How do we conduct an audit

1
How do we conduct an audit?

• Actg 493Advanced Auditing
• Spring 2007

2
Which audit are we talking about?

• Financial statement audit
• Audit of internal control effectiveness (SOX Rule
  404)
• These audits are separate, yet connected!

3
Big Picture Financial Statement Audit

• We must attest to whether financial statements
  are right (i.e. fairly stated)
• Specific dimensions of right
• Existence
• Completeness
• Valuation
• Rights and Obligations
• Presentation and Disclosure

4
Big Picture 404 Audit

• We audit managements assertion that they
  maintained an effective system of internal
  controls
• See Monaco statements
• What do we mean by effective system of internal
  controls?
• COSO
• Controls over system of financial reporting are
  effective in preventing the F/S from being
  misstated
• If system is determined to have material
  weaknesses, then an adverse report is issued on
  I/C

5
What tests can we use in a financial statement
audit?

• Tests to obtain an understanding
• Tests of controls
• Company level
• Transaction level
• Tests of transactions and balances
• Substantive tests of details
• Substantive analytics

6
What do we test?

• All aspects of financial statements that could
  have a material effect
• Revenue Cycle (Ch 14)
• Expenditure Cycle (Ch 15)
• Production Personnel Services Cycles (Ch16)
• Investing Financing Cycles (Ch 17)
• Investments Cash Balances (Ch 18)
• Financial Reporting Cycle

7
How do we decide which tests to perform to what
extent?

• AR IR x CR x DR
• AR IR x CR x AP x TD

8
Basic audit approaches

• Low Inherent Risk (IR)
• Focus on gaining an understanding and use
  analytics
• Limited tests of controls and details of
  transactions and balances
• Low Control Risk (CR)
• Focus on testing controls
• Limited tests of details of trans and balances
• Primarily substantive approach
• Focus on testing testing trans and balances
• Limited tests of controls and AP
• Q What approach is used various companies?

9
Bucket Approach to Audit Comfort

• Determine the level of comfort you need taking
  into consideration the acceptable level of Audit
  Risk as well as the Inherent Risk of the
  audit/account. The larger the risk, the larger
  size of bucket you need.
• Determine how you will fill your bucket based
  on Controls, Substantive Tests and Analytical
  procedures.
• Public companies subject to 404 procedures will
  likely have more of the bucket filled with
  Tests of Controls, some Substantive Tests and
  some Analytical Procedures.
• Smaller private companies without strong
  controls, will have a much lower level of comfort
  being obtained from Controls and the Substantive
  Tests and Analytical Procedures will make up most
  of the bucket.
• Reviewsmostly Analytical Procedures with maybe a
  little Substantive Tests and/or Controls.

Analytical Procedures
Substantive Tests
Tests of Controls
Lines move depending on the level of comfort you
need from each type of test
10
SOX 404 Overview
11
404 Background

• Effective dates
• Accelerated filers (market cap gt 75 million)
• Non-accelerated and foreign filers fiscal years
  ending on or after July 15, 2006
• Who is impacted?
• Appx. 13,700 filing companies
• Appx 1000 firms registered with PCAOB
• Managements Certification Rule 302 Told the
  whole truth and nothing but the truth statements
  signed by management

12
404 Background contd

• Requirements
• Report to be included in each annual filing with
  the SEC stating that management is responsible
  for establishing and maintaining adequate system
  of internal controls for financial reporting.
• Must also contain an assessment of the
  effectiveness of the internal control structure
  and procedures at year end.
• Managements assessment
• Registered auditors attest to managements
  assessment
• Quarterly must disclose changes (to correct
  problems)

13
404 Background contd

• Not effective defined as
• Control deficiency Failure of a control,
  however inconsequential to financial statements
  reported to management
• Significant deficiency - Reported to BOD unless
  company chooses to disclose
• Material weakness - Automatic adverse opinion

14
SIGNIFICANCE
Material
MaterialWeakness
Significant Deficiency
LIKELIHOOD
Significant Deficiency
Remote
Probable
Immaterial
15
How do we do a 404 audit?

• Recall types of controls
• Reporting controls and disclosure controls
• Entity wide and transaction level controls
• Review client documentation for adequacy of
  design
• Test controls for effectiveness
• Daily (many times) 25
• Daily (once) 15
• Weekly 5
• Monthly 2
• Quarter and y/e 1
• What happens if control fails? Is there time for
  company to remediate and auditors to test?

16
404 Reporting

• If significant deficiencies only, clean opinion
  but may disclose
• One firm 67 of clients had significant
  deficiencies
• If material weakness, adverse opinion
• Local adverse opinions
• Hollywood Video 2004 (PWC) leases
• Mentor Graphics (KPMG) calculation of tax
  provision

17
Adverse Opinion Summary
18
How does 404 audit relate to financial statement
audit?

• Intersection between f/s and 404 audits occurs
  through tests of controls.
• How can we have a clean audit opinion and an
  adverse opinion on controls?

19
Intended (and Unintended) Consequences of 404

• Real question is whether we have greater
  integrity and reliability in financial reporting.
• Impact on profession
• Impact on audit quality
• Impact on financial markets
• See Ripple Effects of the Sarbanes Oxley Act
  published in 2004 and Revisiting the Ripple
  Effects of the Sarbanes Oxley Act

20
One companys thoughts

• We are in the process of our compliance efforts
  mandated by Section 404 of the Sarbanes-Oxley Act
  of 2002. As we have done our due diligence in
  trying to understand the requirements and
  corresponding work necessary to successfully
  document our system of internal controls to the
  standards and satisfaction of third parties, we
  have encountered egregious estimates of time,
  dollars, outside consultant fees, and volumes of
  paperwork. As our implementation has progressed,
  we have yet to realize any control, operations or
  governance improvements or benefits.
  Additionally, and most importantly, the estimated
  potential cost to our shareholders in relation to
  the benefits, or even potential benefits, is
  unconscionable. We believe that these additional
  costs and expenses will merely confirm the
  existence of an already effective and functioning
  control system that already conforms with a
  recognized system of internal controls.

21

• Although we intend to diligently pursue
  implementation and compliance with the Section
  404 requirements, we do not believe it is in our
  shareholders' best interests to incur unnecessary
  outsized costs in this effort. As we are a single
  location company with an extremely involved,
  hands-on senior management group in a highly
  regulated industry with significant insider
  ownership, the potential benefits to be derived
  from the Section 404 requirements are believed to
  be minimal. Consequently, we will make every
  effort internally to comply with the Section 404
  requirements but will minimize what we believe to
  be the unreasonable and unnecessary expense of
  retaining outside third parties to assist in this
  effort.
• As a result of this cautioned approach and the
  complexity of compliance, there is a risk that,
  notwithstanding the best efforts of our
  management group, we may fail to adopt sufficient
  internal controls over financial reporting that
  are in compliance with the Section 404
  requirements.
• Monarch Casino, 10K notes