 Hello, and welcome to this session in which we will discuss integrated audit. In this section for integrated audit I will focus specifically on two things. First, I will introduce the integrated audit. What is integrated audit? Give you a historical background. Why does it exist and what is it? Then I'm going to speak specifically about the management responsibility when it comes to integrated audit. What is their responsibility? Then in the next session, we'll talk about the auditor's responsibility. Now, I will not discuss how management test their audit because that's not the that's not the case that you will be tested on on the CPA exam. But when it comes to the auditor's responsibility, we're going to see specifically how would the auditor conduct an integrated audit. So what is integrated audit? It's auditing the financial statements, which is that's normal. We always audit the financial statement, but in addition to the financial statements, we will audit. Notice the word audit I highlighted in yellow internal control over financial reporting. I see FR abbreviated. Now, let's give you some historical contacts about this. Why it makes sense? Now, when companies like Enron, Worldcom, they filed for bankruptcy in 1999-2000-2001. We went through a series of bankruptcies including Enron and Worldcom. Those were the major ones. And this investigation found out that if internal control over financial reporting was working properly, if internal control was working properly, those fraud could have been avoided. Those fraud could have been caught much earlier. And that's the reason why now we have to audit financial statements for publicly traded companies and audit internal control over financial reporting. Now, whose subject to this requirement? I just told you issuers or publicly traded companies, specifically large and accelerated. So generally speaking, we say issuers are subject to integrated audit unless they are exempted by the DAAP-FRIEND Act. Well, what is large and accelerated filers? Well, large filers is when 700 million of your market value of the common stock is held by outsiders. Simply put, you are a large company and 700 million of your market value is held by outsiders. Outsiders mean someone other than people that are related to the company. That those are large filers. Who are accelerated filers? Well, accelerated filers were talking about 75 million up to 700 million of their fair market value in common stock held by non-affiliate. Little smaller than the large ones, 752, 75 million to 7 to 700 million. Nevertheless, those two are subject unless the company is exempt by the DAAP-FRIEND Act. Simply put, if the company is a small, it will be exempt in terms of revenue. Just know that certain publicly traded companies issuers are exempt. Also, non issuers could have an integrated audit. Now, bear in mind, they are not required to have an integrated audit. The integrated audit is an option. Maybe management wants to have an integrated audit. Maybe the owners of the company, maybe the lender, the bank wants to be, to make sure that the internal control is working properly. Maybe a potential investor, they would say, look, I will invest in you. But first, I want an integrated audit. That could be the case. Before we proceed any further, I have a public announcement about my company, farhatlectures.com. Farhat accounting lectures is a supplemental educational tool that's going to help you with your CPA exam preparation, as well as your accounting courses. My CPA material is aligned with your CPA review course, such as Becker, Roger, Wiley, Gleam, Miles. My accounting courses are aligned with your accounting courses, broken down by chapter and topics. My resources consist of lectures, multiple choice questions, true-false questions, as well as exercises. Go ahead, start your free trial today. No obligation, no credit card required. Now, bear in mind that management always was responsible for maintaining an effective internal control. You cannot run a company without effective internal control, because we're talking about, you know, internal control over financial reporting. You should not operate a company or even work for a company for that matter if they don't have good control, because you're going to run into a lot of issues if you don't have good controls. However, Sarbanes-Axley of 2002 abbreviated a SOC, which would happens that took place after Enron and Wartcom. This is the name of two senators, Paul Sarbanes and Michael Axley. They drafted this act and what they did, they increased management responsibilities. So now management is responsible to do more about internal control. Management needs to demonstrate that internal controls are effective. It's no longer we have them down on a piece of paper somewhere. Now, show me that you have them on a piece of paper. You should have them on a piece of paper for that fact. But that's not enough. You want to show me that they are effective. In other words, they are working properly. And this is why the auditor will have to audit not only the financial statements, they will have to audit internal control over financial reporting. Now, the SEC will provide guidance for the implementation of SOCs. So we have to understand that the Securities and Exchange Commission, obviously, because they oversees the issuers, they provide the guidance on how companies implement SOC. Now, we have to understand that the CPA exam differentiates between issuers and non-issuers. Simply put, they will tell you, for example, those are the management responsibility about internal control when it comes to non-issuer. And these are the responsibility for the issuers because that's the case and because you could be studying for the CPA exam. Now, my auditing course, we really don't differentiate between issuers and non-issuers. When I teach this as an undergraduate course, I teach you generally the rules and usually it's for non-issuers because they're similar, but we don't differentiate. But for the CPA exam, they make those small distinctions. Just be aware of this. So what are the prerequisites of auditing a non-issuer internal control? So before you audit their non-issuer, they have to accept responsibility of the effectiveness. Obviously, you will not audit anything. You will not provide any attestation unless the other party takes responsibility. And we saw this in audit. For example, management says we are responsible for the financial statement. When we did non-attestation services, well, also in every engagement, compilations, reviews, also management is responsible for those. We don't do anything that's given assurance of the other party. Don't take responsibility for that. Also, management will evaluate. Evaluate in this context means test or audit. So here what happened is we expect management to test or audit the effectiveness of their internal control over financial reporting using some framework. US companies use COSO and they will be as of the end of the most recent physical period. Management will have to show that they collected actual evidence to support the evaluation. So simply put, before you issue that report, you want management to take responsibility. You want management to have audited, evaluated their internal control, and they have to provide you written assessment and huge written assessments or assertions. It doesn't matter on the effectiveness of the internal control over financial reportings. Now, those written assessment will basically confirm that they did this basically. And if they don't provide written assessment, you either withdraw or you disclaim. You really cannot engage them if they don't provide written assessment or assertions. Again, here we are talking issuers and non-issuers. Also, they have to generate a report. They have to tell you that we provided this report about the effectiveness of their internal control, whether it's effective or not. And the report will be part of their annual 10K, their annual report. Then the auditor would also tell you the auditor have issued an audit report on management assessment or assertion. They will tell you that's the case. This is some of the prerequisite for non-issuers. The prerequisite for issuers are basically similar to the non-issuers. Management is responsible for establishing and maintaining an adequate internal control and procedures for financial reporting. Management made an assessment of the internal control at the end of the most physical year about the effectiveness of the internal control over financial reporting. And also they have to provide written assessment slash assertions for publicly traded companies. We call them assertions. Now, those written assertions and assessment, they have to be provided by both. They have to take responsibilities in writing. One, again, management is responsible for establishing and maintaining internal control. Notice we are repeating the same thing, which is that's fine. Repetition will help you understand the concept. Management assessed the effectiveness of internal control. It's not only they are responsible for establishing and maintaining, they tested it. They tell you what criteria they used. Usually it's COSO. And they'll have to tell you they did not rely on the auditor as the basis for their assessment. Simply put, they did their assessment themselves, because the auditor will have to make an assessment as well. But they did not rely on the auditor. They said, okay, the auditor did it. We'll accept it. Our internal control are working properly. Not at all. They have to do it themselves. They have to disclose any deficiencies in the design of an operation of control. All significant and material deficiencies will have to be disclosed, including sometimes they might have some deficiencies from the prior year. They have to tell you whether they resolved it or not. They have to disclose any fraud involving either senior management or people who are working in the internal control over financial reporting. Also, they will have to disclose any material changes about any significant, significant or material deficiency if they took any corrective action as of the report date. Now, the best way to kind of summarize all of this is to actually look at an actual report. And guess what? The report would basically repeat what we just said, but this is what the end product looks like. This is what it looks like. One of the paragraph what says management is responsible for establishing and maintaining adequate internal control. We already talked about this a few times. Adam Company's internal control was designed to provide only reasonable assurance that the company's management and board of directors regarding the preparation and fair presentation of the published financial statement. All internal control system, no matter how well designed, have inherent limitation. This is basically a limitation paragraph. Therefore, even a system determined to be effective can provide only reasonable assurance. To remind you, we are providing reasonable assurance. Also, we assess. Notice, I told you, they have to assess. They have to take responsibility for the design. They have to take the responsibility for maintaining, for establishing the control, but they have to assess. They have to test the effectiveness of the company's internal control over financial reporting as of the date and making the assessment. We use COSO as the criteria based on our assessment. We believe that the company's internal control over financial reporting is effective. Also, they have to tell you our independent auditor, Adam Company independent auditor have issued an audit report on our assessment and our assessment over financial reporting. You could see it on page 50 in the annual report. Then they'll have to sign and date, usually the CEO and the CFO, people in charge of the company simply pot or managing the company for that matter. So this is basically a report. If you read it and if you really think about it, this page here summarizes practically everything that we did. It shows you few things, management responsibility and they have to assess the internal control and the auditor will have to audit that. Then the signature and date. What should you do now? Go to Farhat Lectures and look at additional resources, multiple choice questions that's going to help you understand this topic better. Whether you are a CPA candidate or a student, it's very important to understand integrated audit. Integrated audit is an important topic in your examination process for the to get that certification. Take it seriously. I'm going to have a series of those lectures about integrated audit, starting next with the auditor's