AUDITING & ATTESTATION 3

PLANNING & SUPERVISION

TIP PIE ACDO


The auditor must adequately plan the work and must properly supervise any assistants.
The audit committee of the client's board of directors is responsible for the selection and appointment of the independent external
auditor, and for reviewing the nature and scope of the engagement. The auditor interacts with the audit committee in the
planning phase.
Sarbanes-Oxley Act:
1. Auditors report to and are overseen by the client's audit committee.
2. Audit committee pre-approves all services provided by auditor.
3. Specified non-audit services are prohibited
Those charged with governance = those who bear responsibility to oversee the obligations, financial reporting process, and
strategic direction of the entity = board of directors and audit committee.
In a new client relationship, the new CPA is required to talk to the old CPA. Client permission is needed to talk to the old CPA;
otherwise it is a scope limitation. The auditor should then consider whether or not to accept the engagement.
Before accepting, talk to old CPA regarding:
1. Information that might bear on management integrity
2. Disagreements with management over accounting principles, auditing procedures, or other similarly
significant matters
3. Predecessor's understanding as to the reasons for the change of auditors
4. Communication to management, the audit committee, and those charged with governance regarding fraud,
illegal acts by client, and matters relating to internal control.
After acceptance, inquire with the old CPA regarding:
1. Making specific inquiries about the audit (i.e. audit problems)
2. Reviewing the predecessor's audit documentation (workpapers for evidence)
If the new CPA uncovers potential problems relating to the old CPA's audit, the new CPA should ask the client to arrange a meeting
involving the new and old CPA and the client. If management refuses or the successor auditor is not satisfied with the
resolution, the new auditor should consider the implications and whether to resign.
Preliminary Engagement Activities: After accepting, consider whether or not to continue the engagement
1. Assess the auditability of the client
a. The integrity of management (increases the likelihood of FS misrepresentation)
b. The availability and adequacy of the client's accounting records (lack of records = scope limitation)
c. The ability of the auditor to perform the audit after consideration of:
i. The auditor's knowledge of the client's industry and possible need for a specialist
ii. The auditor's independence of the client
iii. Scope limitations
iv. Staffing needs of the engagement
v. The auditor's ability to comply fully with the Code of Professional Conduct
2. Client's business risk: risk that events may occur that will negatively impact the company.
3. CPA's business risk: risk that management will not prove to be profitable and whether to accept the engagement
Evaluate compliance with ethical requirements
1. Independence: auditor independence in fact and appearance
2. Quality control policies and procedures: part of the pre-acceptance phase of the engagement, accountant must
document compliance with the firm's quality control policies and procedures regarding acceptance or
continuance of clients and engagements.
Engagement letter = a signed contract to establish understanding with the client. It is a presumptively mandatory
requirement (required in most circumstances). It is accepted, signed, and dated by the client.
Understanding should include:
1. Objectives of the Engagement (it is to express an opinion)
2. Management's responsibilities:
a. Financial statements
b. Accounting policies
c. Internal control
d. Compliance with laws
e. Making all financial records available to auditor
f. Providing management representation letter (at the end of the audit)
g. Adjust FS to correct material misstatements identified by auditor
h. Affirming in the management representation letter that effects of any uncorrected misstatements
are immaterial
3. Auditor's responsibilities:
a. Conduct audit in accordance with GAAS
b. Obtain reasonable assurance that FS are free of material misstatement
c. Obtain understanding of entity, its environment, internal control, assess risk
d. If audit is incomplete, unable to form opinion, decline to express opinion or decline to issue report
4. Limitations of the Engagement
a. Material misstatement may remain undetected
b. Audit is not designed to detect error or fraud that is immaterial to FS
c. Audit is not designed to provide assurance on internal control, or identify significant deficiencies
d. If deficiencies discovered, ensure that those charged with governance are aware
5. Other matters
a. Audit is subject to inherent risks that errors and fraud will not be detected
6. Documentation
a. Document understanding with client through written communication. Client engagement letter
should be accepted, signed, and dated by client.
Planning the audit
Objective of planning phase: develop overall strategy of audit, including conduct, organization, and staffing.
Nature, extent, and timing of planning will vary based on the size and complexity of the entity, and on the auditor's
experience and understanding of the entity. (The NET we cast over the audit.)
Auditor is required to:
Obtain understanding of entity and environment (internal control, assess risk, design audit procedure)
Obtain knowledge of client's industry and business
Use analytical procedures as planning procedure
Develop and document an audit plan
Consider materiality and audit risk
Knowledge of Client's industry:
Common sources of industry info:
AICPA accounting and audit guides

Trade publications and professional trade associations


Government publications
AICPA Accounting Trends and Techniques (annual survey of accounting practices)
Knowledge of Client's business:
Tour client facilities (meet personnel and observe general operation)
Review financial history of client (previous audit reports, audit files, interim FS, meeting minutes, SEC filings, tax returns)
Obtain understanding of client accounting (methods, policies, unusual events, related party transactions)
Inquiry of client personnel (current business developments)
Analytical Procedures
Analytical procedures are used:
Planning the nature, extent, and timing of other auditing procedures (REQUIRED)
Substantive tests to obtain evidential matter (OPTIONAL)
Overall review in the final review stage of the audit (REQUIRED)
GAAS requires: Analytical procedures performed during planning:
During planning, analytical procedures consist of a review of data aggregated at high level (i.e. compare FS to budget
or anticipated results)
Generally, financial data is used, though relevant nonfinancial data (i.e. # of employees, square footage of selling
space, volume of goods produced) may also be considered
Purpose: to enhance the auditor's understanding and identify unusual transactions and events, and amounts
Overall Audit Strategy
General: Characteristics of engagement, Reporting objectives (incl. NET of required communications), Preliminary
evaluations of materiality, Involvement of other auditors, specialists, internal auditors, Effect of information technology,
Knowledge from prior experience with entity
Resource allocation: allocate appropriate resources to engagement (staff, skills, experience)
Communication with Those Charged with Governance: required to communicate the planned scope and timing of audit
The Audit Plan: must be written
Components: auditor must develop an audit plan in which specific audit procedures are documented. Plan should
include description of nature, extent, timing of:
o Planned risk assessment procedures (REQUIRED in all FS audits):
  - Assess risk of material misstatement
  - Results affect whether and to what extent further audit procedures are necessary
o Planned further audit procedures
  - Applied at relevant assertion level for material account balance, transaction class, and disclosures
  - Include tests of operating effectiveness of controls, include NET of planned substantive procedures
Relationship of audit strategy and audit plan (plan follows strategy)
Need for Specialist (either from within the audit firm or outside)
o Complex systems, extensive use of e-commerce, significant audit evidence is only available in e-form
Timing of audit procedures (testing at interim date, effect of IT)
Written audit plan is required!
Materiality
Misstatement: consider what level of misstatement is material, alone or when aggregated with other misstatements
Known Misstatements = specific misstatements identified during the audit
Likely Misstatements = misstatements that auditor considers likely to exist, either due to differences between auditor
and management judgments regarding estimates or based on extrapolation from audit evidence
Tolerable Misstatement (tolerable error) = maximum error in a specific population auditor is willing to accept
Misstatements must be communicated to management. Auditor should
1. Distinguish between known and likely misstatements
2. Request management to review the situation and make appropriate corrections
If management refuses to correct some or all, auditor should consider implications on the auditor's report
Materiality = amount of error or omission that would affect judgment of reasonable person
Preliminary judgment about materiality:
- During planning phase, auditor establishes preliminary level of materiality
- Tolerable error is typically lower than overall FS materiality limits
- Because the FS are interrelated, the auditor should use the smallest level of misstatement that could be material to
any one of the financial statements.
- This preliminary assessment of materiality ordinarily will be revised as the audit progresses
Evaluation of audit findings
- Size of misstatement is often evaluated in comparison to a relevant financial base (net income, gross sales, gross
margin, total assets, total liabilities)
- Auditor must consider the effects, individually and aggregate, of uncorrected misstatements (both known and likely)
- Prior period misstatements may affect the FS of current period
Misstatements are more likely to be considered material if they:
- Affect trends in profitability or mask a change in trend, or change loss into income
- Affect the entity's compliance with loan covenants, contracts, or regulatory provisions
- Increase management compensation, indicate a pattern of management bias, or involve fraud
- Affect significant FS elements, such as those involving recurring earnings (as opposed to nonrecurring)
- Can be objectively determined, as opposed to including an element of subjectivity
Documentation Requirements - Auditor should document:
- Planning levels of materiality and tolerable misstatement, the basis for those levels, and any subsequent changes
- Known and likely misstatements that were corrected by management
- Summary of uncorrected misstatements, the auditor's conclusion regarding whether such misstatements cause the
FS to be materially misstated, and basis for conclusion
- Documents of uncorrected misstatements should include:
o Separate identification of known and likely misstatements
o The aggregate effect on the FS
o Relevant qualitative factors affecting materiality judgments
***If material risk is high, then detection risk is low.***
Audit Risk
- Risk that the auditor may unknowingly fail to modify appropriately the opinion on FS that are materially misstated
- Should be reduced to a low level before an opinion on FS is expressed
The audit risk model: the risk that the auditor will give the wrong opinion.
AR (Audit Risk, should be low) = RMM (Risk of Material Misstatement, assessed by auditor) x DR (Detection Risk, controlled by auditor)
***RMM = Exists independently of the financial statement audit.


So in simple words...
AR (giving a wrong opinion) = RMM (error in client's accounting system) X DR (our audit work not finding the mistake)
AR (Audit Risk, should be low) = IR (Inherent Risk) x CR (Control Risk) x DR (Detection Risk, controlled by auditor)

So in simple words...
AR (giving a wrong opinion) = IR (error in client's accounting system) X CR (internal controls/auditor did not catch it) X
DR (our audit work not finding the mistake)
Risk of Material Misstatement (RMM):
- Exists independently of financial statement audit
- Auditor assesses by performing risk assessment procedures and tests of controls
- Can be subdivided into inherent risk (IR) and control risk (CR)
Inherent Risk (IR)
- The susceptibility of a relevant assertion to a material misstatement, assuming there are no related controls
- Mistake in client's accounting system
- Auditor assesses but cannot change the inherent risk (whether client's system is good or not, it can't be changed)
- Assertions involving complex calculations, amounts derived from estimates, and cash have relatively higher inherent
risk than assertions without those characteristics
Control Risk (CR)
- Risk that a material misstatement that could occur in a relevant assertion will not be prevented or detected on a
timely basis by the entity's internal control
- Auditor assesses but cannot change the control risk (whether client's internal control is good or not, it can't be
changed)
- Function of the effectiveness of the design and operation of internal control
** Inherent risk and control risk exist independently of the audit, and auditor generally cannot change these risks.
[Diagram: RMM (IR x CR) | DR]

Auditor cannot change the risk of material misstatement, but can change his assessment of this risk as the audit
progresses.
Detection Risk (DR)
- The risk the auditor will not detect a misstatement that exists in a relevant assertion = auditor will miss the mistake
- Is a function of the effectiveness of audit procedures
- Can be subdivided into tests of details risk (TD) and substantive analytical procedures risk (AP)
- Auditor CAN change detection risk by varying the nature, extent, and timing of audit procedures.
Example 1: acceptable level of DR decreases, the assurance provided from substantive procedures should increase:
1. Change the nature of substantive tests from less effective to more effective procedure (direct test toward
independent parties outside the entity rather than toward parties or documentation inside the entity)
2. Change the extent of substantive tests (use larger sample size)
3. Change the timing of substantive tests (perform substantive tests at year-end rather than at interim)
Example 2: acceptable level of DR increases, the assurance that must be obtained from substantive tests decreases,
allowing for somewhat less persuasive evidence to be used, for a reduced extent of testing, or for more testing to be
performed at interim.
Substantive procedures always required!!!
RMM and DR have inverse relationship. When auditor determines that risk of material misstatement is high,
detection risk should be set at a low level. Conversely, when the risk of material misstatement is low, the auditor can
justify a higher detection risk.
Auditor CAN change detection risk by varying the nature, extent, and timing of audit procedures.
RMM and the assurance required from substantive procedures have direct relationship. Greater risk requires more
persuasive evidence, a larger sample size, and/or a shift from interim to year-end testing.
Audit risk and materiality are affected by the size and complexity of the entity. They must be considered at both the FS
level and the account balance, individual transaction class, or disclosure item level.
Considerations at Financial Statement Level
At the FS level, the auditor should consider risks that have a pervasive effect on the FS, potentially affecting many
relevant assertions. FS level audit risk often relates to the entity's control environment.
Purpose:
o Design risk assessment procedures
o Identify and assess risk
o Design further audit procedures
o Evaluate the FS taken as a whole
Auditors response:
o The competency of personnel assigned to the engagement
o The potential need for a specialist
o The appropriate level of supervision of assistants
Considerations at the Account Balance, Transaction Class, or Disclosure Item Level
Purpose: At account balance, transaction class, or disclosure item level, used to determine the nature, extent, and
timing of audit procedures to be applied to specific account balances, transaction classes, or disclosure items. The audit
risk model may be useful in this regard.
Inverse relationship between audit risk and materiality. The risk of a very large misstatement may be low, whereas the
risk of small misstatement may be high. The more material the misstatement is, the less likely the auditor will miss it.
Audit Procedures: performed to obtain evidence on which to base the audit opinion
1. Risk assessment procedures: obtain an understanding of the entity and its environment, including internal
control, in order to assess the risk of material misstatement.
2. Tests of controls: (CRIME) auditor tests internal controls. Evaluate the operating effectiveness of internal control
in preventing or detecting material misstatements. Tests of controls are necessary when:
a. The auditor's risk assessment is based to some extent on the operating effectiveness of internal control
b. Substantive procedures alone are deemed to be insufficient
3. Substantive procedures: auditor tests $$$ balances. Used to detect material misstatements, and include tests of
details and substantive analytical procedures. They are performed in response to the planned level of DR, which
may be based on the results of tests of controls. Test of controls are ALWAYS necessary.
*****MUST understand the fundamentals and memorize the assertions of the following FS Assertions made by
management: All of the A CPA CO CARE about CURVed assertions
Financial Statement Assertions - Assertions by mgmt fall into 3 categories: (A CPA CO CARE about CURVed assertions)
1. Transactions and Events
C - Completeness: all transactions and events that should have been recorded have been recorded
P - Proper period cutoff: transactions and events have been recorded in the correct (proper) accounting period
A - Accuracy: amounts and other data relating to recorded transactions and events have been recorded
appropriately
C - Classification: transactions and events have been recorded in the proper accounts
O - Occurrence: transactions and events that have been recorded have occurred and pertain to entity
2. Account Balances
C - Completeness: all assets, liabilities, and equity interests that should have been recorded have been recorded
A - Allocation and Valuation: assets, liabilities, and equity interests are included in the FS at appropriate
amounts, and any resulting valuation or allocation adjustments are appropriately recorded
R - Rights and Obligations: the entity holds or controls the rights to assets, and liabilities are the obligations of
the entity
E - Existence: assets, liabilities, and equity interests exist.
3. Presentation and Disclosure
C - Completeness: all disclosures that should have been included in the FS have been included
U - Understandability and Classification: financial information is appropriately presented and described and
disclosures are clearly expressed
R - Rights and Obligations, and Occurrence: disclosed events and transactions have occurred and pertain to the
entity
V - Valuation and Accuracy: financial and other information are disclosed fairly and at appropriate amounts
Financial Statement Assertions:

A CPA CO CARE about CURVed assertions

Drafting the Audit Plan = REQUIRED


After sufficient planning information has been gathered, an audit plan should be drafted.
- Is a listing of detailed audit procedures
- Set out procedures specifying the nature, extent, and timing of the work to be performed
CPA gathers evidence to support the expressed opinion
Proper Supervision = TIP PIE ACDO
When assistants are used, proper supervision includes: (don't have to memorize, just know them)
1. Directing the efforts of assistants
2. Communicating with the audit team
3. Informing assistants of their responsibilities
4. Staying informed regarding significant accounting and auditing issues
5. Reviewing the work performed by assistants
6. Dealing with differences of opinion among members of the audit team
Extent of supervision depends on: complexity of subject matter and qualifications of assistants

Role of the client's internal auditors is NOT judgment.

When planning the audit, the auditor should consider the extent of involvement of the client's internal auditors in the
performance of the audit. While internal auditors must maintain objectivity and integrity, they are NOT independent
of the client, their employer. The independent external auditor cannot share with the internal auditor any of the
responsibility for audit decisions, judgments, or assessments made as part of the audit.
External Auditor Responsibilities
Obtain an understanding of the internal audit function.
If the auditor decides to make use of the internal auditors' work, competence and objectivity must be assessed.
The higher the level of the reporting of internal auditor, the more objectivity that can be assumed
If internal auditors' work is used, external auditor must evaluate their work by reperforming or examining some tests
The external auditor remains solely responsible for the report on the FS. While the internal auditor may assist with
regard to routine ministerial tasks, he may NOT be utilized to make judgment calls, which remain the responsibility
of independent auditor.
CPA must judge and assess, NOT internal auditors.
Using the Work of a Specialist - use of a specialist when: (don't have to memorize, just know them)
1. Valuation of restricted securities and works of art
2. Determination of physical characteristics (i.e. mineral reserves, fungible goods)
3. Determination of specialized estimates (i.e. actuarial calculations)
4. Interpretation of technical standards or legal documents
The Specialist:
- Should have an understanding of the auditor's use of the specialist's findings.
- Does not have to use the same methods as client in calculating amounts.
The auditor must understand the nature of the specialist's work and be able to evaluate the findings for their suitability in
corroborating FS amounts.
The auditor must be satisfied as to the professional competence and reputation of the specialist.
**Treat the specialist like one of your staff, which is the following:
1. R - Reputation
2. I - Independent
3. P - Professional Competency
4. P - Program Steps
Based on the specialist's work, if the auditor decides to add an explanatory paragraph or depart from unqualified
opinion, auditor may refer to the specialist in the report. If the auditor is expressing a standard unqualified opinion, no
reference should be made to the specialist.
Fraud and Illegal Acts

Errors = Unintentional misstatements or omissions of amounts or disclosures


Fraud = Intentional action that results in misstatement of FS
1. Fraudulent Financial Report = LYING. Intentional misstatements or omissions of amounts or disclosures in
the FS, designed to deceive FS users. Usually acts of management and may involve:
a. Manipulation
b. Misrepresentation
c. Intentional misapplication of accounting principles
2. Misappropriation of Assets = STEALING. Involves theft of an entity's assets.
Fraud Risk Factors include:


1. Incentive/Pressures: a reason to commit fraud
2. Opportunity: a lack of effective controls
3. Rationalization/Attitude: an attempt to justify fraudulent behaviour
Due to the concealment aspects of fraud and the need to apply judgment in evaluating fraud risk, even a properly
planned and executed audit may fail to detect fraud.
The more indirect the effect of error or fraud is on the FS, the less chance the auditor has of detecting it.
It is management's responsibility to design and implement programs and controls to prevent, deter, and detect fraud.
The auditor has a responsibility to design (design = plan and perform) the audit to obtain reasonable assurance
about whether the FS are free of material misstatement, whether caused by error or fraud.
Auditor should maintain an attitude of professional scepticism, including a questioning mind and critical assessment.
Auditor should perform the following procedures:
1. Discuss fraud risk with engagement personnel
2. Obtain information to identify specific fraud risks
3. Assess fraud risk and develop an appropriate response
4. Evaluate audit evidence regarding fraud
5. Make appropriate communications about fraud
6. Document the auditor's consideration of fraud
Discussion among engagement personnel is REQUIRED as part of planning
Consideration of the risk of management override of controls - major factor in fraud
Discussion should involve all key members of audit team, may include specialists, and may occur in multiple locations.
Communication should continue throughout the audit.
When inquiring of entity personnel regarding their views of fraud risk the auditor should direct inquiries to
management, employees involved in financial reporting, operating personnel, internal auditors, in-house legal counsel,
those charged with governance, etc.
o Inconsistent responses indicate a need for additional evidence
Analytical Procedures required during the planning stage AND final stage
When planning, auditor is specifically required to perform analytical procedures relating to revenue, in order to identify
unusual relationships that might be indicative of fraud. They often use data aggregated at high level, and may only
provide broad indication regarding fraud risk.
The attributes of risk:
1. Type of risk: Does it involve fraudulent financial reporting or misappropriation of assets: Lying or Stealing?
2. Significance of the risk: Can it lead to a material misstatement?
3. Likelihood of the risk: How likely is this to happen?
4. Pervasiveness of the risk: Does it affect the FS as a whole or only specific accounts, transactions, or
assertions? (So wide spread problem or limited to one area or one person)
There is a presumption in every audit that the following two risks exist:
Improper revenue recognition
Management override of controls


Additional Considerations of the following factors:
The size, complexity, and ownership characteristics of the entity
o Large entities may have audit committee, internal audits, formal code of conduct
o Smaller entity may lack such features
The Greatest Risk is when:
o Management judgment is involved
o Highly complex accounting principles
The auditor is required to respond to the results of the risk assessment on three levels:
1. Overall, General Response - auditor should consider the overall fraud risk when:
a. Assigning personnel to the engagement
b. Determining the appropriate level of supervision of engagement personnel
c. Evaluating management's selection and application of accounting principles
d. Incorporating an appropriate level of unpredictability in the selection of auditing procedures from one year to
next
2. Response Encompassing specific audit procedures:
a. Nature - change nature of specific procedures by seeking evidence that is more reliable
b. Extent - vary the extent of testing by increasing sample size, performing testing at a more detailed level
c. Timing - judgement to determine the appropriate timing for audit procedures
The auditor uses a NET because a CPA CAREs about CURVed assertions
3. Response addressing risks related to management override
a. Examine journal entries and other adjustments (scrutinizing the journal entries at the highest level is essential)
b. Review accounting estimates for biases (ex. completely manipulate and over-exaggerate the values)
c. Evaluate the business purpose for significant unusual transactions (ask questions when complex situation)
Significant Fraud Risk: Withdraw!
Examples of responses to identified risks:
Revenue recognition
- Perform substantive analytical procedures relating to revenue
- Confirm with customers contract terms and absence of side agreements
- Inquire of entity personnel regarding unusual conditions
- Physically observe shipments close to period end
- Test controls surrounding the electronic processing of revenue transactions
Revenue recognition criteria:
1. Must have signed agreement (arrangement)
2. Must be a delivery: risk and rewards
3. Must be a fixed or determinable price
4. Collectability
Inventory quantities
- Material Misstatement Concern: Failure to reconcile books to physical inventory
- Examine inventory records
- Observe inventory counts on unannounced basis
- Conduct inventory counts at different locations on same date
- Conduct inventory counts at or near the end of the period
- Perform more rigorous examination and additional testing during observation
- Compare quantities for the current period with prior periods
Management Estimates:
- Engage a specialist to evaluate management's estimate.
- Develop an independent estimate
- Perform a retrospective review of prior period estimates (how good were last year's estimates?)
Evaluating Audit Evidence - Conditions identified during fieldwork:
a) Discrepancies in the accounting records
b) Conflicting or missing evidential matter
c) Problematic or unusual relationships between the auditor and management
Analytical Procedures are REQUIRED during planning and final review.
When performed at completion of audit, it may indicate a fraud risk that was not previously identified. Auditor should
pay careful attention to unusual relationships relating to year-end revenue and income.
Misstatement caused by fraud (even immaterial misstatements) may be indicative of an underlying problem with
management integrity: WITHDRAW
The auditor may need to reevaluate the assessment of fraud risk, the assessed effectiveness of controls, and the
appropriateness of the audit procedures applied
A final evaluation should be made regarding the assessment of the risks of material misstatement due to fraud
Management and those charged with governance
Generally, any indication of fraud (even immaterial fraud) should be discussed with an appropriate level of
management, at least one level above those involved.
- Fraud that causes a material misstatement: discuss with senior mgmt and report directly to those charged with
governance
- Fraud involving senior management: report directly to those charged with governance
- Identified risk factors that represent significant deficiencies or material weaknesses: communicate with senior
management and those charged with governance
Parties outside the entity that we must communicate with:
1. To comply with certain legal and regulatory requirements
2. To a successor auditor
3. In response to a subpoena
4. To a funding agency
Complete documentation of the auditor's risk assessment and response is required, including:
- Planning among engagement personnel regarding fraud risk
- Procedures performed to obtain information related to fraud risk
- Specific identified risks of material misstatement due to fraud
- If the auditor has not identified improper revenue recognition as a fraud risk, support for this conclusion
- Results of procedures performed to address the risk of management override of controls
- Other conditions and analytical relationships that warranted further audit work
- Nature of communications made about fraud
Record retention is now MANDATORY under GAAS, AICPA, and Sarbanes-Oxley (SOX for 7 years)!!!
Fraud = intentional
Errors = unintentional
Illegal Acts = violations of law
Auditor's responsibility to detect illegal acts that have a material and direct effect on FS is the same as that for
errors and fraud.
Auditor has a responsibility to plan and perform the audit to obtain reasonable assurance that the FS are free of
material misstatement.
Auditor is under no obligation to look for illegal acts having an indirect effect on the FS.
Generally, the less the act affects the FS, the less likely it is that the auditor will discover it.
The auditor generally does not include procedures specifically to detect illegal acts, but may discover such acts
through other procedures, such as reading minutes or making inquiries of management or of legal counsel.
Auditor's Response to Illegal Acts
When we suspect there is a problem (possible illegal acts):
1. Obtain an understanding of the situation
2. Inquire of management at a level above those involved
3. Consult the client's legal counsel
4. Apply additional audit procedures, if necessary
When we have found a problem (detected illegal acts):
1. Consider the effects of the illegal act on FS
2. Evaluate the materiality of the illegal act (consider quantitative and qualitative factors)
3. Evaluate the disclosure of loss contingencies, including possible fines, penalties, and damages
4. Consider the implications for other areas of the audit
5. Communicate the illegal act to those charged with governance
Effect of illegal act on auditor's report:
1. Departure from GAAP: "Except For" qualified or adverse
2. Insufficient Evidence: "Except For" qualified or disclaimer
3. Client Refuses to modify report: Withdraw
- If client fails to take appropriate action regarding any illegal act (including those that are non-material), then
withdraw!
- Those charged with governance should be adequately informed of illegal acts unless they are clearly
inconsequential. This could be oral or written, but oral communications should be documented.
- Ordinarily, the auditor is not responsible to communicate this disclosure to anyone other than senior
management and those charged with governance, but it may be required in some circumstances. For example:
o Comply with certain legal and regulatory requirements
o To a successor auditor
o In response to a subpoena
o To a funding agency
Risk Assessment

TIP PIE ACDO (Fieldwork)



Second GAAS standard of fieldwork requires auditor to obtain understanding of entity and its environment,
including internal control. Must perform risk assessment procedures to obtain this understanding.

Audit Steps: IM A CPA


I - Internal Control: Understand entity and its environment, including internal control
M - Material Misstatement: Assess risk of material misstatement
A - Assessed Risk Response: Respond to assessed risk level by designing further audit procedures based on assessment
C - Control Testing: Test internal controls to evaluate their operating effectiveness
P - Perform Substantive Testing: Perform substantive tests
A - Audit Evidence: Evaluate sufficiency and appropriateness of audit evidence obtained


I - Internal Control: Understand entity and its environment, including internal control
Obtaining understanding is critical: it establishes a frame of reference within which the audit is planned and performed
Risk assessment procedures:
1. Inquiries of management, others in entity, board of directors, internal auditors, legal counsel
2. Analytical Procedures: required in planning and final stage; compare recorded amounts to expectations
3. Observation and Inspection: inspect company documents, read reports, board minutes
4. Discussion Among the Audit Team: significant audit risk, management overrides; may be held with the
discussion involving fraud risk
5. Other Procedures: review external info, fraud risk assessment results, prior period evidence
Auditor may perform substantive procedures or tests of controls concurrently with risk assessment procedures.
Risk assessment may change as more evidence is obtained; the auditor should revise the assessment and modify
planned audit procedures.
Factors to understand:
- Industry, Regulatory, and Other External Factors
- Nature of the Entity (operations, ownership, governance, investments, structure, financing)
- Objectives, Strategies, and Business Risks
o Business risk: often arises from change or complexity
o Example: competitive risk may render a company's product obsolete or reduce value, and failure to
recognize this change could result in a material misstatement of inventory
- Entity's Financial Performance (management measures this performance, auditor should obtain an understanding)
- Internal Control, Including the Selection and Application of Accounting Policies
M - Material Misstatement: Assess risk of material misstatement
When assessing risk, consider whether substantive tests alone are insufficient to reduce detection risk to an acceptably
low level (i.e. whether evaluation of controls is also necessary; covered later).
Significant Risks:
Factors that may be indicative of significant risks:
- Nonroutine, unusual, or complex transactions
- Business risks
- Fraud risk
- Significant related party transactions
- Accounting estimates
- Accounting principles that are subject to different interpretations
Respond to assessed risk level by designing further audit procedures based on assessment. Response to significant risks:
- Evaluate the design of the entity's related controls
- Determine whether the controls have been implemented
- Evaluate whether and how management responds to such risks (if mgmt doesn't respond, go to those charged
with governance)
Test internal controls to evaluate their operating effectiveness
Test of controls: Test strengths to be relied upon, not weaknesses
Identify controls that are likely to prevent or detect and correct material misstatements in specific relevant assertions.
If risk assessment is based on effective operation of those controls, they must be tested by the auditor.


Identify specific internal controls relevant to specific assertions.


Controls that are more directly related to an assertion are more effective in preventing/detecting and correcting it,
than those indirectly relating to an assertion.
Situations that reflect management integrity or lack of records = Qualifying, Disclaiming, or Withdrawing!
Documentation Requirements: Document the following:
- Discussion among the audit team
- Key elements of understanding of the entity and its environment (including all components of internal control)
- The assessment of the risks of material misstatement
- Identified risks and related controls evaluated by the auditor
- Control factors used/helped plan the audit engagement
- Control factors that helped ensure management rules/directives were followed
*****The documentation may include any item the auditor can FIND:
F - Flowchart
I - Internal Control Questionnaire or Checklists
N - Narrative
D - Decision table
Flowcharts:
- Depicts auditor's understanding of system.
- A symbolic diagram representing the sequential flow of authority, processes, and documents
- Adequate flowchart shows the origin of each document in the system, its subsequent processing, and its final
disposition
- IT flowcharts are initially created to document the logic and existing flow of a computer program
- Flowchart Organization:
o Show the general flow of documents and data
o Start at top of page and move from top to bottom and from left to right
o Use descriptive wording geared to the reader
o Avoid intersecting flow lines by using off-page/on-page connectors
- MUST SEE FLOWCHARTING SYMBOLS on page A3-42!!!!!
Internal Control Questionnaires:
- Used for each item of management assertions: a CPA CO CAREs about CURVed assertions
- Generally, consists of a list of questions to be answered by YES or NO response
- Negative response is designed to draw attention to a possible weakness in internal control
- Written explanations are required for NO answers
- The questionnaire format can be open-ended, requiring explanation by employee being interviewed
Narratives:
- Hard to see weaknesses
- Is a written version of a flowchart
- Appropriate for less complex control structures (flowcharts are appropriate for more complex structures)
Decision Trees or Tables:
- Decision Trees are graphic illustrations that depict the logic of an operation or process
- Decision Tables are graphic illustrations that depict the logical relationships of a system in table form
Flowchart -> Sequential
Decision Tree -> Logical


Internal Control

TIP PIE ACDO (Internal Control)


Entity Objectives:
1. Reliability of financial reporting: Most RELEVANT to audit, and auditor MUST consider and understand
2. Effectiveness and efficiency of operations
3. Compliance with applicable laws and regulations
5 Components of Internal Control: CRIME
1. C - Control Environment: the overall tone of the organization
2. R - Risk Assessment: management's identification of risk
3. I - Information and Communication Systems: a means of recording transactions and communicating
responsibilities
4. M - Monitoring: assessment of internal control performance over time
5. E - Existing Control Activities: control policies and procedures
Control Testing = Internal Control (CRIME)
Substantive Testing = $$$ Balance Testing
Auditor should focus on: How a specific control prevents, or detects and corrects, material misstatements
Generally, those controls that pertain to the first objective, reliability of financial reporting, are most relevant to the
audit; it is primarily those controls that the auditor must consider and understand.
The auditor need not assess all controls related to financial reporting, but use professional judgement in determining it.
***It's a CRIME not to have strong internal control.***
***CPA required understanding for each element of CRIME as it pertains to financial reporting.
The auditor should obtain an understanding of the five components of internal control sufficient to:
1. Evaluate the design of relevant controls and determine whether they have been implemented.
2. Assess the risk of material misstatement: identify types of potential misstatement
3. Design the nature, extent, and timing of further audit procedures
a. Identify types of potential misstatement
b. Consider factors that affect the risks of material misstatement
c. Design tests of controls
d. Design substantive procedures
A CPA tests internal control in order to adequately plan the NET audit.
Limitations of internal control:
- Human error
- Deliberate circumvention of controls by collusion of two or more people
- Management override of internal control
- Segregation of duties may be difficult to achieve in a smaller entity (cost/benefit issue)
Effect of Information Technology on Internal Control
- IT system may make it impossible to reduce detection risk through substantive testing alone; MUST also perform
control testing.
- A CPA must document all evaluations.
IT Benefits:
- The ability to process large volumes of transactions and data accurately and consistently
- Improved timeliness and availability of information
- Facilitation of data analysis and performance monitoring
- Reduction in the risk that controls will be circumvented
- Enhanced segregation of duties through effective implementation of security controls
IT Risks:
- Potential reliance on inaccurate systems
- Unauthorized access to data which may result in loss of data and/or data inaccuracies
- Unauthorized changes to data, systems, or programs
- Failure to make required changes or updates to systems or programs
Auditor should:
1. Document use of programs
2. Perform tests more often during the year
Organization Structure of IT Department (Segregation of duties):
C - Control group: responsible for internal control in IT dept. Maintain error log and determine its cause.
O - Operators: input data
P - Programmers: write and develop computer programs
A - Analysts: identify and design the overall system (programmers do the detailed work)
L - Librarian: track programs, maintain data storage, control access to programs
Weakness:
1. Anyone doing more than one job
2. Anyone supervising another area
CRIME: The most important ones for the test are C - Control Environment and E - Existing Control Activities

[Diagram of the CRIME components: Control Environment, Risk Assessment by Management, Information and
Communication Systems, Monitoring, Existing Control Activities]

**Examiners' questions focus on the control environment and on an entity's existing control activities
C - Control Environment: the overall tone of the organization
- Sets the tone of an organization
- Integrity and ethical values
- Competence
- Participation of those charged with governance
- Management's philosophy and operating style
- Organizational structure
- Assignment of responsibility
- Human resource policies
The following circumstances would raise concerns regarding management's philosophy and operating style:
- Management consumed with meeting the budget
- Management dominated by one person
- Management compensation contingent upon the entity's financial performance (= bonus and stock options)
The control environment has a pervasive effect on the auditor's risk assessment, and preliminary judgments about its
effectiveness may influence the nature, extent, and timing of further audit procedures to be performed.

R - Risk Assessment: management's identification of risk relevant to the FS
- CPA should obtain understanding and knowledge
- Entity's identification of risks to achievement of its objectives
- The assessment by management of risk facing the entity, not the auditor's assessment of control risk
- Risks are generally related to changes, for example: (don't have to memorize, just know them)
1) Change in regulatory environment
2) New personnel
3) New information systems or technology
4) Rapid expansion of operations
5) New business models
6) Corporate restructuring
7) Expansion or acquisition of foreign operations
8) Adoption of new accounting principles or pronouncements
I - Information and Communication Systems: a means of recording transactions and communicating responsibilities
- CPA should obtain understanding and knowledge
- Support the identification, capture, and exchange of information in a timely and useful manner
The accounting information system:
- Classes of transactions significant to FS
- Accounting processing (both automated and manual), from initiation of a transaction to FS
- Accounting records (both electronic and manual), supporting information, and specific accounts involved in
initiating, authorizing, recording, processing, and reporting transactions
- Ways other significant events are captured by the system
- Financial reporting process, including development of significant accounting estimates and disclosures
Auditor should obtain understanding of:
1. Methods used to communicate roles and responsibilities
2. Communication between mgmt and those charged with governance, audit committee, and external parties
3. Initiating, authorizing, recording, processing, and reporting entity transactions, conditions, and events
M - Monitoring: assessment of internal control performance over time
- CPA should obtain understanding and knowledge of activities to monitor internal control
- Process that assesses the quality of internal control (design and control operations) performance over time
- Establishing and maintaining internal control is a responsibility of management, for example:
o Internal audit function
o Regular management and supervisory activities
o Other procedures such as mailing customer statements
E - Existing Control Activities: control policies and procedures
- CPA should obtain understanding and knowledge
- Policies and procedures that ensure management directives are carried out and risks are addressed
- Strong internal control has PAID-TIPS
o P - Pre-numbering documents
o A - Authorization of transactions
o I - Independent checks to maintain asset accountability
o D - Documentation
o T - Timely and appropriate performance reviews
o I - Information processing controls
o P - Physical controls for safeguarding assets
o S - Segregation of duties
P - Pre-numbering documents
- All transactions are recorded -> Completeness
- No transactions are recorded more than once -> Existence
- Example: Your Checkbook
A - Authorization of transactions
- Authorization should occur before commitment of resources
- Example: Signed approval
I - Independent checks to maintain asset accountability
- Independent checks involve the verification of work previously performed by others:
o Review of bank reconciliations
o Comparison of subsidiary records to control accounts
o Comparison of physical counts of inventory to perpetual records
- Example: Checks and balances
D - Documentation
- Evidence of transactions and a basis for responsibility for the execution and recording of transaction
- Example: Paper trail
T - Timely and appropriate performance reviews
- Comparison of actual performance to budgets, forecasts, and prior periods
- Comparison of financial and nonfinancial information
- Example: Analytical procedures
I - Information processing controls
- Ensure that transactions are valid, authorized, and completely and accurately recorded
- Application controls: processing of individual applications (i.e. controls surrounding payroll)
- General controls: information processing throughout the company (i.e. access controls, controls over
data center, network operations)
P - Physical controls for safeguarding assets
- Physical segregation of security of assets
- Authorized access to assets and records
- Periodic counting and comparison of actual assets with amounts shown in accounting records
- Example: Security
S - Segregation of duties
- One individual provides a crosscheck on the work of another individual
- Assigning different people the responsibilities of authorizing, recording transactions, and maintaining
custody of the related assets reduces the opportunities for any individual to both perpetrate and
conceal errors or fraud
Internal control environment should detect fraud by one person, NOT:
1. Collusion
2. Management override
****Segregation of duties is your ARC to protect against a flood of troubles. Client should separate these functions:
A - Authorization
R - Recordkeeping
C - Custody of related assets
- An audit does not require an understanding of all control activities
- Auditor's primary consideration should be whether a control prevents, or detects and corrects, material misstatements

Effect of Service Organizations on Internal Control


Service organizations: for example, ADP and Paychex
A service organization's services are considered to be part of an entity's information system when those services affect
the initiation, execution, processing, or reporting of the user company's transactions.
Service auditor: the service organization's auditor (ex. ADP's auditor)
User auditor: we, the independent CPA
User auditor's responsibilities:
- Consider effect of service bureau on internal control of user organization
- Obtain the necessary understanding of user organization's internal control to plan the audit
- Assess control risk at the user organization
- Perform substantive procedures
- Make inquiries about the service auditor's professional reputation
- User auditor should not make reference to the report of the service auditor
Service auditor's responsibilities:
- Inquire of management regarding subsequent events that affect user organizations
- Obtain a management representation letter
- Responsible for representations in service auditor's report and exercising due care in applying procedures
- Report should describe the scope and nature of the auditor's procedures
- Two types of reports a service auditor may provide:
o Report on Controls Placed in Operation: May aid auditor in obtaining an understanding of controls; however,
it is provided when tests of operating effectiveness were not performed, and therefore it does not provide
the user auditor with a basis for reducing the assessment of control risk
o Report on Controls Placed in Operation and Tests of Operating Effectiveness: May provide evidence that
would allow a reduction in the assessed level of control risk
Responding to Assessed Risks

I - Internal Control: Understand entity and its environment, including internal control
M - Material Misstatement: Assess risk of material misstatement
A - Assessed Risk Response: Respond to assessed risk level by designing further audit procedures based on assessment
C - Control Testing: Test internal controls to evaluate their operating effectiveness
P - Perform Substantive Testing: Perform substantive tests
A - Audit Evidence: Evaluate sufficiency and appropriateness of audit evidence obtained
IM A CPA: A - Assessed Risk Response: Respond to assessed risk level by designing further audit procedures based on
assessment
To reduce audit risk to low level, auditor should respond to assessed risk in two ways:
- Overall response: address risk at FS level
- Response at assertion level, the NET (nature, extent, timing) of audit procedures are designed to address risks
Overall Response: Auditor may:
- Address increased need for professional skepticism
- Assign more experienced staff
- Increase supervision
- Incorporate greater level of unpredictability
- Change the NET, such as shifting substantive procedures closer to period end
General approach may consist of only a Substantive Approach, or a combined approach of tests of controls and
substantive procedures.
Response to Risks at the Relevant Assertion Level:
- Link between the assessed level of risk at the relevant assertion level and the NET of further audit procedures.
***Three elements of further audit procedures can be varied by the auditor. We cast our NET over the audit.
N - Nature
E - Extent
T - Timing
Nature:
- Includes the audit's purpose: test of control vs. substantive procedure
- Includes the audit's type: inspection, observation, inquiry, confirmation, recalculation, reperformance, or analytical
procedure
- The HIGHER the auditor's risk assessment, the more reliable the evidence must be.
- Auditor varies the nature of audit procedures to achieve the desired level of reliability and relevancy
- If the info provided by entity's system is used, must test its accuracy and completeness
- In responding to assessed risks, the nature of audit procedures is of primary importance
Extent:
- Refers to quantity to be performed: # of observations or sample size
- The HIGHER the auditor's assessment, the greater the extent of audit procedures
- Also consider the tolerable misstatement and degree of assurance
Timing:
- May be performed at an interim date or at period end
- The HIGHER the auditor's risk assessment, the closer to period end substantive procedures should be
- Auditor should consider when relevant info is available
In designing further audit procedures that are responsive to assessed risks, auditor should consider:
1) Significance and likelihood of risk
2) Characteristics of transaction, balance, or disclosure
3) Nature of controls used (i.e. automated or manual)
4) Whether auditor expects to test the operating effectiveness of controls
Audit procedures should be performed to determine whether the FS are presented in a manner that classifies and
describes financial information appropriately, and includes adequate disclosure of material matters.
Audit Approach: the auditor's specific approach to identified risks at the relevant assertion level may consist of either a
substantive approach or a combined approach.
Substantive Approach ($$$ Balance): Use when:
- No strong controls to be relied upon
- Not efficient to test the operating effectiveness of controls -> Cost/Benefit
Combined Approach: Tests of operating effectiveness of controls and substantive procedures. If controls are effective,
less assurance will be needed from substantive procedures
Tests of Controls May Be Required (IT):
- Where large amount of info is initiated, authorized, recorded, processed, or reported electronically, substantive
procedures alone may not be sufficient
- In highly electronic environments

Dual-Purpose Tests:
- A test of controls performed concurrently with a test of details on the same transaction
- Purpose of test of controls: Evaluate the operating effectiveness of a control
- Purpose of test of details: Support relevant assertions or detect material misstatements
Material misstatements that the auditor detects through performance of substantive procedures should be considered
by the auditor when assessing operating effectiveness.
Audit Approach
Status of Internal Control | Risk Level | Perform Control Tests | Perform Substantive Testing
None/Weak | High | No (unless heavy use of IT) | Yes - Maximum
Some | Medium | Yes | Moderate
Strong | Low | Yes | Minimum (never eliminate for material balances, transaction classes, or disclosures)

IM A CPA: C - Control Testing: Test internal controls to evaluate their operating effectiveness
Tests of controls: performed when the auditor's risk assessment is based on the assumption that controls are operating
effectively, or when substantive procedures alone are insufficient. (Test Control Strengths, typically not weaknesses)
Obtaining an understanding of internal control includes evaluating the design of controls and determining whether they
have been implemented. Auditor is not required to evaluate operating effectiveness as part of obtaining an
understanding of internal control.
Inspect client records, documenting use, and changes to IT programs.
Only those controls that are suitably designed to prevent or detect material misstatements are subject to tests of
operating effectiveness.
Nature of Tests of Controls:
- Tests of the operating effectiveness of controls include: inquiries, inspection, observation, and
reperformance.
o Inquiry alone is not sufficient
o Observation should be supported with inquiry or inspection
- Obtain evidence about the operating effectiveness of:
o Controls directly related to relevant assertions
o Other indirect controls that affect the direct controls
- As the planned level of assurance about operating effectiveness increases, the auditor should obtain
more reliable or more extensive audit evidence.
Hierarchy:
1. Personal observation/knowledge
2. External evidence
3. Internal evidence
4. Oral evidence
Extent of tests of controls:
- How frequently the control is performed
- The length of time during which the auditor wishes to rely on the control
- The relevance and reliability of the evidence to be obtained
- The extent to which other tests provide audit evidence about the same assertion
- The extent to which the auditor wishes to rely on the operating effectiveness of the control
- The expected deviation rate from the control
Timing of tests of Controls:
- Test at particular time versus testing throughout a period: when tests of controls are performed at one
particular time, they provide evidence that controls operated effectively only at that time. Controls tested
throughout the period provide evidence of operating effectiveness during that period
- Controls tested only during an interim period should be supplemented by additional evidence for the
remaining period -> Roll Forward
- If controls have changed since they were last tested, operating effectiveness must be retested in the current
period
- Even if controls have not changed, operating effectiveness must be tested at least once every third year.
- The higher the assessed risk, or the greater the intended reliance on controls, the more frequently the auditor will
choose to test operating effectiveness
- Weak control environment may result in more frequent testing
IM A CPA: P - Perform Substantive Testing: Perform substantive tests
Substantive procedures/tests:
- $$$ Balances
- Analytical
- Ratios
Substantive procedures are used to detect material misstatements at the relevant assertion level.
Substantive procedures should be designed to be responsive to assessed risks; however, regardless of the assessed risk,
substantive procedures are required for each material transaction class, account balance, or disclosure.
Procedures include:
- Agreement of FS to the underlying accounting records
- Examination of material journal entries or adjustments made while preparing the FS
Two types of substantive procedures:
- Tests of details applied to transaction classes, account balances, and disclosures
- Substantive analytical procedures
Auditor may use only substantive analytical procedures, only tests of details, or combination:
Substantive analytical procedures are often used when there is a large volume of predictable transactions
Tests of details are more appropriate when obtaining evidence regarding the existence and valuation of account
balances
The choice of which substantive procedures to use is affected by the operating effectiveness of controls
Directional testing:
In designing substantive procedures to test the existence or occurrence assertion, the auditor should select from FS
amounts and obtain evidence supporting the inclusion of those amounts in FS.
o Vouching = Support
In designing substantive procedures to test the completeness assertion, the auditor should select from evidence
indicating that an item should be included in the FS, and then determine whether the item is in fact included.
o Tracing = Coverage
See chart on page A3-63
Risks -> overstated assets and revenue
Vouch to support/existence/occurrence
- Financial Statements
- Trial Balance
- General Ledger
- Subsidiary Ledger
- Books of Original Entry
- Source Documents
- Execution of Event
- Transaction Approved
Risk -> understated liabilities and expenses
Trace for completeness/coverage
The greater the risk of material misstatement, the less detection risk that can be accepted, and the greater the extent of
substantive procedures.
If controls are operating effectively, the extent of substantive procedures may be reduced.
Sample size is affected by the planned level of detection risk, the tolerable misstatement, the expected misstatement,
and the nature of the population
Timing of substantive procedure:
Interim Testing: if substantive procedures are performed at an interim date, the auditor should perform further
substantive procedures (may combine with tests of controls) to provide a reasonable basis for extending audit
conclusions to period end.
Performing substantive procedures at an interim date increases the risk that the auditor will not detect FS material misstatements
In certain situations, such as those in which there is an identified fraud risk, the auditor may choose to perform
substantive procedures at or near period end.
Evidence obtained from substantive tests performed in a prior audit generally is not sufficient for the current period
IM A CPA: A - Audit Evidence: Evaluate sufficiency and appropriateness of audit evidence obtained

Audit evidence obtained may cause the auditor to modify his or her initial risk assessment. Example:
The auditor should not assume that an identified instance of fraud or error is an isolated occurrence, but instead should
consider whether such instance affects the assessed risk of material misstatement
When there is a change in the assessed level of risk, the auditor should modify planned audit procedures accordingly.
The auditor uses judgment to evaluate the sufficiency and appropriateness of audit evidence, but should consider:
1. Significance and likelihood of potential misstatements
2. Effectiveness of management's responses and controls
3. Experience gained during previous audits
4. Results of audit procedures performed
5. Source, reliability, and persuasiveness of audit evidence obtained
6. Understanding of the entity and its environment
