22.1 ICFR Integrated Audit Framework
Key Takeaways
- An integrated audit pairs the financial statement audit with an audit of internal control over financial reporting (ICFR) under PCAOB AS 2201, producing two distinct opinions.
- AS 2201 requires a top-down approach: start at the financial statement level, evaluate entity-level controls, identify significant accounts and disclosures, then map relevant assertions to specific controls.
- Effective ICFR provides reasonable, not absolute, assurance, because inherent limitations such as human error, collusion, and management override always exist.
- Control testing must address both design effectiveness and operating effectiveness as of the date of management's assessment (typically fiscal year-end).
- A material weakness can exist even when the financial statements are not materially misstated, because severity turns on the reasonable possibility of failure, not on a detected error.
What an Integrated Audit Adds
An integrated audit is an audit of internal control over financial reporting (ICFR) performed together with the audit of the financial statements, governed by PCAOB Auditing Standard 2201 (AS 2201). Only issuers (SEC registrants) and certain large accelerated filers require this combined engagement; private companies generally receive only a financial statement audit. The financial statement audit answers whether the statements are materially misstated. The ICFR audit answers whether the company maintained effective ICFR, in all material respects, as of a single point in time (the as-of date), which is almost always the last day of the fiscal year.
The two objectives share evidence but are not the same opinion. A clean financial statement opinion does not guarantee a clean ICFR opinion, and vice versa. For AUD, this topic sits exactly where risk assessment, COSO, issuer reporting, and audit evidence intersect, so expect fact patterns rather than definition recall.
ICFR and the COSO Framework
ICFR is a process providing reasonable assurance about the reliability of financial reporting and the preparation of financial statements for external purposes under the applicable framework. It covers maintenance of records, authorization of transactions, prevention or timely detection of unauthorized asset use, and accurate reporting. Reasonable assurance is a high but not absolute level of assurance; inherent limitations such as human error, faulty judgment, collusion, and management override mean no system can guarantee detection of every misstatement.
Management must base its assessment on a suitable, recognized framework, and in U.S. practice that is the COSO Internal Control - Integrated Framework (2013). COSO has five interrelated components and 17 underlying principles.
| COSO component | Core question | Audit relevance |
|---|---|---|
| Control environment | Is the tone, integrity, and governance sound? | Pervasive; weak tone undermines all other controls |
| Risk assessment | Does management identify and analyze risks? | Drives which accounts and assertions are significant |
| Control activities | Are preventive and detective controls in place? | The controls the auditor actually tests |
| Information and communication | Do data and reporting flow reliably? | Affects completeness and accuracy of reports |
| Monitoring | Are controls evaluated over time? | Supports reliance and self-correction |
The exam may name a component directly, but more often it gives a process fact pattern and asks whether a control addresses the relevant risk.
The Top-Down Workflow Under AS 2201
AS 2201 mandates a top-down approach so that financial reporting risk, not a checklist of every policy, drives the work:
- Start at the financial statement level and identify overall sources of ICFR risk.
- Evaluate entity-level controls, including audit committee oversight, the period-end financial reporting process, management review controls, and the company's own monitoring.
- Select significant accounts and disclosures using inherent risk, size, complexity, exposure to loss, fraud susceptibility, and volume of activity.
- Identify the relevant assertions (existence/occurrence, completeness, valuation/allocation, rights/obligations, presentation/disclosure) for each account.
- Understand the transaction flow from initiation through recording and reporting, usually via a walkthrough.
- Select controls that address the risk of material misstatement for those assertions.
- Test design and operating effectiveness, then evaluate deficiencies individually and in combination.
A broad code of conduct supports the control environment but does not, by itself, prove that revenue cutoff controls operated. A system-enforced shipping cutoff, a year-end review of post-period credit memos, and reconciliation of shipping logs to recorded sales tie far more directly to revenue occurrence and cutoff.
Evidence: Design vs. Operating Effectiveness
Design effectiveness asks whether a control, if operated as prescribed by competent personnel, would prevent or detect a material misstatement on a timely basis. A walkthrough, following one transaction end-to-end, is powerful here because the auditor observes documents, system behavior, approvals, reconciliations, and handoffs.
Operating effectiveness asks whether the control actually operated: who performed it, how often, what evidence proves performance, and whether exceptions were investigated and resolved. The auditor inspects review signoffs, reperforms reconciliations, tests system configuration, observes counts, or examines exception reports.
The classic CPA trap is assuming clean substantive testing proves controls work. Substantive results can inform the auditor's view (a detected misstatement that controls missed is a strong negative indicator), but the ICFR opinion still requires direct control evidence. The reverse trap is equally tested: a material weakness can exist with no material misstatement, because the question is the reasonable possibility that controls would fail, not whether they already did.
Timing, Rollforward, and Reliance on Others
Because the ICFR opinion is rendered as of the period-end date, controls tested earlier in the year require a rollforward (or update) to year-end. The auditor evaluates the nature and significance of any changes since the interim test, the length of the remaining period, and the risk associated with the control. A purely automated control with effective change-management ITGCs may need little additional testing; a high-risk manual review usually needs further evidence near year-end.
AS 2201 also lets the auditor use the work of others (internal audit, the company's own monitoring) to alter the nature, timing, and extent of procedures. The extent of reliance varies inversely with risk: the higher the risk associated with a control, the less the auditor relies on others and the more direct testing the auditor performs personally. For the highest-risk areas, such as the period-end financial reporting process and controls over significant non-routine or estimation accounts, the auditor performs more of the work itself.
This linkage between assessed risk and the source and amount of evidence is a frequent simulation theme, and it mirrors the same risk-response logic candidates use throughout the financial statement audit.
In an integrated audit of an issuer under AS 2201, which statement best describes the auditor's objectives?
Which sequence best reflects the top-down approach to ICFR testing required by AS 2201?