Integrated Audit - An approach to value added and efficient audit engagements.
Mahmoud Said MBA, CPA
CFO | Non-Executive Board Member | Audit & Governance Committee Chair
In this article, I will talk about how to apply the integrated audit approach in audit engagements.
However, before I start, I want to stress that what is written here has nothing to do with my current employer. It is purely based on my audit experience with PwC USA, specifically 2004 - 2006, while applying the Sarbanes-Oxley Act in the audit of a few listed SEC clients.
US GAAS and ISA have required a proper understanding of the client's internal control, while it remains a matter of the auditor's professional judgment whether to test it or not, depending on the audit strategy (NET - Nature/Extent/Timing).
In the early 90s, we had three audit strategies: High, None and Some.
- High means high reliance on the client's internal control to reduce the extent of substantive testing if the tests of controls were satisfactory. This is what we will call snorkeling when the water is really clear.
- None means that the client's internal control is either not properly designed or not effectively implemented (Control gap/Control deficiency/Material Weakness); thus, the auditor will perform extensive substantive testing toward year end, the so-called Diving.
- Some means the auditor will utilize the existence of key controls in some areas to achieve better engagement metrics while still performing detailed testing in the areas not covered by solid controls.
At that time, the external audit was adding value by advising or recommending more controls to be applied by our clients, in the hope that this could reduce our audit risk in the following years (management letter points).
However, the game changed with the Sarbanes-Oxley Act on the horizon: CPA firms are now required by this legislation to understand, test and report on the internal control over financial reporting.
This act applied mainly to listed companies, which by all means started to comply by:
1. Empowering their internal audit function and audit committee role,
2. Maintaining proper documentation of their existing internal controls,
3. Reporting on management assessment of their internal controls (no longer required).
Between 2004 and 2006, the Big 4 firms were helping SEC clients by performing:
i. Advisory service mainly on the documentation and operation side of the internal control system, or
ii. Assurance service by expressing an opinion on the FS and internal control system.
The most efficient way to do it was to apply an integrated approach: identifying the key risks, mapping them to the key controls in place and testing those controls.
At the beginning, it took much effort, time and audit fees, coupled with arguments about which controls we should test: financial controls, operational controls, entity-wide controls, all key ones, those that affect the financial reporting aspects, those that affect the compliance aspects, or a mix?!
- We can't audit or cover all risks and controls in just one year; however, a solution was found when we started applying the Bucket testing approach.
- The Bucket testing approach is applied to each entity to group controls based on the risk assessment, and it is updated annually if there is any change in the internal control structure.
- If, during planning, a control gap is found, then the audit/NET strategy needs to reflect that deficiency.
- For strategic entities, it might be decided to perform Bucket 1, 2 and 3, whereas for other entities we can do Bucket 1 and 2 testing and never need to do Bucket 3.
- The same control can move between Bucket 2 and 3 depending on the nature of operation of the entity itself.
In summary, the Integrated Audit approach is mainly about:
- Understanding the client business, operation and environment very well.
- Understanding well the prevailing laws, regulations and local legislation to be complied with.
- Understanding the client's business risk and internal control system.
- Mapping the controls to the relevant risks (Risk & Control Matrix).
- Assessing the design efficiency of the internal control system by conducting process walk-throughs.
- Applying a risk-based approach to focus on the key risks and key controls affecting the fairness of the financial statements (ICFR).
- Always considering the possibility of using the System Process Analyst (SPA - IT auditors), especially in an automated environment where lots of manual controls have been replaced by IT controls and interfaces behind the scenes.
- Ensuring the effectiveness of these controls throughout the year - through testing these controls - to obtain comfort on the reliability of the financial information making up the financial books and records (ledger to trial balance).
- Properly evaluating the materiality of the findings, whether deficiency, significant deficiency or material weakness.
- Always updating the audit strategy throughout the audit based on the findings at any stage.
- Coming up with a conclusion about the effectiveness of the internal control system sufficient to render an opinion, either stand-alone or combined with the opinion on the financial statements.
- Gradually reducing the nature of the substantive analytical procedures/test of details through utilizing the CAKE (Cumulative Audit Knowledge Experience).
- Issuing an opinion on the fairness of the financial statements along with an opinion on their compliance with the governing laws and regulations.
Finally, the compliance aspect is very wide in scope, so it is very important to identify the compliance framework. If we are auditing:
- An airline company, then it will be International Air Transport Association (IATA) regulation.
- A bank or financial institution, then it will be local central bank regulations, including Money Laundering Acts and KYC.
- A food or pharmaceutical company, then it will be Food & Drug Authority (FDA) regulations.
- A listed company, then it will be the local exchange market regulation (SEC).
- Tax law or the local tax authority and HSE regulation are examples of more generic compliance frameworks.