Professional Documents
Culture Documents
Auditing & Attestation - 3 Planning & Supervision
Auditing & Attestation - 3 Planning & Supervision
2. Quality control policies and procedures: part of pre-acceptance phase of engagement, accountant must
document compliance with the firms quality control policies and procedures regarding acceptance or
continuance of clients and engagements.
Engagement letter = a signed contract to establish understanding with the client. It is presumptively mandatory
requirement (required in most circumstances). It is accepted, signed, and dated by client.
Understanding should include:
1. Objectives of the Engagement (it is to express an opinion)
2. Managements responsibilities:
a. Financial statements
b. Accounting policies
c. Internal control
d. Compliance with laws
e. Making all financial records available to auditor
f. Providing management representation letter (at the end of the audit)
g. Adjust FS to correct material misstatements identified by auditor
h. Affirming in the management representation letter that effects of any uncorrected misstatements
are immaterial
3. Auditors responsibilities:
a. Conduct audit in accordance with GAAS
b. Obtain reasonable assurance that FS are free of material misstatement
c. Obtain understanding of entity, its environment, internal control, assess risk
d. If audit is incomplete, unable to form opinion, decline to express opinion or decline to issue report
4. Limitations of the Engagement
a. Material misstatement may remain undetected
b. Audit is not designed to detect error or fraud that is immaterial to FS
c. Audit is not designed to provide assurance on internal control, or identify significant deficiencies
d. If deficiencies discovered, ensure that those charged with governance are aware
5. Other matters
a. Audit is subject to inherent risks that errors and fraud will not be detected
6. Documentation
a. Document understanding with client through written communication. Client engagement letter
should be accepted signed and dated by client.
Planning the audit
Objective of planning phase: develop overall strategy of audit, including conduct, organization, and staffing.
Nature, extent, and timing of planning will vary based on the size and complexity of the entity, and on auditors
experience and understanding of entity. (The NET we cast over the audit.)
Auditor is required to:
Obtain understanding of entity and environment (internal control, assess risk, design audit procedure)
Obtain knowledge of clients industry and business
Use analytical procedures as planning procedure
Develop and document an audit plan
Consider materiality and audit risk
Knowledge of Clients industry:
Common sources of industry info:
AICPA accounting and audit guides
Tolerable Misstatement (tolerable error) = maximum error in a specific population auditor is willing to accept
Misstatements must be communicated to management. Auditor should
1. Distinguish between known and likely misstatements
2. Request management to review the situation and make appropriate corrections
If management refuses to correct some or all, auditor should consider implications on auditors report
Materiality = amount of error or omission that would affect judgment of reasonable person
Preliminary judgment about materiality:
During planning phase, auditor establishes preliminary level of materiality
Tolerable error is typically lower than overall FS materiality limits
Because the FS are interrelated, the auditor should use the smallest level of misstatement that could be material to
any one of the financial statements.
This preliminary assessment of materiality ordinarily will be revised as the audit progresses
Evaluation of audit findings
Size of misstatement is often evaluated in comparison to a relevant financial base (net income, gross sales, gross
margin, total assets, total liabilities)
Auditor must consider the effects, individually and aggregate, of uncorrected misstatements (both known and likely)
Prior period misstatements may affect the FS of current period
Misstatements are more likely to be considered material if they:
Affect trends in profitability or mask a change in trend, or change loss into income
Affect the entitys compliance with loan covenants, contracts, or regulatory provisions
Increase management compensation, indicate a pattern of management bias, or involve fraud
Affect significant FS elements, such as those involving recurring earnings (as opposed to nonrecurring)
Can be objectively determined, as opposed to including an element of subjectivity
Documentation Requirements Auditor should document:
Planning levels of materiality and tolerable misstatement, the basis for those levels, and any subsequent changes
Known and likely misstatements that were corrected by management
Summary of uncorrected misstatements, the auditors conclusion regarding whether such misstatements cause the
FS to be materially misstated, and basis for conclusion
Documents of uncorrected misstatements should include:
o Separate identification of known and likely misstatements
o The aggregate effect on the FS
o Relevant qualitative factors affecting materiality judgments
***If material risk is high, then detection risk is low.***
Audit Risk
- Risk that the auditor may unknowingly fail to modify appropriately the opinion on FS that are materially misstated
- Should be reduced to a low level before an opinion on FS is expressed
The audit risk model: the risk that the auditor will give the wrong opinion.
AR
Audit Risk
(should be low)
RMM
Risk of Material
Misstatement
(assessed by auditor)
DR
Detection Risk
(controlled by auditor)
4
IR
Inherent Risk
CR
Control Risk
DR
Detection Risk
(controlled by auditor)
So in simple words...
AR (giving a wrong opinion) = IR (error in clients accounting system) X CR (internal controls/auditor did not catch it) X
DR (our audit work not finding the mistake)
Risk of Material Misstatement (RMM):
- Exists independently of financial statement audit
- Auditor assess by performing risk assessment procedures and test of controls
- Can be subdivided into inherent risk (IR) and control risk (CR)
Inherent Risk (IR)
- The susceptibility of a relevant assertion to a material misstatement, assuming there are no related controls
- Mistake in clients accounting system
- Auditor assesses but cannot change the inherent risk (whether clients system is good or not, it cant be changed)
- Assertions involving complex calculations, amounts derived from estimates, and cash have relatively higher inherent
risk than assertions without those characteristics
Control Risk (CR)
- Risk that a material misstatement that could occur in a relevant assertion will not be prevented or detected on a
timely basis by the entitys internal control
- Auditor assesses but cannot change the control risk (whether clients internal control is good or not, it cant be
changed)
- Function of the effectiveness of the design and operation of internal control
** Inherent risk and control risk exist independently of the audit, and auditor generally cannot change these risks.
RMM
IR x CR
DR
Auditor cannot change the risk of material misstatement, but can change his assessment of this risk as the audit
progresses.
Detection Risk (DR)
- The risk the auditor will not detect a misstatement that exists in a relevant assertion = auditor will miss the mistake
- Is a function of the effectiveness of audit procedures
- Can be subdivided into tests of details risk (TD) and substantive analytical procedures risk (AP)
- Auditor CAN change detection risk by varying the nature, extent, and timing of audit procedures.
Example 1: acceptable level of DR decreases, the assurance provided from substantive procedures should increase:
5
1. Change the nature of substantive tests from less effective to more effective procedure (direct test toward
independent parties outside the entity rather than toward parties or documentation inside the entity)
2. Change the extent of substantive tests (use larger sample size)
3. Change the timing of substantive tests (perform substantive tests at year-end rather than at interim)
Example 2: acceptable level of DR increases, the assurance that must be obtained from substantive tests decreases,
allowing for somewhat less persuasive evidence to be used, for a reduced extent of testing, or for more testing to be
performed at interim.
Substantive procedures always required!!!
RMM and DR have inverse relationship. When auditor determines that risk of material misstatement is high,
detection risk should be set at a low level. Conversely, when the risk of material misstatement is low, the auditor can
justify a higher detection risk.
Auditor CAN change detection risk by varying the nature, extent, and timing of audit procedures.
RMM and the assurance required from substantive procedures have direct relationship. Greater risk requires more
persuasive evidence, a larger sample size, and/or a shift from interim to year-end testing.
Audit risk and materiality are affected by the size and complexity of the entity. They must be considered at both the FS
level and the account balance, individual transaction class, or disclosure item level.
Considerations at Financial Statement Level
At the FS level, the auditor should consider risks that have a pervasive effect on the FS, potentially affecting many
relevant assertions. FS level audit risk often relates to entitys control environment.
Purpose:
o Design risk assessment procedures
o Identify and assess risk
o Design further audit procedures
o Evaluate the FS taken as a whole
Auditors response:
o The competency of personnel assigned to the engagement
o The potential need for a specialist
o The appropriate level of supervision of assistants
Considerations at the Account Balance, Transaction Class, or Disclosure Item Level
Purpose: At account balance, transaction class, or disclosure item level, used to determine the nature, extent, and
timing of audit procedures to be applied to specific account balances, transaction classes, or disclosure items. The audit
risk model may be useful in this regard.
Inverse relationship between audit risk and materiality. The risk of a very large misstatement may be low, whereas the
risk of small misstatement may be high. The more material the misstatement is, the less likely the auditor will miss it.
Audit Procedures: performed to obtain evidence on which to base the audit opinion
1. Risk assessment procedures: obtain an understanding of the entity and its environment, including internal
control, in order to assess the risk of material misstatement.
2. Tests of controls: (CRIME) auditor tests internal controls. Evaluate the operating effectiveness of internal control
in preventing or detecting material misstatements. Tests of controls are necessary when:
a. The auditors risk assessment is based to some extent on the operating effectiveness of internal control
b. Substantive procedures alone are deemed to be insufficient
6
3. Substantive procedures: auditor tests $$$ balances. Used to detect material misstatements, and include tests of
details and substantive analytical procedures. They are performed in response to the planned level of DR, which
may be based on the results of tests of controls. Test of controls are ALWAYS necessary.
*****MUST understand the fundamentals and memorize the assertions of the following FS Assertions made by
management: All of the A CPA CO CARE about CURVed assertions
Financial Statement Assertions Assertions by mgmt fall into 3 categories: (A CPA CO CARE about CURVed assertions)
1. Transactions and Events
C Completeness all transactions and events that should have been recorded have been recorded
P Proper period cutoff transactions and events have been recorded in the correct (proper) accounting period
A Accuracy amounts and other data relating to recorded transactions and events have been recorded
appropriately
C Classification transactions and events have been recorded in the proper accounts
O Occurrence transactions and events that have been recorded have occurred and pertain to entity
2. Account Balances
C Completeness all assets, liabilities, and equity interests that should have been recorded have been recorded
A Allocation and Valuation assets, liabilities, and equity interests are included in the FS at appropriate
amounts, and any resulting valuation or allocation adjustments are appropriately recorded
R Rights and Obligations the entity holds or controls the rights to assets, and liabilities are the obligations of
the entity
E Existence assets, liabilities, and equity interests exist.
3. Presentation and Disclosure
C Completeness all disclosures that should have been included in the FS have been included
U Understandability and Classification financial information is appropriately presented and described and
disclosures are clearly expressed
R Rights and Obligations, and Occurrence disclosed events and transactions have occurred and pertain to the
entity
V Valuation and Accuracy financial and other information are disclosed at fairly and at appropriate amounts
Financial Statement Assertions:
Management Estimates:
- Engage a specialist to evaluate managements estimate.
- Develop an independent estimate
- Perform a retrospective review of prior period estimates (how good were last years estimates?)
Evaluating Audit Evidence Conditions identified during fieldwork:
a) Discrepancies in the accounting records
b) Conflicting or missing evidential matter
c) Problematic or unusual relationships between the auditor and management
Analytical Procedures are REQUIRED during planning and final review.
When performed at completion of audit, it may indicate a fraud risk that was not previously identified. Auditor should
pay careful attention to unusual relationships relating to year-end revenue and income.
Misstatement caused by fraud (even immaterial misstatements) may be indicative of an underlying problem with
management integrity WITHDRAW
The auditor may need to reevaluate the assessment of fraud risk, the assessed effectiveness of controls, and the
appropriateness of the audit procedures applied
A final evaluation should be made regarding the assessment of the risks of material misstatement due to fraud
Management and those charged with governance
Generally, any indication of fraud (even immaterial fraud) should be discussed with an appropriate level of
management, at least one level above those involved.
- Fraud that causes a material misstatement: discuss with senior mgmt and report directly to those charged with
governance
- Fraud involving senior management: report directly to those charged with governance
- Identified risk factors that represent significant deficiencies or material weaknesses: communicate with senior
management and those charged with governance
Parties outside the entity that we must communicate with:
1. To comply with certain legal and regulatory requirements
2. To a successor auditor
3. In response to a subpoena
4. To a funding agency
Complete documentation of the auditors risk assessment and response is required. Including:
- Planning among engagement personnel regarding fraud risk
- Procedures performed to obtain information related to fraud risk
- Specific identified risks of material misstatement due to fraud
- If the auditor has not identified improper revenue recognition as a fraud risk, support for this conclusion
- Results of procedures performed to address the risk of management override of controls
- Other conditions and analytical relationships that warranted further audit work
- Nature of communications made about fraud
Record retention is now MANDATORY under GAAS, AICPA, and Sarbanes-Oxley (SOX for 7 years)!!!
Fraud = intentional
Errors = unintentional
Illegal Acts = violations of law
11
Auditors responsibility to detect illegal acts that have a material and direct effect on FS is the same as that for
errors and fraud.
Auditor has a responsibility to plan and perform the audit to obtain reasonable assurance that the FS are free of
material misstatement.
Auditor is under no obligation to look for illegal acts having an indirect effect on the FS.
Generally, the less the act affects the FS, the less likely it is that the auditor will discover it.
The auditor generally does not include procedures specifically to detect illegal acts, but may discover such acts
through other procedures, such as reading minutes or making inquiries of management or of legal counsel.
Auditors Response to Illegal Acts
When we suspect there is a problem Possible illegal acts:
1. Obtain an understanding of the situation
2. Inquire of management at a level above those involved
3. Consult the clients legal counsel
4. Apply additional audit procedures, if necessary
When we have found a problem Detected illegal acts:
1. Consider the effects of the illegal act on FS
2. Evaluate the materiality of the illegal act (consider quantitative and qualitative factors)
3. Evaluate the disclosure of loss contingencies, including possible fines, penalties, and damages
4. Consider the implications for other areas of the audit
5. Communicate the illegal act to those charged with governance
Effect of illegal act on auditors report:
1. Departure from GAAP Except For qualified or adverse
2. Insufficient Evidence Except For qualified or disclaimer
3. Client Refuses to modify report Withdraw
If client fails to take appropriate action regarding any illegal act (including those that are non-material), then
withdraw!
Those charged with governance should be adequately informed of illegal acts unless they are clearly
inconsequential. This could be oral or written, but oral communications should be documented.
Ordinarily, the auditor is not responsible to communicate this disclosure to anyone other than senior
management and those charged with governance, but it may be required in some circumstances. For example:
o Comply with certain legal and regulatory requirements
o To a successor auditor
o In response to a subpoena
o To a funding agency
Risk Assessment
Second GAAS standard of fieldwork requires auditor to obtain understanding of entity and its environment,
including internal control. Must perform risk assessment procedures to obtain this understanding.
13
14
Internal Control
The ability to process large volumes of transactions and data accurately and consistently
Improved timeliness and availability of information
Facilitation of data analysis and performance monitoring
Reduction in the risk that controls will be circumvented
Enhanced segregation of duties through effective implementation of security controls
IT Risks:
- Potential reliance on inaccurate systems
- Unauthorized access to data which may result in loss of data and/or data inaccuracies
- Unauthorized changes to data, systems, or programs
- Failure to make required changes or updates to systems or programs
Auditor should:
CRIME Most important ones for the test is C Control Environment and E Existing Control Activities
Risk Assessment by
Management
Control Environment
Information and
Monitoring
Communication Systems
Existing Control
Activities
**Examiners questions focus on the control environment and on an entitys existing control activities
C Control Environment: the overall tone of the organization
- Sets the tone of an organization
- Integrity and ethical values
- Competence
- Participation of those charged with governance
- Managements philosophy and operating style
- Organizational structure
- Assignment of responsibility
- Human resource policies
The following circumstances would raise concerns regarding managements philosophy and operating style:
Management consumed with meeting the budget
Management dominated by one person
Management compensation contingent upon the entitys financial performance (=bonus and stock options)
The control environment has a pervasive effect on the auditors risk assessment, and preliminary judgments about its
effectiveness may influence the nature, extent, and timing of further audit procedures to be performed.
16
P Pre-numbering documents
All transactions are recorded Completeness
No transactions are recorded more than once Existence
Example: Your Checkbook
A Authorization of transactions
Authorization should occur before commitment of resources
Example: Signed approval
I Independent checks to maintain asset accountability
Independent checks involve the verification of work previously performed by others:
o Review of bank reconciliations
o Comparison of subsidiary records to control accounts
o Comparison of physical counts of inventory to perpetual records
Example: Checks and balances
D Documentation
Evidence of transactions and a basis for responsibility for the execution and recording of transaction
Example: Paper trail
T Timely and appropriate performance reviews
Comparison of actual performance to budgets, forecasts, and prior periods
Comparison of financial and nonfinancial information
Example: Analytical procedures
I Information processing controls
Ensure that transactions are valid, authorized, and completely and accurately recorded
Application controls: processing of individual applications (i.e. controls surrounding payroll)
General controls: information processing throughout the company (i.e. access controls, controls over
data center, network operations)
P Physical controls for safeguarding assets
Physical segregation of security of assets
Authorized access to assets and records
Periodic counting and comparison of actual assets with amounts shown in accounting records
Example: Security
S Segregation of duties
One individual provides a crosscheck on the work of another individual
Assigning different people the responsibilities of authorizing, recording transactions, and maintaining
custody of the related assets reduces the opportunities for any individual to both perpetrate and
conceal errors or fraud
Internal control environ. should detect fraud by one person, NOT
1. Collusion
2. Management override
Client should separate these functions:
o A Authorization
o R Recordkeeping
o C Custody of related assets
****Segregation of duties is your ARC to protect against a flood of troubles. Client should separate these functions:
A Authorization
R Recordkeeping
C Custody of related assets
An audit does not require an understanding of all control activities
Auditors primary consideration should be if a control prevents, or detects and corrects, material misstatements
18
I Internal Control Understand entity and its environment, including internal control
M Material Misstatement Assess risk of material misstatement
A Assessed Risk Response Respond to assessed risk level by designing further audit procedures based on assessment
C Control Testing Test internal controls to evaluate their operating effectiveness
P Perform Substantive Testing Perform substantive tests
A Audit Evidence Evaluate sufficiency and appropriateness of audit evidence obtained
IM A CPA: A Assessed Risk Response Respond to assessed risk level by designing further audit procedures based on
assessment
To reduce audit risk to low level, auditor should respond to assessed risk in two ways:
- Overall response: address risk at FS level
- Response at assertion level, the NET (nature, extent, timing) of audit procedures are designed to address risks
Overall Response: Auditor may
Address increased need for professional skepticism
Assign more experienced staff
Increase supervision
Incorporate greater level of unpredictability
Change the NET, such as shifting substantive procedures closer to period end
19
General approach may consist of only Substantive Approach, or a combined approach of tests of controls and
substantives procedures.
Response to Risks at the Relevant Assertion Level
- Link between the assessed level of risk at the relevant assertion level and the NET of further audit procedures.
***Three elements of further audit procedures can be varied by the auditor. We cast our NET over the audit.
N Nature
E Extent
T Timing
Nature:
- Includes the audits purpose - test of control vs. Substantive procedure
- Includes the audits type inspection, observation, inquiry, confirmation, recalculation, reperformance, or analytical
procedure
- The HIGHER the auditors risk assessment, the more reliable the evidence must be.
- Auditor varies the nature of audit procedures to achieve the desired level of reliability and relevancy
- If the info provided by entitys system is used, must test its accuracy and completeness
- Responding to assessed risks, nature of audit procedure is of primary importance
Extent:
- Refers to quantity to be performed - # of observations or sample size
- The HIGHER the auditors assessment, the greater the extent of audit procedures
- Also consider the tolerable misstatement and degree of assurance
Timing:
- May be performed at an interim date or at period end
- The HIGHER the auditors risk assessment, the closer to period end substantive procedures should be
- Auditor should consider when relevant info is available
In designing further audit procedures that are responsive to assessed risks, auditor should consider:
1) Significance and likelihood of risk
2) Characteristics of transaction, balance, or disclosure
3) Nature of controls used (i.e. automated or manual)
4) Whether auditor expects to test the operating effectiveness of controls
Audit procedures should be performed to determine whether the FS are presented in a manner that classifies and
describes financial information appropriately, and includes adequate disclosure of material matters.
Audit Approach the auditors specific approach to identified risks at the relevant assertion level may consist of either a
substantive approach or a combined approach.
Substantive Approach: $$$ Balance Use when:
- No strong controls to be relied upon
- Not efficient to test the operating effectiveness of controls Cost/Benefit
Combined Approach: Tests of operating effectiveness of controls and substantive procedures. If controls are effective,
less assurance will be needed from substantive procedures
Tests of Controls May Be Required IT
20
Where large amount of info is initiated, authorized, recorded, processed, or reported electronically, substantive
procedures alone may not be sufficient
Where highly electronic environments
Dual-Purpose Tests:
- Is a tests of controls performed concurrently with a test of details on the same transaction
- Purpose of test of controls: Evaluate the operating effectiveness of a control
- Purpose of test of details: Support relevant assertions or detect material misstatements
Material misstatements that the auditor detects through performance of substantive procedures should be considered
by the auditor when assessing operating effectiveness.
Audit Approach
Status of Internal Control
Risk Level
None/Weak
High
Yes Maximum
Some
Medium
Yes
Moderate
Strong
Low
Yes
IM A CPA: C Control Testing Test internal controls to evaluate their operating effectiveness
Tests of controls: performed when the auditors risk assessment is based on the assumption that controls are operating
effectively, or when substantive procedures alone are insufficient. (Test Control Strengths, typically not weaknesses)
Obtaining an understanding of internal control includes evaluating the design of controls and determining whether they
have been implemented. Auditor is not required to evaluate operating effectiveness as part of obtaining an
understanding of internal control.
Inspect client records, documenting use, and changes to IT programs.
Only those controls that are suitably designed to prevent or detect material misstatements are subject to tests of
operating effectiveness.
Nature of Tests of Controls:
Tests of the operating effectiveness of controls include: inquiries, inspection, observation, and
reperformance.
o Inquiry alone is not sufficient
o Observation be supported with inquiry or inspection
Obtain evidence about the operating effectiveness of:
o Controls directly related to relevant assertions
o Other indirect controls that affect the direct controls
As the planned level of assurance about operating effectiveness increases, the auditor should obtain
more reliable or more extensive audit evidence.
Hierarchy:
1. Personal observation/knowledge
21
2. External evidence
3. Internal evidence
4. Oral evidence
Extent of tests of controls:
How frequently the control is performed
The length of time during which the auditor wishes to rely on the control
The relevance and reliability of the evidence to be obtained
The extent to which other tests provide audit evidence about the same assertion
The extent to which the auditor wishes to rely on the operating effectiveness of the control
The expected deviation rate from the control
Timing of tests of Controls:
Test at particular time versus testing throughout a period: when tests of controls are performed at one
particular time, they provide evidence that controls operated effectively only at that time. Controls tested
throughout the period provide evidence of operating effectiveness during that period
Controls are tested only during an interim period should be supplemented by additional evidence for the
remaining period Roll Forward
If controls have changed since they were last tested, operating effectiveness must be retested in the current
period
Even if controls have not changed, operating effectiveness must be tested at least once every third year.
Higher the assessed risk, or greater the intended reliance on controls, the more frequently the auditor will
choose to test operating effectiveness
Weak control environment may result in more frequent testing
IM A CPA P Perform Substantive Testing Perform substantive tests
Substantive procedures/tests:
$$$ Balances
Analytical
Ratios
Substantive procedures are used to detect material misstatements at the relevant assertion level.
Substantive procedures should be designed to be responsive to assessed risks; however, regardless of the assessed risk,
substantive procedures are required for each material transaction class, account balance, or disclosure.
Procedures include:
- Agreement of FS to the underlying accounting records
- Examination of material journal entries or adjustments made while preparing the FS
Two types of substantive procedures:
- Tests of details applied to transaction classes, account balances, and disclosures
- Substantive analytical procedures
Auditor may use only substantive analytical procedures, only tests of details, or combination:
Substantive analytical procedures are often used when there is a large volume of predictable transactions
Tests of details are more appropriate when obtaining evidence regarding the existence and valuation of account
balances
To determine which substantive procedures to use is affected by the operating effectiveness of controls
Directional testing:
22
In designing substantive procedures to test the existence or occurrence assertion, the auditor should select from FS
amounts and obtain evidence supporting the inclusion of those amounts in FS.
o Vouching = Support
ouching
In designing substantive procedures to test the completeness assertion, the auditor should select from evidence
indicating that an item should be included in the FS, and then determine whether the item is in fact included.
o Tracing = Coverage
racing
-
Vouching = Support
Tracing = Coverage
ouching
racing
Audit evidence obtained may cause the auditor to modify his or her initial risk assessment. Example:
The auditor should not assume that an identified instance of fraud or error is an isolated occurrence, but instead should
consider whether such instance affects the assessed risk of material misstatement
When there is a change in the assessed level of risk, the auditor should modify planned audit procedures accordingly.
The auditor uses judgment to evaluate the sufficiency and appropriateness of audit evidence, but should consider:
1. Significance and likelihood of potential misstatements
2. Effectiveness of managements responses and controls
3. Experience gained during previous audits
4. Results of audit procedures performed
5. Source, reliability, and persuasiveness of audit evidence obtained
6. Understanding of the entity and its environment
24