appropriate evidence to obtain reasonable assurance about whether material weaknesses exist as of the date specified.

B. The auditor is not required to search for deficiencies that are less severe than a material weakness (i.e., not required to look for significant deficiencies).

C. The auditor should use the same suitable and available control criteria to perform the examination of internal control as management uses for its evaluation of the effectiveness of the entity's internal control.

D. Four Conditions Must be Met for the Auditor to Examine Internal Control:
   1. Management must accept responsibility for the effectiveness of the entity's internal control;
   2. Management must evaluate the effectiveness of the entity's internal control using suitable and available criteria (e.g., COSO's Internal Control Integrated Framework);
   3. Management must support its assertion about the effectiveness of the entity's internal control with sufficient appropriate evidence; and
   4. Management must provide its written assertion about the effectiveness of the entity's internal control in a report that accompanies the auditor's report.

   (If management refuses to furnish a written assertion, the auditor should withdraw from the engagement.)

E. The Auditor's Basic Responsibilities: The auditor should plan and perform the integrated audit to achieve the objectives of both engagements simultaneously; that is, design the tests of control to (1) obtain sufficient appropriate evidence to support the auditor's opinion on internal control as of the period end and (2) obtain sufficient appropriate evidence to support the auditor's control risk assessments for purposes of the audit of the financial statements.

IV. Planning the Engagement

The auditor uses the same risk assessment process to focus attention on the areas of highest risk in both engagements.

A. Scaling the Examination: The size and complexity of the entity, its business processes, and the business units may affect the way in which the entity achieves its control objectives. (Less control testing may be needed for smaller, less complex entities.)

B. Entities with Multiple Locations: The auditor should assess the risk of material misstatement associated with the various locations/business units and correlate the amount of work with the degree of risk.

C. Fraud Risk Assessment: The auditor should incorporate the results of the fraud risk assessment performed in the financial statement audit.

D. Using the Work of Others: The auditor should assess the competence and objectivity of persons whose work the auditor plans to use. (The auditor's need to perform the work increases with the risk associated with a control.)

E. Materiality: The auditor should use the same materiality for both engagements.

F. Use a Top-Down Approach: The auditor should (1) begin at the financial statement level; (2) use the auditor's understanding of the overall risks to internal control; (3) focus on entity-level controls (e.g., the control environment, the entity's risk assessment process, monitoring controls, etc.); (4) focus on accounts, disclosures, and assertions that have a reasonable possibility of material misstatement to the financial statements; (5) verify the auditor's understanding of the risks in the entity's processes (including walkthroughs); and (6) select controls for testing based on the assessed risk of material misstatement to each relevant assertion.

V. Testing Controls and Evaluating Identified Deficiencies

The evidence that should be obtained increases with the risk of the control being tested. (The objective is to express an opinion on the entity's overall internal control, not on the effectiveness of individual controls.)

A. Evaluating Design Effectiveness: Procedures include a mix of inquiry, observation of the entity's operations, and inspection of relevant documentation. (A walkthrough is usually sufficient to evaluate design effectiveness.)

B. Evaluating Operating Effectiveness: Procedures include a mix of inquiry, observation of the entity's operations, inspection of relevant documentation, recalculation, and reperformance of the control. (Note that these procedures are presented in order of increasing persuasiveness of the resulting evidence.)

C. The Severity of a Deficiency: Depends on the magnitude of the potential misstatement and the degree of likelihood (whether there is a reasonable possibility) of a failure; it does not require that an actual misstatement occur.

D. Risk Factors Affecting Whether a Misstatement May Occur: (1) the nature of the accounts, classes of transactions, disclosures, and assertions involved; (2) the susceptibility of the related asset or liability to loss or fraud; (3) the subjectivity, complexity, or judgment involved; (4) the interaction of the control with other controls; (5) the interaction among the deficiencies; and (6) the possible future consequences of the deficiency.

E. Multiple Deficiencies: May cause a material weakness even though the deficiencies individually may be less severe.

F. Compensating Controls: May mitigate the severity of a deficiency, although they do not eliminate the deficiency entirely.

G. Indicators of Material Weaknesses: (1) discovery of any fraud involving senior management; (2) restatement of previously issued financial statements to correct a material misstatement; (3) identification of any material misstatement during the audit that was not detected by internal control; and (4) ineffective oversight of reporting and controls by those charged with governance.

VI. Concluding Procedures

A. Review Reports of Other Parties: The auditor should review the reports of others (such as internal auditors) during the year that address internal control issues.

B. Obtain Written Representations from Management Specific to Internal Control Matters: management's failure to provide these representations is a scope restriction.

C. Communicate Certain Internal Control Matters Identified during the Integrated Audit.
   1. Any identified material weaknesses and significant deficiencies should be communicated in writing by the report release date. (For governmental entities only, the written communication must occur within 60 days of the report release date.)
   2. Any lesser deficiencies should be communicated in writing to management within 60 days of the report release date (and should inform those charged with governance of that communication).
   3. Communicating an absence of deficiencies: the auditor should not issue any report stating that no material weaknesses (or that no significant deficiencies) were identified in an integrated audit.

VII. Reporting on Internal Control

A. Separate or Combined Reports: The auditor may choose separate reports on the financial statements and on internal control or a combined report on both. (If issuing separate reports, the auditor should add a paragraph to each report referencing the other report.)
Sample Combined Report on Internal Control and Financial Statements

Note: SSAE No. 15 includes the following statement: Because the examination of internal control is integrated with the audit of the financial statements and an examination provides the same level of assurance as an audit, the auditor may refer to the examination of internal control as an audit in his or her report or other communications.

Independent Auditor's Report

(Introductory paragraph)
We have audited the accompanying balance sheet of ABC Company as of December 31, 20XX, and the related statements of income, retained earnings, and cash flows for the year then ended. We also have audited ABC Company's internal control over financial reporting as of December 31, 20XX based on (identify criteria). ABC Company's management is responsible for these financial statements, for maintaining effective internal control over financial reporting, and for its assertion of the effectiveness of internal control over financial reporting, included in the accompanying (title of management's report). Our responsibility is to express an opinion on these financial statements and an opinion on ABC Company's internal control over financial reporting based on our audits.

(Scope paragraph)
We conducted our audit of the financial statements in accordance with auditing standards generally accepted in the United States of America and our audit of internal control over financial reporting in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the audits to obtain reasonable assurance about whether the financial statements are free of material misstatement and whether effective internal control over financial reporting was maintained in all material respects. Our audit of the financial statements included examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements, assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. Our audit of internal control over financial reporting included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, and testing and evaluating the design and operating effectiveness of internal control based on the assessed risk. Our audits also included performing such other procedures as we considered necessary in the circumstances. We believe that our audits provide a reasonable basis for our opinions.

(Definition paragraph)
An entity's internal control over financial reporting is a process effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance regarding the preparation of reliable financial statements in accordance with (applicable financial reporting framework, such as accounting principles generally accepted in the United States of America). An entity's internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the entity; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with (applicable financial reporting framework, such as accounting principles generally accepted in the United States of America), and that receipts and expenditures of the entity are being made only in accordance with authorizations of management and those charged with governance; and (3) provide reasonable assurance regarding prevention, or timely detection and correction of unauthorized acquisition, use, or disposition of the entity's assets that could have a material effect on the financial statements.

(Inherent limitations paragraph)
Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

(Opinion paragraph)
In our opinion, the financial statements referred to above present fairly, in all material respects, the financial position of ABC Company as of December 31, 20XX, and the results of its operations and its cash flows for the year then ended in conformity with accounting principles generally accepted in the United States of America. Also in our opinion, ABC Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 20XX, based on (identified criteria).

(Signature)
(Date)

B. Report Date: Should be dated when the auditor has obtained sufficient appropriate evidence to support the auditor's opinion. (If issuing separate reports, the reports should have the same date for an integrated audit.)

C. Unqualified Opinion on Management's Assertion about Internal Control or on the Operating Effectiveness of Internal Control (Directly): The structure of the auditor's report consists of six paragraphs: (1) introductory paragraph; (2) scope paragraph; (3) definition paragraph; (4) inherent limitations paragraph; (5) opinion paragraph; and (6) audit of financial statements paragraph.

Sample Examination Report on Management's Assertion

Independent Auditor's Report

(Introductory paragraph)
We have examined management's assertion, included in the accompanying (title of management report), that ABC Company maintained effective internal control over financial reporting as of December 31, 20XX based on (identify criteria). ABC Company's management is responsible for maintaining effective internal control over financial reporting, and for its assertion of the effectiveness of internal control over financial reporting, included in the accompanying (title of management's report). Our responsibility is to express an opinion on ABC Company's internal control over financial reporting based on our examination.

(Scope paragraph)
We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants.
Those standards require that we plan and perform the examination to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects. Our examination included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, and testing and evaluating the design and operating effectiveness of internal control based on the assessed risk. Our examination also included performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.

(Definition paragraph)
An entity's internal control over financial reporting is a process effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance regarding the preparation of reliable financial statements in accordance with [applicable financial reporting framework, such as accounting principles generally accepted in the United States of America]. An entity's internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the entity; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with (applicable financial reporting framework, such as accounting principles generally accepted in the United States of America), and that receipts and expenditures of the entity are being made only in accordance with authorizations of management and those charged with governance; and (3) provide reasonable assurance regarding prevention, or timely detection and correction of unauthorized acquisition, use, or disposition of the entity's assets that could have a material effect on the financial statements.

(Inherent limitations paragraph)
Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

(Opinion paragraph)
In our opinion, management's assertion that ABC Company maintained effective internal control over financial reporting as of December 31, 20XX is fairly stated, in all material respects, based on (identified criteria).
(Audit of financial statements paragraph)
We also have audited, in accordance with auditing standards generally accepted in the United States of America, the (identify financial statements) of ABC Company and our report dated (date of report, which should be the same as the date of the report on the examination of internal control) expressed (include nature of opinion).

(Signature)
(Date)

Sample Examination Report on the Effectiveness of Internal Control

Independent Auditor's Report

(Introductory paragraph)
We have examined ABC Company's internal control over financial reporting as of December 31, 20XX based on (identify criteria). ABC Company's management is responsible for maintaining effective internal control over financial reporting, and for its assertion of the effectiveness of internal control over financial reporting, included in the accompanying (title of management's report). Our responsibility is to express an opinion on ABC Company's internal control over financial reporting based on our examination.

(Scope paragraph)
We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects. Our examination included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, and testing and evaluating the design and operating effectiveness of internal control based on the assessed risk. Our examination also included performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.

(Definition paragraph)
An entity's internal control over financial reporting is a process effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance regarding the preparation of reliable financial statements in accordance with (applicable financial reporting framework, such as accounting principles generally accepted in the United States of America).
An entity's internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the entity; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with (applicable financial reporting framework, such as accounting principles generally accepted in the United States of America), and that receipts and expenditures of the entity are being made only in accordance with authorizations of management and those charged with governance; and (3) provide reasonable assurance regarding prevention, or timely detection and correction of unauthorized acquisition, use, or disposition of the entity's assets that could have a material effect on the financial statements.

(Inherent limitations paragraph)
Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

(Opinion paragraph)
In our opinion, ABC Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 20XX, based on (identified criteria).

(Audit of financial statements paragraph)
We also have audited, in accordance with auditing standards generally accepted in the United States of America, the (identify financial statements) of ABC Company and our report dated (date of report, which should be the same as the date of the report on the examination of internal control) expressed (include nature of opinion).

(Signature)
(Date)

D. Adverse Opinions: The auditor should express an adverse opinion if there is one or more material weaknesses in internal control (in this case, report directly on the effectiveness of internal control, not on management's assertion); should also consider the implications to the audit of the entity's financial statements.

Sample Report with Adverse Opinion on the Effectiveness of Internal Control

Independent Auditor's Report

(Introductory paragraph)
We have examined ABC Company's internal control over financial reporting as of December 31, 20XX based on (identify criteria). ABC Company's management is responsible for maintaining effective internal control over financial reporting, and for its assertion of the effectiveness of internal control over financial reporting, included in the accompanying (title of management's report). Our responsibility is to express an opinion on ABC Company's internal control over financial reporting based on our examination.

(Scope paragraph)
We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects. Our examination included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, and testing and evaluating the design and operating effectiveness of internal control based on the assessed risk. Our examination also included performing such other procedures as we considered necessary in the circumstances.
We believe that our examination provides a reasonable basis for our opinion. (Definition paragraph) An entity's internal control over financial reporting is a process effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance regarding the preparation of reliable financial statements in accordance with (applicable financial reporting framework, such as accounting principles generally accepted in the United States of America ). An entity's internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the entity; (2)

9 provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with (applicable financial reporting framework, such as accounting principles generally accepted in the United States of America ), and that receipts and expenditures of the entity are being made only in accordance with authorizations of management and those charged with governance; and (3) provide reasonable assurance regarding prevention, or timely detection and correction of unauthorized acquisition, use, or disposition of the entity's assets that could have a material effect on the financial statements. (Inherent limitations paragraph) Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate. (Explanatory paragraph) A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected on a timely basis. The following material weakness has been identified and included in the accompanying (title of management's report ). (Identify the material weakness described in management's report.) (Opinion paragraph) In our opinion, because of the effect of the material weakness described above on the achievement of the objectives of the control criteria, ABC Company has not maintained effective internal control over financial reporting as of December 31, 20XX, based on (identified criteria ). 
(Audit of financial statements paragraph) We also have audited, in accordance with auditing standards generally accepted in the United States of America, the (identify financial statements) of ABC Company. We considered the material weakness identified above in determining the nature, timing, and extent of audit tests applied in our audit of the 20XX financial statements, and this report does not affect our report dated (date of report, which should be the same as the date of the report on the examination of internal control), which expressed (include nature of opinion).

(Signature)
(Date)

E. Other Report Modifications: (1) if elements of management's report are incomplete or improperly presented (add an explanatory paragraph); (2) if there is a scope limitation (either withdraw or disclaim an opinion); (3) if the opinion is based partially on the report of another auditor; or (4) if management's report contains other additional information, such as commentary about corrective action taken (disclaim an opinion on the other information).

Reporting on Internal Control in an Integrated Audit

UPDATE NOTICE: The following content applies to those testing in 2017. In October 2015, the Statement on Auditing Standards (SAS) No. 130, An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements, was issued. SAS 130 is effective for integrated audits for periods ending on or after December 15, 2016, at which point it will replace Statement on Standards for Attestation Engagements (SSAE) No. 15, An Examination of an Entity's Internal Control Over Financial Reporting That Is Integrated with an Audit of Its Financial Statements. SAS 130 is eligible for testing on or after January 1, 2017.

I. Applicability and Objectives

A. Applicability: This guidance applies when an auditor is engaged to audit internal control over financial reporting (ICFR) along with an audit of a nonissuer's financial statements, known as an integrated audit. The AICPA issued a Statement on Auditing Standards to replace the guidance that was previously included among the Statements on Standards for Attestation Engagements. The AICPA guidance is closely aligned with the corresponding PCAOB Auditing Standards applicable to an integrated audit of an issuer.
B. Objectives: There are two objectives: (1) to obtain reasonable assurance whether material weaknesses exist at the "as of" date in management's assessment of ICFR; and (2) to express an opinion on the effectiveness of ICFR and communicate appropriately with management and those charged with governance.

II. Underlying Concepts

A. If any (one or more) material weaknesses exist, then the entity's internal control cannot be considered effective. The auditor should plan and perform the audit of ICFR to obtain sufficient appropriate evidence to provide reasonable assurance whether material weaknesses exist as of the date specified by management's report.
B. The auditor is not required to search for deficiencies that are less severe than a material weakness (such as significant deficiencies or other lesser matters).
C. The auditor should use the same suitable and available control criteria to perform the audit of ICFR that management uses for its assessment of the effectiveness of ICFR.
D. Preconditions for the Audit of ICFR:
1. Management must accept responsibility for the effectiveness of ICFR.
2. Management must provide the auditor with an assessment of ICFR using suitable and available criteria (e.g., COSO's Internal Control Integrated Framework).
3. Management must support its assessment of ICFR with sufficient documentation.
4. Management must provide its written assessment about the effectiveness of ICFR in a report that accompanies the auditor's report. (If management refuses to furnish a written assessment, the auditor should withdraw from the audit of ICFR.)
E. The Auditor's Basic Responsibilities: The auditor should plan and perform the integrated audit to achieve the objectives of both engagements simultaneously; that is, design the tests of control to (1) obtain sufficient appropriate evidence to support the auditor's opinion on ICFR at the "as of" date in management's report; and (2) obtain sufficient appropriate evidence to support the auditor's control risk assessments for purposes of the audit of the financial statements.

III. Planning the Audit of ICFR

A. Risk Assessment, in General: The auditor should use the same risk assessment process to focus attention on the areas of highest risk in the audit of ICFR and the audit of the entity's financial statements.
B. Fraud Risk Assessment: The auditor should evaluate whether the entity's controls adequately address the risks of material misstatement due to fraud as well as the risk of management override of controls.
C. Entities with Multiple Locations: The auditor should assess the risk of material misstatement associated with the various locations/business units and correlate the amount of work with the degree of risk.
D. Materiality: The auditor should use the same materiality for the audit of ICFR and for the audit of the entity's financial statements.
E. Using the Work of Internal Auditors or Others: The auditor should assess the competence and objectivity of persons when planning to use them either (1) to obtain audit evidence or (2) to provide direct assistance in the audit of ICFR. (The need for the auditor to perform the work increases as the risk associated with a control increases.)
F. Scaling the Audit: The size and complexity of the entity, its business processes, and the business units may affect the way in which the entity achieves its control objectives. (Less control testing may be needed for smaller, less complex entities.)
G. Use a Top Down Approach: The auditor should (1) begin at the financial statement level; (2) use the auditor's understanding of the overall risks to internal control; (3) focus on entity level controls (e.g., the control environment, the entity's risk assessment process, monitoring controls, etc.); (4) focus on significant classes of transactions, accounts, disclosures, and relevant assertions that have a reasonable possibility of material misstatement to the financial statements; (5) verify the auditor's understanding of the risks in the entity's processes (includes performing walkthroughs); and (6) select controls for testing based on the assessed risk of material misstatement to each relevant assertion.

IV. Testing Controls and Evaluating Identified Deficiencies

The evidence that should be obtained increases with the risk of the control being tested. (The objective is to express an opinion on ICFR overall, not on the effectiveness of individual controls.)

A. Evaluating Design Effectiveness: Procedures include a mix of inquiry, observation of the entity's operations, and inspection of relevant documentation. (A walkthrough is usually sufficient to evaluate design effectiveness.)
B. Testing Operating Effectiveness: Procedures include a mix of inquiry, observation of the entity's operations, inspection of relevant documentation, recalculation, and reperformance of the control. (Note that these procedures are presented in order of increasing persuasiveness of the resulting evidence.) Inquiry alone is insufficient for evaluating the operating effectiveness of controls.
C. The Severity of a Deficiency: Depends on the magnitude of the potential misstatement and the degree of likelihood (whether there is a "reasonable possibility") of a failure; it does not require that an actual misstatement occur.
D.
Risk Factors Affecting Whether a Misstatement May Occur: (1) the size and composition of the account; (2) susceptibility to misstatement; (3) volume of activity and complexity; (4) nature of the account, transactions, or disclosure; (5) accounting and reporting complexities associated with the account, transactions, or disclosures; (6) exposure to losses in the account; (7) possibility of significant contingent liabilities resulting; (8) existence of related party transactions; and (9) changes from the prior period.
E. Multiple Deficiencies: May cause a material weakness even though the deficiencies individually may be less severe.
F. Compensating Controls: May mitigate the severity of a deficiency, although they do not eliminate the deficiency entirely.
G. Indicators of Material Weaknesses: (1) discovery of any fraud involving senior management, whether material or not; (2) restatement of previously issued financial statements to correct a material misstatement; (3) identification of any material misstatement during the audit that was not detected by internal control; and (4) ineffective oversight of reporting and controls by those charged with governance.

V. Concluding Procedures

A. Review Reports of Other Parties: The auditor should review the reports of others (such as internal auditors) during the period that address internal control issues.
B. Obtain written representations from management specific to the audit of ICFR; management's failure to provide these representations is a scope limitation.
C. Communicate Certain Internal Control Matters Identified during the Integrated Audit.
1. Communicating material weaknesses and significant deficiencies: Should be communicated in writing to those charged with governance and management by the report release date. (For governmental entities only, the written communication must occur within 60 days of the report release date.)
2. Communicating other lesser deficiencies: Should be communicated in writing to management within 60 days of the report release date; should also inform those charged with governance of that communication.
3. Communicating an absence of deficiencies: The auditor should not issue any report stating that no material weaknesses (or no deficiencies less severe than a material weakness) were identified in an audit of ICFR.

VI. Reporting on ICFR

A. The Auditor's Written Report on ICFR Should Include the Following Elements:
1. A title that includes the word "independent";
2. An addressee;
3. An introductory paragraph that (a) identifies the entity involved; (b) states that ICFR has been audited; (c) identifies the "as of" date; and (d) identifies the criteria used to evaluate ICFR;
4. A section labeled "Management's Responsibility for [ICFR]" that (a) states that management is responsible for ICFR; (b) states that management is responsible for its assessment about the effectiveness of ICFR; and (c) refers to management's report on ICFR;
5. A section labeled "Auditor's Responsibility" that (a) states that the auditor's responsibility is to express an opinion on the entity's ICFR; (b) states that the audit was conducted in accordance with [GAAS]; (c) states that such standards require that the auditor plan and perform the audit to obtain reasonable assurance about whether effective ICFR was maintained in all material respects; (d) describes the audit; and (e) states the auditor's belief that the evidence obtained is sufficient and appropriate as a basis for the opinion;
6. A section labeled "Definition and Inherent Limitations of [ICFR]" that (a) defines ICFR (using the same description as used in management's report); and (b) includes a paragraph commenting on the inherent limitations of internal control;
7. A section labeled "Opinion" that expresses the auditor's opinion on whether the entity maintained, in all material respects, effective ICFR as of the specified date, based on the criteria used;
8. Cross reference: the auditor may issue a separate report on ICFR and on the entity's financial statements, or the auditor may issue a combined report on both. If the auditor issues a separate report on ICFR, the auditor should include an other matter paragraph that cross references the separate audit report on the financial statements (and vice versa);
9. The manual or printed signature of the auditor's firm;
10. The city and state where the auditor practices; and
11. The date of the auditor's report.
B. Report Date: The auditor's report on ICFR should not be dated before the auditor has obtained sufficient appropriate audit evidence to support the auditor's opinion, including evidence that the audit documentation has been reviewed; the audit reports on ICFR and on the financial statements should have the same date.
C. Five Reasons to Modify the Auditor's Report on ICFR
1. Adverse opinion issued: When there is at least one material weakness, the report should include the definition of material weakness and reference the description in management's report or point out that management's report did not identify the matter; the report also should determine the effect on the audit of the entity's financial statements (state whether the opinion on the financial statements was affected by adding an other matter paragraph or commenting in the paragraph that identifies the material weakness).
2. Elements of management's report are incomplete or improperly presented: If management does not revise its report, the auditor should add an other matter paragraph to describe the reasons for the determination that elements of the report are incomplete or improperly presented.
3. Scope limitations: The auditor should either withdraw from the engagement or disclaim an opinion on ICFR (stating the reasons for the disclaimer) and consider the effect on the audit of financial statements.
4.
Making reference to a component auditor: The auditor should not make such a reference unless the component auditor has followed appropriate professional standards and has issued a report on a component's ICFR that is not restricted.
5. Management's report includes additional information: The auditor should add an other matter paragraph to disclaim an opinion on the other information in management's report; if such other information is included in a document containing management's report, the auditor should read the additional information to evaluate whether there are material inconsistencies with management's report. (If there are, the auditor should try to persuade management to make appropriate changes to resolve any inconsistency.)

VII. Sample Reports That Follow

A. Example of a management report (with no material weaknesses reported)
B. Auditor's unmodified opinion on an entity's financial statements and ICFR (presented as a combined report on both parts of the integrated audit)
C. Auditor's unmodified opinion on ICFR (presented as a separate report on ICFR)
D. Auditor's adverse opinion on ICFR (presented as a separate report on ICFR)

Example Management Report (with No Material Weaknesses Reported)

Management's Report on Internal Control Over Financial Reporting

ABC Company's internal control over financial reporting is a process effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance regarding the preparation of reliable financial statements in accordance with [applicable financial reporting framework, such as accounting principles generally accepted in the United States of America]. An entity's internal control over financial reporting includes those policies and procedures that: (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the entity; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with [applicable financial reporting framework, such as accounting principles generally accepted in the United States of America] and that receipts and expenditures of the entity are being made only in accordance with authorizations of management and those charged with governance; and (3) provide reasonable assurance regarding prevention, or timely detection and correction, of unauthorized acquisition, use, or disposition of the entity's assets that could have a material effect on the financial statements.

Management of ABC Company is responsible for designing, implementing, and maintaining effective internal control over financial reporting. Management assessed the effectiveness of ABC Company's internal control over financial reporting as of December 31, 20XX, based on [identify criteria]. Based on that assessment, management concluded that, as of December 31, 20XX, ABC Company's internal control over financial reporting is effective, based on [identify criteria].

Internal control over financial reporting has inherent limitations. Internal control over financial reporting is a process that involves human diligence and compliance and is subject to lapses in judgment and breakdowns resulting from human failures.
Internal control over financial reporting also can be circumvented by collusion or improper management override. Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct, misstatements. Also, projections of any assessment of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions or that the degree of compliance with the policies or procedures may deteriorate.

ABC Company
[Report signers, if applicable]
[Date]

Unmodified Opinions on Financial Statements and ICFR (Combined Report)

[Appropriate Addressee]

Report on Internal Control Over Financial Reporting

We have audited the accompanying financial statements of ABC Company, which comprise the balance sheet as of December 31, 20XX, and the related statements of income, changes in stockholders' equity, and cash flows for the year then ended, and the related notes to the financial statements. We have also audited ABC Company's internal control over financial reporting as of December 31, 20XX, based on [identify criteria].

Management's Responsibility for the Financial Statements and Internal Control Over Financial Reporting

Management is responsible for the preparation and fair presentation of these financial statements in accordance with accounting principles generally accepted in the United States of America; this includes the design, implementation, and maintenance of effective internal control over financial reporting relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error. Management is also responsible for its assessment about the effectiveness of internal control over financial reporting, included in the accompanying [title of management's report].

Auditor's Responsibility

Our responsibility is to express an opinion on these financial statements and an opinion on the entity's internal control over financial reporting based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America. Those standards require that we plan and perform the audits to obtain reasonable assurance about whether the financial statements are free from material misstatement and whether effective internal control over financial reporting was maintained in all material respects.

An audit of financial statements involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The procedures selected depend on the auditor's judgment, including the assessment of the risks of material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity's preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate in the circumstances.
An audit of financial statements also includes evaluating the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluating the overall presentation of the financial statements.

An audit of internal control over financial reporting involves performing procedures to obtain audit evidence about whether a material weakness exists. The procedures selected depend on the auditor's judgment, including the assessment of the risks that a material weakness exists. An audit includes obtaining an understanding of internal control over financial reporting and testing and evaluating the design and operating effectiveness of internal control over financial reporting based on the assessed risk.

We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinions.

Definition and Inherent Limitations of Internal Control Over Financial Reporting

An entity's internal control over financial reporting is a process effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance regarding the preparation of reliable financial statements in accordance with [applicable financial reporting framework, such as accounting principles generally accepted in the United States of America]. An entity's internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the entity; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with [applicable financial reporting framework, such as accounting principles generally accepted in the United States of America] and that receipts and expenditures of the entity are being made only in accordance with authorizations of management and those charged with governance; and (3) provide reasonable assurance regarding prevention, or timely detection and correction of unauthorized acquisition, use, or disposition of the entity's assets that could have a material effect on the financial statements.

Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct, misstatements. Also, projections of any assessment of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions or that the degree of compliance with the policies or procedures may deteriorate.

Opinions

In our opinion, the financial statements referred to above present fairly, in all material respects, the financial position of ABC Company as of December 31, 20XX, and the results of its operations and its cash flows for the year then ended in accordance with [applicable financial reporting framework, such as accounting principles generally accepted in the United States of America]. Also, in our opinion, ABC Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 20XX, based on [identify criteria].

Report on Other Legal and Regulatory Requirements

[Form and content of this section of the auditor's report will vary depending on the nature of the auditor's other reporting responsibilities.]
[Auditor's signature]
[Auditor's city and state]
[Date of the auditor's report]

Unmodified Opinion on ICFR (Separate Report on ICFR)

[Appropriate Addressee]

Report on Internal Control Over Financial Reporting

We have audited ABC Company's internal control over financial reporting as of December 31, 20XX, based on [identify criteria].

Management's Responsibility for Internal Control Over Financial Reporting

Management is responsible for designing, implementing, and maintaining effective internal control over financial reporting and for its assessment about the effectiveness of internal control over financial reporting, included in the accompanying [title of management's report].