Professional Documents
Culture Documents
Audit committee of client’s board of directors is responsible for the selection and appointment of independent external
auditor, and for reviewing the nature and scope of the engagement. Auditor has interaction with audit committee in
planning phase.
Sarbanes-Oxley Act:
1. Auditors report to and are overseen by the client’s audit committee.
2. Audit committee pre-approves all services provided by auditor.
3. Specified non-audit services are prohibited
“Those charged with governance” = bear responsibility to oversee the obligations, financial reporting process, and
strategic direction of entity. = “board of directors” and “audit committee”
In new client relationship, new CPA is required to talk to old CPA. Client permission is needed to talk to Old CPA,
otherwise it is scope limitation. Auditor then should consider whether or not to accept engagement.
If new CPA uncovers potential problems relating to old CPA’s audit, new CPA should ask client to arrange meeting
involving new and old CPA and the client. If management refuses or successor auditor is not satisfied with the
resolution, the new auditor should consider the implications and whether to resign.
Preliminary Engagement Activities: After accepting, consider whether or not to continue the engagement
1. Assess the auditability of the client
a. The integrity of management (increases the likelihood of FS misrepresentation)
b. The availability and adequacy of the client’s accounting records (lack of records = scope limitation)
c. The ability of the auditor to perform the audit after consideration of:
i. The auditor’s knowledge of client’s industry and possible need for a specialist
ii. The auditor’s independence of the client
iii. Scope limitations
iv. Staffing needs of the engagement
v. The auditor’s ability to comply fully with the Code of Professional Conduct
2. Client’s business risk: risk that events may occur that will negatively impact the company.
3. CPA’s business risk: risk that management will not prove to be profitable and whether to accept the engagement
1
2. Quality control policies and procedures: part of pre-acceptance phase of engagement, accountant must
document compliance with the firm’s quality control policies and procedures regarding acceptance or
continuance of clients and engagements.
Engagement letter = a signed contract to establish understanding with the client. It is presumptively mandatory
requirement (required in most circumstances). It is accepted, signed, and dated by client.
Objective of planning phase: develop overall strategy of audit, including conduct, organization, and staffing.
Nature, extent, and timing of planning will vary based on the size and complexity of the entity, and on auditor’s
experience and understanding of entity. (The NET we cast over the audit.)
Analytical Procedures
Analytical procedures are used:
• Planning the nature, extent, and timing of other auditing procedures (REQUIRED)
• Substantive tests to obtain evidential matter (OPTIONAL)
• Overall review in the final review stage of the audit (REQUIRED)
GAAS requires: Analytical procedures performed during planning:
• During planning, analytical procedures consist of a review of data aggregated at high level (i.e. compare FS to budget
or anticipated results)
• Generally, financial data is used, though relevant nonfinancial data (i.e. # of employees, square footage of selling
space, volume of goods produced) may also be considered
• Purpose: to enhance the auditor’s understanding and identify unusual transactions and events, and amounts
Materiality
Misstatement: consider what level of misstatement is material, alone or when aggregated with other misstatements
3
Tolerable Misstatement (tolerable error) = maximum error in a specific population auditor is willing to accept
If management refuses to correct some or all, auditor should consider implications on auditor’s report
Materiality = amount of error or omission that would affect judgment of reasonable person
Audit Risk
- Risk that the auditor may unknowingly fail to modify appropriately the opinion on FS that are materially misstated
- Should be reduced to a low level before an opinion on FS is expressed
The audit risk model: the risk that the auditor will give the wrong opinion.
AR RMM DR
Audit Risk = Risk of Material X Detection Risk
(should be low) Misstatement (controlled by auditor)
(assessed by auditor)
4
***RMM = Exists independently of the financial statement audit.
So in simple words...
AR (giving a wrong opinion) = RMM (error in client’s accounting system) X DR (our audit work not finding the mistake)
AR IR CR DR
Audit Risk = Inherent Risk X Control Risk X Detection Risk
(should be low) (controlled by auditor)
So in simple words...
AR (giving a wrong opinion) = IR (error in client’s accounting system) X CR (internal controls/auditor did not catch it) X
DR (our audit work not finding the mistake)
** Inherent risk and control risk exist independently of the audit, and auditor generally cannot change these risks.
RMM
IR x CR DR
Auditor cannot change the risk of material misstatement, but can change his assessment of this risk as the audit
progresses.
Example 1: acceptable level of DR decreases, the assurance provided from substantive procedures should increase:
5
1. Change the nature of substantive tests from less effective to more effective procedure (direct test toward
independent parties outside the entity rather than toward parties or documentation inside the entity)
2. Change the extent of substantive tests (use larger sample size)
3. Change the timing of substantive tests (perform substantive tests at year-end rather than at interim)
Example 2: acceptable level of DR increases, the assurance that must be obtained from substantive tests decreases,
allowing for somewhat less persuasive evidence to be used, for a reduced extent of testing, or for more testing to be
performed at interim.
RMM and DR have inverse relationship. When auditor determines that risk of material misstatement is high,
detection risk should be set at a low level. Conversely, when the risk of material misstatement is low, the auditor can
justify a higher detection risk.
Auditor CAN change detection risk by varying the nature, extent, and timing of audit procedures.
RMM and the assurance required from substantive procedures have direct relationship. Greater risk requires more
persuasive evidence, a larger sample size, and/or a shift from interim to year-end testing.
Audit risk and materiality are affected by the size and complexity of the entity. They must be considered at both the FS
level and the account balance, individual transaction class, or disclosure item level.
Purpose:
o Design risk assessment procedures
o Identify and assess risk
o Design further audit procedures
o Evaluate the FS taken as a whole
Auditor’s response:
o The competency of personnel assigned to the engagement
o The potential need for a specialist
o The appropriate level of supervision of assistants
Inverse relationship between audit risk and materiality. The risk of a very large misstatement may be low, whereas the
risk of small misstatement may be high. The more material the misstatement is, the less likely the auditor will miss it.
Audit Procedures: performed to obtain evidence on which to base the audit opinion
1. Risk assessment procedures: obtain an understanding of the entity and its environment, including internal
control, in order to assess the risk of material misstatement.
2. Tests of controls: (CRIME) auditor tests internal controls. Evaluate the operating effectiveness of internal control
in preventing or detecting material misstatements. Tests of controls are necessary when:
a. The auditor’s risk assessment is based to some extent on the operating effectiveness of internal control
b. Substantive procedures alone are deemed to be insufficient
6
3. Substantive procedures: auditor tests $$$ balances. Used to detect material misstatements, and include tests of
details and substantive analytical procedures. They are performed in response to the planned level of DR, which
may be based on the results of tests of controls. Test of controls are ALWAYS necessary.
*****MUST understand the fundamentals and memorize the assertions of the following FS Assertions made by
management: All of the “A CPA CO CARE about CURVed assertions”
Financial Statement Assertions – Assertions by mgmt fall into 3 categories: (“A CPA CO CARE about CURVed assertions”)
1. Transactions and Events
• C – Completeness – all transactions and events that should have been recorded have been recorded
• P –Proper period cutoff – transactions and events have been recorded in the correct (proper) accounting period
• A –Accuracy – amounts and other data relating to recorded transactions and events have been recorded
appropriately
• C –Classification – transactions and events have been recorded in the proper accounts
• O – Occurrence – transactions and events that have been recorded have occurred and pertain to entity
2. Account Balances
• C – Completeness – all assets, liabilities, and equity interests that should have been recorded have been recorded
• A – Allocation and Valuation – assets, liabilities, and equity interests are included in the FS at appropriate
amounts, and any resulting valuation or allocation adjustments are appropriately recorded
• R – Rights and Obligations – the entity holds or controls the rights to assets, and liabilities are the obligations of
the entity
• E – Existence – assets, liabilities, and equity interests exist.
Extent of supervision depends on: complexity of subject matter and qualifications of assistants
7
Role of the client’s internal auditors is NOT judgment.
When planning the audit, the auditor should consider the extent of involvement of the client’s internal auditors in the
performance of the audit. While internal auditors must maintain objectivity and integrity, they are NOT independent
of the client, their employer. The independent external auditor cannot share with the internal auditor any of the
responsibility for audit decisions, judgments, or assessments made as part of the audit.
Using the Work of a Specialist – use of a specialist when: (don’t have to memorize, just know them)
1. Valuation of restricted securities and works of art
2. Determination of physical characteristics (i.e. mineral reserves, fungible goods)
3. Determination of specialized estimates (i.e. actuarial calculations)
4. Interpretation of technical standards or legal documents
The Specialist:
- Should have an understanding of the auditor’s use of the specialist’s findings.
- Does not have to use the same methods as client in calculating amounts.
The auditor must understand the nature of specialist’s work and be able to evaluate the findings for their suitability in
corroborating FS amounts.
The auditor must be satisfied as to the professional competence and reputation of the specialist.
**Treat the specialist like one of your staff, which is the following:
1. R – Reputation
2. I – Independent
3. P – Professional Competency
4. P – Program Steps
Based on the specialist’s work, if the auditor decides to add an explanatory paragraph or depart from unqualified
opinion, auditor may refer to the specialist in the report. If the auditor is expressing a standard unqualified opinion, no
reference should be made to the specialist.
8
Fraud Risk Factors include:
1. Incentive/Pressures: a reason to commit fraud
2. Opportunity: a lack of effective controls
3. Rationalization/Attitude: an attempt to justify fraudulent behaviour
Due to the concealment aspects of fraud and the need to apply judgment in evaluating fraud risk, even a properly
planned and executed audit may fail to detect fraud.
The more indirect the effect of error or fraud is on the FS, the less chance the auditor has of detecting it.
It is management’s responsibility to design and implement programs and controls to prevent, deter, and detect fraud.
The auditor has a responsibility to design (design = plan and perform) the auditor to obtain reasonable assurance
about whether the FS are free of material misstatement, whether caused by error or fraud.
Auditor should maintain an attitude of professional scepticism, including questioning mind and critical assessment.
Discussion should involve all key members of audit team, may include specialists, and may occur in multiple locations.
Communication should continue throughout the audit.
When inquiring of entity personnel regarding their views of fraud risk – the auditor should direct inquiries to
management, employees involved in financial reporting, operating personnel, internal auditors, in-house legal counsel,
those charged with governance, etc.
o Inconsistent responses indicate a need for additional evidence
Analytical Procedures – required during the planning stage AND final stage
When planning, auditor is specifically required to perform analytical procedures relating to revenue, in order to identify
unusual relationships that might be indicative of fraud. They often use data aggregated at high level, and may only
provide broad indication regarding fraud risk.
There is a presumption in every audit that the following two risks exist:
→ Improper revenue recognition
9
→ Management override of controls
The auditor is required to respond to the results of the risk assessment on three levels:
1. Overall, General Response – auditor should consider the overall fraud risk when:
a. Assigning personnel to the engagement
b. Determining the appropriate level of supervision of engagement personnel
c. Evaluating management’s selection and application of accounting principles
d. Incorporating an appropriate level of unpredictability in the selection of auditing procedures from one year to
next
2. Response Encompassing specific audit procedures:
a. Nature – change nature of specific procedures by seeking evidence that is more reliable
b. Extent – vary the extent of testing by increasing sample size, performing testing at a more detailed level
c. Timing – judgement to determine the appropriate timing for audit procedures
The auditor uses a “NET” because a CPA CAREs about CURVed assertions”
Inventory quantities
- Material Misstatement Concern: Failure to reconcile books to physical inventory
- Examine inventory records
- Observe inventory counts on unannounced basis
- Conduct inventory counts at different locations on same date
- Conduct inventory counts at or near the end of the period
- Perform more rigorous examination and additional testing during observation
- Compare quantities for the current period with prior periods
10
Management Estimates:
- Engage a specialist to evaluate management’s estimate.
- Develop an independent estimate
- Perform a retrospective review of prior period estimates (how good were last year’s estimates?)
Misstatement caused by fraud (even immaterial misstatements) may be indicative of an underlying problem with
management integrity – WITHDRAW
The auditor may need to reevaluate the assessment of fraud risk, the assessed effectiveness of controls, and the
appropriateness of the audit procedures applied
A final evaluation should be made regarding the assessment of the risks of material misstatement due to fraud
Complete documentation of the auditor’s risk assessment and response is required. Including:
- Planning among engagement personnel regarding fraud risk
- Procedures performed to obtain information related to fraud risk
- Specific identified risks of material misstatement due to fraud
- If the auditor has not identified improper revenue recognition as a fraud risk, support for this conclusion
- Results of procedures performed to address the risk of management override of controls
- Other conditions and analytical relationships that warranted further audit work
- Nature of communications made about fraud
Record retention is now MANDATORY under GAAS, AICPA, and Sarbanes-Oxley (SOX for 7 years)!!!
Fraud = intentional
Errors = unintentional
Illegal Acts = violations of law
11
→ Auditor’s responsibility to detect illegal acts that have a material and direct effect on FS is the same as that for
errors and fraud.
→ Auditor has a responsibility to plan and perform the audit to obtain reasonable assurance that the FS are free of
material misstatement.
→ Auditor is under no obligation to look for illegal acts having an indirect effect on the FS.
→ Generally, the less the act affects the FS, the less likely it is that the auditor will discover it.
→ The auditor generally does not include procedures specifically to detect illegal acts, but may discover such acts
through other procedures, such as reading minutes or making inquiries of management or of legal counsel.
If client fails to take appropriate action regarding any illegal act (including those that are non-material), then
withdraw!
Those charged with governance should be adequately informed of illegal acts unless they are clearly
inconsequential. This could be oral or written, but oral communications should be documented.
Ordinarily, the auditor is not responsible to communicate this disclosure to anyone other than senior
management and those charged with governance, but it may be required in some circumstances. For example:
o Comply with certain legal and regulatory requirements
o To a successor auditor
o In response to a subpoena
o To a funding agency
Risk Assessment
- Second GAAS standard of fieldwork requires auditor to obtain understanding of entity and its environment,
including internal control. Must perform risk assessment procedures to obtain this understanding.
12
A – Audit Evidence – Evaluate sufficiency and appropriateness of audit evidence obtained
I – Internal Control – Understand entity and its environment, including internal control
Obtaining understanding is critical – it establishes a frame of reference within which the audit is planned and performed
Auditor may perform substantive procedures or tests of controls concurrently with risk assessment procedures.
Risk assessment may change as more evidence is obtained; the auditor should revise the assessment and modify
planned audit procedures.
Factors to understand:
• Industry, Regulatory, and Other External Factors
• Nature of the Entity (operations, ownership, governance, investments, structure, financing)
• Objectives, Strategies, and Business Risks
o Business risk: often arises from change or complexity
o Example: competitive risk may render a company’s product obsolete or reduce value, and failure to
recognize this change could result in a material misstatement of inventory
• Entity’s Financial Performance (management measures this performance, auditor should obtain an understanding)
• Internal Control, Including the Selection and Application of Accounting Policies
Significant Risks:
Factors that may be indicative of significant risks:
• Nonroutine, unusual, or complex transactions
• Business risks
• Fraud risk
• Significant related party transactions
• Accounting estimates
• Accounting principles that are subject to different interpretations
Respond to assessed risk level by designing further audit procedures based on assessment. Response to significant risks:
• Evaluate the design of the entity’s related controls
• Determine whether the controls have been implemented
• Evaluate whether and how management responds to such risks (if mgmt doesn’t respond, go to those charged
with governance)
Situations that reflect management integrity or lack of records = Qualifying, Disclaiming, or Withdrawing!
*****The documentation may include any item the auditor can FIND:
F – Flowchart
I – Internal Control Questionnaire or Checklists
N – Narrative
D – Decision table
Flowcharts:
- Depicts auditor’s understanding of system.
- A symbolic diagram representing the sequential flow of authority, processes, and documents
- Adequate flowchart shows the origin of each document in the system, its subsequent processing, and its final
disposition
- IT flowcharts are initially created to document the logic and existing flow of a computer program
- Flowchart Organization:
o Show the general flow of documents and data
o Start at top of page and move from top to bottom and from left to right
o Use descriptive wording geared to the reader
o Avoid intersecting flow lines by using off-page/on-page connectors
- MUST SEE FLOWCHARTING SYMBOLS on page A3-42!!!!!
Narratives:
- Hard to “see” weaknesses
- Is a written version of a flowchart
- Appropriate for less complex control structures (flowcharts are appropriate for more complex structures)
Flowchart Sequential
Decision Tree Logical
14
Internal Control
TIP PIE ACDO (Internal Control)
Entity Objectives:
1. Reliability of financial reporting – Most RELEVANT to audit and auditor MUST consider and understand
2. Effectiveness and efficiency of operations
3. Compliance with applicable laws and regulations
Auditor should focus on: How a specific control prevents, or detects and corrects, material misstatements
Generally, those controls that pertain to the first objective, reliability of financial reporting, are most relevant to the
audit; it is primarily those controls that the auditor must consider and understand.
The auditor need not assess all controls related to financial reporting, but use professional judgement in determining it.
The auditor should obtain an understanding of the five components of internal control sufficient to:
1. Evaluate the design of relevant controls and determine whether they have been implemented.
2. Assess the risk of material misstatement – identify types of potential misstatement
3. Design the nature, extent, and timing of further audit procedures
a. Identify types of potential misstatement
b. Consider factors that affect the risks of material misstatement
c. Design tests of controls
d. Design substantive procedures
A CPA tests internal control in order to adequately plan the “NET” audit.
IT Benefits:
15
- The ability to process large volumes of transactions and data accurately and consistently
- Improved timeliness and availability of information
- Facilitation of data analysis and performance monitoring
- Reduction in the risk that controls will be circumvented
- Enhanced segregation of duties through effective implementation of security controls
IT Risks:
- Potential reliance on inaccurate systems
- Unauthorized access to data which may result in loss of data and/or data inaccuracies
- Unauthorized changes to data, systems, or programs
- Failure to make required changes or updates to systems or programs
CRIME Most important ones for the test is C – Control Environment and E – Existing Control Activities
Control Environment
Risk Assessment by Information and Monitoring Existing Control
Management Communication Systems Activities
**Examiners’ questions focus on the control environment and on an entity’s existing control activities
The following circumstances would raise concerns regarding management’s philosophy and operating style:
Management consumed with meeting the budget
Management dominated by one person
Management compensation contingent upon the entity’s financial performance (=bonus and stock options)
The control environment has a pervasive effect on the auditor’s risk assessment, and preliminary judgments about its
effectiveness may influence the nature, extent, and timing of further audit procedures to be performed.
16
R – Risk Assessment: management’s identification of risk relevant to the FS
- CPA should obtain understanding and knowledge
- Entity’s identification of risks to achievement of its objectives
- The assessment by management of risk facing the entity, not the auditor’s assessment of control risk
- Risks are generally related to changes, for example: (don’t have to memorize, just know them)
1) Change in regulatory environment
2) New personnel
3) New information systems or technology
4) Rapid expansion of operations
5) New business models
6) Corporate restructuring
7) Expansion or acquisition of foreign operations
8) Adoption of new accounting principles or pronouncements
I – Information and Communication Systems: a means of recording transactions and communicating responsibilities
- CPA should obtain understanding and knowledge
- Support the identification, capture, and exchange of information in a timely and useful manner
17
P – Pre-numbering documents
• All transactions are recorded Completeness
• No transactions are recorded more than once Existence
• Example: Your Checkbook
A – Authorization of transactions
• Authorization should occur before commitment of resources
• Example: Signed approval
I – Independent checks to maintain asset accountability
• Independent checks involve the verification of work previously performed by others:
o Review of bank reconciliations
o Comparison of subsidiary records to control accounts
o Comparison of physical counts of inventory to perpetual records
• Example: Checks and balances
D – Documentation
• Evidence of transactions and a basis for responsibility for the execution and recording of transaction
• Example: Paper trail
T – Timely and appropriate performance reviews
• Comparison of actual performance to budgets, forecasts, and prior periods
• Comparison of financial and nonfinancial information
• Example: Analytical procedures
I – Information processing controls
• Ensure that transactions are valid, authorized, and completely and accurately recorded
• Application controls: processing of individual “applications” (i.e. controls surrounding payroll)
• General controls: information processing throughout the company (i.e. access controls, controls over
data center, network operations)
P – Physical controls for safeguarding assets
• Physical segregation of security of assets
• Authorized access to assets and records
• Periodic counting and comparison of actual assets with amounts shown in accounting records
• Example: Security
S – Segregation of duties
• One individual provides a crosscheck on the work of another individual
• Assigning different people the responsibilities of authorizing, recording transactions, and maintaining
custody of the related assets reduces the opportunities for any individual to both perpetrate and
conceal errors or fraud
• Internal control environ. should detect fraud by one person, NOT
1. Collusion
2. Management override
• Client should separate these functions:
o A – Authorization
o R – Recordkeeping
o C – Custody of related assets
****Segregation of duties is your ARC to protect against a flood of troubles. Client should separate these functions:
A – Authorization
R – Recordkeeping
C – Custody of related assets
18
Effect of Service Organizations on Internal Control
Service organizations: for example, are ADP and Paychex
Service organization’s services are considered to be part of an entity’s information system when those services affect
the initiation, execution, processing, or reporting of the user company’s transactions.
I – Internal Control – Understand entity and its environment, including internal control
M – Material Misstatement – Assess risk of material misstatement
A – Assessed Risk Response – Respond to assessed risk level by designing further audit procedures based on assessment
C – Control Testing – Test internal controls to evaluate their operating effectiveness
P – Perform Substantive Testing – Perform substantive tests
A – Audit Evidence – Evaluate sufficiency and appropriateness of audit evidence obtained
“IM A CPA”: A – Assessed Risk Response – Respond to assessed risk level by designing further audit procedures based on
assessment
To reduce audit risk to low level, auditor should respond to assessed risk in two ways:
- Overall response: address risk at FS level
- Response at assertion level, the NET (nature, extent, timing) of audit procedures are designed to address risks
***Three elements of further audit procedures can be varied by the auditor. We cast our “NET” over the audit.
N – Nature
E – Extent
T – Timing
Nature:
- Includes the audit’s purpose - test of control vs. Substantive procedure
- Includes the audit’s type – inspection, observation, inquiry, confirmation, recalculation, reperformance, or analytical
procedure
- The HIGHER the auditor’s risk assessment, the more reliable the evidence must be.
- Auditor varies the nature of audit procedures to achieve the desired level of reliability and relevancy
- If the info provided by entity’s system is used, must test its accuracy and completeness
- Responding to assessed risks, nature of audit procedure is of primary importance
Extent:
- Refers to quantity to be performed - # of observations or sample size
- The HIGHER the auditor’s assessment, the greater the extent of audit procedures
- Also consider the tolerable misstatement and degree of assurance
Timing:
- May be performed at an interim date or at period end
- The HIGHER the auditor’s risk assessment, the closer to period end substantive procedures should be
- Auditor should consider when relevant info is available
In designing further audit procedures that are responsive to assessed risks, auditor should consider:
1) Significance and likelihood of risk
2) Characteristics of transaction, balance, or disclosure
3) Nature of controls used (i.e. automated or manual)
4) Whether auditor expects to test the operating effectiveness of controls
Audit procedures should be performed to determine whether the FS are presented in a manner that classifies and
describes financial information appropriately, and includes adequate disclosure of material matters.
Audit Approach – the auditor’s specific approach to identified risks at the relevant assertion level may consist of either a
substantive approach or a combined approach.
Combined Approach: Tests of operating effectiveness of controls and substantive procedures. If controls are effective,
less assurance will be needed from substantive procedures
Dual-Purpose Tests:
- Is a tests of controls performed concurrently with a test of details on the same transaction
- Purpose of test of controls: Evaluate the operating effectiveness of a control
- Purpose of test of details: Support relevant assertions or detect material misstatements
Material misstatements that the auditor detects through performance of substantive procedures should be considered
by the auditor when assessing operating effectiveness.
Audit Approach
Status of Internal Control Risk Level Perform Control Tests Perform Substantive Testing
“IM A CPA”: C – Control Testing – Test internal controls to evaluate their operating effectiveness
Tests of controls: performed when the auditor’s risk assessment is based on the assumption that controls are operating
effectively, or when substantive procedures alone are insufficient. (Test Control Strengths, typically not weaknesses)
Obtaining an understanding of internal control includes evaluating the design of controls and determining whether they
have been implemented. Auditor is not required to evaluate operating effectiveness as part of obtaining an
understanding of internal control.
Only those controls that are suitably designed to prevent or detect material misstatements are subject to tests of
operating effectiveness.
Hierarchy:
1. Personal observation/knowledge
21
2. External evidence
3. Internal evidence
4. Oral evidence
Substantive procedures/tests:
$$$ Balances
Analytical
Ratios
Substantive procedures are used to detect material misstatements at the relevant assertion level.
Substantive procedures should be designed to be responsive to assessed risks; however, regardless of the assessed risk,
substantive procedures are required for each material transaction class, account balance, or disclosure.
Procedures include:
- Agreement of FS to the underlying accounting records
- Examination of material journal entries or adjustments made while preparing the FS
Auditor may use only substantive analytical procedures, only tests of details, or combination:
• Substantive analytical procedures are often used when there is a large volume of predictable transactions
• Tests of details are more appropriate when obtaining evidence regarding the existence and valuation of account
balances
• To determine which substantive procedures to use is affected by the operating effectiveness of controls
Directional testing:
22
In designing substantive procedures to test the existence or occurrence assertion, the auditor should select from FS
amounts and obtain evidence supporting the inclusion of those amounts in FS.
o Vouching = Support ouching
In designing substantive procedures to test the completeness assertion, the auditor should select from evidence
indicating that an item should be included in the FS, and then determine whether the item is in fact included.
o Tracing = Coverage racing
Financial Statements
Trial Balance
General Ledger
Subsidiary Ledger
Books of Original Entry
Source Documents
Execution of Event
Transaction Approved
The greater the risk of material misstatement, the less detection risk that can be accepted, and the greater the extent of
substantive procedures.
If controls are operating effectively, the extent of substantive procedures may be reduced.
Sample size is affected by the planned level of detection risk, the tolerable misstatement, the expected misstatement,
and the nature of the population
Performing substantive procedures at interim date, increases risk that auditor will not detect FS material misstatements
In certain situations, such as those in which there is an identified fraud risk, the auditor may choose to perform
substantive procedures at or near period end.
Evidence obtained from substantive tests performed in a prior audit generally is not sufficient for the current period
“IM A CPA” – A – Audit Evidence – Evaluate sufficiency and appropriateness of audit evidence obtained
23
Audit evidence obtained may cause the auditor to modify his or her initial risk assessment. Example:
The auditor should not assume that an identified instance of fraud or error is an isolated occurrence, but instead should
consider whether such instance affects the assessed risk of material misstatement
When there is a change in the assessed level of risk, the auditor should modify planned audit procedures accordingly.
The auditor uses judgment to evaluate the sufficiency and appropriateness of audit evidence, but should consider:
1. Significance and likelihood of potential misstatements
2. Effectiveness of management’s responses and controls
3. Experience gained during previous audits
4. Results of audit procedures performed
5. Source, reliability, and persuasiveness of audit evidence obtained
6. Understanding of the entity and its environment
24