Integrated Audits: How to Test ICFR & Financials Together Like a Pro
Overview: An integrated audit combines the financial statement audit with an audit of internal control over financial reporting (ICFR). This guide explains when an integrated audit is required, how to plan it, test controls, and report findings under both PCAOB and AICPA standards.
✅ Issuers vs. Nonissuers
• For issuers (public companies), PCAOB standards require an integrated audit unless exempt under the Dodd-Frank Act. • Large accelerated filers (>$700M market cap) and accelerated filers (>$75M) must have an ICFR audit. Smaller reporting companies are exempt. • For nonissuers (private companies), SAS 130 allows integrated audits if management provides a written assessment.
📌 Management Responsibilities
Management must:
- Accept responsibility for maintaining effective ICFR.
- Evaluate control effectiveness using suitable criteria.
- Provide sufficient evidence and a written assessment as of the balance sheet date.
- Give written representations acknowledging disclosures of all significant deficiencies or fraud.
✅ Top-Down Approach
Auditors use a top-down approach to select controls:
- Start at the FS level → entity-level controls → significant accounts, disclosures, and assertions.
- Walk-throughs help identify likely misstatement sources.
✅ Entity-Level Controls
Examples: Control environment, risk assessment process, management override, monitoring results. Strong entity-level controls can reduce testing at lower levels.
✅ Testing Controls
- Evaluate design effectiveness (will the control work if applied?).
- Test operating effectiveness (is the control working as designed?).
- Methods: Walk-throughs, inquiry, observation, inspection, reperformance.
- Inquiry alone is never enough.
- More evidence is needed for high-risk controls.
✅ Service Organizations & Automated Controls
- If part of ICFR depends on a service org, get a service auditor’s report or perform your own tests.
- For stable automated controls, benchmarking may avoid redundant testing.
✅ Reporting & Deficiencies
• Form an opinion on whether ICFR is effective as of the balance sheet date.
• Any material weaknesses must be disclosed.
• If management refuses to supply a written assessment or representations, the auditor should withdraw or disclaim.
✅ Key Differences: ICFR vs. FS Audit
- Scope: ICFR audit is point-in-time; FS audit covers a full period.
- Extent: ICFR audit requires testing controls over all relevant assertions; FS audit may rely on substantive tests alone.
- Communication: ICFR deficiencies must be communicated by report release date; FS audit allows up to 60 days.
🔗 Helpful References
👉 Master integrated audits: plan smart, test controls thoroughly, and report with confidence!
