How issuer audits combine financial statement testing with an opinion on internal control over financial reporting.
An integrated audit of an issuer includes two related opinions: one on the financial statements and one on internal control over financial reporting. The auditor uses the same risk assessment foundation for both, but the ICFR opinion requires direct evidence about whether controls are effective as of the assessment date.
The exam focus is not memorizing SOX history. The tested skill is understanding how the auditor identifies important controls, tests design and operating effectiveness, evaluates deficiencies, and reports when a material weakness exists.
flowchart TD
A["Financial statement risks"] --> B["Top-down ICFR approach"]
B --> C["Entity-level controls"]
C --> D["Significant accounts and disclosures"]
D --> E["Relevant assertions"]
E --> F["Key controls"]
F --> G["Design and operating-effectiveness testing"]
G --> H["ICFR opinion"]
In an issuer integrated audit, management and the auditor have separate responsibilities. Management establishes, maintains, and assesses ICFR. The auditor independently audits ICFR and expresses an opinion.
| Party | Responsibility | Exam implication |
|---|---|---|
| Management | Design, implement, maintain, and assess ICFR | Management cannot delegate control responsibility to the auditor |
| Auditor | Test and opine on ICFR effectiveness | Auditor obtains evidence about both design and operating effectiveness |
| Audit committee | Oversee financial reporting and auditor communications | Governance receives significant ICFR matters |
| Internal audit, when used | May assist management or provide evidence if evaluated properly | Use of internal audit does not transfer auditor responsibility |
The financial statement audit and ICFR audit inform each other. A misstatement found during substantive testing may indicate a control deficiency. A control deficiency may change the financial statement audit response.
The top-down approach starts with financial statement risks and moves toward the controls that address those risks. It prevents the auditor from testing low-value controls merely because they are easy to test.
| Step | Auditor focus |
|---|---|
| Identify financial statement-level risks | Consider fraud risk, management override, reporting complexity, and entity-level issues |
| Evaluate entity-level controls | Assess tone at the top, audit committee oversight, period-end reporting, and monitoring |
| Identify significant accounts and disclosures | Focus on accounts with materiality, susceptibility to misstatement, complexity, or volume |
| Identify relevant assertions | Determine whether existence, completeness, valuation, rights, presentation, or cutoff matters most |
| Select key controls | Test controls that address the risk of material misstatement for relevant assertions |
| Evaluate deficiencies | Decide whether deficiencies are control deficiencies, significant deficiencies, or material weaknesses |
Entity-level controls may be direct or indirect. A precise management review control over period-end financial reporting may directly address a financial reporting risk. A broad code of conduct is important, but it may be too indirect by itself to prevent or detect a material misstatement in a specific account.
Both design and operation must be effective for ICFR to be effective.
| Effectiveness type | Question | Example failure |
|---|---|---|
| Design effectiveness | Would the control prevent or detect and correct a material misstatement if it operated as designed? | A review control has no defined threshold, evidence requirement, or follow-up process |
| Operating effectiveness | Did the control operate as designed, by the right person, at the right time, throughout the period? | Reconciliations were signed late or exceptions were not resolved |
A control cannot be effective if it is poorly designed, even if employees perform it consistently. A well-designed control is also ineffective if it does not operate reliably.
Testing operating effectiveness usually includes a combination of inquiry, inspection, observation, and reperformance. Inquiry alone is not enough for reliance. For automated controls, the auditor also considers IT general controls over access, change management, and operations.
The auditor issues an adverse opinion on ICFR if one or more material weaknesses exist as of the assessment date. A material weakness means there is a reasonable possibility that a material misstatement will not be prevented or detected and corrected timely.
| ICFR condition | ICFR opinion effect |
|---|---|
| No material weaknesses identified and sufficient evidence obtained | Unqualified opinion on ICFR |
| One or more material weaknesses exist | Adverse opinion on ICFR |
| Auditor cannot obtain sufficient appropriate ICFR evidence | Disclaimer of opinion on ICFR may be appropriate |
An adverse ICFR opinion does not automatically mean the financial statement opinion is adverse. The financial statements may still be fairly presented if the auditor obtains sufficient appropriate substantive evidence and material misstatements are corrected. Conversely, a material financial statement misstatement can be strong evidence that a related control failed.
ICFR testing and substantive testing are connected but not interchangeable.
| Evidence type | What it supports | Limitation |
|---|---|---|
| ICFR control testing | Whether controls are effective | Does not by itself prove every account balance is correct |
| Substantive tests of details | Whether amounts or disclosures are misstated | Does not by itself prove ICFR is effective |
| Substantive analytics | Whether recorded amounts are plausible | May not identify the control failure that allowed a risk |
| Misstatement evaluation | Whether identified errors affect financial statements or control conclusions | Requires both quantitative and qualitative judgment |
If substantive testing finds a material misstatement, the auditor considers whether a material weakness exists. If ICFR testing finds a material weakness, the auditor adjusts the financial statement audit response to obtain sufficient evidence despite weaker controls.
Management may remediate a control deficiency before year-end. The auditor can consider remediation only if the improved control has operated long enough to be tested. A control fixed near the assessment date may not have enough operating history to support an effective ICFR conclusion.
The auditor considers:
Remediation plans are not the same as remediated controls. Future intent does not eliminate a material weakness that exists as of the assessment date.
Do not confuse management’s assessment with the auditor’s opinion. Management assesses ICFR; the auditor independently audits it.
Do not say a clean financial statement opinion automatically means ICFR is effective. A company can have fairly stated financial statements and a material weakness in ICFR.
Do not treat significant deficiencies and material weaknesses as the same. Material weaknesses drive adverse ICFR opinions; significant deficiencies are serious communications but do not by themselves require an adverse ICFR opinion.
Do not accept remediation just because management created a plan. The remediated control must be designed effectively and operate long enough for testing.