What Is an Integrated Audit?
Audits and auditors—Yikes. It’s the thing of nightmares for most business owners. But, while the thought of being audited may cause you distress, what you learn when it’s over may help take your company to the next level.
In the past, financial audits have been focused on making sure the numbers were correct. But today, auditing has grown to incorporate processes beyond the numbers. For example, auditing internal controls, cyber safety, and human resources performance have become part of the annual audit.
These types of integrated audits allow businesses to gain valuable insight that only comes from an outsider looking in.
Today we’ll look specifically at the integration of audit of internal control and financial statement audits.
What’s the Purpose of an Integrated Audit?
An integrated audit takes the traditional audit of financial statements and adds in an examination of the company’s internal controls over financial reporting (ICFR).
Historically, external auditors have focused on ensuring the numbers on the balance sheet, income statement, and statement of cash flows are free of material misstatement.
Auditors would gain a high-level understanding of the company’s general control environment and business processes but would rely heavily on substantive testing to validate numbers on the financial statements.
But with an integrated audit approach, the audit process requires an in-depth understanding and review of a company’s control environment. And testing the effectiveness of internal controls becomes a part of the audit engagement.
The auditor’s control objectives will be to express an opinion on management’s assessment of the effectiveness of ICFR. Auditors will primarily look at internal controls over transaction processing with a heavy focus on the information systems used in your accounting department.
During their audit planning, auditors will design audit procedures that will review:
- The design of the entity-level controls, and
- The operating effectiveness of these controls
After gathering audit evidence, if either the design or operation of the controls is ineffective, the audit team won’t be able to rely on the control to provide reasonable assurance that it will prevent financial misstatements.
This means the auditors will need to complete more substantive testing of financial statement accounts to ensure the financial statements are accurate. And this will invariably increase the cost of the audit.
Who’s Required To Have an Integrated Audit?
The short answer is that all public companies must have an integrated audit under the auditing standards of the Sarbanes-Oxley Act.
But private companies can have an integrated audit. And companies looking for future investors or considering selling should look into having an integrated audit. Having an independent opinion confirming the proper operation of your internal controls may boost the attractiveness of the business.
How Does an Integrated Audit Help Your Internal Auditors?
While an external CPA completes an integrated audit, the auditor’s report can provide your staff with insights into potential material weaknesses in your internal controls.
And while the integrated audit is a regulatory requirement for public companies, it can also provide valuable insight into your internal audit function.
During the internal audit portion of the integrated audit, auditors will gain an understanding of the flow of transactions through your company. They will be looking to ensure transactions:
- Are complete,
- Are valued correctly,
- Are presented and disclosed properly.
Depending on the size of your company, auditors will spend several weeks completing their audit procedures which will include things like reviewing procedural documentation, interviewing key employees, and examining transactions as they flow through your IT system.
After the audit is completed, the auditors will provide their audit report to you or, if you have one, your audit committee. If they noted any areas where internal controls were inadequate to prevent a material misstatement to the financial statements, it would be included in the audit report.
Although you hope to receive a “clean audit opinion,” meaning the auditors found no issues, there are chances that problems may come to light. This will allow your team to address any information technology gaps or other shortcomings in your risk assessment or risk management.
Integrated Audit Report Examples
An audit report on ICFR that found no material weaknesses or other deficiencies is relatively short and straightforward. Here’s an example from Microsoft’s 2020 fiscal year 10-K filing with the Securities and Exchange Commission.
Source: SEC EDGAR
If an auditor were to find material weaknesses or significant deficiencies in internal controls, they would disclose them. Have a look at this 2019 annual report for Marriott International, Inc., where their auditors found material weaknesses.
You’ll notice there’s an extra paragraph under the Opinion on Internal Control over Financial Reporting heading. This is where their auditor’s disclosed a material weakness in controls over how Marriott operated its guest loyalty program.
Source: SEC EDGAR
Although few business owners enjoy the idea of having an audit, it can provide benefits. The results of an audit can help prevent future errors, increase your bottom line, and assist you in making better business decisions.