Professional Documents
Culture Documents
http://cpacfa.blogspot.com
Planning and Supervision
TIP PIE ACDO
The audit committee is responsible for the selection and the appointment of the auditor and the reviewing the
nature and scope of the engagement
In a new client relationship, it is mandatory to make inquiries of the predecessor auditor. Client permission is
needed. If the client is unwilling it is a scope limitation.
An engagement letter – a signed contract which documents the understanding with the client is required for an
audit engagement (should be signed and dated by the client)
An audit is not designed to detect error or fraud that is immaterial to the F/S
An audit is not designed to provide assurance on internal control or to identify significant deficiencies
Audit is subject to inherent risks that errors and fraud will not be detected. If we discover fraud then we report
it to the audit committee
The auditor is required to obtain an understanding of the entity, its environment and internal controls
Materiality
Known misstatements – specific misstatements identified during the audit
Likely misstatements – misstatements the auditor considers likely to exist due to differences between auditor
and mgmt judgements or from audit evidence
Tolerable misstatements – maximum error in a specific population that the auditor is willing to accept
Because the F/S are interrelated, the auditor should use the smallest level of misstatement that could be material
to any one of the F/S
The auditor must consider the effects, both individually and in aggregate, of the uncorrected misstatements
(both known and likely)
Audit Risk
Audit risk is the risk that the auditor may unknowingly fail to modify appropriately the opinion on the F/S that
are materially misstated (risk that the auditor will give the wrong opinion)
AR = RMM * DR
AR = (IR * CR) * DR
RMM and DR have inverse relationship. When risk of material misstatement is high, detection risk should be
set low (so we have to do more work)
Direct relationship between RMM and assurance required from Substantive procedures. Greater the risk
(RMM) the more persuasive evidence needed.
Audit risk and materiality must be considered at both the F/S level and the account balance (item level)
• At the F/S level, the auditor should consider risks that have pervasive effect on the F/S, potentially affecting
many relevant assertions
• The account balance level (transaction & item level) is used to determine the nature, extent, and timing of
audit procedures. Inverse relationship between audit risk and materiality
Audit Procedures:
1. Risk assessment procedures
2. Test of controls – test of internal controls (CRIME)
3. Substantive procedures – tests $ balances
Account balances
C – Completeness
A – Allocation and valuation
R – Rights and obligations
E – Existence
After sufficient planning information has been gathered, an audit plan should be drafted. A written audit plan is
required for every audit.
When planning the audit, the auditor should consider the extent of involvement of the client’s internal auditors
in the audit. Internal auditors are not independent, thus, the external auditor can’t share with the internal auditor
any responsibility for audit decisions.
• Auditor must obtain an understanding of the internal audit function
• If the auditor uses the work of internal audit, competence and objectivity must be assessed
• The higher the level the internal auditors report to, the more objectivity can be assumed
• The auditor remains solely responsible for the report on the F/S. The internal auditor may not be utilized to
make judgement calls
If a specialist is used must evaluate the competence and objectivity of the specialist. Treat like one of your staff.
Its mgmt’s responsibility to design and implement programs and controls to prevent and detect fraud
The auditor has a responsibility to plan and perform (referred to as design) the audit to obtain reasonable
assurance about whether the F/S are free from material misstatement, whether caused by error or fraud.
Consider the results of analytical procedures (required during the planning and final stage)
4
AUD - Notes Chapter 3
http://cpacfa.blogspot.com
Attributes of risk:
• Type of risk: fraudulent F/S or misappropriation of assets
• Significance of risk: can it lead to a material misstatement
• Likelihood of the risk: how likely is this to happen
• Pervasiveness of the risk: does it affect the whole F/S or only specific accounts or transactions
2 Areas of greatest fraud concern:
1. Improper revenue recognition
2. Mgmt override controls
The auditor is required to respond to the results of the risk assessment on three levels
1. Overall, general response
- assigning personnel to the engagement
- determining the appropriate level of supervision of engagement personnel
- evaluating mgmt’s selection and application of accounting principles
2. Response encompassing specific audit procedures
- change nature
- change extent
- change timing
3. Response addressing risks related to mgmt override
- examine journal entries and other adjustments
- review accounting estimates for biases
- evaluate the business purpose for significant unusual transactions
Revenue recognition
- perform substantive analytical procedures relating to revenue
- confirm with customers contract terms and the absence of side agreements
Revenue recognition criteria
1. must have an arrangement (signed agreement)
2. must be a delivery
3. must be fixed or determinable price
4. collectability
Inventory quantities
- concern that there may be a failure to reconcile books to physical inventory
Mgmt estimates
- engage a specialist
- develop an independent estimate
- perform a retrospective review of prior period estimates (how good were last yr’s estimates)
Misstatements caused by fraud (even immaterial misstatements) may be indicative of an underlying problem
with mgmt integrity. The auditor may need to reevaluate the assessment of fraud risk, the assessed effectiveness
of controls, and the appropriateness of audit procedures applied.
Inform the audit committee of any fraud. Parties outside the entity that we may communicate with in certain
circumstances:
5
AUD - Notes Chapter 3
http://cpacfa.blogspot.com
- to comply with certain legal and regulatory requirements
- to a successor auditor
- in response to a subpoena
- to a funding agency
If the auditor has not identified improper revenue recognition as fraud risk, support for this conclusion
Illegal acts – violation of law
The auditors responsibility to detect illegal acts are the same for fraud and errors.
The auditor has no obligation to look for illegal acts having an indirect effect on the F/S
The auditor generally does not include procedures to specifically detect illegal acts
Risk Assessment
TIP PIE ACDO (fieldwork)
Documentation requirements
• Discussion among the audit team
• Key elements of the understanding of the entity and its environment
• The assessment of the risks of material misstatement
• The identified risks and related controls evaluated by the auditor
Document
1. control factors that were used/helped to plan the audit engagement
2. control factors that helped ensure mgmt rules and directives were followed
Forms of documentation may include any item the auditor can FIND
F – Flowchart
I – Internal control questionnaire or checklists
N – Narrative
D – Decision table
Flowcharts – symbolic diagram representing the sequential flow of authority, processes and documents. Depicts
the auditors understanding of the system
• An adequate flowchart shows the origin of each document in the system, its subsequent processing, and its
final disposition
• IT flowcharts are initially created to document the logic and existing flow of a computer program
Decision tables or trees – graphic illustrations that depict the logic of an operation or a process
Internal Control
TIP PIE ACDO
Entity objectives
1. Reliability of financial reporting (most relevant to the audit)
2. Effectiveness and efficiency of operations
3. Compliance with applicable laws and regulations
7
AUD - Notes Chapter 3
http://cpacfa.blogspot.com
Controls that pertain to the first objective (reliability of financial reporting) are the most relevant to the audit,
and these are the controls that the auditor must consider and understand.
IT system may make it impossible to reduce detection risk through substantive testing alone (must do control
testing as well)
IT benefits:
• Ability to process large volumes of transactions accurately
• Improved timeliness and availability of information
• Facilitation of data analysis and performance monitoring
• Reduction is the risk that controls will be circumvented
• Enhanced segregation of duties through effective security controls
IT Risks:
• Potential reliance on inaccurate systems
• Unauthorized access to data
• Unauthorized changes to data, systems and programs
• Failure to make required changes and updates to systems or programs
Auditor should document use of programs and perform tests more often during the yr
8
AUD - Notes Chapter 3
http://cpacfa.blogspot.com
Anyone doing for an 1 job or supervising another area is a weakness
CRIME
C – Control Environment – has pervasive effect on the auditors risk of assessment and preliminary judgements
about its effectiveness may influence NET of further audit procedures to be performed
• Sets the tone of an organization, influencing the control consciousness of its people
• Communication and enforcement of integrity and ethical values
• Mgmt’s philosophy and operating style
• Organizational structure
• Assignment of authority, responsibility and accountability
• Human resource policies and practices
R – Risk assessment
• CPA should obtain understanding and knowledge
M – Monitoring
• CPA should obtain understanding and knowledge
• Process that assesses the quality of internal control performance over time
• Establishing and maintaining internal control is a responsibility of mgmt
The internal control environment should be detected in the ordinary course of business by an employee, not
- Collusion
- Mgmt overrides
Report on controls placed in operation – may aid the auditor in obtaining an understanding of controls,
however, it is provided when tests of operating effectiveness were not performed, and therefore it does not
provide the user with a basis for reducing the assessment of control risk
Audit approach – the auditors specific approach to identified risks at the relevant assertion level may consist of
either a substantive or combined approach
Combined approach – both control testing and substantive procedures are used. If controls are operating
effectively, less assurance will be required from substantive procedures.
Test of controls may be required in highly electronic environments, substantive procedures alone may not be
sufficient
Audit approach
Status of internal control Risk level Perform control tests Perform substantive tests
None or weak high No (because nothing to rely on) yes-maximum
Some medium Yes
Strong low Yes minimal (but never
eliminate for material
balances, transaction classes, or disclosures)
Obtaining an understanding of internal controls includes evaluating the design of controls and determining
whether they have been implemented
Only controls that are suitably designed to prevent or detect material misstatements are subject to tests of
operating effectiveness
Evidence hierarchy:
1. Personal observation and knowledge
2. External evidence
10
AUD - Notes Chapter 3
http://cpacfa.blogspot.com
3. Internal evidence
4. Oral evidence
Directional testing
To test existence or occurrence assertion – Top down, start from F/S. Look for support = vouching
Test existence for overstatement of assets and revenues
To test completeness assertion – Bottom up, start from item, look to see its included/covered in F/S = tracing
Test completeness for understatement of liabilities and expenses
If substantive procedures are performed at an interim date, the auditor should perform further substantive
procedures (maybe with test of controls) to provide reasonable basis for extending audit conclusions to period
end
If risk of material misstatement is low, performing substantive procedures at interim increases the risk that the
auditor will not detect material misstatements in the F/S
In certain situations, such as those in which there is an identified fraud risk, the auditor may choose to perform
substantive procedures at or near period end.
11