 Welcome to the session in which we will discuss the integrated audit and specifically now we're going to be looking at forming the opinion. We're going to form the opinion. So what is an integrated audit? Just to make sure we are all on the same page is what it's when you audit the financial statements and issue an opinion and at the same time audit the internal control over financial reporting and issue an opinion about that as well. This is what we called an integrated audit. In the prior session we looked at how to plan the engagement using the top-down approach, test and evaluate the design of internal control over financial reporting, test and evaluate the operating effectiveness of internal control over financial reporting. This is what we did in the prior session and we did all those four steps to reach our ultimate objective in an integrated audit and that is to express an opinion on the company's internal control over financial reporting. This is exactly what we want to do. Now we're getting to our goal, to our objective, forming an opinion on the effectiveness of internal control over financial reporting. For the opinion I'm going to break it down into three sub-lectures. First I'm going to discuss the type of internal control deficiencies because when we performed step three and four we could have found some deficiencies, control deficiencies. So we need to know what type of control deficiencies we can have and who should we report those deficiencies to. Now I'm going to do this separately. Why? Because I believe it warrants serious attention to understand the different type of control deficiencies. Once you understand the different type of control efficiencies and who do we report to then would look at the actual report and I will have two different sections for the report. One for the issuer which is publicly traded and one for the non-assure which is report slash communication. So in this session I'm going to focus on the types of internal control deficiencies that we would find and who are we going to report those to. At the end we'll look at this but it's important to understand the different types of control deficiencies. Before we proceed any further I have a public announcement about my company farhatlectures.com. Farhat accounting lectures is a supplemental educational tool that's going to help you with your CPA exam preparation as well as your accounting courses. My CPA material is aligned with your CPA review course such as Becker, Roger, Wiley, Gleam, Miles. My accounting courses are aligned with your accounting courses broken down by chapter and topics. My resources consist of lectures, multiple choice questions, true false questions as well as exercises. Go ahead start your free trial today no obligation, no credit card required. Discussing deficiencies we need to be familiar with what is a control deficiency, what is a material weakness and what is a significant deficiency. So you need to be familiar with those three terms because when I'm going over the report or the communication I don't have to redefine them again although they are defined in the report themselves but I need to talk about them here and how do we come up with what is considered material weakness, what is considered significant deficiency. So you need to understand once you understand them then it's easy to go over the report now you can relate an example to what you are looking. So what is a control deficiency? Well any problem in the design of or the operation remember we test the design or the operation so any problem with the design of operation that does not allow management to perform to reach its objective which is what functioning properly to prevent or detect material misstatement on a timely basis. So simply put control deficiency is something is not working properly in the internal control over financial reporting either in the design or the operation. Now what is what is material weakness now this is basically I put it in red to kind of emphasize its seriousness. Now you have a serious issue it's a control deficiency or many of them deficiencies over financial reporting for which there is a reasonable possibility that material misstatement of the company will not be prevented or detected on a timely basis. Now we do have a deficiency here but there is a reasonable possibility now what do we mean by reasonable possibility if you remember the lost contingency rules that you learned in intermediate accounting if not that's fine remember when we have a contingency it could be remote reasonably possible or probable. Here what we're saying is there's a reasonable plus reasonable possibility there's a good chance that this deficiency will not will not prevent errors from happening okay if it's probable it's higher if it's not remote we don't consider it if it's not remote but here it's a reasonable reasonably possible then we consider this as a material weakness it's a control deficiency that's considered material weakness that's the most serious one so it's important to know once you see material weakness material means it means important now we could have a control deficiency but it's considered significant deficiency I have this in dark blue I'm not really sure if you can see it or not I'll have prefer to have it in yellow but it would not look good. Control deficiencies over financial reporting but those are less severe than the material weakness so they are significant but not material although they are not material they are significant it's important to let management or people who are responsible for the oversight of financial reporting to be aware of them so we have control deficiency we need to know what control deficiency is something that's not going to allow you to perform your function properly but that could constitute a material weakness or it could constitute a significant deficiency or it just could be a control deficiency now the question is how do you determine the significance of the deficiency so simply put how do we determine whether this is a material or a significant deficiency material weakness or significant deficiency here we use qualitative as well as quantitative factors plus judgment so I'm not going to tell you for example this is exactly now we're going to look at some red flags but it's always a judgment what is the judgment based on well you have to evaluate the deficiencies that you identified individually and in combination because individually they may not be significant but if you combine them they could be significant or they could be significant individually you have to look at the magnitude of the severity of the possible misstatement because of this deficiency so if we have this deficiency what could happen what's the magnitude what's the size what's the severity what's the faciveness of this deficiency we could look at the amount involved the account involved because different accounts are more important the volume of the activity well the more activities we have the higher the possibility something could go wrong if we have one transaction maybe we could just focus on that transaction and control it but we have many transactions that could be an issue but also those transactions could be automated or not we have to look at that as well also we have to take a look at whether it's reasonably possible it's going to fail remember we talked about reasonable possible that's important it's is it going to fail now we don't qualify the probability of misstatement we don't say for example there's a 60 percent chance we're going to have this misstatement or 70 percent chance we don't want to fight us we just say is it reasonably possible to control what failed and we have to keep in mind although the control failed it doesn't mean a misstatement what happened and we don't take this into account so simply put we cannot say because no misstatement occurred because of this deficiency therefore it's not severe well the deficiency is there whether a misstatement happened or not we don't take that into account so no misstatement has to occur for the deficiency to be judged severe give you an example let's assume for every customer we have to check their credit before we sell them on account let's assume we fail several several times to check the credit and this is a serious deficiency well but all the customers paid well no misstatement happened nevertheless it's considered severe so no misstatement has to happen too counted as whether it's a serious or a severe control deficiency also the possibility of the statement exists a certain risk factor exists now again we're talking about different accounts different amount different exposure we have to take that into account for example if we're looking at the account we look have to look at the account type that's affected by this deficiency and the relevant assertion that we are looking at for example revenues we worry about overstatements as well as assets liabilities and expenses we our concern is completeness and or understatement we look at the frequency of error how many time this error is happening susceptibility to loss judgment estimate required for the transaction those are all risk factors that could tell you if there's a deficiency there the possibility is getting greater and greater that's a serious one we have to look at the interrelationship between controls and among deficiencies so if there's one control is it limited to one department one one one part of the company or is it going to affect other controls if there is an interrelationship between control many controls and many deficiencies is it pervasiveness also interrelationship could be dealing with whether we have a manual versus automated for example a manual control may be limited to one area but automated control could affect many area or vice versa but we have to know there's a difference between manual and automated control again one by itself may not be significant or relevant but when we put them in combination they could be severe and material because they could have interrelationship between controls and deficiencies also we have to look at the potential loss of the deficiency again here we're talking about the amount basically the same thing i said on the other slide just framed differently in the important of the deficiency when it comes to the financial statement how important is it how much does it affect would it affect our going from net net net income to net loss does it affect revenue what's what's the importance of it of the financial statement now there are factors that we are considered red flags and they are considered material weakness like those are serious serious stuff that we can identify some of them for example if people in charge of governance like audit committee internal control board of directors are not exercising strong oversight that's a material weakness we have some serious problem any fraud conducted by senior management that's pretty serious any financial restatement due to fraud or error because we have to restate no we might we're looking at some serious issues here any material misstatement or misstatement missed by the internal auditor if the internal auditor is not catching those basically it goes back to here they're not exercising strong oversight those are some serious weaknesses now remember when we talked about testing we said we test the design and we test the operating effectiveness therefore that if some deficiencies could be related to design some deficiencies could be could be related to the effectiveness of the internal control so let's go over some examples and we're going to start with significant or material weakness in design well that's design for example the design of internal control over financial reporting is inadequate or the internal control IT and IT controls whether it's application or general they're also not effective for example there is no proper segregation of duties that's in the design by design by design we have some deficiencies right there design over significant account transaction is inadequate so we don't have proper segregation for certain transactions and accounts lack of proper documentation for the design or poor documentation of the design that's considered a problem in the design itself maybe not enough awareness of the design of the internal control over financial reporting across the organization remember when you're learning about the design you're talking to people if you find out they don't really understand it and they're in charge of the internal control over financial reporting well that's that support design that's part of the design it means right from the get go they're not doing a good job because they don't understand it and if there's no method to report internal control deficiency or deficiencies in a timely fashion that's the problem with the design the staff lack qualification or training right right from the get go they're not well trained there's a problem with the design and there's any absence of the monitoring process so these are all we can say design deficiencies again we have design and we have operating deficiencies so what are some examples now of significant or material weakness in operation no proper safeguard of assets not now we're dealing with actual operation are we protecting our assets so they are properly counted no reconciliation we're not preparing reconciliation of significant account that's part of the operation and we're not doing it that's important the staff lacks independence and objectivity so when they're working they're not really doing the best job they can or they're not taken into account the the benefit or the or the spirit of the internal control because somehow they are not independent or objective because they maybe they have some undo pressure from upper management not providing misrepresenting information to the auditor that's part of the operating deficiencies now we're talking to them we're working with them an actual failure of either general or it controls the they're not working properly or a high degree of deviation or failure or exception rate now since we know about control deficiency significant deficiency in material deficiency the question is okay we found them what do we have to do who do we have to report them to so I'm going to break down into how what to do under non issuers and under issuers starting with non issuers what do we have to do when it comes to management and people who are in charge of governance well for non issuers any control deficiency is reported to management and writing so we have to report it to management and writing any control deficiency if it says if it's considered a significant deficiency it's also reported to management if it's a material deficiency it's also reported to management in writing well that's easy all deficiencies are reported to management and writing how about when it comes to people in charge of governance and we did not specify for non issuers this could be the board of directors could be the audit committee could be someone and the higher up well we do we report control deficiencies to them not necessary but we report significant deficiency significant deficiency system that's important remember this is dread flag this is like important well if it's important we're gonna report it to the people in charge material deficiency we also reported that the people in charge as well the question is when do we communicate those deficiencies to management and people who are in charge of governance well for the material deficiencies we have to report by the report release date significant deficiencies by report release date control deficiency within 60 days of the report release date now when it comes to issuers again we have three type of the control deficiency significant three types significant deficiency and material deficiency what do we have to report control deficiencies to management and writing and the answer is yes in addition to that we inform the audit committee remember issuers they have the audit committee remember here we are dealing with publicly traded companies so we do report to them and inform the audit committee that we did report this significant deficiency the same thing we report to management and writing and inform the audit committee material deficiency same thing notice management always they should know about everything because they are running the company they should know about all of those what about people in charge with governance and here specifically we're talking about the audit committee we also report to them significant deficiencies in writing because those are important they need to be aware of this as well as well as material deficiency we have to give it to them in writing now the question is when do we communicate the management and audit committee when it comes to issuers well prior to issuing the report on internal control for control deficiency prior to issuing report on on internal control for significant deficiency prior to issuing report on internal control for material deficiency so pretty straightforward now now i hope we understand what's a control deficiency what is considered significant deficiency what factors do we use what's considered material deficiency who do we report it the next thing we're going to do we're going to look at actual reports now we're going to look at actual reports for issuers and for non issuers to show you the actual reports and what i like about the report it summarizes the whole process because in the internal report we're going to basically go back and restate and summary exactly everything everything for an integrated audit because that's what the report is summarize everything and what i'm going to do i'm going to feel guilty about this i'm going to have two separate recording one for issuers for one for non issuers although they're very close to each other it's okay to see it twice it's going to help you prepare for the exam better what should you do now go to far hat lectures work mcq's look at additional resources that's going to help you understand the integrated audit this is an important topic on the CPA exam they test you on it so be prepared i'm always here to help you good luck study hard the CPA exam is worth it